Edit tour

Windows Analysis Report
ProduKey.exe

Overview

General Information

Sample Name:	ProduKey.exe
Analysis ID:	800703
MD5:	9260e593a0f2d798fddc16a7b19ad808
SHA1:	8b3736186f9963a5cedd4a2d8dca66041799d0cd
SHA256:	bace5e41e07df9f71b07828dacfde462ce609fa1cd387c7e1cc4aacc59cf00e5
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	true
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries the product ID of Windows

Extensive use of GetProcAddress (often used to hide API calls)

Uses code obfuscation techniques (call, push, ret)

Queries the product ID of Microsoft Office

Contains functionality to dynamically determine API calls

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

ProduKey.exe (PID: 4460 cmdline: C:\Users\user\Desktop\ProduKey.exe MD5: 9260E593A0F2D798FDDC16A7B19AD808)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ProduKey.exe	ReversingLabs: Detection: 55%
Source: ProduKey.exe	Virustotal: Detection: 50%			Perma Link

Source: ProduKey.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ProduKey.exe

Static PE information: certificate valid

Source:

Binary string: c:\Projects\VS2005\ProduKey\Release\ProduKey.pdb source: ProduKey.exe

Source: C:\Users\user\Desktop\ProduKey.exe

Code function: 0_2_0040867D FindFirstFileA,FindNextFileA,

0_2_0040867D

Source: ProduKey.exe	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: ProduKey.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: ProduKey.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ProduKey.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: ProduKey.exe	String found in binary or memory: http://www.nirsoft.net/
Source: ProduKey.exe	String found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.html
Source: ProduKey.exe	String found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.html/stext/shtml/sverhtml/sxml/stab/scomma/stabul

Source: C:\Users\user\Desktop\ProduKey.exe

Code function: 0_2_0040455B OpenClipboard,

0_2_0040455B

Source: ProduKey.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ProduKey.exe	ReversingLabs: Detection: 55%
Source: ProduKey.exe	Virustotal: Detection: 50%

Source: ProduKey.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ProduKey.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ProduKey.exe

String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05

Source: classification engine

Classification label: clean48.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\ProduKey.exe

File opened: C:\Users\user\Desktop\ProduKey.cfg

Jump to behavior

Source: C:\Users\user\Desktop\ProduKey.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office

Jump to behavior

Source: ProduKey.exe

Static PE information: certificate valid

Source: ProduKey.exe	Static PE information: section name: RT_CURSOR
Source: ProduKey.exe	Static PE information: section name: RT_BITMAP
Source: ProduKey.exe	Static PE information: section name: RT_ICON
Source: ProduKey.exe	Static PE information: section name: RT_MENU
Source: ProduKey.exe	Static PE information: section name: RT_DIALOG
Source: ProduKey.exe	Static PE information: section name: RT_STRING
Source: ProduKey.exe	Static PE information: section name: RT_ACCELERATOR
Source: ProduKey.exe	Static PE information: section name: RT_GROUP_ICON

Source: ProduKey.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: c:\Projects\VS2005\ProduKey\Release\ProduKey.pdb source: ProduKey.exe

Source: C:\Users\user\Desktop\ProduKey.exe	Code function: 0_2_0040EAD0 push eax; ret	0_2_0040EAE4
Source: C:\Users\user\Desktop\ProduKey.exe	Code function: 0_2_0040EAD0 push eax; ret	0_2_0040EB0C
Source: C:\Users\user\Desktop\ProduKey.exe	Code function: 0_2_00401309 push ecx; ret	0_2_00401319

Source: C:\Users\user\Desktop\ProduKey.exe

Code function: 0_2_0040180A GetDlgItem,LoadLibraryA,GetProcAddress,FreeLibrary,

0_2_0040180A

Source: C:\Users\user\Desktop\ProduKey.exe

Code function: 0_2_0040C73D RegOpenKeyExA,memset,memset,memset,memset,memset,GetPrivateProfileStringA,RegCloseKey,RegOpenKeyExA,RegCloseKey,RegOpenKeyExA,memset,RegCloseKey,RegOpenKeyExA,RegCloseKey,RegOpenKeyExA,RegCloseKey,

0_2_0040C73D

Source: C:\Users\user\Desktop\ProduKey.exe

Code function: 0_2_00401ACF LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00401ACF

Source: C:\Users\user\Desktop\ProduKey.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\ProduKey.exe	Window / User API: foregroundWindowGot 510			Jump to behavior
Source: C:\Users\user\Desktop\ProduKey.exe	Window / User API: foregroundWindowGot 413			Jump to behavior

Source: C:\Users\user\Desktop\ProduKey.exe

Code function: 0_2_0040867D FindFirstFileA,FindNextFileA,

0_2_0040867D

Source: C:\Users\user\Desktop\ProduKey.exe

Code function: 0_2_0040180A GetDlgItem,LoadLibraryA,GetProcAddress,FreeLibrary,

0_2_0040180A

Source: C:\Users\user\Desktop\ProduKey.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Users\user\Desktop\ProduKey.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Users\user\Desktop\ProduKey.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductID	Jump to behavior

Source: C:\Users\user\Desktop\ProduKey.exe

Code function: 0_2_004092C5 GetVersionExA,

0_2_004092C5

Source: C:\Users\user\Desktop\ProduKey.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Registration\{90160000-002A-0000-1000-0000000FF1CE} ProductID	Jump to behavior
Source: C:\Users\user\Desktop\ProduKey.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Registration\{90160000-002A-0000-1000-0000000FF1CE} DigitalProductID	Jump to behavior
Source: C:\Users\user\Desktop\ProduKey.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Registration\{90160000-002A-0000-1000-0000000FF1CE} DigitalProductId4	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	Path Interception	1 Obfuscated Files or Information	OS Credential Dumping	1 Application Window Discovery	Remote Services	1 Clipboard Data	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	23 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ProduKey.exe	55%	ReversingLabs
ProduKey.exe	50%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.nirsoft.net/utils/product_cd_key_viewer.html/stext/shtml/sverhtml/sxml/stab/scomma/stabul	ProduKey.exe	false	high
http://www.nirsoft.net/	ProduKey.exe	false	high
http://www.nirsoft.net/utils/product_cd_key_viewer.html	ProduKey.exe	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	800703
Start date and time:	2023-02-07 18:26:35 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	ProduKey.exe
Detection:	CLEAN
Classification:	clean48.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.7% (good quality ratio 95.9%) Quality average: 86.5% Quality standard deviation: 24.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 48 Number of non-executed functions: 85
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.479180238883247
TrID:	Win32 Executable (generic) a (10002005/4) 99.83% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ProduKey.exe
File size:	96464
MD5:	9260e593a0f2d798fddc16a7b19ad808
SHA1:	8b3736186f9963a5cedd4a2d8dca66041799d0cd
SHA256:	bace5e41e07df9f71b07828dacfde462ce609fa1cd387c7e1cc4aacc59cf00e5
SHA512:	0f2a95f78387b6c4d0c92fd2ef09d7c54c001caed53a63e99af4a19bc92ae0f9dd7a4b655f43667221169d2151a37872ddba3166f74a446be7f06862a4fe3535
SSDEEP:	1536:QuSJT0fl+h17f8OOaC4ujuZkbqYsh/Oud84KTEAUo2Gye42sbiE2:7SJT0fEhhfQH6ZkbqYshTLTGye45R2
TLSH:	F2936B43B7E04471E6E30A712ABA97368EF57D705538C90F57505A8B6CB07C0EE2A39B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+q..J...J...J..'i_..J...i...J..'i...J...EB..J...J...K....m..J....c..J....g..J..Rich.J..........PE..L....O.X...................

File Icon


Icon Hash:	54b26869f8c8cc00

Static PE Info

General

Entrypoint:	0x4010e0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x58EB4FC1 [Mon Apr 10 09:26:25 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	db1e107cc62854bf6b319abbe0feb186

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	9/12/2014 2:00:00 AM 9/13/2019 1:59:59 AM
Subject Chain	CN=Nir Sofer, O=Nir Sofer, STREET=5 Hashoshanim st., L=Ramat Gan, S=Gush Dan, PostalCode=52583, C=IL
Version:	3
Thumbprint MD5:	20080320FBD46305C5578175AB0A9EAA
Thumbprint SHA-1:	A80BAEDA573DF2712F23A41857E648475EAC9BA5
Thumbprint SHA-256:	EAFCB355770E7E64E5559482605D7801F30FEE6B159BF91196D5C9DC6B2419AC
Serial:	1AF0660E837A35A2CD92EC613FC15DB8

Entrypoint Preview

Instruction
push 00000070h
push 0040F3F0h
call 00007FF59CC303F9h
xor ebx, ebx
push ebx
mov edi, dword ptr [0040F108h]
call edi
cmp word ptr [eax], 5A4Dh
jne 00007FF59CC30231h
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
cmp dword ptr [ecx], 00004550h
jne 00007FF59CC30224h
movzx eax, word ptr [ecx+18h]
cmp eax, 0000010Bh
je 00007FF59CC30231h
cmp eax, 0000020Bh
je 00007FF59CC30217h
mov dword ptr [ebp-1Ch], ebx
jmp 00007FF59CC30239h
cmp dword ptr [ecx+00000084h], 0Eh
jbe 00007FF59CC30204h
xor eax, eax
cmp dword ptr [ecx+000000F8h], ebx
jmp 00007FF59CC30220h
cmp dword ptr [ecx+74h], 0Eh
jbe 00007FF59CC301F4h
xor eax, eax
cmp dword ptr [ecx+000000E8h], ebx
setne al
mov dword ptr [ebp-1Ch], eax
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0040F370h]
pop ecx
or dword ptr [00412EBCh], FFFFFFFFh
or dword ptr [00412EC0h], FFFFFFFFh
call dword ptr [0040F36Ch]
mov ecx, dword ptr [0041217Ch]
mov dword ptr [eax], ecx
call dword ptr [0040F368h]
mov ecx, dword ptr [00412178h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0040F364h]
mov eax, dword ptr [eax]
mov dword ptr [00412EB8h], eax
call 00007FF59CC3034Fh
cmp dword ptr [00412000h], ebx
jne 00007FF59CC3021Eh
push 004012CAh
call dword ptr [0040F31Ch]
pop ecx
call 00007FF59CC30324h

Rich Headers

Programming Language:

[RES] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10834	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13000	0x39b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x14a00	0x2ed0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xf3d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xf000	0x394	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xdc3f	0xde00	False	0.5847585867117117	data	6.373935270388497	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xf000	0x2a5e	0x2c00	False	0.46351207386363635	data	5.673793868405335	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x12000	0xec4	0x200	False	0.20703125	data	1.1949104842322338	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x13000	0x39b4	0x3a00	False	0.31654094827586204	data	4.101674932157477	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x136e8	0x134	data	English	United States
RT_BITMAP	0x1381c	0x3e8	Device independent bitmap graphic, 112 x 16 x 4, image size 896, 16 important colors	Hebrew	Israel
RT_BITMAP	0x13c04	0xd8	Device independent bitmap graphic, 14 x 14 x 4, image size 112, resolution 3780 x 3780 px/m	English	United States
RT_BITMAP	0x13cdc	0xd8	Device independent bitmap graphic, 14 x 14 x 4, image size 112, resolution 3780 x 3780 px/m	English	United States
RT_ICON	0x13db4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Hebrew	Israel
RT_ICON	0x1409c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Hebrew	Israel
RT_ICON	0x141c4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Hebrew	Israel
RT_MENU	0x142ec	0x73a	data	English	United States
RT_MENU	0x14a28	0x20c	data	English	United States
RT_DIALOG	0x14c34	0xa2	data	Hebrew	Israel
RT_DIALOG	0x14cd8	0x296	data	Hebrew	Israel
RT_DIALOG	0x14f70	0xabc	data	Hebrew	Israel
RT_DIALOG	0x15a2c	0xfa	data	Hebrew	Israel
RT_STRING	0x15b28	0x230	data	English	United States
RT_STRING	0x15d58	0x52	data	English	United States
RT_STRING	0x15dac	0x128	data	English	United States
RT_STRING	0x15ed4	0x4c	Matlab v4 mat-file (little endian) S, numeric, rows 0, columns 0	English	United States
RT_STRING	0x15f20	0x50	data	English	United States
RT_STRING	0x15f70	0xd6	Matlab v4 mat-file (little endian) P, numeric, rows 0, columns 0	English	United States
RT_STRING	0x16048	0x5a	data	English	United States
RT_STRING	0x160a4	0x42	data	English	United States
RT_STRING	0x160e8	0x6a	data	English	United States
RT_STRING	0x16154	0x78	data	English	United States
RT_STRING	0x161cc	0x6c	Matlab v4 mat-file (little endian) Q, numeric, rows 0, columns 0	English	United States
RT_STRING	0x16238	0x62	data	English	United States
RT_ACCELERATOR	0x1629c	0x70	data	Hebrew	Israel
RT_GROUP_CURSOR	0x1630c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0x16320	0x22	data	Hebrew	Israel
RT_GROUP_ICON	0x16344	0x14	data	Hebrew	Israel
RT_VERSION	0x16358	0x2dc	data	Hebrew	Israel
RT_MANIFEST	0x16634	0x380	ASCII text, with very long lines (435), with CRLF line terminators	English	United States

Imports

DLL	Import
MPR.dll	WNetOpenEnumA, WNetEnumResourceA, WNetCloseEnum
msvcrt.dll	_cexit, _XcptFilter, _exit, _c_exit, _onexit, __dllonexit, _purecall, exit, _strlwr, _itoa, strchr, strtoul, _memicmp, __setusermatherr, _initterm, __getmainargs, qsort, _acmdln, malloc, free, ??2@YAPAXI@Z, ??3@YAXPAX@Z, atof, atoi, _strnicmp, _mbsicmp, _stricmp, _strcmpi, strrchr, strncat, sprintf, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp, _except_handler3, memset, memcpy
COMCTL32.dll	CreateToolbarEx, ImageList_Create, ImageList_ReplaceIcon, ImageList_SetImageCount, ImageList_AddMasked
WS2_32.dll	gethostbyname, WSAStartup, WSACleanup, htons, WSAGetLastError, connect, WSAAsyncSelect, gethostbyaddr, closesocket, WSASetLastError
KERNEL32.dll	OpenProcess, CreateThread, ResumeThread, ReadProcessMemory, ExitProcess, CreateFileA, GetStartupInfoA, GetFileSize, GetModuleFileNameA, GetTimeFormatA, GetCurrentProcessId, SetErrorMode, DeleteFileA, GetStdHandle, EnumResourceNamesA, WritePrivateProfileStringA, GetPrivateProfileIntA, MultiByteToWideChar, GetFileAttributesA, LoadLibraryExA, GetLastError, FindNextFileA, FindFirstFileA, GetLogicalDrives, GetComputerNameA, GetDriveTypeA, WideCharToMultiByte, GetPrivateProfileStringA, Sleep, GetCurrentProcess, CompareFileTime, FileTimeToLocalFileTime, FreeLibrary, FileTimeToSystemTime, GetProcAddress, LoadLibraryA, GetModuleHandleA, FormatMessageA, GetTempFileNameA, FindClose, GetWindowsDirectoryA, ReadFile, GetDateFormatA, GetSystemDirectoryA, GetVersionExA, WriteFile, CloseHandle, GetTempPathA, GlobalAlloc, LocalFree, GlobalLock, GlobalUnlock
USER32.dll	SetTimer, PostQuitMessage, TrackPopupMenu, EndDeferWindowPos, KillTimer, GetFocus, TranslateMessage, DispatchMessageA, DestroyWindow, ModifyMenuA, CreateDialogParamA, LoadStringA, BeginDeferWindowPos, GetMessageA, IsDialogMessageA, DeferWindowPos, RegisterWindowMessageA, SetCursor, GetSysColorBrush, ChildWindowFromPoint, ShowWindow, LoadCursorA, EndDialog, GetDlgItem, CreateWindowExA, SetDlgItemInt, SendDlgItemMessageA, GetDlgItemInt, SetDlgItemTextA, GetDlgItemTextA, SetWindowTextA, RegisterClassA, UpdateWindow, GetSystemMetrics, PostMessageA, SetMenu, LoadAcceleratorsA, SetWindowPos, DefWindowProcA, TranslateAcceleratorA, MessageBoxA, GetWindowPlacement, SendMessageA, GetWindowRect, LoadImageA, LoadIconA, GetWindowLongA, SetWindowLongA, InvalidateRect, SetFocus, MapWindowPoints, GetSysColor, GetClassNameA, GetMenu, CloseClipboard, GetParent, OpenClipboard, EmptyClipboard, GetDC, GetSubMenu, EnableMenuItem, MoveWindow, ReleaseDC, CheckMenuItem, GetMenuItemCount, GetClientRect, LoadMenuA, GetMenuStringA, SetClipboardData, EnableWindow, GetCursorPos, DialogBoxParamA, GetDlgCtrlID, DestroyMenu, EnumChildWindows, GetMenuItemInfoA, GetWindowTextA
GDI32.dll	GetTextExtentPoint32A, SetBkColor, GetStockObject, GetDeviceCaps, SetTextColor, CreateFontIndirectA, SetBkMode, DeleteObject
comdlg32.dll	GetSaveFileNameA, GetOpenFileNameA, FindTextA
ADVAPI32.dll	RegUnLoadKeyA, RegConnectRegistryA, RegEnumValueA, RegDeleteValueA, RegQueryInfoKeyA, RegOpenKeyExA, RegCloseKey, RegEnumKeyExA, RegQueryValueExA, RegSetValueExA, RegDeleteKeyA, RegLoadKeyA
SHELL32.dll	ShellExecuteA, SHBrowseForFolderA, SHGetMalloc, SHGetPathFromIDListA, ShellExecuteExA
ole32.dll	CoInitialize, CoUninitialize

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Hebrew	Israel

Network Behavior

Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: ProduKey.exePID: 4460, Parent PID: 3528

General

Target ID:	0
Start time:	18:27:36
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\ProduKey.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\ProduKey.exe
Imagebase:	0x400000
File size:	96464 bytes
MD5 hash:	9260E593A0F2D798FDDC16A7B19AD808
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: ProduKey.exePID: 4460, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	16.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.1%
Total number of Nodes:	1655
Total number of Limit Nodes:	66

Executed Functions

Function 0040C73D Relevance: 49.3, APIs: 17, Strings: 11, Instructions: 292
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E0040C73D(char _a4, void* _a8, intOrPtr* _a12) {
				void* _v8;
				void _v147;
				int _v148;
				void _v283;
				char _v284;
				void _v419;
				char _v420;
				void _v683;
				char _v684;
				void _v947;
				char _v948;
				void* __ebx;
				void* __esi;
				void* _t79;
				long _t80;
				long _t83;
				long _t85;
				void* _t90;
				void* _t94;
				intOrPtr* _t107;
				intOrPtr _t125;
				int _t128;
				intOrPtr _t134;
				intOrPtr* _t139;
				void* _t145;
				intOrPtr* _t148;
				char* _t159;
				intOrPtr _t160;
				char* _t161;
				CHAR* _t167;
				char* _t170;
				char _t174;
				void* _t176;
				void* _t177;
				void* _t178;

				_t79 = _a8;
				_t178 = _t177 - 0x3b0;
				 *(_a4 + 0x1dc) = _t79;
				_t156 =  &_v8;
				_t150 = 0;
				_t80 = RegOpenKeyExA(_t79, "Microsoft\\Windows NT\\CurrentVersion", 0, 0x20019,  &_v8); // executed
				if(_t80 != 0) {
					L22:
					if(E00409B24() == 0 || RegOpenKeyExA(_a8, "Microsoft\\Windows\\CurrentVersion", _t150, 0x20019,  &_v8) != 0) {
						L29:
						_t83 = RegOpenKeyExA(_a8, "Microsoft\\Internet Explorer\\Registration", _t150, 0x20019,  &_v8); // executed
						if(_t83 != 0) {
							_t164 = _a4;
							_t167 = 0x40f469;
						} else {
							_t94 = E00407C3F(0x7e4);
							_t164 = _a4;
							_t167 = 0x40f469;
							E0040BEFD(_a4, _t94, _v8, 3, 0x40f469, 0x40f469, 1); // executed
							RegCloseKey(_v8); // executed
							_t150 = 0;
						}
						_t85 = RegOpenKeyExA(_a8, "Microsoft\\Exchange\\Setup", _t150, 0x20019,  &_v8); // executed
						_t206 = _t85;
						if(_t85 == 0) {
							_t150 = 0x899;
							E0040BEFD(_t164, E00407C3F(0x899), _v8, 5, _t167, _t167, 1);
							RegCloseKey(_v8);
						}
						_t168 = _a8;
						E0040C2B2(_t156, _t164, _a8); // executed
						E0040C61B(_t156, _t164, _a8); // executed
						E0040C6A7(_t150, _t164, _t168); // executed
						E0040BC45(_t156, _t206, _t164, _t168); // executed
						_t90 = E0040B715(_t156, _t164, _t168); // executed
						return _t90;
					} else {
						_v148 = _t150;
						memset( &_v147, _t150, 0x80);
						_t170 =  &_v148;
						E00401F0A(0x80, _t156, _t170, _v8, "ProductName");
						_pop(_t156);
						if(_v148 != _t150) {
							L28:
							E0040BEFD(_a4,  &_v148, _v8, 1, 0x40f469, 0x40f469, 1);
							RegCloseKey(_v8);
							goto L29;
						}
						_t107 = E00407C3F(0x7d0);
						_t159 = _t170;
						do {
							_t156 =  *_t107;
							_t107 = _t107 + 1;
							 *_t159 = _t156;
							_t159 = _t159 + 1;
						} while (_t156 != 0);
						_t150 = 0;
						goto L28;
					}
				}
				_v148 = 0;
				memset( &_v147, 0, 0x80);
				_v420 = 0;
				memset( &_v419, 0, 0x80);
				_v948 = 0;
				memset( &_v947, 0, 0x104);
				E00401F0A(0x80,  &_v8,  &_v148, _v8, "ProductName"); // executed
				E00401F0A(0x80,  &_v8,  &_v420, _v8, "CSDVersion"); // executed
				E00401F0A(0x104, _t156,  &_v948, _v8, "PathName"); // executed
				_t178 = _t178 + 0x3c;
				if(_v148 != 0) {
					L5:
					if(_a12 == _t150) {
						L15:
						_t174 = _a4;
						 *(_t174 + 0x1f0) = _t150;
						 *(_t174 + 0x1f4) = _t150;
						E0040BEFD(_t174,  &_v148, _v8, 1,  &_v948,  &_v420, 1); // executed
						RegCloseKey(_v8); // executed
						if( *(_t174 + 0x1f0) != _t150 ||  *(_t174 + 0x1f4) == _t150) {
							_t125 =  *0x4126f8; // 0xbc25b0
							if( *((intOrPtr*)(_t125 + 0x590)) != _t150 && RegOpenKeyExA(_a8, "Microsoft\\Windows NT\\CurrentVersion\\DefaultProductKey", _t150, 0x20019,  &_v8) == 0) {
								_t156 = _t174;
								_t128 =  *(_t174 + 0x1f0);
								if(_t128 != _t150) {
									 *((intOrPtr*)(_t128 + 0x3a4)) = 1;
								}
								E0040BEFD(_t156,  &_v148, _v8, 1,  &_v948,  &_v420, 1);
								RegCloseKey(_v8);
							}
						}
						goto L22;
					}
					_t134 =  *0x4126f8; // 0xbc25b0
					if( *((intOrPtr*)(_t134 + 0x580)) == _t150) {
						goto L15;
					}
					_v684 = _t150;
					memset( &_v683, _t150, 0x104);
					_v284 = _t150;
					memset( &_v283, _t150, 0x80);
					_t139 = _a12;
					_t178 = _t178 + 0x18;
					_t156 = _t139 + 1;
					do {
						_t160 =  *_t139;
						_t139 = _t139 + 1;
					} while (_t160 != _t150);
					if(_t139 - _t156 + 0xd >= 0x104) {
						_v684 = _t150;
					} else {
						E00409ADF( &_v684, _a12, "prodspec.ini");
						_pop(_t156);
					}
					GetPrivateProfileStringA("Product Specification", "Product", 0x40f469,  &_v284, 0x80,  &_v684); // executed
					if(_v284 != _t150) {
						_t145 = 0;
						do {
							_t156 =  *((intOrPtr*)(_t176 + _t145 - 0x118));
							 *((char*)(_t176 + _t145 - 0x90)) = _t156;
							_t145 = _t145 + 1;
						} while (_t156 != _t150);
					}
					goto L15;
				} else {
					_t148 = E00407C3F(0x7d0);
					_t161 =  &_v148;
					do {
						_t156 =  *_t148;
						_t148 = _t148 + 1;
						 *_t161 = _t156;
						_t161 = _t161 + 1;
					} while (_t156 != 0);
					_t150 = 0;
					goto L5;
				}
			}

0x0040c740
0x0040c746
0x0040c74f
0x0040c755
0x0040c75e
0x0040c767
0x0040c774
0x0040c9a0
0x0040c9a7
0x0040ca3d
0x0040ca4f
0x0040ca57
0x0040ca88
0x0040ca8b
0x0040ca59
0x0040ca5e
0x0040ca63
0x0040ca68
0x0040ca76
0x0040ca7e
0x0040ca84
0x0040ca84
0x0040caa2
0x0040caa8
0x0040caaa
0x0040caac
0x0040cac1
0x0040cac9
0x0040cac9
0x0040cacf
0x0040cad4
0x0040cadb
0x0040cae2
0x0040cae9
0x0040caf0
0x0040caf9
0x0040c9c9
0x0040c9d2
0x0040c9d8
0x0040c9ea
0x0040c9f0
0x0040c9fc
0x0040c9fd
0x0040ca17
0x0040ca2f
0x0040ca37
0x00000000
0x0040ca37
0x0040ca04
0x0040ca09
0x0040ca0b
0x0040ca0b
0x0040ca0d
0x0040ca0e
0x0040ca10
0x0040ca11
0x0040ca15
0x00000000
0x0040ca15
0x0040c9a7
0x0040c783
0x0040c789
0x0040c79a
0x0040c7a0
0x0040c7b5
0x0040c7bb
0x0040c7d3
0x0040c7e8
0x0040c800
0x0040c805
0x0040c80e
0x0040c82c
0x0040c82f
0x0040c8ec
0x0040c8ec
0x0040c90c
0x0040c912
0x0040c918
0x0040c920
0x0040c92c
0x0040c936
0x0040c941
0x0040c95f
0x0040c961
0x0040c969
0x0040c96b
0x0040c96b
0x0040c992
0x0040c99a
0x0040c99a
0x0040c941
0x00000000
0x0040c92c
0x0040c835
0x0040c840
0x00000000
0x00000000
0x0040c854
0x0040c85a
0x0040c86b
0x0040c871
0x0040c876
0x0040c879
0x0040c87c
0x0040c87f
0x0040c87f
0x0040c881
0x0040c882
0x0040c88d
0x0040c8a5
0x0040c88f
0x0040c89d
0x0040c8a2
0x0040c8a2
0x0040c8c9
0x0040c8d5
0x0040c8d7
0x0040c8d9
0x0040c8d9
0x0040c8e0
0x0040c8e7
0x0040c8e8
0x0040c8d9
0x00000000
0x0040c810
0x0040c815
0x0040c81a
0x0040c820
0x0040c820
0x0040c822
0x0040c823
0x0040c825
0x0040c826
0x0040c82a
0x00000000
0x0040c82a

APIs

RegOpenKeyExA.KERNELBASE(?,Microsoft\Windows NT\CurrentVersion,00000000,00020019,?), ref: 0040C767
memset.MSVCRT ref: 0040C789
memset.MSVCRT ref: 0040C7A0
memset.MSVCRT ref: 0040C85A
memset.MSVCRT ref: 0040C871
GetPrivateProfileStringA.KERNEL32(Product Specification,Product,0040F469,?,00000080,?), ref: 0040C8C9
RegCloseKey.KERNELBASE(?), ref: 0040C920
RegCloseKey.ADVAPI32(?), ref: 0040C99A
RegOpenKeyExA.ADVAPI32(?,Microsoft\Windows NT\CurrentVersion\DefaultProductKey,00000000,00020019,?), ref: 0040C955

Part of subcall function 00407C3F: GetModuleHandleA.KERNEL32(00000000,?,?,?,004074B9,?,00000000), ref: 00407C68
Part of subcall function 00407C3F: LoadStringA.USER32 ref: 00407CF2
Part of subcall function 00407C3F: memcpy.MSVCRT ref: 00407D31

memset.MSVCRT ref: 0040C7BB

Part of subcall function 00401F0A: RegQueryValueExA.KERNELBASE(?,d!@,00000000,?,?,000003FF,?,?,?,00402164,?,000003FF,000003FF), ref: 00401F23

RegOpenKeyExA.ADVAPI32(?,Microsoft\Windows\CurrentVersion,00000000,00020019,?), ref: 0040C9BF
memset.MSVCRT ref: 0040C9D8
RegCloseKey.ADVAPI32(?), ref: 0040CA37
RegOpenKeyExA.KERNELBASE(?,Microsoft\Internet Explorer\Registration,00000000,00020019,?), ref: 0040CA4F
RegCloseKey.KERNELBASE(?), ref: 0040CA7E
RegOpenKeyExA.KERNELBASE(?,Microsoft\Exchange\Setup,00000000,00020019,?), ref: 0040CAA2
RegCloseKey.ADVAPI32(?), ref: 0040CAC9

Strings

Product Specification, xrefs: 0040C8C4
Microsoft\Windows\CurrentVersion, xrefs: 0040C9B7
Microsoft\Internet Explorer\Registration, xrefs: 0040CA47
Product, xrefs: 0040C8BF
CSDVersion, xrefs: 0040C7D8
prodspec.ini, xrefs: 0040C892
PathName, xrefs: 0040C7ED
Microsoft\Windows NT\CurrentVersion, xrefs: 0040C761
ProductName, xrefs: 0040C7C3, 0040C9E0
Microsoft\Windows NT\CurrentVersion\DefaultProductKey, xrefs: 0040C94D
Microsoft\Exchange\Setup, xrefs: 0040CA9A

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: memset$CloseOpen$String$HandleLoadModulePrivateProfileQueryValuememcpy
String ID: CSDVersion$Microsoft\Exchange\Setup$Microsoft\Internet Explorer\Registration$Microsoft\Windows NT\CurrentVersion$Microsoft\Windows NT\CurrentVersion\DefaultProductKey$Microsoft\Windows\CurrentVersion$PathName$Product$Product Specification$ProductName$prodspec.ini
API String ID: 863424103-2459169945
Opcode ID: 2f1ae3630423fb6f94f2999e834ce3867e05bd29bf800bfc63ea9038b4619e0b
Instruction ID: 89fe104b12c181dfcffe6dd1a7b5e5f4c638de4d53f192457852ed34a3777f68
Opcode Fuzzy Hash: 2f1ae3630423fb6f94f2999e834ce3867e05bd29bf800bfc63ea9038b4619e0b
Instruction Fuzzy Hash: E0A1B271A00219FFDB21EB65DC81FEB7BACAF05304F0441BAF508B6192D7785E489B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040C06D Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 180
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E0040C06D(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t68;
				void* _t73;
				long _t76;
				int _t111;
				void* _t114;
				void* _t116;
				int _t121;
				void* _t128;
				void* _t130;
				void* _t132;
				void* _t133;

				_t114 = __ecx;
				_t128 = _t130 - 0x68;
				_t111 = 0;
				 *((char*)(_t128 - 0x30)) = 0;
				memset(_t128 - 0x2f, 0, 0x80);
				 *(_t128 + 0x5c) = 0;
				 *(_t128 + 0x60) = 0;
				E0040BB75( *((intOrPtr*)(_t128 + 0x78)), _t128 - 0x30);
				_t132 = _t130 - 0x698 + 0x10;
				 *((intOrPtr*)(_t128 + 0x54)) = 1;
				if( *((intOrPtr*)(_t128 + 0x78)) >= 0xe) {
					 *((intOrPtr*)(_t128 + 0x54)) = 4;
				}
				_t68 = RegOpenKeyExA( *(_t128 + 0x74), "ProductID", _t111, 0xf003f, _t128 + 0x5c); // executed
				if(_t68 == 0) {
					if(RegOpenKeyExA( *(_t128 + 0x74), "DigitalProductID", _t111, 0xf003f, _t128 + 0x60) == 0) {
						E0040B8BD(_t114,  *((intOrPtr*)(_t128 + 0x70)), _t128 - 0x30,  *(_t128 + 0x5c), 0x40f469,  *(_t128 + 0x60), 0x40f469, 2,  *((intOrPtr*)(_t128 + 0x7c)), 0x40f469, 0x40f469, 1);
						RegCloseKey( *(_t128 + 0x60));
					}
					RegCloseKey( *(_t128 + 0x5c));
				}
				_t121 = 0xff;
				 *(_t128 + 0x58) = _t111;
				 *(_t128 - 0x230) = _t111;
				memset(_t128 - 0x22f, _t111, 0xff);
				_t73 = E00401EC5(0xff,  *(_t128 + 0x74), _t111, _t128 - 0x230); // executed
				_t133 = _t132 + 0x18;
				while(_t73 == 0) {
					_t76 = RegOpenKeyExA( *(_t128 + 0x74), _t128 - 0x230, _t111, 0x20019, _t128 + 0x64); // executed
					if(_t76 == 0) {
						 *(_t128 - 0x130) = _t111;
						memset(_t128 - 0x12f, _t111, _t121);
						_t127 = _t128 - 0x130;
						E00401F0A(_t121, _t114, _t128 - 0x130,  *(_t128 + 0x64), "ProductName"); // executed
						_t133 = _t133 + 0x14;
						if( *(_t128 - 0x130) != _t111) {
							L12:
							E00409476(0x80, _t128 - 0x30, _t128 - 0x130);
							_t111 = 0;
							_t121 = 0xff;
						} else {
							E00401F0A(_t121, _t114, _t127,  *(_t128 + 0x64), "ConvertToEdition"); // executed
							_pop(_t116);
							if( *(_t128 - 0x130) != _t111) {
								goto L12;
							} else {
								E00401F0A(_t121, _t116, _t127,  *(_t128 + 0x64), "ProductNameNonQualified"); // executed
								if( *(_t128 - 0x130) != _t111) {
									goto L12;
								} else {
									 *(_t128 - 0x630) = _t111;
									memset(_t128 - 0x62f, _t111, 0x3ff);
									sprintf(_t128 - 0x630, "Microsoft\\Windows\\CurrentVersion\\Uninstall\\%s", _t128 - 0x230);
									E00402134(_t127,  *((intOrPtr*)( *((intOrPtr*)(_t128 + 0x70)) + 0x1dc)), _t128 - 0x630, "DisplayName", _t121); // executed
									_t133 = _t133 + 0x28;
									if( *(_t128 - 0x130) == _t111) {
										E0040BB75( *((intOrPtr*)(_t128 + 0x78)), _t128 - 0x30);
									} else {
										goto L12;
									}
								}
							}
						}
						_pop(_t114);
						E0040BEFD( *((intOrPtr*)(_t128 + 0x70)), _t128 - 0x30,  *(_t128 + 0x64), 2,  *((intOrPtr*)(_t128 + 0x7c)), 0x40f469,  *((intOrPtr*)(_t128 + 0x54))); // executed
						RegCloseKey( *(_t128 + 0x64)); // executed
					}
					 *(_t128 + 0x58) =  *(_t128 + 0x58) + 1;
					_t73 = E00401EC5(_t121,  *(_t128 + 0x74),  *(_t128 + 0x58), _t128 - 0x230); // executed
					_t133 = _t133 + 0xc;
				}
				return _t73;
			}

0x0040c06d
0x0040c06e
0x0040c07b
0x0040c087
0x0040c08a
0x0040c096
0x0040c099
0x0040c09c
0x0040c0a1
0x0040c0a8
0x0040c0af
0x0040c0b1
0x0040c0b1
0x0040c0d1
0x0040c0d5
0x0040c0e9
0x0040c108
0x0040c110
0x0040c110
0x0040c119
0x0040c119
0x0040c11f
0x0040c12d
0x0040c130
0x0040c136
0x0040c148
0x0040c14d
0x0040c2a0
0x0040c169
0x0040c171
0x0040c180
0x0040c186
0x0040c195
0x0040c19b
0x0040c1a0
0x0040c1a9
0x0040c237
0x0040c246
0x0040c24b
0x0040c24d
0x0040c1af
0x0040c1b9
0x0040c1c5
0x0040c1c6
0x00000000
0x0040c1c8
0x0040c1d2
0x0040c1df
0x00000000
0x0040c1e1
0x0040c1ee
0x0040c1f4
0x0040c20c
0x0040c227
0x0040c22c
0x0040c235
0x0040c25b
0x00000000
0x00000000
0x00000000
0x0040c235
0x0040c1df
0x0040c1c6
0x0040c260
0x0040c278
0x0040c280
0x0040c280
0x0040c286
0x0040c298
0x0040c29d
0x0040c29d
0x0040c2af

APIs

memset.MSVCRT ref: 0040C08A
RegOpenKeyExA.KERNELBASE(?,ProductID,00000000,000F003F,?,?,?), ref: 0040C0D1
RegOpenKeyExA.ADVAPI32(?,DigitalProductID,00000000,000F003F,?,?,?), ref: 0040C0E5
RegCloseKey.ADVAPI32(?,?,?), ref: 0040C110
RegCloseKey.ADVAPI32(?,?,?), ref: 0040C119
memset.MSVCRT ref: 0040C136
RegOpenKeyExA.KERNELBASE(?,?,00000000,00020019,?,?,?,?,?,?,?,?,?), ref: 0040C169
memset.MSVCRT ref: 0040C186

Part of subcall function 00401F0A: RegQueryValueExA.KERNELBASE(?,d!@,00000000,?,?,000003FF,?,?,?,00402164,?,000003FF,000003FF), ref: 00401F23

memset.MSVCRT ref: 0040C1F4
sprintf.MSVCRT ref: 0040C20C

Part of subcall function 00402134: RegCloseKey.KERNELBASE(?,000003FF), ref: 0040216E

RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040C280

Strings

ConvertToEdition, xrefs: 0040C1AF
Microsoft\Windows\CurrentVersion\Uninstall\%s, xrefs: 0040C206
ProductName, xrefs: 0040C18B
ProductID, xrefs: 0040C0C9
DigitalProductID, xrefs: 0040C0DD
ProductNameNonQualified, xrefs: 0040C1C8
DisplayName, xrefs: 0040C212

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Closememset$Open$QueryValuesprintf
String ID: ConvertToEdition$DigitalProductID$DisplayName$Microsoft\Windows\CurrentVersion\Uninstall\%s$ProductID$ProductName$ProductNameNonQualified
API String ID: 4153920573-3786628886
Opcode ID: 42d0bb4ae8faf92211928f32afe96cafbe48130fd5398bc368d234c6df37b995
Instruction ID: 17a31d91986c2938db73b06899a3cda4d2c46c2a9cde59d7237f82d5fe52a8b0
Opcode Fuzzy Hash: 42d0bb4ae8faf92211928f32afe96cafbe48130fd5398bc368d234c6df37b995
Instruction Fuzzy Hash: A151707194024CAEDF21EFA5CC81EEE3BADBB44344F04017AF904B21A2D3399E49DB65

Uniqueness

Uniqueness Score: -1.00%

Function 004062A6 Relevance: 25.6, APIs: 17, Instructions: 103
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E004062A6(void* __esi) {
				void* _v20;
				void* _v28;
				void* _v40;
				void* _t20;
				long _t28;
				long _t31;
				intOrPtr* _t34;
				long _t35;
				intOrPtr* _t38;
				void* _t42;
				int _t43;
				void* _t45;
				long* _t46;
				long* _t47;

				_t42 = __esi;
				_t34 = __imp__ImageList_SetImageCount;
				_t38 = ImageList_Create;
				if( *((intOrPtr*)(__esi + 0x1a4)) != 0) {
					_t31 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
					_t47 = __esi + 0x198;
					 *_t47 = _t31;
					 *_t34(_t31, 1);
					SendMessageA( *(__esi + 0x190), 0x1003, 1,  *_t47); // executed
				}
				if( *((intOrPtr*)(_t42 + 0x1a8)) != 0) {
					_t28 =  *_t38(0x20, 0x20, 0x19, 1, 1);
					_t46 = _t42 + 0x19c;
					 *_t46 = _t28;
					 *_t34(_t28, 1);
					SendMessageA( *(_t42 + 0x190), 0x1003, 0,  *_t46);
				}
				_t43 = 0x10;
				 *(_t42 + 0x194) = GetModuleHandleA(_t43);
				_v20 = LoadImageA(GetModuleHandleA(0), 0x85, 0, _t43, _t43, 0x1000);
				_t20 = LoadImageA(GetModuleHandleA(0), 0x86, 0, 0x10, 0x10, 0x1000);
				_t45 = _t20;
				 *_t34( *(_t42 + 0x194), 0, _t43, 0x19, 1, 1);
				_t35 = GetSysColor(0xf);
				ImageList_AddMasked( *(_t42 + 0x194), _v28, _t35);
				ImageList_AddMasked( *(_t42 + 0x194), _t45, _t35);
				DeleteObject(_v40);
				DeleteObject(_t45);
				return E0040A27B( *(_t42 + 0x190),  *(_t42 + 0x194));
			}

0x004062a6
0x004062af
0x004062b7
0x004062bd
0x004062c9
0x004062cd
0x004062d4
0x004062d7
0x004062e9
0x004062e9
0x004062f6
0x00406302
0x00406306
0x0040630d
0x00406310
0x00406322
0x00406322
0x00406330
0x0040633d
0x0040635e
0x00406375
0x0040637f
0x00406381
0x00406391
0x0040639e
0x004063a8
0x004063b4
0x004063b7
0x004063d0

APIs

ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000000,?), ref: 004062C9
ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 004062D7
SendMessageA.USER32(?,00001003,00000001,?), ref: 004062E9
ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001,00000000,?), ref: 00406302
ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00406310
SendMessageA.USER32(?,00001003,00000000,?), ref: 00406322
GetModuleHandleA.KERNEL32(00000010,00000010,00000019,00000001,00000001,00000000,?), ref: 00406333
GetModuleHandleA.KERNEL32(00000000), ref: 00406343
LoadImageA.USER32 ref: 0040635A
GetModuleHandleA.KERNEL32(00000000), ref: 00406362
LoadImageA.USER32 ref: 00406375
ImageList_SetImageCount.COMCTL32(?,00000000), ref: 00406381
GetSysColor.USER32(0000000F), ref: 00406385
ImageList_AddMasked.COMCTL32(?,00000001,00000000), ref: 0040639E
ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 004063A8
DeleteObject.GDI32(?), ref: 004063B4
DeleteObject.GDI32(00000000), ref: 004063B7

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Image$List_$CountHandleModule$CreateDeleteLoadMaskedMessageObjectSend$Color
String ID:
API String ID: 1402380124-0
Opcode ID: b0a71af7c13c1d3a9646c943d6bb8ac48b3b6636949e90c24aa39a3b535041e0
Instruction ID: ef437634802c0f8593373c4151400824c734c6e78cd70dfdfe96a1fd0efcfe5a
Opcode Fuzzy Hash: b0a71af7c13c1d3a9646c943d6bb8ac48b3b6636949e90c24aa39a3b535041e0
Instruction Fuzzy Hash: 2B317F31280348BFFA316B61DC06FC67BA9FB88B04F010839F3596A1E1C6F274549A18

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC45 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 119
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0040BC45(void* __ecx, void* __eflags, intOrPtr _a4, void* _a8) {
				void* _v8;
				void* _v12;
				int _v16;
				int _v20;
				void* _v24;
				long _v288;
				char _v1312;
				char _v2336;
				char _v4384;
				void* __esi;
				long _t45;
				void* _t48;
				long _t51;
				void* _t55;
				long _t58;
				long _t61;
				int _t77;
				void* _t79;

				_t75 = __ecx;
				E0040EAD0(0x111c, __ecx);
				_t77 = 0;
				_v8 = 0;
				_t45 = RegOpenKeyExA(_a8, "Adobe", 0, 0x20019,  &_v8); // executed
				if(_t45 == 0) {
					_push( &_v1312);
					_v16 = 0;
					_push(0);
					while(1) {
						_push(_v8);
						_t48 = E00401EC5(0x3ff); // executed
						_t79 = _t79 + 0xc;
						if(_t48 != 0) {
							break;
						}
						_a8 = _t77;
						_t51 = RegOpenKeyExA(_v8,  &_v1312, _t77, 0x20019,  &_a8); // executed
						if(_t51 != 0) {
							L11:
							_v16 = _v16 + 1;
							_push( &_v1312);
							_push(_v16);
							continue;
						}
						_push( &_v2336);
						_v20 = _t77;
						_push(_t77);
						while(1) {
							_push(_a8);
							_t55 = E00401EC5(0x3ff); // executed
							_t79 = _t79 + 0xc;
							if(_t55 != 0) {
								break;
							}
							_v12 = _t77;
							_t58 = RegOpenKeyExA(_a8,  &_v2336, _t77, 0x20019,  &_v12); // executed
							if(_t58 == 0) {
								_v24 = _t77;
								_t61 = RegOpenKeyExA(_v12, "Registration", _t77, 0x20019,  &_v24); // executed
								if(_t61 == 0) {
									_v288 = _t61;
									sprintf( &_v4384, "%s %s",  &_v1312,  &_v2336);
									_t78 =  &_v288;
									E00402134( &_v288, _v12, "Installer", "Path", 0x104);
									_t79 = _t79 + 0x20;
									E0040B6A4(_t75,  &_v288, _a4,  &_v4384, _v24, _t78);
									RegCloseKey(_v24);
									_t77 = 0;
								}
								RegCloseKey(_v12); // executed
							}
							_v20 = _v20 + 1;
							_push( &_v2336);
							_push(_v20);
						}
						RegCloseKey(_a8);
						goto L11;
					}
					return RegCloseKey(_v8);
				}
				return _t45;
			}

0x0040bc45
0x0040bc4d
0x0040bc65
0x0040bc70
0x0040bc73
0x0040bc77
0x0040bc83
0x0040bc84
0x0040bc87
0x0040bd97
0x0040bd97
0x0040bd9f
0x0040bda4
0x0040bda9
0x00000000
0x00000000
0x0040bc9d
0x0040bca0
0x0040bca4
0x0040bd8a
0x0040bd8a
0x0040bd93
0x0040bd94
0x00000000
0x0040bd94
0x0040bcb0
0x0040bcb1
0x0040bcb4
0x0040bd69
0x0040bd69
0x0040bd71
0x0040bd76
0x0040bd7b
0x00000000
0x00000000
0x0040bcca
0x0040bccd
0x0040bcd1
0x0040bce5
0x0040bce8
0x0040bcec
0x0040bcee
0x0040bd0e
0x0040bd25
0x0040bd2b
0x0040bd30
0x0040bd43
0x0040bd4b
0x0040bd51
0x0040bd51
0x0040bd56
0x0040bd56
0x0040bd5c
0x0040bd65
0x0040bd66
0x0040bd66
0x0040bd84
0x00000000
0x0040bd84
0x00000000
0x0040bdb2
0x0040bdbc

APIs

RegOpenKeyExA.KERNELBASE(?,?,00000000,00020019,?), ref: 0040BCA0
RegCloseKey.ADVAPI32(?), ref: 0040BD84
RegOpenKeyExA.KERNELBASE(?,Adobe,00000000,00020019,?), ref: 0040BC73

Part of subcall function 00401EC5: RegEnumKeyExA.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?), ref: 00401EE4

RegCloseKey.ADVAPI32(?), ref: 0040BDB2

Strings

Adobe, xrefs: 0040BC68
%s %s, xrefs: 0040BD08
Installer, xrefs: 0040BD1D
Path, xrefs: 0040BD18
Registration, xrefs: 0040BCDD

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: CloseOpen$Enum
String ID: %s %s$Adobe$Installer$Path$Registration
API String ID: 2405484398-749104014
Opcode ID: 37e36cab5502024957e1061bd9b290c5346aa24695d22ce388a156261b215221
Instruction ID: 3d9d02df14edbda81bbc41b24b47b15c7df725d8365267db9a209b612df55d88
Opcode Fuzzy Hash: 37e36cab5502024957e1061bd9b290c5346aa24695d22ce388a156261b215221
Instruction Fuzzy Hash: 1741E7B294011DBADF219B91DC41EEFBB7CEF04754F0080B2B908B2191E7359B599FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404E27 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 129
windownetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00404E27(void* __ecx, void* __edx, void* __eflags, intOrPtr _a12) {
				char _v408;
				char* _v420;
				struct HWND__* _v424;
				intOrPtr _v428;
				struct HWND__* _v824;
				char _v1088;
				char _v1140;
				struct tagMSG _v1176;
				void* __edi;
				void* __esi;
				void* _t27;
				int _t37;
				int _t39;
				int _t49;
				struct HWND__* _t52;
				int _t55;
				struct HWND__* _t57;
				int _t59;
				int _t64;
				struct HWND__* _t70;
				void* _t75;
				intOrPtr* _t76;

				_push(_t75);
				_t27 = E0040A4CC(__eflags);
				if(_t27 != 0) {
					_t70 = 0;
					__imp__CoInitialize(0); // executed
					E004018BC();
					SetErrorMode(0x8001); // executed
					_push( &_v408);
					_push(0x101); // executed
					L0040132C(); // executed
					E004087F0(__eflags);
					E004043A7( &_v1088, _t75);
					_v420 =  &_v1140;
					E004089A5(__eflags,  &_v1140, _a12);
					_t37 = E004087A8(_v428, "/savelangfile");
					__eflags = _t37;
					if(_t37 < 0) {
						E00407DA7(); // executed
						_t39 = E004087A8(_v420, "/deleteregkey");
						__eflags = _t39;
						if(_t39 < 0) {
							__eflags =  *((intOrPtr*)(_v420 + 0x30)) - 1;
							if(__eflags < 0) {
								L11:
								_t83 =  &_v1088;
								E004046C8( &_v1088);
								E0040D722( &_v1088);
								E0040D5FD( &_v1088);
								E0040D62E(_t83, 0x419);
								_t76 = GetMessageA;
								_t49 = GetMessageA( &_v1176, _t70, _t70, _t70); // executed
								__eflags = _t49;
								if(_t49 == 0) {
									L19:
									L00401332();
									__imp__CoUninitialize();
									L7:
									E00403A2B(_t49,  &_v1088);
									E004087D7( &_v1140);
									_t52 = _t70;
									L2:
									return _t52;
								}
								do {
									_t55 = E0040D5E4( &_v1088,  &(_v1176.wParam));
									__eflags = _t55;
									if(_t55 != 0) {
										goto L18;
									}
									_t57 =  *0x412794; // 0x0
									__eflags = _t57 - _t70;
									if(_t57 == _t70) {
										L16:
										_t59 = IsDialogMessageA(_v824,  &(_v1176.wParam)); // executed
										__eflags = _t59;
										if(_t59 == 0) {
											TranslateMessage( &(_v1176.wParam));
											DispatchMessageA( &(_v1176.wParam)); // executed
										}
										goto L18;
									}
									_t64 = IsDialogMessageA(_t57,  &(_v1176.wParam));
									__eflags = _t64;
									if(_t64 != 0) {
										goto L18;
									}
									goto L16;
									L18:
									_t49 =  *_t76( &(_v1176.wParam), _t70, _t70, _t70); // executed
									__eflags = _t49;
								} while (_t49 != 0);
								goto L19;
							}
							_t49 = E00404B92( &_v1088, __eflags);
							__eflags = _t49;
							if(_t49 == 0) {
								goto L11;
							}
							_t70 = _v424;
							goto L7;
						}
						_t49 = E0040385F();
						goto L7;
					}
					 *0x412a70 = 0x412160;
					E00403A2B(E0040820F(),  &_v1088);
					E004087D7( &_v1140);
					_t52 = 0;
					goto L2;
				}
				_t52 = _t27 + 1;
				goto L2;
			}

0x00404e35
0x00404e36
0x00404e3d
0x00404e49
0x00404e4c
0x00404e52
0x00404e5c
0x00404e69
0x00404e6a
0x00404e6f
0x00404e78
0x00404e81
0x00404e8e
0x00404e95
0x00404ea6
0x00404eab
0x00404ead
0x00404ed7
0x00404ee8
0x00404eed
0x00404eef
0x00404f16
0x00404f1a
0x00404f32
0x00404f32
0x00404f36
0x00404f3d
0x00404f45
0x00404f51
0x00404f56
0x00404f64
0x00404f66
0x00404f68
0x00404fcd
0x00404fcd
0x00404fd2
0x00404ef6
0x00404efa
0x00404f03
0x00404f08
0x00404e40
0x00404e46
0x00404e46
0x00404f70
0x00404f79
0x00404f7e
0x00404f80
0x00000000
0x00000000
0x00404f82
0x00404f87
0x00404f89
0x00404f97
0x00404fa3
0x00404fa5
0x00404fa7
0x00404fae
0x00404fb9
0x00404fb9
0x00000000
0x00404fa7
0x00404f91
0x00404f93
0x00404f95
0x00000000
0x00000000
0x00000000
0x00404fbf
0x00404fc7
0x00404fc9
0x00404fc9
0x00000000
0x00404f70
0x00404f20
0x00404f25
0x00404f27
0x00000000
0x00000000
0x00404f29
0x00000000
0x00404f29
0x00404ef1
0x00000000
0x00404ef1
0x00404eaf
0x00404ec2
0x00404ecb
0x00404ed0
0x00000000
0x00404ed0
0x00404e3f
0x00000000

APIs

Part of subcall function 0040A4CC: MessageBoxA.USER32 ref: 0040A4FA

CoInitialize.OLE32(00000000), ref: 00404E4C
SetErrorMode.KERNELBASE(00008001,?,00000000), ref: 00404E5C
WSAStartup.WS2_32(00000101,?), ref: 00404E6F

Part of subcall function 00407DA7: memset.MSVCRT ref: 00407DC5

KiUserCallbackDispatcher.NTDLL ref: 00404F64
IsDialogMessageA.USER32(00000000,?,?,?,00000000), ref: 00404F91
IsDialogMessageA.USER32(?,?,?,?,00000000), ref: 00404FA3
TranslateMessage.USER32(?), ref: 00404FAE
DispatchMessageA.USER32 ref: 00404FB9
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000,?,00000000), ref: 00404FC7
WSACleanup.WS2_32 ref: 00404FCD
CoUninitialize.OLE32(?,00000000), ref: 00404FD2

Strings

/savelangfile, xrefs: 00404EA1
/deleteregkey, xrefs: 00404EE3

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Message$CallbackDialogDispatcherUser$CleanupDispatchErrorInitializeModeStartupTranslateUninitializememset
String ID: /deleteregkey$/savelangfile
API String ID: 4040013963-4127792980
Opcode ID: caa6eafc7bc68cfecc9a263428d1dd10884d39a2a9968c1ab802fbdca453c81d
Instruction ID: fff23fc833980d83a4cc391ec65c513dde3e2fbeff2dcd1e083f360bedff1e51
Opcode Fuzzy Hash: caa6eafc7bc68cfecc9a263428d1dd10884d39a2a9968c1ab802fbdca453c81d
Instruction Fuzzy Hash: 6D4151B150434A9BD710FBA2DD4596B73ACAF84348F40483FB680F7192DB78DD0987AA

Uniqueness

Uniqueness Score: -1.00%

Function 004047B6 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 229
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E004047B6(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __esi;
				struct HWND__* _t99;
				void* _t103;
				struct HWND__* _t105;
				intOrPtr _t112;
				intOrPtr* _t119;
				void* _t133;
				void* _t134;
				void* _t144;
				intOrPtr _t147;
				void* _t151;
				void* _t152;
				char* _t162;
				void* _t164;
				void* _t165;
				void* _t167;
				void* _t169;
				char* _t171;
				void* _t173;
				void* _t176;

				_t176 = __eflags;
				_t171 = _t173 - 0x78;
				 *((char*)(_t171 - 0x27)) = 1;
				_t134 = __ecx;
				 *(_t171 - 0x30) = 0;
				 *((intOrPtr*)(_t171 - 0x2c)) = 0;
				 *((char*)(_t171 - 0x28)) = 0;
				 *((char*)(_t171 - 0x26)) = 0;
				 *((char*)(_t171 - 0x25)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t171 - 0x1c)) = 6;
				 *((intOrPtr*)(_t171 - 0x18)) = 0x9c5b;
				 *((char*)(_t171 - 0x14)) = 4;
				 *((char*)(_t171 - 0x13)) = 0;
				 *((char*)(_t171 - 0x12)) = 0;
				 *((char*)(_t171 - 0x11)) = 0;
				asm("stosd");
				asm("stosd");
				 *(_t171 - 8) = 1;
				 *((intOrPtr*)(_t171 - 4)) = 0x9c41;
				 *_t171 = 4;
				 *((char*)(_t171 + 1)) = 0;
				 *((char*)(_t171 + 2)) = 0;
				 *((char*)(_t171 + 3)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t171 + 0xc)) = 5;
				 *((intOrPtr*)(_t171 + 0x10)) = 0x9c44;
				 *((char*)(_t171 + 0x14)) = 4;
				 *((char*)(_t171 + 0x15)) = 0;
				 *((char*)(_t171 + 0x16)) = 0;
				 *((char*)(_t171 + 0x17)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t171 + 0x20)) = 2;
				 *((intOrPtr*)(_t171 + 0x24)) = 0x9c48;
				 *((char*)(_t171 + 0x28)) = 4;
				 *((char*)(_t171 + 0x29)) = 0;
				 *((char*)(_t171 + 0x2a)) = 0;
				 *((char*)(_t171 + 0x2b)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t171 + 0x34)) = 3;
				 *((intOrPtr*)(_t171 + 0x38)) = 0x9c49;
				 *((char*)(_t171 + 0x3c)) = 4;
				 *((char*)(_t171 + 0x3d)) = 0;
				 *((char*)(_t171 + 0x3e)) = 0;
				 *((char*)(_t171 + 0x3f)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t171 + 0x48)) = 0;
				 *((intOrPtr*)(_t171 + 0x4c)) = 0x9c4e;
				 *((char*)(_t171 + 0x50)) = 4;
				 *((char*)(_t171 + 0x51)) = 0;
				 *((char*)(_t171 + 0x52)) = 0;
				 *((char*)(_t171 + 0x53)) = 0;
				asm("stosd");
				asm("stosd");
				 *((intOrPtr*)(_t171 + 0x5c)) = 4;
				 *((intOrPtr*)(_t171 + 0x60)) = 0x9c42;
				 *((char*)(_t171 + 0x64)) = 4;
				 *((char*)(_t171 + 0x65)) = 0;
				 *((char*)(_t171 + 0x66)) = 0;
				 *((char*)(_t171 + 0x67)) = 0;
				 *(_t171 + 0x70) =  *(_t171 + 0x70) | 0xffffffff;
				asm("stosd");
				_t165 = 0x66;
				asm("stosd");
				 *((intOrPtr*)(__ecx + 0x11c)) = E00408047(0, _t165);
				_t99 = E0040D65F(__ecx);
				__imp__#6(0x50000000, 0x40f469,  *((intOrPtr*)(__ecx + 0x108)), 0x101, _t152, _t164, _t133); // executed
				 *(__ecx + 0x114) = _t99;
				SendMessageA(_t99, 0x404, 1, _t171 + 0x70);
				_t103 = CreateToolbarEx( *(_t134 + 0x108), 0x50010900, 0x102, 7, 0, E00409923(), _t171 - 0x30, 8, 0x10, 0x10, 0x70, 0x10, 0x14); // executed
				 *(_t134 + 0x118) = _t103;
				_t105 = CreateWindowExA(0, "SysListView32", 0, 0x50810809, 0, 0, 0x190, 0xc8,  *(_t134 + 0x108), 0x103, GetModuleHandleA(0), 0); // executed
				E0040C510( *((intOrPtr*)(_t134 + 0x290)), _t176, _t105, 1);
				E00406827( *((intOrPtr*)(_t134 + 0x290)));
				E0040B452( *((intOrPtr*)(_t134 + 0x290)));
				_t167 = 0x68;
				 *((intOrPtr*)( *((intOrPtr*)(_t134 + 0x290)) + 0x878)) =  *((intOrPtr*)(_t134 + 0x114));
				 *((intOrPtr*)(_t134 + 0x170)) = E00408047( *((intOrPtr*)(_t134 + 0x114)), _t167);
				_t112 =  *((intOrPtr*)(_t134 + 0x29c));
				if( *((intOrPtr*)(_t112 + 0x30)) <= 0) {
					_t144 = 0x40f469;
				} else {
					if( *((intOrPtr*)(_t112 + 0x1c)) <= 0) {
						_t144 = 0;
					} else {
						_t144 =  *((intOrPtr*)( *((intOrPtr*)(_t112 + 0xc)))) +  *((intOrPtr*)(_t112 + 0x10));
					}
				}
				_push("/noloadsettings");
				_push(_t144);
				L0040107A();
				if(_t112 == 0) {
					E0040385F();
				}
				if(E004087A8( *((intOrPtr*)(_t134 + 0x29c)), "/nosavereg") >= 0) {
					 *(_t134 + 0x17c) = 1;
				}
				E00403DEE(_t134, 0); // executed
				_t169 = _t134;
				E00403CEC(_t169);
				 *((intOrPtr*)( *((intOrPtr*)(_t169 + 0x28c)))) = 1;
				E004054FF( *((intOrPtr*)(_t169 + 0x290)));
				_t162 = _t169 + 0x180;
				_t119 = E00409D54();
				 *((intOrPtr*)(_t171 + 0x74)) = _t119;
				_t85 = _t119 + 1; // 0x1
				_t151 = _t85;
				do {
					_t147 =  *_t119;
					_t119 = _t119 + 1;
				} while (_t147 != 0);
				if(_t119 - _t151 + 0xc >= 0x104) {
					 *_t162 = 0;
				} else {
					E00409ADF(_t162,  *((intOrPtr*)(_t171 + 0x74)), "report.html");
					_pop(_t147);
				}
				E00405688( *((intOrPtr*)(_t169 + 0x290)), 0x30, 1);
				E00403A4F(_t169);
				 *((intOrPtr*)(_t169 + 0x294)) = RegisterWindowMessageA("commdlg_FindReplace");
				E004040C5(0, _t147, _t169);
				return E00403870(_t169);
			}

0x004047b6
0x004047b7
0x004047c1
0x004047ca
0x004047ce
0x004047d1
0x004047d4
0x004047d7
0x004047da
0x004047e0
0x004047e1
0x004047e2
0x004047e9
0x004047f0
0x004047f4
0x004047f7
0x004047fa
0x00404802
0x00404803
0x00404804
0x0040480b
0x00404812
0x00404816
0x00404819
0x0040481c
0x00404824
0x00404825
0x00404826
0x0040482d
0x00404834
0x00404838
0x0040483b
0x0040483e
0x00404846
0x00404847
0x00404848
0x0040484f
0x00404856
0x0040485a
0x0040485d
0x00404860
0x00404868
0x00404869
0x0040486a
0x00404871
0x00404878
0x0040487c
0x0040487f
0x00404882
0x0040488a
0x0040488b
0x0040488c
0x0040488f
0x00404896
0x0040489a
0x0040489d
0x004048a0
0x004048a8
0x004048a9
0x004048aa
0x004048b1
0x004048b8
0x004048bc
0x004048bf
0x004048c2
0x004048c5
0x004048ce
0x004048d1
0x004048d2
0x004048d8
0x004048e0
0x004048fa
0x0040490c
0x00404912
0x00404943
0x0040494a
0x0040497b
0x0040498a
0x00404995
0x004049a0
0x004049b3
0x004049b4
0x004049bf
0x004049c5
0x004049ce
0x004049e3
0x004049d0
0x004049d3
0x004049df
0x004049d5
0x004049da
0x004049da
0x004049d3
0x004049e8
0x004049ed
0x004049ee
0x004049f7
0x004049f9
0x004049f9
0x00404a10
0x00404a12
0x00404a12
0x00404a1d
0x00404a22
0x00404a24
0x00404a32
0x00404a3a
0x00404a3f
0x00404a45
0x00404a4a
0x00404a4d
0x00404a4d
0x00404a50
0x00404a50
0x00404a52
0x00404a53
0x00404a61
0x00404a75
0x00404a63
0x00404a6d
0x00404a72
0x00404a72
0x00404a81
0x00404a88
0x00404a9a
0x00404aa0
0x00404ab3

APIs

Part of subcall function 00408047: LoadMenuA.USER32 ref: 0040804F

Part of subcall function 0040D65F: KiUserCallbackDispatcher.NTDLL(?,?,004048E5), ref: 0040D66B

#6.COMCTL32(50000000,0040F469,?,00000101), ref: 004048FA
SendMessageA.USER32(00000000,00000404,00000001,?), ref: 00404912

Part of subcall function 00409923: GetModuleHandleA.KERNEL32(00000000,0040492D,?,00000008,00000010,00000010,00000070,00000010,00000014), ref: 00409925
Part of subcall function 00409923: LoadImageA.USER32 ref: 00409939

CreateToolbarEx.COMCTL32(?,50010900,00000102,00000007,00000000,00000000,?,00000008,00000010,00000010,00000070,00000010,00000014), ref: 00404943
GetModuleHandleA.KERNEL32(00000000), ref: 00404950
CreateWindowExA.USER32 ref: 0040497B

Part of subcall function 0040B452: GetModuleHandleA.KERNEL32(00000000,?,004049A5,00000000,00000001), ref: 0040B45C
Part of subcall function 0040B452: LoadIconA.USER32(00000000,00000066), ref: 0040B465
Part of subcall function 0040B452: ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 0040B474

_stricmp.MSVCRT(0040F469,/noloadsettings,00000000,00000001), ref: 004049EE
RegisterWindowMessageA.USER32(commdlg_FindReplace,00000030,00000001,00000000,/nosavereg,00000000,00000001), ref: 00404A92

Strings

/noloadsettings, xrefs: 004049E8
SysListView32, xrefs: 00404975
/nosavereg, xrefs: 00404A04
commdlg_FindReplace, xrefs: 00404A8D
report.html, xrefs: 00404A66

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: HandleLoadModule$CreateIconImageMessageWindow$CallbackDispatcherList_MenuRegisterReplaceSendToolbarUser_stricmp
String ID: /noloadsettings$/nosavereg$SysListView32$commdlg_FindReplace$report.html
API String ID: 3242087448-1039663613
Opcode ID: c6e68bdaabeb019ec5d0643ccfab1f25574304fe8519e35c04f5005505400366
Instruction ID: 0e8a5125ad51f1b816e76ce34d49f9e35a9deb2930445265d707596dacd4574b
Opcode Fuzzy Hash: c6e68bdaabeb019ec5d0643ccfab1f25574304fe8519e35c04f5005505400366
Instruction Fuzzy Hash: 5091C171604388EFEB11DF78C885BDA3FA1AF55304F04447DFA44AB292C7B99948CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004010E0 Relevance: 18.1, APIs: 12, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			_entry_(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t33;
				intOrPtr* _t35;
				intOrPtr* _t36;
				void* _t39;
				void _t41;
				intOrPtr _t48;
				signed int _t50;
				int _t52;
				intOrPtr _t55;
				signed int _t56;
				signed int _t57;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr* _t65;
				void* _t66;
				intOrPtr* _t70;
				int _t71;
				void* _t72;
				intOrPtr _t80;

				_t66 = __edx;
				_push(0x70);
				_push(0x40f3f0);
				E004012D0(__ebx, __edi, __esi);
				_t33 = GetModuleHandleA(0);
				if(_t33->i != 0x5a4d) {
					L4:
					 *(_t72 - 0x1c) = 0;
				} else {
					_t65 =  *((intOrPtr*)(_t33 + 0x3c)) + _t33;
					if( *_t65 != 0x4550) {
						goto L4;
					} else {
						_t56 =  *(_t65 + 0x18) & 0x0000ffff;
						if(_t56 == 0x10b) {
							__eflags =  *((intOrPtr*)(_t65 + 0x74)) - 0xe;
							if( *((intOrPtr*)(_t65 + 0x74)) <= 0xe) {
								goto L4;
							} else {
								_t57 = 0;
								__eflags =  *(_t65 + 0xe8);
								goto L9;
							}
						} else {
							if(_t56 == 0x20b) {
								__eflags =  *((intOrPtr*)(_t65 + 0x84)) - 0xe;
								if( *((intOrPtr*)(_t65 + 0x84)) <= 0xe) {
									goto L4;
								} else {
									_t57 = 0;
									__eflags =  *(_t65 + 0xf8);
									L9:
									_t9 = __eflags != 0;
									__eflags = _t9;
									 *(_t72 - 0x1c) = _t57 & 0xffffff00 | _t9;
								}
							} else {
								goto L4;
							}
						}
					}
				}
				 *(_t72 - 4) = 0;
				__set_app_type(2);
				 *0x412ebc =  *0x412ebc | 0xffffffff;
				 *0x412ec0 =  *0x412ec0 | 0xffffffff;
				_t35 = __p__fmode();
				_t62 =  *0x41217c; // 0x0
				 *_t35 = _t62;
				_t36 = __p__commode();
				_t63 =  *0x412178; // 0x0
				 *_t36 = _t63;
				 *0x412eb8 =  *_adjust_fdiv;
				_t39 = E004012CA();
				_t80 =  *0x412000; // 0x1
				if(_t80 == 0) {
					__setusermatherr(E004012CA);
					_pop(_t63);
				}
				E004012B8(_t39);
				_push(0x40f3c8);
				_push(0x40f3c4);
				L004012B2();
				_t41 =  *0x412174; // 0x0
				 *(_t72 - 0x20) = _t41;
				 *(_t72 - 0x30) = __getmainargs(_t72 - 0x2c, _t72 - 0x28, _t72 - 0x24,  *0x412170, _t72 - 0x20);
				_push(0x40f3c0);
				_push(0x40f394); // executed
				L004012B2(); // executed
				_t70 =  *_acmdln;
				 *((intOrPtr*)(_t72 - 0x34)) = _t70;
				if( *_t70 != 0x22) {
					while(1) {
						__eflags =  *_t70 - 0x20;
						if(__eflags <= 0) {
							goto L17;
						}
						_t70 = _t70 + 1;
						 *((intOrPtr*)(_t72 - 0x34)) = _t70;
					}
				} else {
					do {
						_t70 = _t70 + 1;
						 *((intOrPtr*)(_t72 - 0x34)) = _t70;
						_t55 =  *_t70;
					} while (_t55 != 0 && _t55 != 0x22);
					if( *_t70 == 0x22) {
						L16:
						_t70 = _t70 + 1;
						 *((intOrPtr*)(_t72 - 0x34)) = _t70;
					}
				}
				L17:
				_t48 =  *_t70;
				if(_t48 != 0 && _t48 <= 0x20) {
					goto L16;
				}
				 *(_t72 - 0x4c) = 0;
				GetStartupInfoA(_t72 - 0x78);
				_t88 =  *(_t72 - 0x4c) & 0x00000001;
				if(( *(_t72 - 0x4c) & 0x00000001) == 0) {
					_t50 = 0xa;
				} else {
					_t50 =  *(_t72 - 0x48) & 0x0000ffff;
				}
				_t52 = E00404E27(_t63, _t66, _t88, GetModuleHandleA(0), 0, _t70, _t50); // executed
				_t71 = _t52;
				 *(_t72 - 0x7c) = _t71;
				if( *(_t72 - 0x1c) == 0) {
					exit(_t71);
				}
				__imp___cexit();
				 *(_t72 - 4) =  *(_t72 - 4) | 0xffffffff;
				return E00401309(_t71);
			}

0x004010e0
0x004010e0
0x004010e2
0x004010e7
0x004010f5
0x004010fc
0x0040111d
0x0040111d
0x004010fe
0x00401101
0x00401109
0x00000000
0x0040110b
0x0040110b
0x00401114
0x00401135
0x00401139
0x00000000
0x0040113b
0x0040113b
0x0040113d
0x00000000
0x0040113d
0x00401116
0x0040111b
0x00401122
0x00401129
0x00000000
0x0040112b
0x0040112b
0x0040112d
0x00401143
0x00401143
0x00401143
0x00401146
0x00401146
0x00000000
0x00000000
0x00000000
0x0040111b
0x00401114
0x00401109
0x00401149
0x0040114e
0x00401155
0x0040115c
0x00401163
0x00401169
0x0040116f
0x00401171
0x00401177
0x0040117d
0x00401186
0x0040118b
0x00401190
0x00401196
0x0040119d
0x004011a3
0x004011a3
0x004011a4
0x004011a9
0x004011ae
0x004011b3
0x004011b8
0x004011bd
0x004011dc
0x004011df
0x004011e4
0x004011e9
0x004011f6
0x004011f8
0x004011fe
0x0040123a
0x0040123a
0x0040123d
0x00000000
0x00000000
0x0040123f
0x00401240
0x00401240
0x00401200
0x00401200
0x00401200
0x00401201
0x00401204
0x00401206
0x00401211
0x00401213
0x00401213
0x00401214
0x00401214
0x00401211
0x00401217
0x00401217
0x0040121b
0x00000000
0x00000000
0x00401221
0x00401228
0x0040122e
0x00401232
0x00401247
0x00401234
0x00401234
0x00401234
0x0040124f
0x00401254
0x00401256
0x0040125c
0x0040125f
0x0040125f
0x00401265
0x0040129a
0x004012a5

APIs

GetModuleHandleA.KERNEL32(00000000,0040F3F0,00000070), ref: 004010F5
__set_app_type.MSVCRT ref: 0040114E
__p__fmode.MSVCRT ref: 00401163
__p__commode.MSVCRT ref: 00401171
__setusermatherr.MSVCRT ref: 0040119D
_initterm.MSVCRT ref: 004011B3
__getmainargs.MSVCRT ref: 004011D6
_initterm.MSVCRT ref: 004011E9
GetStartupInfoA.KERNEL32(?), ref: 00401228
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040124C
exit.MSVCRT ref: 0040125F
_cexit.MSVCRT ref: 00401265

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
String ID:
API String ID: 3662548030-0
Opcode ID: f33d7c5d1d16797c1bae12c4f7a21bf94294873571fa73cb12498cd8bb01800b
Instruction ID: 3526d41b544f5bcebf3a1e734330deeb32a70226eb28397dfd7ddac2b227193d
Opcode Fuzzy Hash: f33d7c5d1d16797c1bae12c4f7a21bf94294873571fa73cb12498cd8bb01800b
Instruction Fuzzy Hash: 1A416C70C40204DFCB24DFA4D988AA97BB4BB09325F24417FE961F76E1D3784886CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040BDBF Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040BDBF(void* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				void* _v8;
				int _v12;
				void _v267;
				char _v268;
				void _v531;
				char _v532;
				void _v787;
				char _v788;
				void* __esi;
				long _t44;
				void* _t54;
				void* _t65;
				void* _t72;
				void* _t73;
				void* _t75;

				_t65 = __ecx;
				_v8 = 0;
				_v788 = 0;
				memset( &_v787, 0, 0xff);
				sprintf( &_v788, "%s\\Registration", _a12);
				_t73 = _t72 + 0x18;
				_t44 = RegOpenKeyExA(_a8,  &_v788, 0, 0x20019,  &_v8); // executed
				if(_t44 == 0) {
					_v532 = 0;
					memset( &_v531, 0, 0x104);
					E00402134( &_v532, _a8, _a12, "InstallDir", 0x104);
					E0040B753(_t65, _a4, _v8, _a12,  &_v532);
					_v12 = 0;
					_v268 = 0;
					memset( &_v267, 0, 0xff);
					_t54 = E00401EC5(0xff, _v8, 0,  &_v268);
					_t75 = _t73 + 0x34;
					while(_t54 == 0) {
						_a8 = 0;
						if(RegOpenKeyExA(_v8,  &_v268, 0, 0x20019,  &_a8) == 0) {
							E0040B753(_t65, _a4, _a8, _a12,  &_v532);
							RegCloseKey(_a8);
						}
						_v12 = _v12 + 1;
						_t54 = E00401EC5(0xff, _v8, _v12,  &_v268);
						_t75 = _t75 + 0xc;
					}
					return RegCloseKey(_v8);
				}
				return _t44;
			}

0x0040bdbf
0x0040bdda
0x0040bddd
0x0040bde3
0x0040bdf7
0x0040bdfc
0x0040be13
0x0040be1b
0x0040be2e
0x0040be34
0x0040be4b
0x0040be5f
0x0040be6d
0x0040be70
0x0040be76
0x0040be88
0x0040be93
0x0040beed
0x0040beac
0x0040beb7
0x0040bec9
0x0040bed1
0x0040bed1
0x0040bed3
0x0040bee5
0x0040beea
0x0040beea
0x00000000
0x0040bef6
0x0040befa

APIs

memset.MSVCRT ref: 0040BDE3
sprintf.MSVCRT ref: 0040BDF7
RegOpenKeyExA.KERNELBASE(?,?,00000000,00020019,?), ref: 0040BE13
memset.MSVCRT ref: 0040BE34

Part of subcall function 00402134: RegCloseKey.KERNELBASE(?,000003FF), ref: 0040216E

Part of subcall function 0040B753: memset.MSVCRT ref: 0040B773

memset.MSVCRT ref: 0040BE76

Part of subcall function 00401EC5: RegEnumKeyExA.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?), ref: 00401EE4

RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040BEAF
RegCloseKey.ADVAPI32(?), ref: 0040BED1
RegCloseKey.ADVAPI32(?), ref: 0040BEF4

Strings

InstallDir, xrefs: 0040BE3A
%s\Registration, xrefs: 0040BDF1

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: memset$Close$Open$Enumsprintf
String ID: %s\Registration$InstallDir
API String ID: 592545096-1170865778
Opcode ID: 7831669a2025019af229ad70793520924726913a11168384c264a7c77efd1c1f
Instruction ID: ce1667ac2714ca1ebab7d24492391edfcef0557958508a8d9178513886d9adbd
Opcode Fuzzy Hash: 7831669a2025019af229ad70793520924726913a11168384c264a7c77efd1c1f
Instruction Fuzzy Hash: 0231387690011CBBCF219F95DC81EEEBB7CEB48304F0444B6BA18A2162D7759F949BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040C53D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 68
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E0040C53D(void* __ebx, void* __esi, intOrPtr _a4, void* _a8, char* _a12) {
				void* _v8;
				intOrPtr _v12;
				void _v311;
				char _v312;
				void _v575;
				char _v576;
				long _t21;
				void* _t40;

				_t21 = atof(_a12);
				asm("fistp qword [ebp-0x8]");
				_t41 = _v12;
				_pop(_t40);
				if(_v12 > 8) {
					_v312 = 0;
					memset( &_v311, 0, 0x12b);
					_v576 = 0;
					memset( &_v575, 0, 0x104);
					sprintf( &_v312, "%s\\Common\\InstallRoot", _a12);
					E00402134( &_v576, _a8,  &_v312, "Path", 0x104); // executed
					sprintf( &_v312, "%s\\Registration", _a12);
					_t21 = RegOpenKeyExA(_a8,  &_v312, 0, 0x20019,  &_v8); // executed
					if(_t21 == 0) {
						E0040C06D(_t40, _a4, _v8, _t41,  &_v576);
						return RegCloseKey(_v8);
					}
				}
				return _t21;
			}

0x0040c54a
0x0040c54f
0x0040c552
0x0040c558
0x0040c559
0x0040c570
0x0040c576
0x0040c589
0x0040c58f
0x0040c5a3
0x0040c5be
0x0040c5d2
0x0040c5ee
0x0040c5f8
0x0040c608
0x00000000
0x0040c610
0x0040c5f8
0x0040c618

APIs

atof.MSVCRT ref: 0040C54A
memset.MSVCRT ref: 0040C576
memset.MSVCRT ref: 0040C58F
sprintf.MSVCRT ref: 0040C5A3

Part of subcall function 00402134: RegCloseKey.KERNELBASE(?,000003FF), ref: 0040216E

sprintf.MSVCRT ref: 0040C5D2
RegOpenKeyExA.KERNELBASE(?,?,00000000,00020019,?), ref: 0040C5EE

Part of subcall function 0040C06D: memset.MSVCRT ref: 0040C08A
Part of subcall function 0040C06D: RegOpenKeyExA.KERNELBASE(?,ProductID,00000000,000F003F,?,?,?), ref: 0040C0D1
Part of subcall function 0040C06D: RegOpenKeyExA.ADVAPI32(?,DigitalProductID,00000000,000F003F,?,?,?), ref: 0040C0E5
Part of subcall function 0040C06D: RegCloseKey.ADVAPI32(?,?,?), ref: 0040C110
Part of subcall function 0040C06D: RegCloseKey.ADVAPI32(?,?,?), ref: 0040C119
Part of subcall function 0040C06D: memset.MSVCRT ref: 0040C136

RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 0040C610

Strings

%s\Common\InstallRoot, xrefs: 0040C59D
Path, xrefs: 0040C5A9
%s\Registration, xrefs: 0040C5CC

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Closememset$Open$sprintf$atof
String ID: %s\Common\InstallRoot$%s\Registration$Path
API String ID: 2435959710-693043179
Opcode ID: 1133dbba29eed74e74e862956469d8ddbc79ef93eb13eb2e4e46bdbc54963eb8
Instruction ID: ed5f932e63c39f812747897d316acb67fb9b024130e5cc55aad5ef4b0aebc27f
Opcode Fuzzy Hash: 1133dbba29eed74e74e862956469d8ddbc79ef93eb13eb2e4e46bdbc54963eb8
Instruction Fuzzy Hash: 16210B7290115CBADF20AF91DD85EDE7B7DEB44348F1004B6B904B20A1D339AF58DB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040B074 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0040B074(void* __eflags, intOrPtr _a4, intOrPtr _a8, char* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr* _a36, intOrPtr _a40) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v159;
				char _v420;
				char _v549;
				char _v678;
				char _v807;
				char _v936;
				char _v948;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t63;
				intOrPtr _t68;
				intOrPtr _t71;
				void* _t74;
				char* _t75;
				char* _t76;
				void* _t94;
				void* _t97;
				void* _t100;
				int _t116;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t122;
				intOrPtr _t126;
				void* _t127;

				_v8 = _v8 & 0x00000000;
				E0040A80B( &_v948);
				E00409476(0x80,  &_v936, _a8);
				E00409476(0x104,  &_v420, _a28);
				E00409476(0x80,  &_v159, _a32);
				_t63 = _a36;
				if(_t63 != 0) {
					_v28 =  *_t63;
					_v24 =  *((intOrPtr*)(_t63 + 4));
				}
				if(_a40 != 4) {
					if(_a20 != 0x10) {
						if(_a20 < 0x44) {
							L12:
							if( *_a12 == 0) {
								L14:
								_v12 = _a24;
								_t68 = E00409476(0x80,  &_v549, _a4 + 0x768);
								_t126 = _a4;
								_t116 = 0;
								_pop(_t100);
								if( *((intOrPtr*)(_t126 + 0x2c)) <= 0) {
									L21:
									if(_v8 == 0) {
										L24:
										return _t68;
									}
									_t71 = E00405DE7(_t126, _t100,  &_v948); // executed
									_t117 = _t71;
									_t56 = _t117 + 0x10e; // 0x10e
									_t68 = _t56;
									_push("BBBBB-BBBBB-BBBBB-BBBBB-BBBBB");
									_push(_t68);
									 *((intOrPtr*)(_t126 + 0x1f4)) = _t117;
									L00401086();
									if(_t68 != 0) {
										goto L24;
									}
									 *((intOrPtr*)(_t126 + 0x1f0)) = _t117;
									return _t68;
								} else {
									goto L15;
								}
								do {
									L15:
									_t127 = E00405532(_t126, _t116);
									_push( &_v549);
									_t44 = _t127 + 0x18f; // 0x18f
									_t74 = _t44;
									L0040107A();
									_t100 = _t74;
									if(_t74 == 0) {
										_t75 =  &_v678;
										_push(_t75);
										_t46 = _t127 + 0x10e; // 0x10e
										_t94 = _t46;
										L0040107A();
										_t100 = _t94;
										if(_t75 == 0) {
											_t76 =  &_v678;
											_push(_t76);
											L0040107A();
											_t100 = _t94;
											if(_t76 == 0 &&  *((intOrPtr*)(_t127 + 0x3a8)) == _v12) {
												_v8 = _v8 & 0x00000000;
											}
										}
									}
									_t68 = _a4;
									_t116 = _t116 + 1;
									_t126 = _t68;
								} while (_t116 <  *((intOrPtr*)(_t68 + 0x2c)));
								goto L21;
							}
							L13:
							_v8 = 1;
							E00409476(0x80,  &_v807, _a12);
							goto L14;
						}
						_t119 = _a16;
						_v8 = 1;
						E0040A877( &_v678, _t119 + 0x34);
						if( *_a12 != 0) {
							goto L13;
						}
						_push(_t119 + 8);
						_t97 = 0x20;
						E00409476(_t97,  &_v807);
						L11:
						goto L12;
					}
					_v8 = 1;
					E0040A877( &_v678, _a16);
					goto L11;
				}
				if(_a20 < 0x338) {
					goto L12;
				}
				_t122 = _a16;
				_v8 = 1;
				E0040A877( &_v678, _t122 + 0x328);
				if( *_a12 != 0) {
					goto L13;
				}
				WideCharToMultiByte(0, 0, _t122 + 8, 0xffffffff,  &_v807, 0x20, 0, 0);
				goto L12;
			}

0x0040b07d
0x0040b08a
0x0040b09f
0x0040b0b2
0x0040b0c2
0x0040b0c7
0x0040b0cf
0x0040b0d6
0x0040b0d9
0x0040b0d9
0x0040b0e0
0x0040b135
0x0040b152
0x0040b189
0x0040b18f
0x0040b1a9
0x0040b1ac
0x0040b1c0
0x0040b1c5
0x0040b1c8
0x0040b1cd
0x0040b1ce
0x0040b237
0x0040b23b
0x0040b274
0x0040b274
0x0040b274
0x0040b246
0x0040b24b
0x0040b24d
0x0040b24d
0x0040b253
0x0040b258
0x0040b259
0x0040b25f
0x0040b268
0x00000000
0x00000000
0x0040b26a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b1d0
0x0040b1d0
0x0040b1d6
0x0040b1de
0x0040b1df
0x0040b1df
0x0040b1e6
0x0040b1ee
0x0040b1ef
0x0040b1f1
0x0040b1f7
0x0040b1f8
0x0040b1f8
0x0040b1ff
0x0040b207
0x0040b208
0x0040b20a
0x0040b210
0x0040b212
0x0040b21a
0x0040b21b
0x0040b228
0x0040b228
0x0040b21b
0x0040b208
0x0040b22c
0x0040b22f
0x0040b233
0x0040b233
0x00000000
0x0040b1d0
0x0040b191
0x0040b19c
0x0040b1a3
0x00000000
0x0040b1a8
0x0040b154
0x0040b161
0x0040b168
0x0040b174
0x00000000
0x00000000
0x0040b179
0x0040b17c
0x0040b183
0x0040b188
0x00000000
0x0040b188
0x0040b140
0x0040b147
0x00000000
0x0040b147
0x0040b0e9
0x00000000
0x00000000
0x0040b0ef
0x0040b0ff
0x0040b106
0x0040b112
0x00000000
0x00000000
0x0040b129
0x00000000

APIs

Part of subcall function 0040A80B: memset.MSVCRT ref: 0040A827

Part of subcall function 00409476: memcpy.MSVCRT ref: 00409496

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000020,00000000,00000000), ref: 0040B129
_stricmp.MSVCRT(0000018F,?,00000000), ref: 0040B1E6
_stricmp.MSVCRT(0000010E,?,00000000), ref: 0040B1FF
_stricmp.MSVCRT(0000010E,?,00000000), ref: 0040B212
_mbsicmp.MSVCRT ref: 0040B25F

Part of subcall function 0040A877: memset.MSVCRT ref: 0040A8A2
Part of subcall function 0040A877: memset.MSVCRT ref: 0040A9A9
Part of subcall function 0040A877: memcpy.MSVCRT ref: 0040A9BA

Strings

BBBBB-BBBBB-BBBBB-BBBBB-BBBBB, xrefs: 0040B253
D, xrefs: 0040B14E

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: _stricmpmemset$memcpy$ByteCharMultiWide_mbsicmp
String ID: BBBBB-BBBBB-BBBBB-BBBBB-BBBBB$D
API String ID: 1462258883-2179375097
Opcode ID: b5bf7b64d9b46d8c9195b61299b8bee05336ff5067ea744eee82584c5ca7a521
Instruction ID: df699da2307093237189341cb777bfb5d23401d34c32f8727aa4b00fdb1d6329
Opcode Fuzzy Hash: b5bf7b64d9b46d8c9195b61299b8bee05336ff5067ea744eee82584c5ca7a521
Instruction Fuzzy Hash: 50518D72A00209AFDB11DF61D844BDF73A8EF44354F1000AAF849B7292D778AE85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040CFC7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E0040CFC7(void* __ecx, void* __eflags, intOrPtr _a4) {
				void* _v12;
				int _v16;
				int _v20;
				char _v24;
				void _v287;
				char _v288;
				intOrPtr _v296;
				char _v962;
				char _v1220;
				char _v1232;
				char _v2200;
				void _v2255;
				char _v2256;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t29;
				char _t34;
				void* _t57;
				void* _t58;
				int _t61;
				void* _t64;

				_t54 = __ecx;
				E0040A7B6(__ecx, _a4);
				_t61 = 0x20019;
				if(E00408B42(_t54, GetCurrentProcess()) != 0) {
					_t61 = 0x20119;
				}
				_t29 = RegOpenKeyExA(0x80000002, "Software", 0, _t61,  &_v12); // executed
				if(_t29 == 0) {
					_v288 = 0;
					memset( &_v287, 0, 0x104);
					_t64 = _t64 + 0xc;
					E004091EC( &_v288);
					_pop(_t58);
					E0040CAFC(_t58, _a4, _v12,  &_v288); // executed
					RegCloseKey(_v12);
				}
				_v24 = 0;
				_v20 = 0;
				_v16 = 0;
				_v2256 = 0;
				memset( &_v2255, 0, 0x3ff);
				_t34 = E00409DF6( &_v24,  &_v2256);
				if(_t34 > 0x38) {
					_t34 = _v2200;
					if(_t34 >= 0x61 && _t34 <= 0x7a) {
						L11:
						E0040A80B( &_v1232);
						E00409476(0x80,  &_v962,  &_v2200);
						E00409476(0x80,  &_v1220, E00407C3F(0x7d1));
						_pop(_t57);
						_v296 = 1;
						return E00405DE7(_a4, _t57,  &_v1232);
					}
					if(_t34 >= 0x41 && _t34 <= 0x5a) {
						goto L11;
					}
					if(_t34 >= 0x30 && _t34 <= 0x39) {
						goto L11;
					}
				}
				return _t34;
			}

0x0040cfc7
0x0040cfd6
0x0040cfdb
0x0040cfef
0x0040cff1
0x0040cff1
0x0040d008
0x0040d010
0x0040d01f
0x0040d025
0x0040d030
0x0040d034
0x0040d039
0x0040d047
0x0040d04f
0x0040d04f
0x0040d062
0x0040d065
0x0040d068
0x0040d06b
0x0040d071
0x0040d083
0x0040d08b
0x0040d08d
0x0040d095
0x0040d0ab
0x0040d0b1
0x0040d0ca
0x0040d0e3
0x0040d0e8
0x0040d0f3
0x00000000
0x0040d0fd
0x0040d09d
0x00000000
0x00000000
0x0040d0a5
0x00000000
0x00000000
0x0040d0a5
0x0040d106

APIs

Part of subcall function 0040A7B6: GetComputerNameA.KERNEL32 ref: 0040A7CE

GetCurrentProcess.KERNEL32 ref: 0040CFE0

Part of subcall function 00408B42: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00408B54
Part of subcall function 00408B42: GetProcAddress.KERNEL32(00000000), ref: 00408B5B

RegOpenKeyExA.KERNELBASE(80000002,Software,00000000,00020019,?), ref: 0040D008
memset.MSVCRT ref: 0040D025
RegCloseKey.ADVAPI32(?), ref: 0040D04F
memset.MSVCRT ref: 0040D071

Strings

Software, xrefs: 0040CFFE

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: memset$AddressCloseComputerCurrentHandleModuleNameOpenProcProcess
String ID: Software
API String ID: 527347678-2393246361
Opcode ID: 638622e4a4ce547630301f39cf173de8db1fa1c190fdcd1af68593db282d8bc5
Instruction ID: 728bec28de1998f0db0da52364eac1917539ebc98261409a6dee968ab94316d4
Opcode Fuzzy Hash: 638622e4a4ce547630301f39cf173de8db1fa1c190fdcd1af68593db282d8bc5
Instruction Fuzzy Hash: F0319271D0011C6ADB20AB95DC45BDEB7BDAF05304F4040BBE64CB2192DA385E8A8FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403965 Relevance: 9.1, APIs: 6, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00403965(void* __edi) {
				struct HDWP__* _v8;
				int _v12;
				int _v16;
				struct tagRECT _v32;
				void* _t26;
				int _t30;
				int _t40;
				int _t43;

				if( *((intOrPtr*)(__edi + 0x140)) != 0) {
					GetClientRect( *(__edi + 0x108),  &_v32);
					_v12 = E0040D696(__edi);
					_t30 = E0040D672(__edi);
					_t43 = _v32.right - _v32.left;
					_v16 = _t30;
					_v8 = BeginDeferWindowPos(3);
					DeferWindowPos(_v8,  *(__edi + 0x118), 0, 0, 0, _t43, _v16, 4);
					DeferWindowPos(_v8,  *(__edi + 0x114), 0, 0, _v32.bottom - _v12 + 1, _t43, _v12, 6);
					DeferWindowPos(_v8,  *( *((intOrPtr*)(__edi + 0x290)) + 0x190), 0, 0, _v16, _t43, _v32.bottom - _v32.top - _v16 - _v12, 4);
					_t40 = EndDeferWindowPos(_v8); // executed
					return _t40;
				}
				return _t26;
			}

0x00403972
0x00403984
0x00403991
0x00403994
0x0040399f
0x004039a7
0x004039b5
0x004039c7
0x004039e8
0x00403a0e
0x00403a17
0x00000000
0x00403a1e
0x00403a20

APIs

GetClientRect.USER32 ref: 00403984

Part of subcall function 0040D696: GetWindowRect.USER32 ref: 0040D6A9

Part of subcall function 0040D672: GetWindowRect.USER32 ref: 0040D685

BeginDeferWindowPos.USER32 ref: 004039AA
DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004039C7
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004039E8
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 00403A0E
KiUserCallbackDispatcher.NTDLL(?), ref: 00403A17

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Window$Defer$Rect$BeginCallbackClientDispatcherUser
String ID:
API String ID: 466569379-0
Opcode ID: 3639b7cbe27ba7c4e648dacbc40f91d7a7b1184fefeaa190cdc13b6764be2fb4
Instruction ID: 627d5c0f42b4538ef7562c728db4d9480c0b49ddde14cd9d31dacdfe74534590
Opcode Fuzzy Hash: 3639b7cbe27ba7c4e648dacbc40f91d7a7b1184fefeaa190cdc13b6764be2fb4
Instruction Fuzzy Hash: 59218072900209FFEB119BE8DE49FEEBB79FB08700F104165FA15B61A0C7752E549B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040D99C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E0040D99C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				long _t26;
				signed int _t29;
				intOrPtr* _t40;
				void* _t42;

				_push(0x10);
				_push(0x410818);
				E004012D0(__ebx, __edi, __esi);
				if( *(_t42 + 0xc) == 1) {
					_t32 =  *( *(_t42 + 0x14));
					_t37 =  *(_t42 + 8);
					 *( *( *(_t42 + 0x14)) + 0x108) =  *(_t42 + 8);
					E0040847C(0x412124, _t32, _t37);
				}
				_t40 = E00408342(0x412124,  *(_t42 + 8));
				 *((intOrPtr*)(_t42 - 0x20)) = _t40;
				if(_t40 == 0) {
					_t26 = DefWindowProcA( *(_t42 + 8),  *(_t42 + 0xc),  *(_t42 + 0x10),  *(_t42 + 0x14)); // executed
				} else {
					 *(_t42 - 0x1c) =  *(_t42 - 0x1c) & 0x00000000;
					 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
					_t29 =  *((intOrPtr*)( *_t40))( *(_t42 + 0xc),  *(_t42 + 0x10),  *(_t42 + 0x14)); // executed
					 *(_t42 - 0x1c) = _t29;
					 *(_t42 - 4) =  *(_t42 - 4) | 0xffffffff;
					if( *(_t42 + 0xc) == 2) {
						E0040836E(0x412124, _t40);
					}
					_t26 =  *(_t42 - 0x1c);
				}
				return E00401309(_t26);
			}

0x0040d99c
0x0040d99e
0x0040d9a3
0x0040d9ac
0x0040d9b1
0x0040d9b3
0x0040d9b6
0x0040d9c3
0x0040d9c3
0x0040d9d5
0x0040d9d7
0x0040d9dc
0x0040da3c
0x0040d9de
0x0040d9de
0x0040d9e2
0x0040d9f3
0x0040d9f5
0x0040d9f8
0x0040da1e
0x0040da26
0x0040da26
0x0040da2b
0x0040da2b
0x0040da47

APIs

KiUserCallbackDispatcher.NTDLL(00000001,?,?,?,?,?,?,?,?,00410818,00000010), ref: 0040D9F3

Part of subcall function 0040847C: ??2@YAPAXI@Z.MSVCRT ref: 004084B1
Part of subcall function 0040847C: memset.MSVCRT ref: 004084C2
Part of subcall function 0040847C: memcpy.MSVCRT ref: 004084CE
Part of subcall function 0040847C: ??3@YAXPAX@Z.MSVCRT ref: 004084DB

Strings

$!A, xrefs: 0040DA21
$!A, xrefs: 0040D9CB
$!A, xrefs: 0040D9BE

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: ??2@??3@CallbackDispatcherUsermemcpymemset
String ID: $!A$$!A$$!A
API String ID: 1389461279-1179211498
Opcode ID: 38fcb589930a946565b5d63972170345bba8eebeed9bd9c63f9be120238b0cb3
Instruction ID: 71ee5c206ec63a89738b0f005ccb17fb78b7d67ab1475d6e5f4411d71129de79
Opcode Fuzzy Hash: 38fcb589930a946565b5d63972170345bba8eebeed9bd9c63f9be120238b0cb3
Instruction Fuzzy Hash: D3115731A00209EFCF11DF94C905AAE3BB1FF08320F10806AF955B62A1C77989609F69

Uniqueness

Uniqueness Score: -1.00%

Function 0040B8BD Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E0040B8BD(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44) {
				signed int _v12;
				signed int _v16;
				void* _v20;
				signed int _v24;
				void* _v39;
				char _v40;
				void _v175;
				char _v176;
				void _v439;
				char _v440;
				char _v448;
				char _v449;
				char _v450;
				void* _v2444;
				void _v2495;
				char _v2496;
				void* __esi;
				void* _t72;
				void* _t78;
				char _t83;
				void* _t90;
				void* _t93;
				char* _t102;

				_t90 = __ecx;
				_v176 = 0;
				memset( &_v175, 0, 0x80);
				_v440 = 0;
				memset( &_v439, 0, 0x104);
				_v2496 = 0;
				memset( &_v2495, 0, 0x800);
				_v16 = _v16 & 0x00000000;
				_v12 = 0x800;
				if(_a12 != 0) {
					E00401F0A(0x80, _t90,  &_v176, _a12, _a16); // executed
					_pop(_t90);
				}
				if(_a28 == 4) {
					_t102 =  &_v440;
					E00401F0A(0x104, _t90, _t102, _a20, "SQLPath");
					_pop(_t90);
					_a32 = _t102;
				}
				if(_a20 == 0) {
					L12:
					_v12 = _v12 & 0x00000000;
					goto L13;
				} else {
					_v12 = 0x800;
					_t78 = E00401EEC(_t90, _a20, _a24,  &_v2496,  &_v12); // executed
					if(_t78 == 0) {
						_v16 = 1;
					}
					_v40 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosw");
					if(_v12 >= 0x34) {
						_t93 = 0xf;
						asm("repe cmpsb");
						if(0 == 0) {
							_v12 = 0x800;
							_t83 = E00401EEC(_t93, _a20, _a40,  &_v2496,  &_v12); // executed
							if(_t83 == 0) {
								_a44 = 4;
								_v16 = 1;
								_v448 = _t83;
								_v449 = _t83;
								_v450 = _t83;
							}
						}
					}
					if(_v16 != 0) {
						L13:
						_v24 = _v24 & 0x00000000;
						_t117 = _a20;
						asm("stosd");
						if(_a20 == 0) {
							__eflags = _a12;
							if(__eflags == 0) {
								L18:
								_t72 = E0040B074(_t117, _a4, _a8,  &_v176,  &_v2496, _v12, _a28, _a32, _a36,  &_v24, _a44); // executed
								return _t72;
							}
							_push( &_v24);
							_push(_a12);
							L17:
							E00401DEC();
							goto L18;
						}
						_push( &_v24);
						_push(_a20);
						goto L17;
					} else {
						goto L12;
					}
				}
			}

0x0040b8bd
0x0040b8d8
0x0040b8df
0x0040b8f3
0x0040b8fa
0x0040b90e
0x0040b915
0x0040b91a
0x0040b925
0x0040b928
0x0040b938
0x0040b93e
0x0040b93e
0x0040b943
0x0040b94f
0x0040b955
0x0040b95d
0x0040b95e
0x0040b95e
0x0040b965
0x0040b9fe
0x0040b9fe
0x00000000
0x0040b96b
0x0040b979
0x0040b97f
0x0040b989
0x0040b98b
0x0040b98b
0x0040b998
0x0040b99f
0x0040b9a0
0x0040b9a1
0x0040b9a2
0x0040b9a4
0x0040b9a8
0x0040b9b4
0x0040b9b6
0x0040b9c6
0x0040b9cc
0x0040b9d6
0x0040b9d8
0x0040b9df
0x0040b9e6
0x0040b9ec
0x0040b9f2
0x0040b9f2
0x0040b9d6
0x0040b9b6
0x0040b9fc
0x0040ba02
0x0040ba02
0x0040ba08
0x0040ba0e
0x0040ba0f
0x0040ba1a
0x0040ba1e
0x0040ba2e
0x0040ba55
0x0040ba5e
0x0040ba5e
0x0040ba23
0x0040ba24
0x0040ba27
0x0040ba27
0x00000000
0x0040ba2d
0x0040ba14
0x0040ba15
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b9fc

APIs

memset.MSVCRT ref: 0040B8DF
memset.MSVCRT ref: 0040B8FA
memset.MSVCRT ref: 0040B915

Part of subcall function 00401F0A: RegQueryValueExA.KERNELBASE(?,d!@,00000000,?,?,000003FF,?,?,?,00402164,?,000003FF,000003FF), ref: 00401F23

Strings

SQLPath, xrefs: 0040B945
4, xrefs: 0040B994

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: memset$QueryValue
String ID: 4$SQLPath
API String ID: 4175430599-707170241
Opcode ID: 6bdae49af9b41f76278810b277e957c1db4dae0b68e0f7af77f900c663d3bb2e
Instruction ID: 795865a80cf41a6a5ced10dc1a6cadd4e61db1a38a8d89a72c20709a76336584
Opcode Fuzzy Hash: 6bdae49af9b41f76278810b277e957c1db4dae0b68e0f7af77f900c663d3bb2e
Instruction Fuzzy Hash: 7351307290021DAFEF11DF95CC41BDE7BB8EB14314F1044AAF904B2191D7759A98CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040C2B2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C2B2(void* __ecx, intOrPtr _a4, void* _a8) {
				void* _v8;
				void _v263;
				char _v264;
				long _t15;
				void* _t20;
				long _t25;
				void* _t27;
				void* _t29;
				void* _t34;
				void* _t35;

				_t27 = __ecx;
				_v8 = 0;
				_t15 = RegOpenKeyExA(_a8, "Microsoft\\VisualStudio", 0, 0x20019,  &_v8); // executed
				if(_t15 == 0) {
					_t29 = 0;
					_v264 = 0;
					memset( &_v263, 0, 0xff);
					_t20 = E00401EC5(0xff, _v8, 0,  &_v264); // executed
					_t35 = _t34 + 0x18;
					while(_t20 == 0) {
						E0040BDBF(_t27, _a4, _v8,  &_v264); // executed
						_t29 = _t29 + 1;
						_t20 = E00401EC5(0xff, _v8, _t29,  &_v264); // executed
						_t35 = _t35 + 0xc;
					}
					_t25 = RegCloseKey(_v8); // executed
					return _t25;
				}
				return _t15;
			}

0x0040c2b2
0x0040c2d0
0x0040c2d3
0x0040c2db
0x0040c2ed
0x0040c2ef
0x0040c2f5
0x0040c307
0x0040c30c
0x0040c339
0x0040c31e
0x0040c32a
0x0040c331
0x0040c336
0x0040c336
0x0040c340
0x00000000
0x0040c347
0x0040c34a

APIs

RegOpenKeyExA.KERNELBASE(?,Microsoft\VisualStudio,00000000,00020019,?), ref: 0040C2D3
memset.MSVCRT ref: 0040C2F5

Part of subcall function 00401EC5: RegEnumKeyExA.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?), ref: 00401EE4

RegCloseKey.KERNELBASE(?), ref: 0040C340

Strings

Microsoft\VisualStudio, xrefs: 0040C2C8

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: CloseEnumOpenmemset
String ID: Microsoft\VisualStudio
API String ID: 42195315-2818195782
Opcode ID: 06443bf2749e695d2a55dbfd166c2e373fc6cfda460260038d3561efd8b90f66
Instruction ID: d1245358e997f8cd8fcbce29fd4ffd21369f85dbe1b80007c8d43278ce16d132
Opcode Fuzzy Hash: 06443bf2749e695d2a55dbfd166c2e373fc6cfda460260038d3561efd8b90f66
Instruction Fuzzy Hash: 4601C4B6A00118FBDB20DF95DD81EDEB7BCEF54344F0040B2BA04F2191E6748F599AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040C6A7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C6A7(void* __ebx, intOrPtr _a4, void* _a8) {
				void _v259;
				char _v260;
				void* __esi;
				long _t14;
				void* _t19;
				long _t24;
				void* _t25;
				int _t27;
				void* _t32;
				void* _t33;

				_t25 = __ebx;
				_t14 = RegOpenKeyExA(_a8, "Microsoft\\Office", 0, 0x20019,  &_a8); // executed
				if(_t14 == 0) {
					_t27 = 0;
					_v260 = 0;
					memset( &_v259, 0, 0xff);
					_t19 = E00401EC5(0xff, _a8, 0,  &_v260); // executed
					_t33 = _t32 + 0x18;
					while(_t19 == 0) {
						E0040C53D(_t25, 0xff, _a4, _a8,  &_v260); // executed
						_t27 = _t27 + 1;
						_t19 = E00401EC5(0xff, _a8, _t27,  &_v260); // executed
						_t33 = _t33 + 0xc;
					}
					_t24 = RegCloseKey(_a8); // executed
					return _t24;
				}
				return _t14;
			}

0x0040c6a7
0x0040c6c3
0x0040c6cb
0x0040c6d5
0x0040c6df
0x0040c6e6
0x0040c6f8
0x0040c6fd
0x0040c72a
0x0040c70f
0x0040c71b
0x0040c722
0x0040c727
0x0040c727
0x0040c731
0x00000000
0x0040c738
0x0040c73a

APIs

RegOpenKeyExA.KERNELBASE(?,Microsoft\Office,00000000,00020019,?), ref: 0040C6C3
memset.MSVCRT ref: 0040C6E6

Part of subcall function 00401EC5: RegEnumKeyExA.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?), ref: 00401EE4

RegCloseKey.KERNELBASE(?), ref: 0040C731

Strings

Microsoft\Office, xrefs: 0040C6BB

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: CloseEnumOpenmemset
String ID: Microsoft\Office
API String ID: 42195315-3910434081
Opcode ID: 3b82f7eb1ac85d066e520f540034e5f67d453d2e877e0dc33c862ac240e5e00f
Instruction ID: c68fad35f9fd40fba05eddd2a15fb6c8c2a2e2b72dc6aea4dbe2eebcac5165f8
Opcode Fuzzy Hash: 3b82f7eb1ac85d066e520f540034e5f67d453d2e877e0dc33c862ac240e5e00f
Instruction Fuzzy Hash: 6801D236600019BADB31AF12DC45FEE7B7CEF98710F008076BD08E5092E7749A45DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040C61B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E0040C61B(void* __ecx, intOrPtr _a4, void* _a8) {
				void _v259;
				char _v260;
				long _t13;
				void* _t18;
				void* _t23;
				int _t24;
				void* _t26;
				void* _t27;

				_t23 = __ecx;
				_t13 = RegOpenKeyExA(_a8, "Microsoft\\Microsoft SQL Server", 0, 0x20019,  &_a8); // executed
				if(_t13 == 0) {
					_t24 = 0;
					_v260 = 0;
					memset( &_v259, 0, 0xff);
					_t27 = _t26 + 0xc;
					_push( &_v260);
					_push(0);
					while(1) {
						_push(_a8);
						_t18 = E00401EC5(0xff);
						_t27 = _t27 + 0xc;
						if(_t18 != 0) {
							break;
						}
						E0040C34D(_t23, _a4, _a8,  &_v260);
						_t24 = _t24 + 1;
						_push( &_v260);
						_push(_t24);
					}
					return RegCloseKey(_a8);
				}
				return _t13;
			}

0x0040c61b
0x0040c639
0x0040c641
0x0040c649
0x0040c653
0x0040c65a
0x0040c65f
0x0040c668
0x0040c669
0x0040c687
0x0040c687
0x0040c68c
0x0040c691
0x0040c696
0x00000000
0x00000000
0x0040c679
0x0040c684
0x0040c685
0x0040c686
0x0040c686
0x00000000
0x0040c69b
0x0040c6a4

APIs

RegOpenKeyExA.KERNELBASE(?,Microsoft\Microsoft SQL Server,00000000,00020019,?), ref: 0040C639
memset.MSVCRT ref: 0040C65A

Part of subcall function 00401EC5: RegEnumKeyExA.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?), ref: 00401EE4

RegCloseKey.ADVAPI32(?), ref: 0040C69B

Strings

Microsoft\Microsoft SQL Server, xrefs: 0040C631

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: CloseEnumOpenmemset
String ID: Microsoft\Microsoft SQL Server
API String ID: 42195315-2662195110
Opcode ID: 6fa4e6ceb6d037ab56ca6903b97cdba4b88b3b7d7454f9f281a44a680ec66391
Instruction ID: bccda2c155679a8b1b9773621c0d9873c31b607589cf98ade5e2eae6ac71f9f2
Opcode Fuzzy Hash: 6fa4e6ceb6d037ab56ca6903b97cdba4b88b3b7d7454f9f281a44a680ec66391
Instruction Fuzzy Hash: 6001D475500018BADB319F11EC41FEB3BBCEF94700F004176BC48E1091E7759A58DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004043A7 Relevance: 6.0, APIs: 4, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004043A7(intOrPtr* __eax, void* __edi) {
				void* __esi;
				intOrPtr _t12;
				intOrPtr _t13;
				struct HICON__* _t15;
				void* _t22;
				intOrPtr* _t25;

				_t22 = __edi;
				_t25 = __eax;
				_push(0x59c);
				 *((intOrPtr*)(__eax + 0x140)) = 0;
				 *__eax = 0x410250;
				 *((intOrPtr*)(__eax + 0x298)) = 0;
				L004010A4();
				_t26 = __eax;
				if(__eax == 0) {
					_t12 = 0;
					__eflags = 0;
				} else {
					_t12 = E0040A85F(__eax, _t26);
				}
				_push(0x880);
				 *((intOrPtr*)(_t25 + 0x28c)) = _t12;
				L004010A4(); // executed
				_t27 = _t12;
				if(_t12 == 0) {
					_t13 = 0;
					__eflags = 0;
				} else {
					_push(_t22);
					_t13 = E0040BBF2(_t12, _t27);
				}
				 *((intOrPtr*)(_t25 + 0x290)) = _t13;
				 *((intOrPtr*)(_t25 + 0x294)) = 0;
				 *((intOrPtr*)(_t25 + 0x178)) = 0;
				 *((intOrPtr*)(_t25 + 0x174)) = 0;
				 *((intOrPtr*)(_t25 + 0x170)) = 0;
				 *((intOrPtr*)(_t25 + 0x17c)) = 0;
				 *((intOrPtr*)(_t25 + 0x288)) = 0;
				_t15 = LoadIconA(GetModuleHandleA(0), 0x65); // executed
				E0040D856(_t25, _t15);
				return _t25;
			}

0x004043a7
0x004043a9
0x004043ad
0x004043b2
0x004043b8
0x004043be
0x004043c4
0x004043c9
0x004043cc
0x004043d7
0x004043d7
0x004043ce
0x004043d0
0x004043d0
0x004043d9
0x004043de
0x004043e4
0x004043e9
0x004043ec
0x004043f9
0x004043f9
0x004043ee
0x004043ee
0x004043f1
0x004043f6
0x004043fc
0x00404402
0x00404408
0x0040440e
0x00404414
0x0040441a
0x00404420
0x0040442f
0x00404436
0x0040443f

APIs

??2@YAPAXI@Z.MSVCRT ref: 004043C4
??2@YAPAXI@Z.MSVCRT ref: 004043E4
GetModuleHandleA.KERNEL32(00000000,?,00000000,00404E86,?,00000000), ref: 00404426
LoadIconA.USER32(00000000,00000065), ref: 0040442F

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: ??2@$HandleIconLoadModule
String ID:
API String ID: 4294683033-0
Opcode ID: e9a61a22fe9a943eb8acf6a146dbc507791da4c8ef5dada01a30413f3a1f9bd5
Instruction ID: 825f705ed21fec8e26d263cb1f521bea60573315257563d4bc7fc3ad909d8734
Opcode Fuzzy Hash: e9a61a22fe9a943eb8acf6a146dbc507791da4c8ef5dada01a30413f3a1f9bd5
Instruction Fuzzy Hash: 09015EB1A057008BD7606F7A98896D7F6E4BF48305F90493FE29ED6281DB7898414B48

Uniqueness

Uniqueness Score: -1.00%

Function 00409425 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409425(signed int* __eax, void* __edx, void** __edi, signed int _a4, intOrPtr _a8) {
				void* _t8;
				void* _t13;
				signed int _t16;
				void** _t21;
				signed int _t22;

				_t21 = __edi;
				_t22 =  *__eax;
				if(__edx < _t22) {
					return 0;
				} else {
					_t13 =  *__edi;
					do {
						 *__eax =  *__eax + _a8;
						_t16 =  *__eax;
					} while (__edx >= _t16);
					_t8 = malloc(_t16 * _a4); // executed
					 *__edi = _t8;
					if(_t22 > 0) {
						if(_t8 != 0) {
							memcpy(_t8, _t13, _t22 * _a4);
						}
						free(_t13);
					}
					return 0 |  *_t21 != 0x00000000;
				}
			}

0x00409425
0x00409426
0x0040942a
0x00409475
0x0040942c
0x0040942d
0x0040942f
0x00409433
0x00409435
0x00409437
0x00409441
0x00409449
0x0040944b
0x0040944f
0x00409459
0x0040945e
0x00409462
0x00409467
0x00409471
0x00409471

APIs

malloc.MSVCRT ref: 00409441
memcpy.MSVCRT ref: 00409459
free.MSVCRT(00000000,00000000,00000000,0040857D,00000001,?,?,00000000,0040894C,00408AA2,?,74714DE0,?,00000000), ref: 00409462

Strings

Mqt, xrefs: 0040943B, 00409451, 00409440, 00409456

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: freemallocmemcpy
String ID: Mqt
API String ID: 3056473165-844227191
Opcode ID: 5754e7e4bfc5c79033083ccfbfd169179e7367b3c7869c257f586f2e0fb1c4c2
Instruction ID: 289d377e5f73869b7caff960fb681cd9ce381e10f4fd76e1c8cda2eb9c808e0f
Opcode Fuzzy Hash: 5754e7e4bfc5c79033083ccfbfd169179e7367b3c7869c257f586f2e0fb1c4c2
Instruction Fuzzy Hash: D6F0E97260D2229FC708DB75A88184BB3ADAF44314711483FF445E32D2D738DC40CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040CAFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CAFC(void* __ecx, char _a4, void* _a8, intOrPtr* _a12) {
				void* _v8;
				long _t12;

				E0040C73D(_a4, _a8, _a12); // executed
				_t12 = RegOpenKeyExA(_a8, "Wow6432Node", 0, 0x20019,  &_v8); // executed
				if(_t12 == 0) {
					E0040C73D(_a4, _v8, _a12); // executed
					return RegCloseKey(_v8);
				}
				return _t12;
			}

0x0040cb09
0x0040cb21
0x0040cb29
0x0040cb34
0x00000000
0x0040cb3c
0x0040cb43

APIs

Part of subcall function 0040C73D: RegOpenKeyExA.KERNELBASE(?,Microsoft\Windows NT\CurrentVersion,00000000,00020019,?), ref: 0040C767
Part of subcall function 0040C73D: memset.MSVCRT ref: 0040C789
Part of subcall function 0040C73D: memset.MSVCRT ref: 0040C7A0
Part of subcall function 0040C73D: memset.MSVCRT ref: 0040C7BB
Part of subcall function 0040C73D: memset.MSVCRT ref: 0040C85A
Part of subcall function 0040C73D: memset.MSVCRT ref: 0040C871

RegOpenKeyExA.KERNELBASE(?,Wow6432Node,00000000,00020019,?), ref: 0040CB21

Part of subcall function 0040C73D: GetPrivateProfileStringA.KERNEL32(Product Specification,Product,0040F469,?,00000080,?), ref: 0040C8C9
Part of subcall function 0040C73D: RegCloseKey.KERNELBASE(?), ref: 0040C920
Part of subcall function 0040C73D: RegOpenKeyExA.ADVAPI32(?,Microsoft\Windows NT\CurrentVersion\DefaultProductKey,00000000,00020019,?), ref: 0040C955
Part of subcall function 0040C73D: RegCloseKey.ADVAPI32(?), ref: 0040C99A
Part of subcall function 0040C73D: RegOpenKeyExA.ADVAPI32(?,Microsoft\Windows\CurrentVersion,00000000,00020019,?), ref: 0040C9BF
Part of subcall function 0040C73D: memset.MSVCRT ref: 0040C9D8

RegCloseKey.ADVAPI32(?), ref: 0040CB3C

Strings

Wow6432Node, xrefs: 0040CB19

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: memset$Open$Close$PrivateProfileString
String ID: Wow6432Node
API String ID: 4162235261-3433321875
Opcode ID: 4331d51e3f19d49408c60aaa5a96547b5c8e0da2c0d4f074541140cc666a4dd1
Instruction ID: b2a21aeda2b3f5abf1583417472ef8e3245cec51ed79abbd54f67cff4fa402bc
Opcode Fuzzy Hash: 4331d51e3f19d49408c60aaa5a96547b5c8e0da2c0d4f074541140cc666a4dd1
Instruction Fuzzy Hash: D4E0C935100209FBDF219F91ED46E9D7B79BB14744F108136BA04750B1D7769A24BB54

Uniqueness

Uniqueness Score: -1.00%

Function 004046C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004046C8(void* __esi) {
				struct HINSTANCE__* _t4;
				struct HWND__* _t7;

				E0040DA4A(__esi);
				_t4 = GetModuleHandleA(0);
				_t7 = CreateWindowExA(0, "ProduKey", "ProduKey", 0xcf0000, 0x80000000, 0x80000000, 0x280, 0x1e0, 0, 0, _t4, __esi); // executed
				 *(__esi + 0x108) = _t7;
				return _t7;
			}

0x004046ca
0x004046d1
0x004046fc
0x00404702
0x00404708

APIs

Part of subcall function 0040DA4A: GetModuleHandleA.KERNEL32(00000000,74714DE0,?), ref: 0040DA67
Part of subcall function 0040DA4A: RegisterClassA.USER32 ref: 0040DA90

GetModuleHandleA.KERNEL32(00000000,00404F3B,/deleteregkey,/savelangfile,?,?,?,00000000), ref: 004046D1
CreateWindowExA.USER32 ref: 004046FC

Strings

ProduKey, xrefs: 004046F3, 004046F8, 004046F9

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: HandleModule$ClassCreateRegisterWindow
String ID: ProduKey
API String ID: 2678498856-3483297114
Opcode ID: 93393d1ac61038d1ad10487e55b5d54c7996abf937b1b43556b961cf02ccf31c
Instruction ID: 6e5801d3909d3767904a12ef67d4d3394731ecc852b40ab1dfdb807e6540619b
Opcode Fuzzy Hash: 93393d1ac61038d1ad10487e55b5d54c7996abf937b1b43556b961cf02ccf31c
Instruction Fuzzy Hash: E8E06CB4389210BAF2A056A48D0AFBB295CDB54B06F204035BE49FD5D4CAF46C484AAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040B715 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B715(void* __ecx, intOrPtr _a4, void* _a8) {
				void* _v8;
				long _t9;

				_v8 = _v8 & 0x00000000;
				_t9 = RegOpenKeyExA(_a8, "Autodesk", 0, 0x20019,  &_v8); // executed
				_t14 = _t9;
				if(_t9 == 0) {
					E0040AEF5(_a4, _t14, _v8, _t9);
					return RegCloseKey(_v8);
				}
				return _t9;
			}

0x0040b719
0x0040b730
0x0040b736
0x0040b738
0x0040b741
0x00000000
0x0040b749
0x0040b750

APIs

RegOpenKeyExA.KERNELBASE(?,Autodesk,00000000,00020019,00000000), ref: 0040B730

Part of subcall function 0040AEF5: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,00000000), ref: 0040AF4E
Part of subcall function 0040AEF5: RegCloseKey.ADVAPI32(00000000), ref: 0040B042

RegCloseKey.ADVAPI32(00000000), ref: 0040B749

Strings

Autodesk, xrefs: 0040B728

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: CloseOpen
String ID: Autodesk
API String ID: 47109696-2445194919
Opcode ID: 6ad3c0b4acd562bcb3f630935ad7e175566819283e3014371350e88f4b62c351
Instruction ID: 31259e3e5a5e60c004f176c86ebac66b8ee43041345a5abcc467b94dc22bf34a
Opcode Fuzzy Hash: 6ad3c0b4acd562bcb3f630935ad7e175566819283e3014371350e88f4b62c351
Instruction Fuzzy Hash: AEE01A35640208BBDB20EF50ED06F9E776DEB50709F208035B504B50A1D7749A18ABA8

Uniqueness

Uniqueness Score: -1.00%

Function 00409D54 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409D54() {
				void* __esi;
				signed char _t4;

				if( *0x412da8 == 0) {
					E00409C03(0x412da8);
					_t4 = GetFileAttributesA(0x412da8); // executed
					if((_t4 & 0x00000001) != 0) {
						GetTempPathA(0x104, 0x412da8);
					}
				}
				return 0x412da8;
			}

0x00409d61
0x00409d63
0x00409d69
0x00409d71
0x00409d79
0x00409d79
0x00409d71
0x00409d82

APIs

GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,?,00404A4A,00000000,/nosavereg,00000000,00000001), ref: 00409D69
GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00404A4A,00000000,/nosavereg,00000000,00000001), ref: 00409D79

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00409D54, 00409D5C, 00409D68, 00409D73

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: AttributesFilePathTemp
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3199926297-3081826266
Opcode ID: 03ee38a574b8811611f3ed7be439ae2fdd3607a53681e8ebcb69c443d2e2b5b6
Instruction ID: ee73eeecbc2c19658a65ae5a3afedc161ce82e3f8e73b22d406f002233615bd9
Opcode Fuzzy Hash: 03ee38a574b8811611f3ed7be439ae2fdd3607a53681e8ebcb69c443d2e2b5b6
Instruction Fuzzy Hash: 7BD02230A824607BE2702328FF0DFC72A444F92310F040073F889F2292C2B80C4182EC

Uniqueness

Uniqueness Score: -1.00%

Function 0040781B Relevance: 5.0, APIs: 4, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0040781B() {
				void* _t13;
				signed int _t15;
				signed int _t16;
				signed int _t17;
				signed int _t18;
				signed int _t27;
				signed int _t29;
				intOrPtr _t33;

				_t33 =  *0x412b68;
				if(_t33 == 0) {
					_push(0x8000);
					 *0x412b68 = 0x8000;
					 *0x412b6c = 0x100;
					 *0x412b70 = 0x1000; // executed
					L004010A4(); // executed
					 *0x412b50 = 0x8000;
					_t15 =  *0x412b6c; // 0x100
					_t27 = 4;
					_t16 = _t15 * _t27;
					_push( ~(0 | _t33 > 0x00000000) | _t16);
					L004010A4();
					 *0x412b58 = _t16;
					_t17 =  *0x412b6c; // 0x100
					_t29 = 4;
					_t18 = _t17 * _t29;
					_push( ~(0 | _t33 > 0x00000000) | _t18);
					L004010A4();
					_push( *0x412b70);
					 *0x412b5c = _t18;
					L004010A4();
					 *0x412b54 = _t18;
					return _t18;
				}
				return _t13;
			}

0x0040781b
0x00407822
0x00407829
0x0040782a
0x0040782f
0x00407839
0x00407843
0x00407848
0x0040784d
0x00407856
0x00407857
0x00407860
0x00407861
0x00407866
0x0040786b
0x00407874
0x00407875
0x0040787e
0x0040787f
0x00407884
0x0040788a
0x0040788f
0x00407897
0x00000000
0x00407897
0x0040789c

APIs

??2@YAPAXI@Z.MSVCRT ref: 00407843
??2@YAPAXI@Z.MSVCRT ref: 00407861
??2@YAPAXI@Z.MSVCRT ref: 0040787F
??2@YAPAXI@Z.MSVCRT ref: 0040788F

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: ee9f617b7fe656d3f584eb10a124b69bf03d05b41e7542abfcc17f71b64ee2a3
Instruction ID: 58f842bd4eed1399df72b29ec1e688766f804122cee06fd2624d10eb490c3055
Opcode Fuzzy Hash: ee9f617b7fe656d3f584eb10a124b69bf03d05b41e7542abfcc17f71b64ee2a3
Instruction Fuzzy Hash: 11F0ECB5D092809EE7549F34EE1679537E0A748304F44C53FA245DA2F0EBF964A5CB0C

Uniqueness

Uniqueness Score: -1.00%

Function 00405108 Relevance: 4.6, APIs: 3, Instructions: 95
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405108(void* __ecx, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				intOrPtr _t24;
				signed int _t28;
				intOrPtr _t38;
				signed int* _t53;
				intOrPtr _t54;
				void* _t55;
				void* _t56;

				_t48 = __ecx;
				_t54 = _a4;
				_t56 = _t54 - 0x415;
				_t55 = __ecx;
				if(_t56 > 0) {
					_t21 = _t54 - 0x416;
					__eflags = _t21;
					if(_t21 == 0) {
						E004045E1(__ecx);
						L23:
						E004040C5(0, _t48, _t55);
						L24:
						_t24 =  *((intOrPtr*)(_t55 + 0x294));
						if(_t54 == _t24 && _t24 != 0) {
							E00406F34(_a12,  *((intOrPtr*)(_t55 + 0x290)));
						}
						return E0040D8DC(_t55, _t54, _a8, _a12);
					}
					_t28 = _t21 - 3;
					__eflags = _t28;
					if(_t28 == 0) {
						__eflags = E00403A66(__ecx, __ecx);
						if(__eflags != 0) {
							L14:
							E0040460A(_t55, __eflags);
							goto L23;
						}
						__eflags =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x28c)) + 0x578)) - 1;
						if(__eflags == 0) {
							goto L14;
						}
						E00405092(__ecx, __eflags);
						goto L24;
					}
					__eflags = _t28 == 3;
					if(_t28 == 3) {
						SetFocus( *(__ecx + 0x288));
					}
					goto L24;
				}
				if(_t56 == 0) {
					goto L14;
				}
				if(_t54 == 0x1c) {
					__eflags = _a8;
					if(_a8 == 0) {
						 *((intOrPtr*)(_t55 + 0x288)) = GetFocus();
					} else {
						PostMessageA( *(__ecx + 0x108), 0x41c, 0, 0); // executed
					}
					goto L24;
				}
				if(_t54 == 0x7b) {
					_t38 =  *((intOrPtr*)(__ecx + 0x290));
					_t51 = _a8;
					__eflags = _a8 -  *((intOrPtr*)(_t38 + 0x190));
					if(_a8 ==  *((intOrPtr*)(_t38 + 0x190))) {
						E00404440(__ecx, _t51);
					}
					goto L24;
				}
				if(_t54 == 0x113) {
					_t41 = __ecx + 0x290;
					_t53 =  *(__ecx + 0x290) + 0x87c;
					__eflags =  *_t53;
					if( *_t53 != 0) {
						 *_t53 =  *_t53 & 0x00000000;
						E004066BE( *_t41, _t53);
					}
					goto L24;
				}
				if(_t54 != 0x402) {
					goto L24;
				} else {
					 *(__ecx + 0x174) =  *(__ecx + 0x174) & 0x00000000;
					E00404020(_t54, __ecx);
					goto L23;
				}
			}

0x00405108
0x0040510e
0x00405116
0x00405118
0x0040511a
0x004051d2
0x004051d2
0x004051d7
0x00405213
0x00405218
0x0040521a
0x0040521f
0x0040521f
0x00405227
0x00405236
0x00405236
0x0040524d
0x0040524d
0x004051d9
0x004051d9
0x004051dc
0x004051f7
0x004051f9
0x004051c7
0x004051c9
0x00000000
0x004051c9
0x00405201
0x00405208
0x00000000
0x00000000
0x0040520c
0x00000000
0x0040520c
0x004051de
0x004051e1
0x004051e9
0x004051e9
0x00000000
0x004051e1
0x00405120
0x00000000
0x00000000
0x00405129
0x0040519f
0x004051a2
0x004051bf
0x004051a4
0x004051b1
0x004051b1
0x00000000
0x004051a2
0x0040512e
0x0040517c
0x00405182
0x00405185
0x0040518b
0x00405193
0x00405193
0x00000000
0x0040518b
0x00405136
0x00405156
0x0040515e
0x00405164
0x00405167
0x0040516d
0x00405172
0x00405172
0x00000000
0x00405167
0x0040513e
0x00000000
0x00405144
0x00405144
0x0040514c
0x00000000
0x0040514c

APIs

PostMessageA.USER32 ref: 004051B1

Part of subcall function 00404020: sprintf.MSVCRT ref: 0040404A
Part of subcall function 00404020: sprintf.MSVCRT ref: 00404074

SetFocus.USER32(?), ref: 004051E9

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: sprintf$FocusMessagePost
String ID:
API String ID: 1237675211-0
Opcode ID: 5da913d7ac876365127fe555b7165ea9638fa46120996a214cbb2d1a5a90a135
Instruction ID: 39ef1a041ae1b5f2144299f5d89d8638fb1484d53cc0abbde19ca4bcf46c7c55
Opcode Fuzzy Hash: 5da913d7ac876365127fe555b7165ea9638fa46120996a214cbb2d1a5a90a135
Instruction Fuzzy Hash: 5931C635210A049BC7247A78C948BAB37A1EFA4314F10047FE6167B6D1CB3C9C419E6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040B452 Relevance: 4.5, APIs: 3, Instructions: 17
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B452(void* __eax) {
				void* __esi;
				void* _t6;
				int _t7;
				void* _t9;

				_t9 = __eax;
				E004062A6(__eax);
				_t6 = LoadIconA(GetModuleHandleA(0), 0x66); // executed
				_t7 = ImageList_ReplaceIcon( *(_t9 + 0x198), 0, _t6); // executed
				if( *((intOrPtr*)(_t9 + 0x1c4)) != 0) {
					return E004063D1(_t9);
				}
				return _t7;
			}

0x0040b453
0x0040b455
0x0040b465
0x0040b474
0x0040b481
0x00000000
0x0040b483
0x0040b489

APIs

Part of subcall function 004062A6: ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000000,?), ref: 004062C9
Part of subcall function 004062A6: ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 004062D7
Part of subcall function 004062A6: SendMessageA.USER32(?,00001003,00000001,?), ref: 004062E9
Part of subcall function 004062A6: ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001,00000000,?), ref: 00406302
Part of subcall function 004062A6: ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00406310
Part of subcall function 004062A6: SendMessageA.USER32(?,00001003,00000000,?), ref: 00406322
Part of subcall function 004062A6: GetModuleHandleA.KERNEL32(00000010,00000010,00000019,00000001,00000001,00000000,?), ref: 00406333
Part of subcall function 004062A6: GetModuleHandleA.KERNEL32(00000000), ref: 00406343
Part of subcall function 004062A6: LoadImageA.USER32 ref: 0040635A
Part of subcall function 004062A6: GetModuleHandleA.KERNEL32(00000000), ref: 00406362
Part of subcall function 004062A6: LoadImageA.USER32 ref: 00406375
Part of subcall function 004062A6: ImageList_SetImageCount.COMCTL32(?,00000000), ref: 00406381
Part of subcall function 004062A6: GetSysColor.USER32(0000000F), ref: 00406385
Part of subcall function 004062A6: ImageList_AddMasked.COMCTL32(?,00000001,00000000), ref: 0040639E
Part of subcall function 004062A6: ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 004063A8
Part of subcall function 004062A6: DeleteObject.GDI32(?), ref: 004063B4
Part of subcall function 004062A6: DeleteObject.GDI32(00000000), ref: 004063B7

GetModuleHandleA.KERNEL32(00000000,?,004049A5,00000000,00000001), ref: 0040B45C
LoadIconA.USER32(00000000,00000066), ref: 0040B465
ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 0040B474

Part of subcall function 004063D1: ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000004,00000001,00000000,0040B488), ref: 004063F0
Part of subcall function 004063D1: ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 004063FF
Part of subcall function 004063D1: ImageList_AddMasked.COMCTL32(?,00000000,?), ref: 00406420
Part of subcall function 004063D1: ImageList_AddMasked.COMCTL32(?,00000000,?), ref: 00406434
Part of subcall function 004063D1: SendMessageA.USER32(?,00001003,00000002,?), ref: 00406449

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Image$List_$CountHandleMaskedModule$CreateLoadMessageSend$DeleteIconObject$ColorReplace
String ID:
API String ID: 1621792927-0
Opcode ID: da9844ca0ba146859d01c0b230f5acecf7462ef5641570e4e8e5a36020338564
Instruction ID: cb29005802ab213a12419ec21d94c9512647165d00ca8a51e2cbb4a74ff12b24
Opcode Fuzzy Hash: da9844ca0ba146859d01c0b230f5acecf7462ef5641570e4e8e5a36020338564
Instruction Fuzzy Hash: 0BD05E31444210ABE6703BB4FD0EFCA3659AB04311F01047AF606B54E1CBB958948668

Uniqueness

Uniqueness Score: -1.00%

Function 00401F0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401F0A(int __eax, void* __ecx, char* __esi, void* _a4, char _a8) {
				int _v8;
				int _v12;
				long _t12;

				_v8 = __eax;
				_t4 =  &_a8; // 0x402164
				_t12 = RegQueryValueExA(_a4,  *_t4, 0,  &_v12, __esi,  &_v8); // executed
				if(_t12 == 0) {
					 *(_v8 + __esi - 1) = _t12;
					return _t12;
				}
				return _t12;
			}

0x00401f0f
0x00401f1d
0x00401f23
0x00401f2b
0x00401f30
0x00000000
0x00401f30
0x00401f35

APIs

RegQueryValueExA.KERNELBASE(?,d!@,00000000,?,?,000003FF,?,?,?,00402164,?,000003FF,000003FF), ref: 00401F23

Strings

d!@, xrefs: 00401F1D

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: QueryValue
String ID: d!@
API String ID: 3660427363-1255992989
Opcode ID: 7dbbef57c1e06dd486a3d0535f27dfad0d7df95b8f11c36d8141193ac136d34d
Instruction ID: ab836887f28d53c15001e4a0fd2480bc6afb191a597140aa7bfd751029efc1b5
Opcode Fuzzy Hash: 7dbbef57c1e06dd486a3d0535f27dfad0d7df95b8f11c36d8141193ac136d34d
Instruction Fuzzy Hash: 84E0B675505208BADF11CB90DD01EEE7BBCEB04644F1041A9B901A6151E672AB059B64

Uniqueness

Uniqueness Score: -1.00%

Function 00409396 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409396(char _a4) {
				long _t4;

				_t1 =  &_a4; // 0x407de3, executed
				_t4 = GetFileAttributesA( *_t1); // executed
				return 0 | _t4 != 0xffffffff;
			}

0x00409396
0x0040939a
0x004093aa

APIs

GetFileAttributesA.KERNELBASE(}@,0040791C,00000000,?,00407DE3), ref: 0040939A

Strings

}@, xrefs: 00409396

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: AttributesFile
String ID: }@
API String ID: 3188754299-142398135
Opcode ID: 4a9406b6a1f673c38b210abde541ecdde58844cac8b02e254dd3267c38294842
Instruction ID: 3efb14ddee2388d2957894822ef5ae626d6f552a82693211c1f6ed8afbd6af18
Opcode Fuzzy Hash: 4a9406b6a1f673c38b210abde541ecdde58844cac8b02e254dd3267c38294842
Instruction Fuzzy Hash: DEB012752210008BCB1807349D5904D35507F44631720073DB033D14F0E730CC60FA00

Uniqueness

Uniqueness Score: -1.00%

Function 00409E38 Relevance: 3.0, APIs: 2, Instructions: 23
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409E38(signed int __eax, struct HWND__* _a4, intOrPtr _a8) {
				signed int _t5;
				long _t6;
				long _t7;
				signed int _t8;

				_t8 = __eax;
				_t5 = SendMessageA(_a4, 0x1037, 0, 0);
				if(_a8 == 0) {
					_t6 = _t5 &  !_t8;
				} else {
					_t6 = _t5 | _t8;
				}
				_t7 = SendMessageA(_a4, 0x1036, 0, _t6); // executed
				return _t7;
			}

0x00409e4d
0x00409e4f
0x00409e56
0x00409e5e
0x00409e58
0x00409e58
0x00409e58
0x00409e6c
0x00409e70

APIs

SendMessageA.USER32(?,00001037,00000000,00000000), ref: 00409E4F
SendMessageA.USER32(?,00001036,00000000,00000000), ref: 00409E6C

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 641253b7e1eeb101a1e09a135542526accfabee5e346ded97b1cc29f82893c4d
Instruction ID: b331cb060716864cd7a742bf2e802c7139fd2011c295487df5d51733bbda92d3
Opcode Fuzzy Hash: 641253b7e1eeb101a1e09a135542526accfabee5e346ded97b1cc29f82893c4d
Instruction Fuzzy Hash: BDE02B36BC435076E5318A15EC05F9B7E99E7D4BE0F240436B280B61E1C2F49C86C7D8

Uniqueness

Uniqueness Score: -1.00%

Function 00401FF1 Relevance: 3.0, APIs: 2, Instructions: 23timeCOMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0040200B
___crtGetTimeFormatEx.LIBCMT ref: 00402020

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: FormatPrivateProfileStringTimeWrite___crt
String ID:
API String ID: 1420052194-0
Opcode ID: ef90ee35996496e51417851c6fe9cfc7fa3389d6f4f48c09103f0480ebf01405
Instruction ID: 08f568e0aab9429a05310f9470ca6de1b51ed1551e68cd2036e7856e37d01f6b
Opcode Fuzzy Hash: ef90ee35996496e51417851c6fe9cfc7fa3389d6f4f48c09103f0480ebf01405
Instruction Fuzzy Hash: 05E0ED3A00020DBBCF119F90DD04E963B69AB48304F54C465BA08590A2D777C666EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D722 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0040D722(void* __eax) {
				int _t5;
				struct HWND__** _t6;

				_t6 = __eax + 0x108;
				if( *((intOrPtr*)(__eax + 0x14c)) != 3) {
					_push(5);
				} else {
					_push(3);
				}
				ShowWindow( *_t6, ??); // executed
				_t5 = UpdateWindow( *_t6); // executed
				return _t5;
			}

0x0040d72a
0x0040d730
0x0040d736
0x0040d732
0x0040d732
0x0040d732
0x0040d73a
0x0040d742
0x0040d749

APIs

ShowWindow.USER32(?,00000005,?,00404F42,/deleteregkey,/savelangfile,?,?,?,00000000), ref: 0040D73A
KiUserCallbackDispatcher.NTDLL(?), ref: 0040D742

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: CallbackDispatcherShowUserWindow
String ID:
API String ID: 82835404-0
Opcode ID: c171b60c3a786ecbc27896c6c711e64ce8f1472cd6f63de75d0c763b6d2cb475
Instruction ID: 44fe3e4b903ec0d2a0a21ed3ca86e14094ac3ef84b81a3df52c0b5a67a95a5cb
Opcode Fuzzy Hash: c171b60c3a786ecbc27896c6c711e64ce8f1472cd6f63de75d0c763b6d2cb475
Instruction Fuzzy Hash: 87D09235845110EADA719F40ED1CAD576A4EB20342F1200B6F1857A0B8967219499E86

Uniqueness

Uniqueness Score: -1.00%

Function 00409923 Relevance: 3.0, APIs: 2, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409923() {
				void* _t2;

				_t2 = LoadImageA(GetModuleHandleA(0), 0x68, 0, 0, 0, 0x9060); // executed
				return _t2;
			}

0x00409939
0x0040993f

APIs

GetModuleHandleA.KERNEL32(00000000,0040492D,?,00000008,00000010,00000010,00000070,00000010,00000014), ref: 00409925
LoadImageA.USER32 ref: 00409939

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: HandleImageLoadModule
String ID:
API String ID: 2603579926-0
Opcode ID: aa446924e9ae46ff8ed199e72f09be8f861c39595815cd31f4e19c36ee667997
Instruction ID: 12486bb556b26b266545ceb203e5ee89eb66b0891fb66153bfd4dacf567af68d
Opcode Fuzzy Hash: aa446924e9ae46ff8ed199e72f09be8f861c39595815cd31f4e19c36ee667997
Instruction Fuzzy Hash: EBC092787C4300BAFDB067A1AE0FF0425285714F02F200470B705BC4D18AF12018C61C

Uniqueness

Uniqueness Score: -1.00%

Function 0040D5FD Relevance: 3.0, APIs: 2, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D5FD(intOrPtr _a4) {
				struct HACCEL__* _t4;

				_t4 = LoadAcceleratorsA(GetModuleHandleA(0), 0x67); // executed
				 *(_a4 + 0x120) = _t4;
				return _t4;
			}

0x0040d608
0x0040d612
0x0040d618

APIs

GetModuleHandleA.KERNEL32(00000000,00404F4A,?,/deleteregkey,/savelangfile,?,?,?,00000000), ref: 0040D5FF
LoadAcceleratorsA.USER32 ref: 0040D608

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: AcceleratorsHandleLoadModule
String ID:
API String ID: 3304241783-0
Opcode ID: a62cdd0d74553a51bdc35f2366d323287b22b6b79ec08d58a6963bedb7714514
Instruction ID: 7f64b0a10c24d88ab377ff8321fa22cdfb245feee9d2b03632c5547b5979dabc
Opcode Fuzzy Hash: a62cdd0d74553a51bdc35f2366d323287b22b6b79ec08d58a6963bedb7714514
Instruction Fuzzy Hash: 3AC08C79108200DBC2109B60DA0CB4536A4AB58702F008038BA499A281CB720810CA18

Uniqueness

Uniqueness Score: -1.00%

Function 0040A171 Relevance: 1.5, APIs: 1, Instructions: 29
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A171(intOrPtr* __eax, void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				intOrPtr* _t18;
				long _t20;
				intOrPtr _t25;
				void* _t26;

				_t18 = __eax;
				_v36 = __ecx;
				_v28 = _a16;
				_v32 = _a12;
				_v24 = __eax;
				if(__eax != 0) {
					_t26 = __eax + 1;
					do {
						_t25 =  *_t18;
						_t18 = _t18 + 1;
					} while (_t25 != 0);
					_v20 = _t18 - _t26;
				}
				_v16 = _v16 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_t20 = SendMessageA(_a4, 0x101b, _a8,  &_v36); // executed
				return _t20;
			}

0x0040a171
0x0040a179
0x0040a17f
0x0040a185
0x0040a188
0x0040a18b
0x0040a18d
0x0040a190
0x0040a190
0x0040a192
0x0040a193
0x0040a199
0x0040a199
0x0040a19c
0x0040a1a0
0x0040a1a4
0x0040a1b7
0x0040a1be

APIs

SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 0040A1B7

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4a646dd824a1434e92fbf119822c7a6e55d9768b2b3cb61e16bb407f86eeeb03
Instruction ID: d8c8eb49a35bd4b0650a41503097de75dc46ccd38f86cbb98d38e45381fc3db8
Opcode Fuzzy Hash: 4a646dd824a1434e92fbf119822c7a6e55d9768b2b3cb61e16bb407f86eeeb03
Instruction Fuzzy Hash: 91F017B4C0020AAFDF05CF95D954BEEBBF5BF08305F008069E854A6290E7788615CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00402134 Relevance: 1.5, APIs: 1, Instructions: 29
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402134(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				void* _v8;
				void* __ecx;
				void* _t12;
				void* _t14;
				void* _t18;

				_push(_t14);
				_t18 = 0;
				if(E00401F5D(_a4, _a8,  &_v8, 0x20019) == 0) {
					_t12 = E00401F0A(_a16, _t14, __esi, _v8, _a12); // executed
					if(_t12 == 0) {
						_t18 = 1;
					}
					RegCloseKey(_v8); // executed
				}
				return _t18;
			}

0x00402137
0x00402145
0x00402154
0x0040215f
0x00402168
0x0040216a
0x0040216a
0x0040216e
0x0040216e
0x00402178

APIs

Part of subcall function 00401F5D: RegOpenKeyExA.KERNELBASE(00000000,00000000,00000000,00000000,?,0040214F,?,?,?,00020019,?,?,?,004019BF,80000000,http\shell\open\command), ref: 00401F6F

Part of subcall function 00401F0A: RegQueryValueExA.KERNELBASE(?,d!@,00000000,?,?,000003FF,?,?,?,00402164,?,000003FF,000003FF), ref: 00401F23

RegCloseKey.KERNELBASE(?,000003FF), ref: 0040216E

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 39ef9214a4bbc39a589c3ac41ff62d875ea33cbdb3ba3aad493ef93dd6797a57
Instruction ID: 42db503181f7d11c8ccf5e1327975531709675a0c196322be2aabd5e4b029017
Opcode Fuzzy Hash: 39ef9214a4bbc39a589c3ac41ff62d875ea33cbdb3ba3aad493ef93dd6797a57
Instruction Fuzzy Hash: 12E06D71600209BBEF119F56DE0AC9F7BB9EB84318B100075FE04A51A1E771DE10A614

Uniqueness

Uniqueness Score: -1.00%

Function 00402179 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntA.KERNEL32 ref: 004021A0

Part of subcall function 00401F93: memset.MSVCRT ref: 00401FB1
Part of subcall function 00401F93: _itoa.MSVCRT ref: 00401FC8
Part of subcall function 00401F93: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 00401FD7

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: PrivateProfile$StringWrite_itoamemset
String ID:
API String ID: 4165544737-0
Opcode ID: 8a68bbf644abb5d44d60de43b5c7e1df7c55df95ee88ecdfc72f4919ea230b2d
Instruction ID: e9f89080816bc2bcc59e67a33ed3b00210a23e40ffd8dddc1828376fca90fdc3
Opcode Fuzzy Hash: 8a68bbf644abb5d44d60de43b5c7e1df7c55df95ee88ecdfc72f4919ea230b2d
Instruction Fuzzy Hash: 41E0B632000209AFCF125F90ED05AA97FA6FF04314F148469F95C14571D33295B0AB45

Uniqueness

Uniqueness Score: -1.00%

Function 00401EC5 Relevance: 1.5, APIs: 1, Instructions: 18
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401EC5(int __eax, void* _a4, int _a8, char* _a12) {
				int _v8;
				struct _FILETIME _v16;
				long _t11;

				_v8 = __eax;
				_t11 = RegEnumKeyExA(_a4, _a8, _a12,  &_v8, 0, 0, 0,  &_v16); // executed
				return _t11;
			}

0x00401ecb
0x00401ee4
0x00401eeb

APIs

RegEnumKeyExA.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?), ref: 00401EE4

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 1d2982a5234ff3ad1f2956bb5490e8e3c25f80115bc81954109239b0ffdf8a7c
Instruction ID: 2c83204679d6201717fb1a7b7ce65a81b4c6ac802224762fc8e3916444a79168
Opcode Fuzzy Hash: 1d2982a5234ff3ad1f2956bb5490e8e3c25f80115bc81954109239b0ffdf8a7c
Instruction Fuzzy Hash: 72D067B680010DFFDF01DFA0DD05CEF7BBDEB44204B008171B911D6110E631DA15ABA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409EC9 Relevance: 1.5, APIs: 1, Instructions: 16
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409EC9(intOrPtr __eax, struct HWND__* _a4, int _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v36;
				void* _v44;
				long _t13;

				_v36 = __eax;
				_v20 = _a16;
				_v24 = _a12;
				_t13 = SendMessageA(_a4, 0x102d, _a8,  &_v44); // executed
				return _t13;
			}

0x00409ecf
0x00409ed5
0x00409edb
0x00409eed
0x00409ef4

APIs

SendMessageA.USER32(?,0000102D,?,?), ref: 00409EED

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 946e5f03cb46406b8b2400ba3adca3cfef12c1d897526695cbeeadf8492f5707
Instruction ID: e433e23515aff7448425a065c2ae2b77eb2c0011313e47abc414fcfb5c7cbedb
Opcode Fuzzy Hash: 946e5f03cb46406b8b2400ba3adca3cfef12c1d897526695cbeeadf8492f5707
Instruction Fuzzy Hash: CCE02DB994120EAFCF01DFA8E9458DE7BB8BB08204F004525E915F6250E7719A558BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00409DF6 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00409DF6(struct HINSTANCE__** __eax, intOrPtr _a4) {
				void* __esi;
				intOrPtr* _t5;
				void* _t7;
				struct HINSTANCE__** _t9;

				_t9 = __eax;
				E00409DB8(__eax);
				_t5 =  *((intOrPtr*)(_t9 + 8));
				if(_t5 == 0) {
					return 0;
				}
				_t7 =  *_t5(0x41435049, 0x4d44534d, _a4, 0x400); // executed
				return _t7;
			}

0x00409df7
0x00409df9
0x00409dfe
0x00409e04
0x00000000
0x00409e1d
0x00409e19
0x00000000

APIs

Part of subcall function 00409DB8: GetModuleHandleA.KERNEL32(kernel32.dll,?,00409DFE,00020019,0040D088,?), ref: 00409DC3
Part of subcall function 00409DB8: GetProcAddress.KERNEL32(00000000,EnumSystemFirmwareTables), ref: 00409DD7
Part of subcall function 00409DB8: GetProcAddress.KERNEL32(?,GetSystemFirmwareTable), ref: 00409DE3

GetSystemFirmwareTable.KERNELBASE(41435049,4D44534D,0040D088,00000400,0040D088,?), ref: 00409E19

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: AddressProc$FirmwareHandleModuleSystemTable
String ID:
API String ID: 227725366-0
Opcode ID: 1714beba3eaf873f253e8b80d92f3b7143881c772c5b757661562748ad53d5c8
Instruction ID: 95a429a6300d35b589037232fcc7258777f47fce88d18a24066592b89bc846dc
Opcode Fuzzy Hash: 1714beba3eaf873f253e8b80d92f3b7143881c772c5b757661562748ad53d5c8
Instruction Fuzzy Hash: 17D02271205210B6D60091B1CC02E8B92D84FC4300F048C3A7210F21C3D378DC602BDC

Uniqueness

Uniqueness Score: -1.00%

Function 0040A208 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A208(intOrPtr __eax, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v48;
				long _t10;

				_v32 = __eax;
				_v36 = _a12;
				_t10 = SendMessageA(_a4, 0x102b, _a8,  &_v48); // executed
				return _t10;
			}

0x0040a20e
0x0040a214
0x0040a226
0x0040a22d

APIs

SendMessageA.USER32(00000000,0000102B,000000FF,?), ref: 0040A226

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6a97b007e9e75faf7fa9d058f0f925b2cab3dae633f5c586ea8645b932cc2d2c
Instruction ID: 16507cf1ae40ea50913097fe49752bf7251f07d0266011d533b2402de74a8a23
Opcode Fuzzy Hash: 6a97b007e9e75faf7fa9d058f0f925b2cab3dae633f5c586ea8645b932cc2d2c
Instruction Fuzzy Hash: 7CD0927994020DAFCF01AFA9EC458DE7BB8FB08304F008135F915E6250E771D5568FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401EEC Relevance: 1.5, APIs: 1, Instructions: 13
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401EEC(void* __ecx, void* _a4, char* _a8, char* _a12, int* _a16) {
				int _v8;
				long _t7;

				_t7 = RegQueryValueExA(_a4, _a8, 0,  &_v8, _a12, _a16); // executed
				return _t7;
			}

0x00401f02
0x00401f09

APIs

RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?), ref: 00401F02

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f1e049ac91f55d9db44804a0c7744853d86a365aca791268e7cd08e790d99e9b
Instruction ID: 149b854331e5da3576aec0a549c73aa4df8f9bf2fc405360c7fc02885dfe43db
Opcode Fuzzy Hash: f1e049ac91f55d9db44804a0c7744853d86a365aca791268e7cd08e790d99e9b
Instruction Fuzzy Hash: E3D0C93110020EBFDF028F80DD05E9A3B69FB04244F004020BA0465060D272EA21AB64

Uniqueness

Uniqueness Score: -1.00%

Function 00403870 Relevance: 1.5, APIs: 1, Instructions: 9
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403870(void* __eax) {
				int _t4;

				 *((intOrPtr*)(__eax + 0x178)) = 1;
				_t4 = SetTimer( *(__eax + 0x108), 1, 0x3e8, 0); // executed
				return _t4;
			}

0x00403881
0x00403887
0x0040388d

APIs

SetTimer.USER32(?,00000001,000003E8,00000000), ref: 00403887

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: e83bd4fbf6b4463496155961242e57436beb69a18681abf906d81b9ad5a44fe9
Instruction ID: a0726496f4722c18b9340672b1a90b5104f2d2f548739068a324c895f556545c
Opcode Fuzzy Hash: e83bd4fbf6b4463496155961242e57436beb69a18681abf906d81b9ad5a44fe9
Instruction Fuzzy Hash: 69C04C706943409FEE994B20CA4FFB53574D710702F4501BEA18E591E19DB154408900

Uniqueness

Uniqueness Score: -1.00%

Function 00401F5D Relevance: 1.5, APIs: 1, Instructions: 7
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401F5D(void* _a4, char* _a8, void** _a12, int _a16) {
				long _t5;

				_t5 = RegOpenKeyExA(_a4, _a8, 0, _a16, _a12); // executed
				return _t5;
			}

0x00401f6f
0x00401f75

APIs

RegOpenKeyExA.KERNELBASE(00000000,00000000,00000000,00000000,?,0040214F,?,?,?,00020019,?,?,?,004019BF,80000000,http\shell\open\command), ref: 00401F6F

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 7989f145f92a336114807b4751515da6ed361536bfb9fd55c28d22adbfda428a
Instruction ID: 47fe800b6052ed67d00124f192e898e6da7d96f50201a3ad7b56d723bd74c210
Opcode Fuzzy Hash: 7989f145f92a336114807b4751515da6ed361536bfb9fd55c28d22adbfda428a
Instruction Fuzzy Hash: 2BC00C75548201AFDE129F51EF05B0ABBA2BBC5B11F104868B2956447186729828EB27

Uniqueness

Uniqueness Score: -1.00%

Function 00408C45 Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408C45(struct HWND__* _a4, int _a8) {
				long _t3;

				_t3 = SendMessageA(_a4, 0xb, _a8, 0); // executed
				return _t3;
			}

0x00408c51
0x00408c57

APIs

SendMessageA.USER32(?,0000000B,?,00000000), ref: 00408C51

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 37910b6323c2cb4ea90511e40d6aea8b3f1677ff3672a4f0db04ec05884eefdf
Instruction ID: aedddd97314f06e05f0d123828412265e791970771d7f135517dc88052aa2e9f
Opcode Fuzzy Hash: 37910b6323c2cb4ea90511e40d6aea8b3f1677ff3672a4f0db04ec05884eefdf
Instruction Fuzzy Hash: 61B012381C4300BFDE324F40DD05F0A7B62BBC0700F008C78B250640F083724014DB09

Uniqueness

Uniqueness Score: -1.00%

Function 0040D83B Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D83B(void* __ecx, int _a4, int _a8, long _a12) {
				long _t5;

				_t5 = DefWindowProcA( *(__ecx + 0x108), _a4, _a8, _a12); // executed
				return _t5;
			}

0x0040d84d
0x0040d853

APIs

DefWindowProcA.USER32(?,?,?,?,0040D996,?,?,?), ref: 0040D84D

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: ProcWindow
String ID:
API String ID: 181713994-0
Opcode ID: 6eebf7aca66c2fa0f51cf01e8272ef7946687bd8ae81690e2175f24bc8418977
Instruction ID: 8b9909e8b875f4162d5b4d933cec06c2fc5f9b70b481239f90607cd75c446504
Opcode Fuzzy Hash: 6eebf7aca66c2fa0f51cf01e8272ef7946687bd8ae81690e2175f24bc8418977
Instruction Fuzzy Hash: FEC0483A008200FFCA024B80CD08D4ABBA2ABA8320F00C87CB2A84403187338062EB02

Uniqueness

Uniqueness Score: -1.00%

Function 0040D62E Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D62E(void* __eax, int _a4) {
				int _t4;

				_t4 = PostMessageA( *(__eax + 0x108), _a4, 0, 0); // executed
				return _t4;
			}

0x0040d63c
0x0040d642

APIs

PostMessageA.USER32 ref: 0040D63C

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 37c24b1380eb569a964a4ca75b7a0b85f4689a6e26b70cd4d130cb417451a819
Instruction ID: 0efac51e16cf544aa8701aa43e584df60bacf9e56adc6abc275013eae93ccd4c
Opcode Fuzzy Hash: 37c24b1380eb569a964a4ca75b7a0b85f4689a6e26b70cd4d130cb417451a819
Instruction Fuzzy Hash: 40B01231144200FFDA214B00CD09F457F61AB60700F21C070B3846C0F087B11464FF0C

Uniqueness

Uniqueness Score: -1.00%

Function 00409370 Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409370(CHAR* _a4) {
				long _t2;

				_t2 = GetModuleFileNameA(0, _a4, 0x104); // executed
				return _t2;
			}

0x0040937b
0x00409381

APIs

GetModuleFileNameA.KERNELBASE(00000000,?,00000104,00407D89,00000000,74714DE0,?,00407DD8), ref: 0040937B

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 366bbf10f02cd4765a263b556c1eb370cde5645851f33f2e8979308c14decca0
Instruction ID: c2208a7898666418c09ee92196ca5ebccbfeb6c30a7520eab7f044036f1f00c6
Opcode Fuzzy Hash: 366bbf10f02cd4765a263b556c1eb370cde5645851f33f2e8979308c14decca0
Instruction Fuzzy Hash: 6EA0247014C30077DD004750CD05F443F505740701F004030F34C544F0C1F000C4C701

Uniqueness

Uniqueness Score: -1.00%

Function 0040D65F Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D65F(void* __eax) {
				int _t4;

				_t4 = SetMenu( *(__eax + 0x108),  *(__eax + 0x11c)); // executed
				return _t4;
			}

0x0040d66b
0x0040d671

APIs

KiUserCallbackDispatcher.NTDLL(?,?,004048E5), ref: 0040D66B

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6c31237deb0ed68a55961fe4111bcecc944de7b324785ca608ed5bc27cbfb90c
Instruction ID: cd96e9ca0aab6b55f5e24d9c1a3e61bf1fc22d95bd1e4faa5fd2e34ab30e5fe4
Opcode Fuzzy Hash: 6c31237deb0ed68a55961fe4111bcecc944de7b324785ca608ed5bc27cbfb90c
Instruction Fuzzy Hash: 0CB001364440049FDE569B50DE0DEE43AA2BB55301F1A40F4A6995A4328B7204A6EB44

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401ACF Relevance: 38.6, APIs: 11, Strings: 11, Instructions: 75
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401ACF() {
				struct HINSTANCE__* _t1;
				_Unknown_base(*)()* _t13;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;

				_t1 = LoadLibraryA("advapi32.dll");
				 *0x412b20 = _t1;
				if(_t1 == 0) {
					L11:
					return 1;
				} else {
					 *0x412b24 = GetProcAddress(_t1, "OpenSCManagerA");
					 *0x412b28 = GetProcAddress( *0x412b20, "OpenServiceA");
					 *0x412b2c = GetProcAddress( *0x412b20, "ChangeServiceConfigA");
					 *0x412b30 = GetProcAddress( *0x412b20, "CloseServiceHandle");
					 *0x412b34 = GetProcAddress( *0x412b20, "QueryServiceConfigA");
					 *0x412b38 = GetProcAddress( *0x412b20, "QueryServiceConfig2A");
					 *0x412b3c = GetProcAddress( *0x412b20, "ControlService");
					 *0x412b40 = GetProcAddress( *0x412b20, "EnumServicesStatusA");
					 *0x412b44 = GetProcAddress( *0x412b20, "StartServiceA");
					_t13 = GetProcAddress( *0x412b20, "QueryServiceStatus");
					_t20 =  *0x412b24; // 0x0
					 *0x412b48 = _t13;
					if(_t20 == 0) {
						L10:
						return 0;
					} else {
						_t21 =  *0x412b28; // 0x0
						if(_t21 == 0) {
							goto L10;
						} else {
							_t22 =  *0x412b2c; // 0x0
							if(_t22 == 0) {
								goto L10;
							} else {
								_t23 =  *0x412b30; // 0x0
								if(_t23 == 0) {
									goto L10;
								} else {
									_t24 =  *0x412b34; // 0x0
									if(_t24 == 0) {
										goto L10;
									} else {
										_t25 =  *0x412b3c; // 0x0
										if(_t25 == 0) {
											goto L10;
										} else {
											_t26 =  *0x412b40; // 0x0
											if(_t26 == 0) {
												goto L10;
											} else {
												_t27 =  *0x412b44; // 0x0
												if(_t27 == 0 || _t13 == 0) {
													goto L10;
												} else {
													goto L11;
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x00401ad5
0x00401adf
0x00401ae4
0x00401be9
0x00401bed
0x00401aea
0x00401b04
0x00401b16
0x00401b28
0x00401b3a
0x00401b4c
0x00401b5e
0x00401b70
0x00401b82
0x00401b94
0x00401b99
0x00401b9b
0x00401ba1
0x00401ba7
0x00401be5
0x00401be8
0x00401ba9
0x00401ba9
0x00401baf
0x00000000
0x00401bb1
0x00401bb1
0x00401bb7
0x00000000
0x00401bb9
0x00401bb9
0x00401bbf
0x00000000
0x00401bc1
0x00401bc1
0x00401bc7
0x00000000
0x00401bc9
0x00401bc9
0x00401bcf
0x00000000
0x00401bd1
0x00401bd1
0x00401bd7
0x00000000
0x00401bd9
0x00401bd9
0x00401bdf
0x00000000
0x00000000
0x00000000
0x00000000
0x00401bdf
0x00401bd7
0x00401bcf
0x00401bc7
0x00401bbf
0x00401bb7
0x00401baf
0x00401ba7

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00401CCD,00401D1F,?), ref: 00401AD5
GetProcAddress.KERNEL32(00000000,OpenSCManagerA), ref: 00401AF7
GetProcAddress.KERNEL32(OpenServiceA), ref: 00401B09
GetProcAddress.KERNEL32(ChangeServiceConfigA), ref: 00401B1B
GetProcAddress.KERNEL32(CloseServiceHandle), ref: 00401B2D
GetProcAddress.KERNEL32(QueryServiceConfigA), ref: 00401B3F
GetProcAddress.KERNEL32(QueryServiceConfig2A), ref: 00401B51
GetProcAddress.KERNEL32(ControlService), ref: 00401B63
GetProcAddress.KERNEL32(EnumServicesStatusA), ref: 00401B75
GetProcAddress.KERNEL32(StartServiceA), ref: 00401B87
GetProcAddress.KERNEL32(QueryServiceStatus), ref: 00401B99

Strings

QueryServiceConfigA, xrefs: 00401B2F
EnumServicesStatusA, xrefs: 00401B65
CloseServiceHandle, xrefs: 00401B1D
ControlService, xrefs: 00401B53
ChangeServiceConfigA, xrefs: 00401B0B
QueryServiceStatus, xrefs: 00401B89
QueryServiceConfig2A, xrefs: 00401B41
StartServiceA, xrefs: 00401B77
OpenServiceA, xrefs: 00401AF9
advapi32.dll, xrefs: 00401AD0
OpenSCManagerA, xrefs: 00401AF1

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: ChangeServiceConfigA$CloseServiceHandle$ControlService$EnumServicesStatusA$OpenSCManagerA$OpenServiceA$QueryServiceConfig2A$QueryServiceConfigA$QueryServiceStatus$StartServiceA$advapi32.dll
API String ID: 2238633743-3119926377
Opcode ID: bf1bd3dfa6be9226d94423ac26b0ce1afbc649b2159dff0d93ee81f0f973e503
Instruction ID: 29ecb8122060b0810a3eae0c2f2a49010dee65feeaf817c6736d024ff6693c0c
Opcode Fuzzy Hash: bf1bd3dfa6be9226d94423ac26b0ce1afbc649b2159dff0d93ee81f0f973e503
Instruction Fuzzy Hash: 7321F878948714EACB229FA5AF945967FF2F6587143208937E404E62B0E3F974A0CF0C

Uniqueness

Uniqueness Score: -1.00%

Function 0040180A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040180A(intOrPtr _a4) {
				_Unknown_base(*)()* _t3;
				void* _t7;
				struct HINSTANCE__* _t8;

				_t7 = 0;
				_t8 = LoadLibraryA("shlwapi.dll");
				_t3 = GetProcAddress(_t8, "SHAutoComplete");
				if(_t3 != 0) {
					_t7 =  *_t3(_a4, 0x10000001);
				}
				FreeLibrary(_t8);
				return _t7;
			}

0x00401811
0x00401819
0x00401821
0x00401829
0x00401836
0x00401836
0x00401839
0x00401843

APIs

LoadLibraryA.KERNEL32(shlwapi.dll,?,775D48C0,0040E61B,00000000), ref: 00401813
GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00401821
FreeLibrary.KERNEL32(00000000,?,775D48C0,0040E61B,00000000), ref: 00401839

Strings

SHAutoComplete, xrefs: 0040181B
shlwapi.dll, xrefs: 0040180C

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SHAutoComplete$shlwapi.dll
API String ID: 145871493-1506664499
Opcode ID: 36a6584b44a98245668995b2017f28a1bd2ed28a44707be7fcb7e8d86be41feb
Instruction ID: 4ae96949a77f2b0da97fbddaa6dd0191d11c515f6cd7e720bf20bc8f9797e570
Opcode Fuzzy Hash: 36a6584b44a98245668995b2017f28a1bd2ed28a44707be7fcb7e8d86be41feb
Instruction Fuzzy Hash: 8AD02B313012206BD3305722ED08EEF2995DFD13627050031F804E2250CBB44C8AC16C

Uniqueness

Uniqueness Score: -1.00%

Function 0040867D Relevance: 3.1, APIs: 2, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040867D(void** __eax, void* __ecx) {
				signed int _v8;
				void** _v12;
				void* __esi;
				void* _t20;
				int _t21;
				void** _t22;
				void* _t29;
				void** _t31;
				void* _t35;
				void* _t36;
				void** _t42;
				void* _t43;
				void** _t45;
				void** _t48;
				void** _t49;
				void** _t50;

				_t48 = __eax;
				_t20 =  *__eax;
				if(_t20 != 0xffffffff) {
					_t21 = FindNextFileA(_t20,  &(__eax[0x52]));
					_v8 = _t21;
					if(_t21 != 0) {
						goto L5;
					} else {
						E004083DB(_t48);
						goto L4;
					}
				} else {
					_t29 = FindFirstFileA( &(__eax[1]),  &(__eax[0x52]));
					 *_t48 = _t29;
					_v8 = 0 | _t29 != 0xffffffff;
					L4:
					if(_v8 != 0) {
						L5:
						_t42 =  &(_t48[0xf3]);
						_t31 =  &(_t48[0xa2]);
						_t22 =  &(_t48[0x5d]);
						_v12 = _t42;
						_t49 =  &(_t42[0]);
						do {
							_t35 =  *_t42;
							_t42 =  &(_t42[0]);
						} while (_t35 != 0);
						_t43 = _t42 - _t49;
						_t50 = _t22;
						_t45 =  &(_t50[0]);
						do {
							_t36 =  *_t50;
							_t50 =  &(_t50[0]);
						} while (_t36 != 0);
						if(_t50 - _t45 + _t43 + 1 >= 0x143) {
							 *_t31 = 0;
						} else {
							E00409ADF(_t31, _v12, _t22);
						}
					}
				}
				return _v8;
			}

0x00408683
0x00408685
0x0040868a
0x004086b4
0x004086bc
0x004086bf
0x00000000
0x004086c1
0x004086c1
0x00000000
0x004086c1
0x0040868c
0x00408697
0x004086a5
0x004086a7
0x004086c6
0x004086ca
0x004086cc
0x004086cc
0x004086d3
0x004086d9
0x004086df
0x004086e2
0x004086e5
0x004086e5
0x004086e7
0x004086e8
0x004086ec
0x004086ee
0x004086f1
0x004086f4
0x004086f4
0x004086f6
0x004086f7
0x00408708
0x00408718
0x0040870a
0x00408710
0x00408715
0x0040871b
0x004086ca
0x00408721

APIs

FindFirstFileA.KERNEL32(?,?), ref: 00408697
FindNextFileA.KERNEL32(?,?), ref: 004086B4

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 5bcc1ea45a3f37c8921b7c6839e43af2c05acf34090211bcde2f3b7c6e544677
Instruction ID: 086f8102b2cc6972c0ce453810dbea7a9d332b2ba5458a327b9a26daa53302aa
Opcode Fuzzy Hash: 5bcc1ea45a3f37c8921b7c6839e43af2c05acf34090211bcde2f3b7c6e544677
Instruction Fuzzy Hash: 5D11B472400205DFCB25CF78D984AEBB7E8AB44310F204A7ED4DBE3280EB756A448B94

Uniqueness

Uniqueness Score: -1.00%

Function 0040455B Relevance: 1.5, APIs: 1, Instructions: 22
clipboardCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040455B(void* __ecx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				void* _t18;

				_t18 = __esi;
				_push(__ecx);
				if(E00406B4D( *((intOrPtr*)(__esi + 0x290)), __ecx, __edi, __eflags,  &_v8) != 0 && OpenClipboard( *(__esi + 0x108)) != 0) {
					E004094FE(_v8 + 0x10e);
				}
				return E004054FF( *((intOrPtr*)(_t18 + 0x290)));
			}

0x0040455b
0x0040455e
0x00404570
0x0040458b
0x00404590
0x0040459d

APIs

OpenClipboard.USER32(?), ref: 00404578

Part of subcall function 004094FE: EmptyClipboard.USER32(?,?,00404590,?), ref: 00409506
Part of subcall function 004094FE: GlobalAlloc.KERNEL32(00002000,?,?,?,?,?,00404590,?), ref: 00409529
Part of subcall function 004094FE: GlobalLock.KERNEL32 ref: 00409536
Part of subcall function 004094FE: memcpy.MSVCRT ref: 0040953F
Part of subcall function 004094FE: GlobalUnlock.KERNEL32(00000000), ref: 00409548
Part of subcall function 004094FE: SetClipboardData.USER32 ref: 00409551
Part of subcall function 004094FE: CloseClipboard.USER32 ref: 00409561

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenUnlockmemcpy
String ID:
API String ID: 1107540621-0
Opcode ID: 2031c62112e80f5e5796f680882c8a5b14734faa713b46f8e7e82ef379f4b379
Instruction ID: 02c95b43c9ba60480caf94e3eecde025093c679f28c6020ee4969b0c68e7b7b0
Opcode Fuzzy Hash: 2031c62112e80f5e5796f680882c8a5b14734faa713b46f8e7e82ef379f4b379
Instruction Fuzzy Hash: 02E0E671204609BBDB10EB6ADD85B8BB3EDAF44348F00047AB69AF2591DA78FD449718

Uniqueness

Uniqueness Score: -1.00%

Function 004092C5 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004092C5() {

				if( *0x412704 == 0) {
					0x412700->dwOSVersionInfoSize = 0x94;
					GetVersionExA(0x412700);
				}
				return 0x412700;
			}

0x004092d2
0x004092d5
0x004092df
0x004092df
0x004092e8

APIs

GetVersionExA.KERNEL32(00412700,00410500,00409B3A,0040B3B5,?,?,00403E9E,?,00000001,00000000), ref: 004092DF

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 07a6dfe9e970191e177825cff1b67b36fdf4804b08e6be314bac40c2b755cb8b
Instruction ID: 34381bf79c3577fb6e3eeede89c30b4a4b8a04c2a810ec268e6400cc11749217
Opcode Fuzzy Hash: 07a6dfe9e970191e177825cff1b67b36fdf4804b08e6be314bac40c2b755cb8b
Instruction Fuzzy Hash: 31C002355111219BD6615BD8BE08BD67698E70A335F118076E614E2291C3F80C698A9C

Uniqueness

Uniqueness Score: -1.00%

Function 004023E5 Relevance: 42.3, APIs: 21, Strings: 3, Instructions: 262
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004023E5(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, intOrPtr _a8, signed int _a12, long _a16, char* _a20, signed int _a24, signed int _a28, intOrPtr _a32, struct HDC__* _a36, int _a40, struct tagRECT _a44, intOrPtr _a48, intOrPtr _a52, char _a56, struct tagRECT _a60, intOrPtr _a64, intOrPtr _a68, char _a72, struct tagRECT _a76, intOrPtr _a80, struct tagRECT _a88, intOrPtr _a92, intOrPtr _a96, intOrPtr _a100, intOrPtr _a104, intOrPtr _a108, long _a112, struct tagSIZE _a116, struct tagRECT _a120, intOrPtr _a124, intOrPtr _a132, char _a328) {
				signed int _v0;
				struct HWND__* _v4;
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v36;
				intOrPtr _v40;
				struct HWND__* _v48;
				intOrPtr _v60;
				intOrPtr* _v64;
				struct HWND__* _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				struct HDC__* _t170;
				struct HWND__* _t172;
				signed int _t223;
				void* _t224;
				CHAR* _t229;
				signed int _t234;
				struct HWND__* _t236;
				void* _t238;
				CHAR* _t263;
				char _t267;
				intOrPtr* _t275;
				signed int _t276;
				signed int _t277;

				_t275 = __esi;
				_t277 = _t276 & 0xfffffff8;
				E0040EAD0(0x2198, __ecx);
				_a8 =  *((intOrPtr*)( *((intOrPtr*)(__esi + 0x10)) + 0x1c0));
				_t236 = GetDlgItem( *(__esi + 4), 0x3e9);
				_v4 = GetDlgItem( *(__esi + 4), 0x3e8);
				_a24 = GetWindowLongA(_t236, 0xfffffff0);
				_a12 = GetWindowLongA(_v4, 0xfffffff0);
				_a112 = GetWindowLongA(_t236, 0xffffffec);
				_a16 = GetWindowLongA(_v4, 0xffffffec);
				GetWindowRect(_t236,  &_a76);
				GetWindowRect(_v4,  &_a60);
				E004023D4(__esi,  &_a76);
				E004023D4(__esi,  &_a56);
				_t238 = _a76.left - _a68;
				_v12 = _v12 & 0x00000000;
				_a24 = _a60.left - _a52;
				_a100 = _a80 - _a72;
				_a32 = _a64 - _a56;
				_t170 = GetDC( *(__esi + 4));
				_a28 = _t170;
				if(_t170 == 0) {
					L11:
					_v0 = _v0 & 0x00000000;
					if( *((intOrPtr*)( *((intOrPtr*)(_t275 + 0x10)) + 0x1bc)) <= 0) {
						L14:
						_t172 = GetDlgItem( *(_t275 + 4), 1);
						_a16 = _t172;
						GetWindowRect(_t172,  &_a44);
						E004023D4(_t275,  &_a44);
						GetClientRect( *(_t275 + 4),  &_a120);
						GetWindowRect( *(_t275 + 4),  &_a88);
						SetWindowPos( *(_t275 + 4), 0, 0, 0, _a96 - _a88.left + 1, _a124 - _a132 - _a44.left - _a92 + _a52 + _a100 + _v8 + 0x15, 0x206);
						GetClientRect( *(_t275 + 4),  &_a88);
						return SetWindowPos(_a12, 0, _a40, _a44.left - _a52 - _a92 + _a100 - 5, _a48 - _a40 + 1, _a52 - _a44.left + 1, 0x204);
					}
					_a24 = _a24 | 0x10000000;
					_a12 = _a12 | 0x10000000;
					_a4 = _a8 + 0x10;
					do {
						 *((intOrPtr*)( *_t275 + 0x1c))(_v0);
						_v16 = E0040DAE9(_t275, _a108, "STATIC", _a20, _a72, _v8 + _a76.left, _t238, _a104);
						_v60 = E0040DAE9(_t275, _v20, "EDIT", _v24, _a24, _v40 + _a28, _v4,  *(_t275 + 0x14) * _a4);
						sprintf( &_a72, "%s:",  *_v64);
						_t277 = _t277 + 0xc;
						SetWindowTextA(_v48,  &_a72);
						SetWindowTextA(_v68,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t275 + 0xc))))))(_v68,  &_a328));
						_v72 = _v72 + 0x14;
						_v80 = _v80 +  *(_t275 + 0x14) * _v36 +  *((intOrPtr*)(_t275 + 0x18));
						_v76 = _v76 + 1;
					} while (_v76 <  *((intOrPtr*)( *((intOrPtr*)(_t275 + 0x10)) + 0x1bc)));
					goto L14;
				}
				_t223 = 0;
				_a28 = _a28 & 0;
				_a4 = 0;
				if( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x10)) + 0x1bc)) <= 0) {
					L10:
					_t224 = _t223 - _t238;
					_a32 = _a32 - _t224;
					_a60.left = _a60.left + _t224;
					_t238 = _t238 + _t224;
					ReleaseDC( *(_t275 + 4), _a36);
					goto L11;
				}
				_v0 = _a8 + 0x10;
				do {
					_t263 =  *_v0;
					_t229 = _t263;
					_a20 =  &(_t229[1]);
					do {
						_t267 =  *_t229;
						_t229 =  &(_t229[1]);
					} while (_t267 != 0);
					if(GetTextExtentPoint32A(_a36, _t263, _t229 - _a20,  &_a116) != 0) {
						_t234 = _a100 + 0xa;
						if(_t234 > _v12) {
							_v12 = _t234;
						}
					}
					_a12 =  &(_a12->i);
					_v16 = _v16 + 0x14;
				} while (_a12 <  *((intOrPtr*)( *((intOrPtr*)(_t275 + 0x10)) + 0x1bc)));
				_t223 = _v12;
				goto L10;
			}

0x004023e5
0x004023e8
0x004023f0
0x0040240e
0x0040241c
0x00402429
0x00402435
0x0040243e
0x0040244a
0x00402459
0x00402463
0x0040246e
0x00402477
0x00402483
0x00402497
0x0040249b
0x004024a0
0x004024ac
0x004024b8
0x004024bc
0x004024c4
0x004024c8
0x00402569
0x0040256c
0x00402578
0x00402684
0x00402689
0x00402695
0x00402699
0x004026a2
0x004026b8
0x004026c2
0x00402708
0x00402712
0x00402754
0x00402754
0x00402589
0x0040259a
0x0040259e
0x004025a2
0x004025aa
0x004025db
0x0040260a
0x00402621
0x00402626
0x00402635
0x00402653
0x00402664
0x00402669
0x0040266d
0x00402678
0x00000000
0x004025a2
0x004024d1
0x004024d3
0x004024dd
0x004024e1
0x00402550
0x00402554
0x00402559
0x0040255d
0x00402561
0x00402563
0x00000000
0x00402563
0x004024ea
0x004024ee
0x004024f2
0x004024f4
0x004024f9
0x004024fd
0x004024fd
0x004024ff
0x00402500
0x0040251e
0x00402527
0x0040252e
0x00402530
0x00402530
0x0040252e
0x00402534
0x0040253f
0x00402544
0x0040254c
0x00000000

APIs

GetDlgItem.USER32 ref: 00402412
GetDlgItem.USER32 ref: 0040241E
GetWindowLongA.USER32 ref: 0040242D
GetWindowLongA.USER32 ref: 00402439
GetWindowLongA.USER32 ref: 00402442
GetWindowLongA.USER32 ref: 00402451
GetWindowRect.USER32 ref: 00402463
GetWindowRect.USER32 ref: 0040246E
GetDC.USER32(?), ref: 004024BC
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 00402516
ReleaseDC.USER32 ref: 00402563
sprintf.MSVCRT ref: 00402621
SetWindowTextA.USER32(?,?), ref: 00402635
SetWindowTextA.USER32(?,00000000), ref: 00402653
GetDlgItem.USER32 ref: 00402689
GetWindowRect.USER32 ref: 00402699
GetClientRect.USER32 ref: 004026B8
GetWindowRect.USER32 ref: 004026C2
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00402708
GetClientRect.USER32 ref: 00402712
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0040274D

Strings

EDIT, xrefs: 004025FB
%s:, xrefs: 0040261B
STATIC, xrefs: 004025C5

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Window$Rect$Long$ItemText$Client$ExtentPoint32Releasesprintf
String ID: %s:$EDIT$STATIC
API String ID: 2417084822-3046471546
Opcode ID: e4ee7dc6c116e34781058ab9e6c655eb5266348201ca296e9373e0718df351e7
Instruction ID: b26deb6e0db11c0c99bdd80cc40bad539230ac6ca156b2682db7e00d63175fce
Opcode Fuzzy Hash: e4ee7dc6c116e34781058ab9e6c655eb5266348201ca296e9373e0718df351e7
Instruction Fuzzy Hash: C0B1DE71108341AFD720DF68C985A6BBBE9FB88314F004A2EF599D32A1DB75E944CF16

Uniqueness

Uniqueness Score: -1.00%

Function 0040C34D Relevance: 35.1, APIs: 14, Strings: 6, Instructions: 146
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C34D(void* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				void* _v8;
				void _v315;
				char _v316;
				void* __ebx;
				void* _t66;
				void* _t83;

				_t83 = __ecx;
				_v316 = 0;
				memset( &_v315, 0, 0x12b);
				sprintf( &_v316, "%s\\Registration", _a12);
				if(RegOpenKeyExA(_a8,  &_v316, 0, 0x20019,  &_v8) == 0) {
					E0040BF30(_a4, E00407C3F(0x898), _v8);
					RegCloseKey(_v8);
				}
				sprintf( &_v316, "%s\\ProductID", _a12);
				if(RegOpenKeyExA(_a8,  &_v316, 0, 0x20019,  &_v8) == 0) {
					E0040BF30(_a4, E00407C3F(0x898), _v8);
					RegCloseKey(_v8);
				}
				sprintf( &_v316, "%s\\Tools\\Setup", _a12);
				if(RegOpenKeyExA(_a8,  &_v316, 0, 0x20019,  &_v8) == 0) {
					E0040B8BD(_t83, _a4, E00407C3F(0x898), _v8, "ProductID", _v8, "DigitalProductID", 4, 0x40f469, 0x40f469, 0x40f469, 1);
					RegCloseKey(_v8);
				}
				sprintf( &_v316, "%s\\Setup", _a12);
				if(RegOpenKeyExA(_a8,  &_v316, 0, 0x20019,  &_v8) == 0) {
					E0040B8BD(_t83, _a4, E00407C3F(0x898), _v8, "ProductID", _v8, "DigitalProductID", 4, 0x40f469, 0x40f469, 0x40f469, 1);
					RegCloseKey(_v8);
				}
				_t66 = E00401F5D(_a8, _a12,  &_v8, 0x20019);
				if(_t66 == 0) {
					E0040BF30(_a4, E00407C3F(0x898), _v8);
					return RegCloseKey(_v8);
				}
				return _t66;
			}

0x0040c34d
0x0040c367
0x0040c36e
0x0040c385
0x0040c3b7
0x0040c3c5
0x0040c3cd
0x0040c3cd
0x0040c3de
0x0040c3ff
0x0040c40d
0x0040c415
0x0040c415
0x0040c426
0x0040c44c
0x0040c46e
0x0040c476
0x0040c476
0x0040c487
0x0040c4ac
0x0040c4ce
0x0040c4d6
0x0040c4d6
0x0040c4e7
0x0040c4f1
0x0040c4ff
0x00000000
0x0040c507
0x0040c50d

APIs

memset.MSVCRT ref: 0040C36E
sprintf.MSVCRT ref: 0040C385
RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00020019,?), ref: 0040C3A8
RegCloseKey.ADVAPI32(?), ref: 0040C3CD
sprintf.MSVCRT ref: 0040C3DE
RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00020019,?), ref: 0040C3FB
RegCloseKey.ADVAPI32(?), ref: 0040C415
sprintf.MSVCRT ref: 0040C426
RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00020019,?), ref: 0040C443
RegCloseKey.ADVAPI32(?), ref: 0040C476
sprintf.MSVCRT ref: 0040C487
RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00020019,?), ref: 0040C4A4
RegCloseKey.ADVAPI32(?), ref: 0040C4D6

Part of subcall function 00407C3F: GetModuleHandleA.KERNEL32(00000000,?,?,?,004074B9,?,00000000), ref: 00407C68
Part of subcall function 00407C3F: LoadStringA.USER32 ref: 00407CF2
Part of subcall function 00407C3F: memcpy.MSVCRT ref: 00407D31

Part of subcall function 0040BF30: memset.MSVCRT ref: 0040BF53
Part of subcall function 0040BF30: RegEnumValueA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?), ref: 0040BF8A
Part of subcall function 0040BF30: _strnicmp.MSVCRT ref: 0040BFAB
Part of subcall function 0040BF30: memset.MSVCRT ref: 0040BFC4

RegCloseKey.ADVAPI32(?), ref: 0040C507

Strings

%s\Setup, xrefs: 0040C481
%s\ProductID, xrefs: 0040C3D8
ProductID, xrefs: 0040C462, 0040C4C2
DigitalProductID, xrefs: 0040C45A, 0040C4BA
%s\Tools\Setup, xrefs: 0040C420
%s\Registration, xrefs: 0040C37F

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Close$Opensprintf$memset$EnumHandleLoadModuleStringValue_strnicmpmemcpy
String ID: %s\ProductID$%s\Registration$%s\Setup$%s\Tools\Setup$DigitalProductID$ProductID
API String ID: 772435431-3621475174
Opcode ID: cf937d245fdbcbe4b484a9e2c7198a5cd5d7e2b57483a7b00467a84e9ee46a27
Instruction ID: 39a95b94f143818cea47ff5659df46396f0b6565f199a10ec340ff912934c094
Opcode Fuzzy Hash: cf937d245fdbcbe4b484a9e2c7198a5cd5d7e2b57483a7b00467a84e9ee46a27
Instruction Fuzzy Hash: 09415E7194021CBADF21ABA1DD42FEE7B2DEF14744F100076BA08B10E1D7759B54EBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403535 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 189
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00403535(void* __ecx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, void _a10, signed short _a12, void _a264, void _a265, void _a520, void _a521, char _a776, void _a780, char _a784, char _a1056, void _a1057, char _a2080, void _a2081, char _a3104, void _a3105) {
				char _v0;
				void* _v4;
				void* __ebx;
				void* _t42;
				void* _t56;
				int _t57;
				int _t59;
				int _t75;
				intOrPtr* _t76;
				int _t97;
				int _t99;
				signed short _t111;
				signed int _t112;
				signed int _t113;
				void* _t119;

				_t113 = _t112 & 0xfffffff8;
				E0040EAD0(0x1424, __ecx);
				_t42 = _a8 - 0x110;
				if(_t42 == 0) {
					E00409A28(_a4);
					 *_t113 = 0x7ff;
					_a3104 = 0;
					memset( &_a3105, 0, ??);
					asm("movsd");
					asm("movsd");
					asm("movsw");
					memset( &_a10, 0, 0xfb);
					_a520 = 0;
					memset( &_a521, 0, 0xff);
					_a264 = 0;
					memset( &_a265, 0, 0xff);
					_a1056 = 0;
					memset( &_a1057, 0, 0x3ff);
					_a2080 = 0;
					memset( &_a2081, 0, 0x3ff);
					_t119 = _t113 + 0x48;
					_t56 = GetCurrentProcess();
					_t95 =  &_a520;
					_v4 = _t56;
					_t57 = ReadProcessMemory(_t56,  *0x41224c,  &_a520, 0x80, 0);
					__eflags = _t57;
					if(_t57 != 0) {
						E00408E4E( &_a1056,  &_a520, 4);
						_t119 = _t119 + 0xc;
					}
					_t59 = ReadProcessMemory(_v4,  *0x412240,  &_a264, 0x80, 0);
					__eflags = _t59;
					if(_t59 != 0) {
						E00408E4E( &_a2080,  &_a264, 0);
						_t119 = _t119 + 0xc;
					}
					__eflags = E00402D3F();
					if(__eflags == 0) {
						L16:
						sprintf( &_a3104, "Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n",  *0x412458,  *0x412464,  &_v0,  *0x412238,  *0x41222c,  *0x412234,  *0x412230,  *0x412228,  *0x412224,  *0x41223c,  *0x41224c,  *0x412240,  &_a1056,  &_a2080);
						SetDlgItemTextA(_a4, 0x3ea,  &_a3104);
						SetFocus(GetDlgItem(_a4, 0x3ea));
						L17:
						return 0;
					} else {
						_a776 = 0;
						memset( &_a780, 0, 0x114);
						_t75 = E00402D6A(_t95, __eflags, GetCurrentProcessId(),  *0x412464,  &_a776);
						_t119 = _t119 + 0x18;
						__eflags = _t75;
						if(_t75 == 0) {
							goto L16;
						}
						_t76 = E00409317( &_a784);
						_t99 =  &_v0 - _t76;
						__eflags = _t99;
						do {
							_t97 =  *_t76;
							 *((char*)(_t99 + _t76)) = _t97;
							_t76 = _t76 + 1;
							__eflags = _t97;
						} while (_t97 != 0);
						goto L16;
					}
				}
				if(_t42 == 1) {
					_t111 = _a12;
					if(_t111 >> 0x10 == 0) {
						if(_t111 == 1 || _t111 == 2) {
							EndDialog(_a4, _t111 & 0x0000ffff);
						}
						if(_t111 == 3) {
							E00403507(GetDlgItem(_a4, 0x3ea));
						}
					}
				}
				goto L17;
			}

0x00403538
0x00403540
0x00403548
0x00403550
0x004035aa
0x004035b1
0x004035c1
0x004035c8
0x004035d6
0x004035da
0x004035e6
0x004035e8
0x004035ff
0x00403606
0x00403618
0x0040361f
0x00403636
0x0040363d
0x0040364f
0x00403656
0x0040365b
0x0040365e
0x00403671
0x0040367f
0x00403684
0x00403686
0x00403688
0x0040369c
0x004036a1
0x004036a1
0x004036b8
0x004036ba
0x004036bc
0x004036cf
0x004036d4
0x004036d4
0x004036dc
0x004036de
0x0040373a
0x0040379e
0x004037b7
0x004037c8
0x004037ce
0x004037d6
0x004036e0
0x004036ee
0x004036f5
0x00403712
0x00403717
0x0040371a
0x0040371c
0x00000000
0x00000000
0x00403725
0x0040372e
0x0040372e
0x00403730
0x00403730
0x00403732
0x00403735
0x00403736
0x00403736
0x00000000
0x00403730
0x004036de
0x00403553
0x00403559
0x00403564
0x0040356e
0x0040357d
0x0040357d
0x00403587
0x0040359d
0x0040359d
0x00403587
0x00403564
0x00000000

APIs

EndDialog.USER32(?,?), ref: 0040357D
GetDlgItem.USER32 ref: 00403595
memset.MSVCRT ref: 004035C8
memset.MSVCRT ref: 004035E8
memset.MSVCRT ref: 00403606
memset.MSVCRT ref: 0040361F
memset.MSVCRT ref: 0040363D
memset.MSVCRT ref: 00403656
GetCurrentProcess.KERNEL32 ref: 0040365E
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 00403684
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 004036B8
memset.MSVCRT ref: 004036F5
GetCurrentProcessId.KERNEL32(?), ref: 0040370B
sprintf.MSVCRT ref: 0040379E
SetDlgItemTextA.USER32 ref: 004037B7
GetDlgItem.USER32 ref: 004037C1
SetFocus.USER32(00000000), ref: 004037C8

Strings

{Unknown}, xrefs: 004035CD
Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 00403798

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: memset$Process$Item$CurrentMemoryRead$DialogFocusTextsprintf
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
API String ID: 955384824-3474136107
Opcode ID: c05994200bfd6b670d6d8ec55e2416f0f8e2694d95102f659c2f8c18640872df
Instruction ID: f46141ed16033347230814c317ca42c0e9ef5a0c76a65517c55da975750c5127
Opcode Fuzzy Hash: c05994200bfd6b670d6d8ec55e2416f0f8e2694d95102f659c2f8c18640872df
Instruction Fuzzy Hash: 9161DBB2504248AFD7219F55DD45EDB7BDCFB48300F04483AF988E3161E6799A18CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE42 Relevance: 31.7, APIs: 21, Instructions: 176
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040DE42(void* __ecx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
				struct tagPOINT _v12;
				void* __edi;
				void* _t42;
				struct HBRUSH__* _t54;
				void* _t59;
				unsigned int _t60;
				void* _t67;
				struct HWND__* _t68;
				struct HWND__* _t69;
				void* _t72;
				unsigned int _t73;
				struct HWND__* _t75;
				struct HWND__* _t76;
				struct HWND__* _t77;
				struct HWND__* _t78;
				unsigned int _t84;
				struct HWND__* _t86;
				struct HWND__* _t88;
				struct HWND__* _t89;
				struct tagPOINT _t95;
				struct tagPOINT _t97;

				_push(__ecx);
				_push(__ecx);
				_t42 = _a4 - 0x110;
				_t104 = __ecx;
				if(_t42 == 0) {
					__eflags =  *0x412930;
					if(__eflags != 0) {
						SetDlgItemTextA( *(__ecx + 4), 0x3ee, 0x412930);
					} else {
						ShowWindow(GetDlgItem( *(__ecx + 4), 0x3ed), 0);
						ShowWindow(GetDlgItem( *(_t104 + 4), 0x3ee), 0);
					}
					E0040DBFF(_t104);
					E0040DB6B(_t104, 0x3ea, _t104 + 0xc);
					E0040DB6B(_t104, 0x3ec, _t104 + 0x10b);
					E0040DDF6(_t104, __eflags);
					E00409A28( *(_t104 + 4));
					goto L29;
				} else {
					_t59 = _t42 - 1;
					if(_t59 == 0) {
						_t60 = _a8;
						__eflags = _t60 - 1;
						if(_t60 != 1) {
							goto L29;
						} else {
							__eflags = _t60 >> 0x10;
							if(_t60 >> 0x10 != 0) {
								goto L29;
							} else {
								E0040DB26(__ecx, 1);
								E0040DD94(__ecx);
								goto L8;
							}
						}
					} else {
						_t67 = _t59 - 0x27;
						if(_t67 == 0) {
							_t68 = GetDlgItem( *(__ecx + 4), 0x3ec);
							__eflags = _a12 - _t68;
							if(_a12 != _t68) {
								__eflags =  *0x412970;
								if( *0x412970 == 0) {
									goto L29;
								} else {
									_t69 = GetDlgItem( *(_t104 + 4), 0x3ee);
									__eflags = _a12 - _t69;
									if(_a12 != _t69) {
										goto L29;
									} else {
										goto L18;
									}
								}
							} else {
								L18:
								SetBkMode(_a8, 1);
								SetTextColor(_a8, 0xc00000);
								_t54 = GetSysColorBrush(0xf);
							}
						} else {
							_t72 = _t67 - 0xc8;
							if(_t72 == 0) {
								_t73 = _a12;
								_t95 = _t73 & 0x0000ffff;
								_v12.x = _t95;
								_v12.y = _t73 >> 0x10;
								_t75 = GetDlgItem( *(__ecx + 4), 0x3ec);
								_push(_v12.y);
								_a8 = _t75;
								_t76 = ChildWindowFromPoint( *(_t104 + 4), _t95);
								__eflags = _t76 - _a8;
								if(_t76 != _a8) {
									__eflags =  *0x412970;
									if( *0x412970 == 0) {
										goto L29;
									} else {
										_t77 = GetDlgItem( *(_t104 + 4), 0x3ee);
										_push(_v12.y);
										_t78 = ChildWindowFromPoint( *(_t104 + 4), _v12.x);
										__eflags = _t78 - _t77;
										if(_t78 != _t77) {
											goto L29;
										} else {
											goto L13;
										}
									}
								} else {
									L13:
									SetCursor(LoadCursorA(GetModuleHandleA(0), 0x67));
									goto L8;
								}
							} else {
								if(_t72 != 0) {
									L29:
									_t54 = 0;
									__eflags = 0;
								} else {
									_t84 = _a12;
									_t97 = _t84 & 0x0000ffff;
									_v12.x = _t97;
									_v12.y = _t84 >> 0x10;
									_t86 = GetDlgItem( *(__ecx + 4), 0x3ec);
									_push(_v12.y);
									_a8 = _t86;
									if(ChildWindowFromPoint( *(_t104 + 4), _t97) != _a8) {
										__eflags =  *0x412970;
										if( *0x412970 == 0) {
											goto L29;
										} else {
											_t88 = GetDlgItem( *(_t104 + 4), 0x3ee);
											_push(_v12.y);
											_t89 = ChildWindowFromPoint( *(_t104 + 4), _v12);
											__eflags = _t89 - _t88;
											if(_t89 != _t88) {
												goto L29;
											} else {
												_push(0x412970);
												goto L7;
											}
										}
									} else {
										_push(_t104 + 0x10b);
										L7:
										_push( *(_t104 + 4));
										E00408F52();
										L8:
										_t54 = 1;
									}
								}
							}
						}
					}
				}
				return _t54;
			}

0x0040de45
0x0040de46
0x0040de4a
0x0040de52
0x0040de54
0x0040e00b
0x0040e012
0x0040e04d
0x0040e014
0x0040e02d
0x0040e03c
0x0040e03c
0x0040e055
0x0040e065
0x0040e078
0x0040e07d
0x0040e085
0x00000000
0x0040de5a
0x0040de5a
0x0040de5b
0x0040dfdd
0x0040dfe0
0x0040dfe4
0x00000000
0x0040dfea
0x0040dfed
0x0040dff0
0x00000000
0x0040dff6
0x0040dffa
0x0040e001
0x00000000
0x0040e001
0x0040dff0
0x0040de61
0x0040de61
0x0040de64
0x0040df8e
0x0040df90
0x0040df93
0x0040dfbb
0x0040dfc2
0x00000000
0x0040dfc8
0x0040dfd0
0x0040dfd2
0x0040dfd5
0x00000000
0x0040dfdb
0x00000000
0x0040dfdb
0x0040dfd5
0x0040df95
0x0040df95
0x0040df9a
0x0040dfa8
0x0040dfb0
0x0040dfb0
0x0040de6a
0x0040de6a
0x0040de6f
0x0040deff
0x0040df08
0x0040df16
0x0040df19
0x0040df1c
0x0040df1e
0x0040df21
0x0040df2e
0x0040df30
0x0040df33
0x0040df52
0x0040df59
0x00000000
0x0040df5f
0x0040df67
0x0040df69
0x0040df74
0x0040df76
0x0040df78
0x00000000
0x0040df7e
0x00000000
0x0040df7e
0x0040df78
0x0040df35
0x0040df35
0x0040df47
0x00000000
0x0040df47
0x0040de75
0x0040de77
0x0040e08b
0x0040e08b
0x0040e08b
0x0040de7d
0x0040de7d
0x0040de86
0x0040de94
0x0040de97
0x0040de9a
0x0040de9c
0x0040de9f
0x0040deb1
0x0040decc
0x0040ded3
0x00000000
0x0040ded9
0x0040dee1
0x0040dee3
0x0040deee
0x0040def0
0x0040def2
0x00000000
0x0040def8
0x0040def8
0x00000000
0x0040def8
0x0040def2
0x0040deb3
0x0040deb9
0x0040deba
0x0040deba
0x0040debd
0x0040dec4
0x0040dec6
0x0040dec6
0x0040deb1
0x0040de77
0x0040de6f
0x0040de64
0x0040de5b
0x0040e091

APIs

GetDlgItem.USER32 ref: 0040DE9A
ChildWindowFromPoint.USER32 ref: 0040DEAC
GetDlgItem.USER32 ref: 0040DEE1
ChildWindowFromPoint.USER32 ref: 0040DEEE
GetDlgItem.USER32 ref: 0040DF1C
ChildWindowFromPoint.USER32 ref: 0040DF2E
GetModuleHandleA.KERNEL32(00000000,?,?), ref: 0040DF37
LoadCursorA.USER32 ref: 0040DF40
SetCursor.USER32(00000000,?,?), ref: 0040DF47
GetDlgItem.USER32 ref: 0040DF67
ChildWindowFromPoint.USER32 ref: 0040DF74
GetDlgItem.USER32 ref: 0040DF8E
SetBkMode.GDI32(?,00000001), ref: 0040DF9A
SetTextColor.GDI32(?,00C00000), ref: 0040DFA8
GetSysColorBrush.USER32(0000000F), ref: 0040DFB0
GetDlgItem.USER32 ref: 0040DFD0
GetDlgItem.USER32 ref: 0040E024
ShowWindow.USER32(00000000), ref: 0040E02D
GetDlgItem.USER32 ref: 0040E039
ShowWindow.USER32(00000000), ref: 0040E03C
SetDlgItemTextA.USER32 ref: 0040E04D

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Item$Window$ChildFromPoint$ColorCursorShowText$BrushHandleLoadModeModule
String ID:
API String ID: 3867407936-0
Opcode ID: 10249b85a8e355ae9aa926841566aafcd15d2eaee965fec5e88dba55a0847797
Instruction ID: 5262a15f62f93bfe80ba1738d2e77b45fd3be770c7bf6a93cb16edab12745759
Opcode Fuzzy Hash: 10249b85a8e355ae9aa926841566aafcd15d2eaee965fec5e88dba55a0847797
Instruction Fuzzy Hash: 2C51D575900115FBDB129F64CE85B6E7B65FB04310F008636F904BA6E0C7B99D65DF88

Uniqueness

Uniqueness Score: -1.00%

Function 0040389D Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040389D(signed int __eax, void* __esi) {
				void* _t5;
				void* _t6;
				void* _t7;
				void* _t8;
				void* _t9;
				void* _t10;

				_push("/shtml");
				L0040107A();
				if(__eax != 0) {
					_push("/sverhtml");
					L0040107A();
					if(__eax != 0) {
						_push("/sxml");
						L0040107A();
						if(__eax != 0) {
							_push("/stab");
							L0040107A();
							if(__eax != 0) {
								_push("/scomma");
								L0040107A();
								if(__eax != 0) {
									_push("/stabular");
									L0040107A();
									if(__eax != 0) {
										_push("/sjson");
										L00401086();
										asm("sbb eax, eax");
										return ( ~__eax & 0xfffffff8) + 8;
									} else {
										_t5 = 3;
										return _t5;
									}
								} else {
									_t6 = 7;
									return _t6;
								}
							} else {
								_t7 = 2;
								return _t7;
							}
						} else {
							_t8 = 6;
							return _t8;
						}
					} else {
						_t9 = 5;
						return _t9;
					}
				} else {
					_t10 = 4;
					return _t10;
				}
			}

0x0040389e
0x004038a3
0x004038ac
0x004038b3
0x004038b8
0x004038c1
0x004038c8
0x004038cd
0x004038d6
0x004038dd
0x004038e2
0x004038eb
0x004038f2
0x004038f7
0x00403900
0x00403907
0x0040390c
0x00403915
0x0040391c
0x00403921
0x00403928
0x00403932
0x00403917
0x00403919
0x0040391a
0x0040391a
0x00403902
0x00403904
0x00403905
0x00403905
0x004038ed
0x004038ef
0x004038f0
0x004038f0
0x004038d8
0x004038da
0x004038db
0x004038db
0x004038c3
0x004038c5
0x004038c6
0x004038c6
0x004038ae
0x004038b0
0x004038b1
0x004038b1

APIs

_stricmp.MSVCRT(/shtml,00000000,00404BF2,00000000,00000000,74714DE0,?,00000000,?,?,00000000), ref: 004038A3
_stricmp.MSVCRT(/sverhtml,00000000,00404BF2,00000000,00000000,74714DE0,?,00000000,?,?,00000000), ref: 004038B8

Strings

/stab, xrefs: 004038DD
/sverhtml, xrefs: 004038B3
/shtml, xrefs: 0040389E
/sjson, xrefs: 0040391C
/scomma, xrefs: 004038F2
/stabular, xrefs: 00403907
/sxml, xrefs: 004038C8

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: _stricmp
String ID: /scomma$/shtml$/sjson$/stab$/stabular$/sverhtml$/sxml
API String ID: 2884411883-1636461792
Opcode ID: 3133bf17417b5b64f9396f564197433a4c5c9e145a8e610fd7fc9e9dc7274182
Instruction ID: 66b82687e40d6ef911e3a7ae516b89404358880832d8eb6ae21766801d9d2f71
Opcode Fuzzy Hash: 3133bf17417b5b64f9396f564197433a4c5c9e145a8e610fd7fc9e9dc7274182
Instruction Fuzzy Hash: A7011A7378931138F92821666C17F870B898B51B7BF34547BF880E80D5EFAE91C050AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040286A Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040286A() {
				void* _t1;
				int _t2;
				struct HINSTANCE__* _t4;

				if( *0x412b14 != 0) {
					return _t1;
				}
				_t2 = LoadLibraryA("psapi.dll");
				_t4 = _t2;
				if(_t4 == 0) {
					L10:
					return _t2;
				} else {
					_t2 = GetProcAddress(_t4, "GetModuleBaseNameA");
					 *0x4125d4 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "EnumProcessModules");
						 *0x4125cc = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t4, "GetModuleFileNameExA");
							 *0x4125c4 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t4, "EnumProcesses");
								 *0x4126f4 = _t2;
								if(_t2 != 0) {
									_t2 = GetProcAddress(_t4, "GetModuleInformation");
									 *0x4125d0 = _t2;
									if(_t2 != 0) {
										 *0x412b14 = 1;
									}
								}
							}
						}
					}
					if( *0x412b14 == 0) {
						_t2 = FreeLibrary(_t4);
					}
					goto L10;
				}
			}

0x00402871
0x00402901
0x00402901
0x0040287d
0x00402883
0x00402887
0x00402900
0x00000000
0x00402889
0x00402896
0x0040289a
0x0040289f
0x004028a7
0x004028ab
0x004028b0
0x004028b8
0x004028bc
0x004028c1
0x004028c9
0x004028cd
0x004028d2
0x004028da
0x004028de
0x004028e3
0x004028e5
0x004028e5
0x004028e3
0x004028d2
0x004028c1
0x004028b0
0x004028f7
0x004028fa
0x004028fa
0x00000000
0x004028f7

APIs

LoadLibraryA.KERNEL32(psapi.dll,00000080,00402D4D,004036DC), ref: 0040287D
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00402896
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004028A7
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 004028B8
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004028C9
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004028DA
FreeLibrary.KERNEL32(00000000), ref: 004028FA

Strings

psapi.dll, xrefs: 00402878
EnumProcessModules, xrefs: 004028A1
EnumProcesses, xrefs: 004028C3
GetModuleInformation, xrefs: 004028D4
GetModuleFileNameExA, xrefs: 004028B2
GetModuleBaseNameA, xrefs: 00402890

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
API String ID: 2449869053-232097475
Opcode ID: 344c79fe987b578d57bb1da44b86a42f2c48e6210b7299a95826269c643423a4
Instruction ID: 217c089c90b919cac0153b6a7f84a945ec2b1e4bff1499a1315237dae27fb9dd
Opcode Fuzzy Hash: 344c79fe987b578d57bb1da44b86a42f2c48e6210b7299a95826269c643423a4
Instruction Fuzzy Hash: 3A01B531641205AEDB506B24EF88FA73AE4A754B41B10803BE504F12D8EBFC84919B7D

Uniqueness

Uniqueness Score: -1.00%

Function 00401443 Relevance: 22.6, APIs: 9, Strings: 6, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00401443(void* __ecx, intOrPtr _a4, intOrPtr _a8, char _a12, char _a16, intOrPtr _a20) {
				intOrPtr _v256;
				void _v259;
				int _v260;
				void _v515;
				char _v516;
				void _v771;
				char _v772;
				void _v1027;
				char _v1028;
				char _v1284;
				char _v2308;
				char _t48;
				intOrPtr* _t51;
				void* _t58;
				char _t65;
				intOrPtr _t66;
				void* _t72;
				intOrPtr* _t75;
				void* _t78;
				void* _t79;
				void* _t80;
				void* _t81;

				_t72 = __ecx;
				_v772 = 0;
				memset( &_v771, 0, 0xfe);
				_v1028 = 0;
				memset( &_v1027, 0, 0xfe);
				_v260 = 0;
				memset( &_v259, 0, 0xfe);
				_t79 = _t78 + 0x24;
				if(_a16 != 0xffffffff) {
					sprintf( &_v772, " bgcolor=\"%s\"", E004013F6(_a16,  &_v1284));
					_t79 = _t79 + 0x14;
				}
				if(_a20 != 0xffffffff) {
					sprintf( &_v1028, "<font color=\"%s\">", E004013F6(_a20,  &_v1284));
					_t65 = "</font>"; // 0x6f662f3c
					_v260 = _t65;
					_t66 =  *0x410760; // 0x3e746e
					_t79 = _t79 + 0x14;
					_v256 = _t66;
				}
				sprintf( &_v2308, "<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n",  &_v772);
				E004096D5(_t72, _a4,  &_v2308);
				_t48 = _a12;
				_t80 = _t79 + 0x14;
				if(_t48 > 0) {
					_t75 = _a8 + 4;
					_a16 = _t48;
					do {
						_v516 = 0;
						memset( &_v515, 0, 0xfe);
						_t51 =  *_t75;
						_t81 = _t80 + 0xc;
						if( *_t51 == 0) {
							_v516 = 0;
						} else {
							sprintf( &_v516, " width=\"%s\"", _t51);
							_t81 = _t81 + 0xc;
						}
						sprintf( &_v2308, "<th%s>%s%s%s\r\n",  &_v516,  &_v1028,  *((intOrPtr*)(_t75 - 4)),  &_v260);
						_t58 = E004096D5(_t72, _a4,  &_v2308);
						_t80 = _t81 + 0x20;
						_t75 = _t75 + 8;
						_t35 =  &_a16;
						 *_t35 = _a16 - 1;
					} while ( *_t35 != 0);
					return _t58;
				}
				return _t48;
			}

0x00401443
0x0040145e
0x00401464
0x00401472
0x00401478
0x00401486
0x0040148c
0x00401491
0x00401498
0x004014b6
0x004014bb
0x004014bb
0x004014c2
0x004014e0
0x004014e5
0x004014ea
0x004014f0
0x004014f5
0x004014f8
0x004014f8
0x00401511
0x00401520
0x00401525
0x00401528
0x0040152d
0x00401537
0x0040153a
0x0040153d
0x00401546
0x0040154c
0x00401551
0x00401553
0x00401558
0x00401571
0x0040155a
0x00401567
0x0040156c
0x0040156c
0x0040159b
0x004015aa
0x004015af
0x004015b2
0x004015b5
0x004015b5
0x004015b5
0x00000000
0x004015ba
0x004015be

APIs

memset.MSVCRT ref: 00401464
memset.MSVCRT ref: 00401478
memset.MSVCRT ref: 0040148C
sprintf.MSVCRT ref: 004014B6
sprintf.MSVCRT ref: 004014E0
sprintf.MSVCRT ref: 00401511
memset.MSVCRT ref: 0040154C
sprintf.MSVCRT ref: 00401567
sprintf.MSVCRT ref: 0040159B

Part of subcall function 004013F6: sprintf.MSVCRT ref: 00401415

Strings

<font color="%s">, xrefs: 004014DA
<table border="1" cellpadding="5"><tr%s>, xrefs: 0040150B
<th%s>%s%s%s, xrefs: 00401595
width="%s", xrefs: 00401561
bgcolor="%s", xrefs: 004014B0
</font>, xrefs: 004014E5

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: sprintf$memset
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 1679753483-3842416460
Opcode ID: 9d7a8ef25289f72f2e749bf8d61b3dad6572740c4a62b3f6065fb75a35507f06
Instruction ID: feb25d6c748d1ce852a697f0815ad6c6f9fd7b6504d8b29b38ccdfa577624f79
Opcode Fuzzy Hash: 9d7a8ef25289f72f2e749bf8d61b3dad6572740c4a62b3f6065fb75a35507f06
Instruction Fuzzy Hash: 3A4180B290115DAEDB21DB55CC81FEA777CAF04348F0401BBB519B21A2E6389F948F65

Uniqueness

Uniqueness Score: -1.00%

Function 004057D8 Relevance: 21.2, APIs: 7, Strings: 7, Instructions: 192
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E004057D8(intOrPtr* _a4, intOrPtr _a8, intOrPtr* _a12) {
				signed int _v12;
				char* _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v80;
				void _v83;
				int _v84;
				void _v135;
				char _v136;
				void _v187;
				char _v188;
				char _v240;
				void _v495;
				char _v496;
				void* __ebx;
				void* _t88;
				signed int _t92;
				void* _t103;
				char* _t105;
				intOrPtr* _t106;
				void* _t107;
				signed int _t121;
				signed int _t123;
				intOrPtr _t128;
				char _t139;
				intOrPtr _t140;
				char _t145;
				intOrPtr _t146;
				signed int _t153;
				signed int _t154;
				intOrPtr* _t155;
				intOrPtr* _t158;
				void* _t160;
				void* _t162;

				_t121 = 0;
				_v496 = 0;
				memset( &_v495, 0, 0xfe);
				_t123 = 0xc;
				memcpy( &_v240, "<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t123 << 2);
				asm("movsb");
				_v136 = 0;
				memset( &_v135, 0, 0x31);
				_v188 = 0;
				memset( &_v187, 0, 0x31);
				_v84 = 0;
				memset( &_v83, 0, 0x31);
				_t158 = _a4;
				_t162 = _t160 + 0x3c;
				_t88 =  *((intOrPtr*)( *_t158 + 0x10))();
				_t126 =  *((intOrPtr*)(_t158 + 0x1c0));
				_v16 =  *((intOrPtr*)(_t158 + 0x1c0));
				if(_t88 != 0xffffffff) {
					_t126 =  &_v496;
					sprintf( &_v136, " bgcolor=\"%s\"", E004013F6(_t88,  &_v496));
					_t162 = _t162 + 0x14;
				}
				E004096D5(_t126, _a8, "<table border=\"1\" cellpadding=\"5\">\r\n");
				_pop(_t128);
				_v12 = _t121;
				if( *((intOrPtr*)(_t158 + 0x24)) > _t121) {
					while(1) {
						_t92 = _v12;
						_t153 =  *( *((intOrPtr*)(_t158 + 0x28)) + _t92 * 4);
						if( *((intOrPtr*)((_t153 << 4) +  *((intOrPtr*)(_t158 + 0x38)) + 4)) != _t121) {
							_t145 = " nowrap"; // 0x776f6e20
							_v84 = _t145;
							_t146 =  *0x40fec8; // 0x706172
							_v80 = _t146;
						}
						_v32 = _v32 | 0xffffffff;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _t121;
						 *((intOrPtr*)( *_t158 + 0x30))(5, _t92, _a12,  &_v32);
						E004013F6(_v32,  &_v188);
						E00401387( *((intOrPtr*)(_t158 + 0x58)),  *((intOrPtr*)( *_a12))(_t153,  *(_t158 + 0x54)));
						 *((intOrPtr*)( *_t158 + 0x48))( *((intOrPtr*)(_t158 + 0x58)), _a12, _t153);
						_t103 =  *((intOrPtr*)( *_t158 + 0x14))();
						_t154 = _t153 * 0x14;
						if(_t103 == 0xffffffff) {
							goto L9;
						}
						_push( *((intOrPtr*)(_t154 + _v16 + 0x10)));
						_push(E004013F6(_t103,  &_v496));
						sprintf( *(_t158 + 0x5c), "<font color=\"%s\">%s</font>");
						_t162 = _t162 + 0x10;
						L11:
						_t106 =  *((intOrPtr*)(_t158 + 0x58));
						_t140 =  *_t106;
						if(_t140 == _t121 || _t140 == 0x20) {
							_t107 = _t106 - 1;
							do {
								_t128 =  *((intOrPtr*)(_t107 + 1));
								_t107 = _t107 + 1;
							} while (_t128 != _t121);
							asm("movsd");
							asm("movsw");
							asm("movsb");
							_t158 = _a4;
						}
						E004015BF( &_v32,  *((intOrPtr*)(_t158 + 0x60)),  *((intOrPtr*)(_t158 + 0x58)));
						sprintf( *(_t158 + 0x54),  &_v240,  &_v136,  *(_t158 + 0x5c),  &_v188,  &_v84,  *((intOrPtr*)(_t158 + 0x60)));
						E004096D5(_t128, _a8,  *(_t158 + 0x54));
						_t162 = _t162 + 0x2c;
						_v12 = _v12 + 1;
						if(_v12 <  *((intOrPtr*)(_t158 + 0x24))) {
							_t121 = 0;
							continue;
						}
						goto L17;
						L9:
						_t155 =  *((intOrPtr*)(_t154 + _v16 + 0x10));
						_t105 =  *(_t158 + 0x5c);
						do {
							_t139 =  *_t155;
							_t155 = _t155 + 1;
							 *_t105 = _t139;
							_t105 =  &(_t105[1]);
						} while (_t139 != _t121);
						goto L11;
					}
				}
				L17:
				E004096D5(_t128, _a8, "</table><p>");
				return E004096D5(_t128, _a8, "\r\n");
			}

0x004057e4
0x004057f3
0x004057f9
0x00405800
0x0040580c
0x00405818
0x00405819
0x0040581f
0x0040582e
0x00405834
0x00405840
0x00405843
0x00405848
0x0040584d
0x00405852
0x00405858
0x0040585e
0x00405861
0x00405863
0x0040587d
0x00405882
0x00405882
0x0040588d
0x00405896
0x00405897
0x0040589a
0x004058a4
0x004058a7
0x004058aa
0x004058b9
0x004058bb
0x004058c1
0x004058c4
0x004058ca
0x004058ca
0x004058cf
0x004058d3
0x004058d7
0x004058e7
0x004058ea
0x004058f7
0x0040590e
0x0040591e
0x00405925
0x00405928
0x0040592e
0x00000000
0x00000000
0x00405933
0x00405946
0x0040594f
0x00405954
0x0040596d
0x0040596d
0x00405970
0x00405974
0x0040597b
0x0040597c
0x0040597c
0x0040597f
0x00405980
0x0040598b
0x0040598c
0x0040598e
0x0040598f
0x0040598f
0x0040599b
0x004059c2
0x004059cd
0x004059d2
0x004059d5
0x004059de
0x004058a2
0x00000000
0x004058a2
0x00000000
0x00405959
0x0040595c
0x00405960
0x00405963
0x00405963
0x00405965
0x00405966
0x00405968
0x00405969
0x00000000
0x00405963
0x004058a4
0x004059e4
0x004059ec
0x00405a05

APIs

memset.MSVCRT ref: 004057F9
memset.MSVCRT ref: 0040581F
memset.MSVCRT ref: 00405834
memset.MSVCRT ref: 00405843
sprintf.MSVCRT ref: 0040587D
sprintf.MSVCRT ref: 0040594F

Part of subcall function 004013F6: sprintf.MSVCRT ref: 00401415

sprintf.MSVCRT ref: 004059C2

Strings

<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 00405801
 , xrefs: 00405986
nowrap, xrefs: 004058BB
<table border="1" cellpadding="5">, xrefs: 00405885
<font color="%s">%s</font>, xrefs: 00405947
</table><p>, xrefs: 004059E4
bgcolor="%s", xrefs: 00405877

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: memsetsprintf
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
API String ID: 4041149307-601624466
Opcode ID: 3cbb0ee0592f9727debd6ea0743596826fb770f4f8134f2240006f178ca05d86
Instruction ID: bd2f7b2927322c3c7e6169080418333b93865647938ed6a495bebaf89e0a7d3e
Opcode Fuzzy Hash: 3cbb0ee0592f9727debd6ea0743596826fb770f4f8134f2240006f178ca05d86
Instruction Fuzzy Hash: 0E61EE31900208AFDB20DF55C841AAFBBB9EF08324F10457AF856A76E1D738AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00402902 Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402902() {
				void* _t1;
				_Unknown_base(*)()* _t2;
				struct HINSTANCE__* _t4;

				if( *0x412b10 != 0) {
					return _t1;
				}
				_t2 = GetModuleHandleA("kernel32.dll");
				_t4 = _t2;
				if(_t4 == 0) {
					L9:
					return _t2;
				}
				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
				 *0x4125c8 = _t2;
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t4, "Module32First");
					 *0x4125c0 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "Module32Next");
						 *0x4125bc = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t4, "Process32First");
							 *0x412454 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t4, "Process32Next");
								 *0x4125b4 = _t2;
								if(_t2 != 0) {
									 *0x412b10 = 1;
								}
							}
						}
					}
				}
				goto L9;
			}

0x00402909
0x00402985
0x00402985
0x00402911
0x00402917
0x0040291b
0x00402984
0x00000000
0x00402984
0x0040292a
0x0040292e
0x00402933
0x0040293b
0x0040293f
0x00402944
0x0040294c
0x00402950
0x00402955
0x0040295d
0x00402961
0x00402966
0x0040296e
0x00402972
0x00402977
0x00402979
0x00402979
0x00402977
0x00402966
0x00402955
0x00402944
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000080,00402D54,004036DC), ref: 00402911
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040292A
GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040293B
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040294C
GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040295D
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040296E

Strings

Process32Next, xrefs: 00402968
CreateToolhelp32Snapshot, xrefs: 00402924
kernel32.dll, xrefs: 0040290C
Module32First, xrefs: 00402935
Module32Next, xrefs: 00402946
Process32First, xrefs: 00402957

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: b680712c30a427f4f3561d1e6768f78a7ff5aa4b0d9143a8c722c10e77033dcc
Instruction ID: 2afadc6d7b1a62aa00a0387305a68baa0d067eabbde59b9677db4cf2209c1d39
Opcode Fuzzy Hash: b680712c30a427f4f3561d1e6768f78a7ff5aa4b0d9143a8c722c10e77033dcc
Instruction Fuzzy Hash: 60F06270700217ABC3105B24AF84BAB6EA9A745F40B18413BEC00F12D4EBF894928E6C

Uniqueness

Uniqueness Score: -1.00%

Function 0040D33F Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040D33F(intOrPtr _a4) {
				signed int _v12;
				long _v16;
				char _v277;
				char _v278;
				void _v279;
				char _v280;
				void _v543;
				char _v544;
				void _v807;
				char _v808;
				char _v1132;
				char _v1456;
				char _v2100;
				signed int _v2104;
				void* __esi;
				int _t56;
				char* _t63;
				char* _t65;
				intOrPtr* _t68;
				char* _t72;
				void* _t81;
				intOrPtr _t83;
				void* _t88;
				void* _t89;

				_v16 = GetLogicalDrives();
				_v12 = 2;
				do {
					if((_v16 & 1 << _v12) == 0) {
						goto L16;
					}
					_v808 = 0;
					memset( &_v807, 0, 0x104);
					E00409225( &_v808);
					_pop(_t81);
					memset( &_v279, 0, 0x104);
					_v280 = _v12 + 0x41;
					_t89 = _t89 + 0x18;
					_v279 = 0x3a;
					_v278 = 0x5c;
					_v277 = 0;
					_t56 = GetDriveTypeA( &_v280);
					if(_t56 == 2) {
						L4:
						_v2104 = _v2104 | 0xffffffff;
						_v2100 = 0;
						_v1132 = 0;
						_v1456 = 0;
						E00408722( &_v2104, _t81, _t94,  &_v280);
						while(E0040867D( &_v2104, _t81) != 0) {
							_t63 = E00408512( &_v2104);
							__eflags = _t63;
							if(_t63 == 0) {
								continue;
							}
							_push( &_v808);
							_t65 =  &_v1456;
							L0040107A();
							__eflags = _t65;
							_t81 = _t65;
							if(_t65 == 0) {
								continue;
							}
							_v544 = 0;
							memset( &_v543, 0, 0x104);
							_t68 =  &_v1456;
							_t89 = _t89 + 0xc;
							_t88 = _t68 + 1;
							do {
								_t83 =  *_t68;
								_t68 = _t68 + 1;
								__eflags = _t83;
							} while (_t83 != 0);
							__eflags = _t68 - _t88 + 0x10 - 0x104;
							if(_t68 - _t88 + 0x10 >= 0x104) {
								_v544 = 0;
							} else {
								E00409ADF( &_v544,  &_v1456, "system32\\config");
							}
							_t72 = E00409396( &_v544);
							__eflags = _t72;
							_pop(_t81);
							if(_t72 != 0) {
								E0040D109(_a4,  &_v1456);
							}
						}
						E004083DB( &_v2104);
						goto L16;
					}
					_t94 = _t56 - 3;
					if(_t56 != 3) {
						goto L16;
					}
					goto L4;
					L16:
					_v12 = _v12 + 1;
				} while (_v12 < 0x20);
				return 0;
			}

0x0040d351
0x0040d354
0x0040d362
0x0040d36f
0x00000000
0x00000000
0x0040d37e
0x0040d384
0x0040d393
0x0040d398
0x0040d3a2
0x0040d3ac
0x0040d3b2
0x0040d3bc
0x0040d3c3
0x0040d3ca
0x0040d3d0
0x0040d3d9
0x0040d3e4
0x0040d3e4
0x0040d3f8
0x0040d3fe
0x0040d404
0x0040d40a
0x0040d4af
0x0040d41a
0x0040d41f
0x0040d421
0x00000000
0x00000000
0x0040d42d
0x0040d42e
0x0040d435
0x0040d43a
0x0040d43d
0x0040d43e
0x00000000
0x00000000
0x0040d449
0x0040d44f
0x0040d454
0x0040d45a
0x0040d45d
0x0040d460
0x0040d460
0x0040d462
0x0040d463
0x0040d463
0x0040d46c
0x0040d46e
0x0040d489
0x0040d470
0x0040d481
0x0040d486
0x0040d496
0x0040d49b
0x0040d49d
0x0040d49e
0x0040d4aa
0x0040d4aa
0x0040d49e
0x0040d4c8
0x00000000
0x0040d4c8
0x0040d3db
0x0040d3de
0x00000000
0x00000000
0x00000000
0x0040d4cd
0x0040d4cd
0x0040d4d0
0x0040d4e0

APIs

GetLogicalDrives.KERNEL32 ref: 0040D34B
memset.MSVCRT ref: 0040D384

Part of subcall function 00409225: GetWindowsDirectoryA.KERNEL32(00412B88,00000104,?,00402A6C,00000000,?,00000000,00000104), ref: 0040923A

memset.MSVCRT ref: 0040D3A2
GetDriveTypeA.KERNEL32(?), ref: 0040D3D0
_stricmp.MSVCRT(?,?), ref: 0040D435
memset.MSVCRT ref: 0040D44F

Strings

, xrefs: 0040D4D0
:, xrefs: 0040D3BC
system32\config, xrefs: 0040D470
\, xrefs: 0040D3C3

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: memset$DirectoryDriveDrivesLogicalTypeWindows_stricmp
String ID: $:$\$system32\config
API String ID: 132563618-2809694175
Opcode ID: 1e24a9947093709c3fe60f78e73973d85afc855c8af9a5ef3779cdae3bf5a6fc
Instruction ID: 6382f7b931f21d70a1174caf659fd9be9e68f0d6f8dce2cefffbd5d06a0edbea
Opcode Fuzzy Hash: 1e24a9947093709c3fe60f78e73973d85afc855c8af9a5ef3779cdae3bf5a6fc
Instruction Fuzzy Hash: B6419E7190115C9ACB20D6658C45ADEBBB8AF55304F0440FAE589F2182EA389B8DCF69

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB46 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 102
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040CB46(intOrPtr _a4, void* _a8) {
				signed int _v8;
				int _v12;
				void _v275;
				char _v276;
				void _v539;
				char _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t30;
				long _t34;
				long _t37;
				char* _t45;
				void* _t54;
				char* _t56;
				char* _t57;
				char* _t58;

				_v540 = 0;
				memset( &_v539, 0, 0x104);
				_v276 = 0;
				memset( &_v275, 0, 0x104);
				_v12 = 0;
				_t56 =  &_v276;
				E00409476(0x104, _t56, _a8);
				_t30 = strrchr(_t56, 0x5c);
				_pop(_t54);
				if(_t30 != 0) {
					 *_t30 = 0;
					_t45 = strrchr(_t56, 0x5c);
					_pop(_t54);
					if(_t45 != 0) {
						 *_t45 = 0;
						_t58 =  &_v540;
						E00409476(0x104, _t58, _t56);
						_pop(_t54);
						_v12 = _t58;
					}
				}
				E0040A7B6(_t54, _a4);
				if(E00409B5D() != 0) {
					_t11 =  &_v8;
					_v8 = _v8 & 0x00000000;
					E00402FB0( *_t11,  &_v8);
					E00402E64( &_v8);
				}
				_t57 = "$$PRODUCKEY_TEMP_HIVE$$";
				RegUnLoadKeyA(0x80000002, _t57);
				_t34 = RegLoadKeyA(0x80000002, _t57, _a8);
				_v8 = _t34;
				if(_t34 == 0) {
					_t37 = RegOpenKeyExA(0x80000002, _t57, 0, 0x20019,  &_a8);
					_v8 = _t37;
					if(_t37 == 0) {
						E0040CAFC(_t54, _a4, _a8, _v12);
						RegCloseKey(_a8);
					}
					RegUnLoadKeyA(0x80000002, _t57);
				}
				return _v8;
			}

0x0040cb62
0x0040cb68
0x0040cb79
0x0040cb7f
0x0040cb8a
0x0040cb8f
0x0040cb95
0x0040cba0
0x0040cba8
0x0040cba9
0x0040cbab
0x0040cbb3
0x0040cbbb
0x0040cbbc
0x0040cbbe
0x0040cbc4
0x0040cbca
0x0040cbd1
0x0040cbd2
0x0040cbd2
0x0040cbbc
0x0040cbd8
0x0040cbe4
0x0040cbe6
0x0040cbe6
0x0040cbee
0x0040cbf6
0x0040cbf6
0x0040cc01
0x0040cc0d
0x0040cc14
0x0040cc1c
0x0040cc1f
0x0040cc2e
0x0040cc36
0x0040cc39
0x0040cc44
0x0040cc4c
0x0040cc4c
0x0040cc54
0x0040cc54
0x0040cc5d

APIs

memset.MSVCRT ref: 0040CB68
memset.MSVCRT ref: 0040CB7F

Part of subcall function 00409476: memcpy.MSVCRT ref: 00409496

strrchr.MSVCRT ref: 0040CBA0
strrchr.MSVCRT ref: 0040CBB3
RegUnLoadKeyA.ADVAPI32(80000002,$$PRODUCKEY_TEMP_HIVE$$), ref: 0040CC0D
RegLoadKeyA.ADVAPI32(80000002,$$PRODUCKEY_TEMP_HIVE$$,?), ref: 0040CC14
RegOpenKeyExA.ADVAPI32(80000002,$$PRODUCKEY_TEMP_HIVE$$,00000000,00020019,?), ref: 0040CC2E
RegCloseKey.ADVAPI32(?), ref: 0040CC4C
RegUnLoadKeyA.ADVAPI32(80000002,$$PRODUCKEY_TEMP_HIVE$$), ref: 0040CC54

Strings

$$PRODUCKEY_TEMP_HIVE$$, xrefs: 0040CC01, 0040CC06, 0040CC12, 0040CC2C, 0040CC52

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Load$memsetstrrchr$CloseOpenmemcpy
String ID: $$PRODUCKEY_TEMP_HIVE$$
API String ID: 2415994382-4012694985
Opcode ID: 87eb7532a99d52fd244a8280536f629a4df418aea5cfceb0827b58f064d778e2
Instruction ID: 784516e6dca9c1608afa2149188d804e3feb09765de8019ca0a4e038e20016b4
Opcode Fuzzy Hash: 87eb7532a99d52fd244a8280536f629a4df418aea5cfceb0827b58f064d778e2
Instruction Fuzzy Hash: B7316371A00218BEDB21ABA69C45FCF7BBCEF55314F10407AF504F6192DA789E458BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040E0A9 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040E0A9(void* __eax) {
				signed int _v8;
				struct HWND__* _v12;
				long _v16;
				char _v277;
				char _v278;
				void _v279;
				char _v280;
				void _v543;
				char _v544;
				int _t40;
				intOrPtr _t46;
				void* _t62;
				void* _t67;
				void* _t68;

				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					return __eax;
				} else {
					 *((intOrPtr*)(__eax + 0xc)) = 1;
					_v12 = GetDlgItem( *(__eax + 4), 0x3ef);
					_v16 = GetLogicalDrives();
					_v544 = 0;
					memset( &_v543, 0, 0x104);
					E00409225( &_v544);
					_t68 = _t67 + 0x10;
					_v8 = 2;
					do {
						_t40 = 1 << _v8;
						if((_v16 & 1) == 0) {
							goto L10;
						}
						memset( &_v279, 0, 0x104);
						_v280 = _v8 + 0x41;
						_t68 = _t68 + 0xc;
						_v279 = 0x3a;
						_v278 = 0x5c;
						_v277 = 0;
						_t40 = GetDriveTypeA( &_v280);
						if(_t40 == 2 || _t40 == 3) {
							_t62 =  &_v280 - 1;
							do {
								_t46 =  *((intOrPtr*)(_t62 + 1));
								_t62 = _t62 + 1;
							} while (_t46 != 0);
							asm("movsd");
							_push( &_v544);
							_t40 =  &_v280;
							_push(_t40);
							asm("movsd");
							L0040107A();
							if(_t40 != 0) {
								_t40 = E00409396( &_v280);
								if(_t40 != 0) {
									_t40 = E004093AB(_v12,  &_v280);
								}
							}
						}
						L10:
						_v8 = _v8 + 1;
					} while (_v8 < 0x20);
					return _t40;
				}
			}

0x0040e0b6
0x0040e1cf
0x0040e0bc
0x0040e0c7
0x0040e0d4
0x0040e0e3
0x0040e0ef
0x0040e0f6
0x0040e102
0x0040e107
0x0040e10a
0x0040e111
0x0040e117
0x0040e11e
0x00000000
0x00000000
0x0040e12e
0x0040e138
0x0040e13e
0x0040e148
0x0040e14f
0x0040e156
0x0040e15d
0x0040e166
0x0040e173
0x0040e174
0x0040e174
0x0040e177
0x0040e178
0x0040e187
0x0040e188
0x0040e189
0x0040e18f
0x0040e190
0x0040e191
0x0040e19a
0x0040e1a3
0x0040e1ab
0x0040e1b7
0x0040e1bd
0x0040e1ab
0x0040e19a
0x0040e1be
0x0040e1be
0x0040e1c1
0x00000000
0x0040e1cd

APIs

GetDlgItem.USER32 ref: 0040E0CE
GetLogicalDrives.KERNEL32 ref: 0040E0D7
memset.MSVCRT ref: 0040E0F6

Part of subcall function 00409225: GetWindowsDirectoryA.KERNEL32(00412B88,00000104,?,00402A6C,00000000,?,00000000,00000104), ref: 0040923A

memset.MSVCRT ref: 0040E12E
GetDriveTypeA.KERNEL32(?), ref: 0040E15D
_stricmp.MSVCRT(?,00000000), ref: 0040E191

Strings

, xrefs: 0040E1C1
:, xrefs: 0040E148
Windows, xrefs: 0040E17C
\, xrefs: 0040E14F

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: memset$DirectoryDriveDrivesItemLogicalTypeWindows_stricmp
String ID: $:$Windows$\
API String ID: 1179675397-2453529296
Opcode ID: bef06e0d57a42d07de4d7ea2a4da898f6a23be68d91c5a16efaa69d34a520f7e
Instruction ID: 076f0527ea9c5fee8924921937fb03d8c48f1c3d5d0045629b0c51db26f4c80d
Opcode Fuzzy Hash: bef06e0d57a42d07de4d7ea2a4da898f6a23be68d91c5a16efaa69d34a520f7e
Instruction Fuzzy Hash: 1B31CF7190024CABDB24DBA6CD4ABDEB7B8AB05304F1444F6D608FA1C2D7388B858F65

Uniqueness

Uniqueness Score: -1.00%

Function 00409CB1 Relevance: 16.6, APIs: 11, Instructions: 58
clipboardmemoryfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409CB1(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				long _v8;
				void* _v12;
				long _v16;
				void* _t14;
				void* _t29;
				void* _t34;
				long _t36;

				_v8 = _v8 & 0x00000000;
				EmptyClipboard();
				_t14 = E00409716(_a4);
				_v12 = _t14;
				if(_t14 == 0xffffffff) {
					_v8 = GetLastError();
				} else {
					_t36 = GetFileSize(_t14, 0);
					_t5 = _t36 + 1; // 0x1
					_t29 = GlobalAlloc(0x2000, _t5);
					if(_t29 == 0) {
						L4:
						_v8 = GetLastError();
					} else {
						_t34 = GlobalLock(_t29);
						if(ReadFile(_v12, _t34, _t36,  &_v16, 0) == 0) {
							goto L4;
						} else {
							 *((char*)(_t34 + _t36)) = 0;
							GlobalUnlock(_t29);
							SetClipboardData(1, _t29);
						}
					}
					CloseHandle(_v12);
				}
				CloseClipboard();
				return _v8;
			}

0x00409cb7
0x00409cbb
0x00409cc4
0x00409ccd
0x00409cd0
0x00409d46
0x00409cd2
0x00409cde
0x00409ce0
0x00409cef
0x00409cf3
0x00409d29
0x00409d2f
0x00409cf5
0x00409cfe
0x00409d11
0x00000000
0x00409d13
0x00409d14
0x00409d18
0x00409d21
0x00409d21
0x00409d11
0x00409d35
0x00409d3d
0x00409d49
0x00409d53

APIs

EmptyClipboard.USER32(00404DF4,?), ref: 00409CBB

Part of subcall function 00409716: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00409CC9,?), ref: 00409728

GetFileSize.KERNEL32(00000000,00000000,?), ref: 00409CD8
GlobalAlloc.KERNEL32(00002000,00000001), ref: 00409CE9
GlobalLock.KERNEL32 ref: 00409CF6
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00409D09
GlobalUnlock.KERNEL32(00000000), ref: 00409D18
SetClipboardData.USER32 ref: 00409D21
GetLastError.KERNEL32 ref: 00409D29
CloseHandle.KERNEL32(?), ref: 00409D35
GetLastError.KERNEL32 ref: 00409D40
CloseClipboard.USER32 ref: 00409D49

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
String ID:
API String ID: 3604893535-0
Opcode ID: 10de5859567b87446904565400fedfa97000c2bcf1d4b14b3dbc8805c7939b9a
Instruction ID: 5a50d71c9677ff208350085b36c79d2013372cce5b999ce37c3e4ca6669c51b4
Opcode Fuzzy Hash: 10de5859567b87446904565400fedfa97000c2bcf1d4b14b3dbc8805c7939b9a
Instruction Fuzzy Hash: 5E116D35500205EBD7206FA5EE48B9E7BB8EF48311F104076F605E6591DB709D098A68

Uniqueness

Uniqueness Score: -1.00%

Function 0040CC60 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 154
registryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040CC60(long _a4, char _a8) {
				void* _v8;
				void* _v12;
				void _v275;
				char _v276;
				void _v1299;
				char _v1300;
				void* __ebx;
				void* __edi;
				intOrPtr* _t40;
				void* _t43;
				unsigned int _t44;
				long _t56;
				long _t58;
				long _t60;
				intOrPtr* _t71;
				void* _t74;
				void* _t75;
				char _t76;
				char _t81;
				void _t82;
				void _t83;
				signed int _t85;
				int _t88;
				void* _t91;
				char _t92;
				void* _t94;
				void* _t95;
				void* _t97;
				void* _t101;
				void* _t105;
				void* _t111;
				long _t112;

				_t40 = _a8;
				if( *_t40 != 0x5c ||  *((char*)(_t40 + 1)) != 0x5c) {
					_t74 = _a4 + 0x768;
					_t94 = _t74 - _t40;
					do {
						_t81 =  *_t40;
						 *((char*)(_t94 + _t40)) = _t81;
						_t40 = _t40 + 1;
					} while (_t81 != 0);
					goto L7;
				} else {
					_t74 = _a4 + 0x768;
					_t71 = _t40 + 2;
					_t97 = _t74 - _t71;
					do {
						_t92 =  *_t71;
						 *((char*)(_t97 + _t71)) = _t92;
						_t71 = _t71 + 1;
					} while (_t92 != 0);
					L7:
					memset( &_v275, 0, 0x106);
					asm("movsw");
					_t43 = _t74;
					asm("movsb");
					_t95 = _t43;
					do {
						_t82 =  *_t43;
						_t43 = _t43 + 1;
					} while (_t82 != 0);
					_t44 = _t43 - _t95;
					_t101 =  &_v276 - 1;
					do {
						_t83 =  *(_t101 + 1);
						_t101 = _t101 + 1;
					} while (_t83 != 0);
					_t85 = _t44 >> 2;
					_t111 = _t95;
					_t88 = memcpy(_t101, _t111, _t85 << 2) & 0x00000003;
					memcpy(_t111 + _t85 + _t85, _t111, _t88);
					_t105 = _t111 + _t88 + _t88;
					_v1300 = 0;
					memset( &_v1299, 0, 0x3ff);
					_t75 = 9;
					sprintf( &_v1300, E00407C3F(_t75));
					_t112 = _a4;
					E00409E22( *((intOrPtr*)(_t112 + 0x878)),  &_v1300);
					_t76 = 0;
					_t91 = _t74;
					if( *((intOrPtr*)(_t112 + 0x754)) == 0) {
						L13:
						_a8 = _t76;
						_t56 = RegConnectRegistryA( &_v276, 0x80000002,  &_v8);
						_a4 = _t56;
						if(_t56 == 0) {
							L18:
							_t58 = RegOpenKeyExA(_v8, "Software", 0, 0x20019,  &_v12);
							_a4 = _t58;
							if(_t58 == 0) {
								E0040CAFC(_t91, _t112, _v12, 0);
								RegCloseKey(_v12);
							}
							RegCloseKey(_v8);
							L21:
							if(_t76 != 0) {
								E00401D0A( &_a8,  &_v276, 0);
							}
							_t60 = _a4;
							L24:
							return _t60;
						}
						if( *((intOrPtr*)(_t112 + 0x760)) != 0) {
							_t76 = E00401D0A( &_a8,  &_v276, 1);
							if(_t76 != 0) {
								_a4 = RegConnectRegistryA( &_v276, 0x80000002,  &_v8);
							}
						}
						if(_a4 != 0) {
							goto L21;
						} else {
							goto L18;
						}
					}
					_t60 = E0040ABDB(_a8, _t105, _t112);
					if(_t60 == 0) {
						goto L24;
					}
					goto L13;
				}
			}

0x0040cc63
0x0040cc72
0x0040cc99
0x0040cca1
0x0040cca3
0x0040cca3
0x0040cca5
0x0040cca8
0x0040cca9
0x00000000
0x0040cc7a
0x0040cc7d
0x0040cc83
0x0040cc88
0x0040cc8a
0x0040cc8a
0x0040cc8c
0x0040cc8f
0x0040cc90
0x0040ccad
0x0040ccbb
0x0040cccb
0x0040cccd
0x0040ccd2
0x0040ccd3
0x0040ccd5
0x0040ccd5
0x0040ccd7
0x0040ccd8
0x0040cce2
0x0040cce4
0x0040cce5
0x0040cce5
0x0040cce8
0x0040cce9
0x0040ccef
0x0040ccf2
0x0040cd03
0x0040cd09
0x0040cd09
0x0040cd0b
0x0040cd12
0x0040cd1d
0x0040cd2b
0x0040cd30
0x0040cd43
0x0040cd48
0x0040cd51
0x0040cd52
0x0040cd65
0x0040cd7b
0x0040cd7e
0x0040cd82
0x0040cd85
0x0040cdc2
0x0040cdd5
0x0040cde3
0x0040cde6
0x0040cdee
0x0040cdf6
0x0040cdf6
0x0040cdfb
0x0040cdfd
0x0040cdff
0x0040ce0d
0x0040ce0d
0x0040ce12
0x0040ce15
0x0040ce19
0x0040ce19
0x0040cd8e
0x0040cda1
0x0040cda5
0x0040cdb9
0x0040cdb9
0x0040cda5
0x0040cdc0
0x00000000
0x00000000
0x00000000
0x00000000
0x0040cdc0
0x0040cd58
0x0040cd5f
0x00000000
0x00000000
0x00000000
0x0040cd5f

APIs

memset.MSVCRT ref: 0040CCBB
memset.MSVCRT ref: 0040CD12
sprintf.MSVCRT ref: 0040CD2B
RegConnectRegistryA.ADVAPI32(?,80000002,?), ref: 0040CD7E
RegConnectRegistryA.ADVAPI32(?,80000002,?), ref: 0040CDB7
RegOpenKeyExA.ADVAPI32(?,Software,00000000,00020019,?), ref: 0040CDD5
RegCloseKey.ADVAPI32(?), ref: 0040CDF6
RegCloseKey.ADVAPI32(?), ref: 0040CDFB

Strings

Software, xrefs: 0040CDCD

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: CloseConnectRegistrymemset$Opensprintf
String ID: Software
API String ID: 3924636354-2393246361
Opcode ID: f09d0ba0c24eb170852eadd1196640db1142fb1754b71308216b7b879914348c
Instruction ID: a5624547f57fb1dbc346fbc3180d5039ffa5e1ae1cf231a9bc551707f2c1f170
Opcode Fuzzy Hash: f09d0ba0c24eb170852eadd1196640db1142fb1754b71308216b7b879914348c
Instruction Fuzzy Hash: 0051A671A0060CEFEB21DF64DC81BDB7BA8AF44344F14417AEA49B71C1D7789A49CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004015BF Relevance: 15.2, APIs: 4, Strings: 6, Instructions: 162
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E004015BF(void* __ebx, char* _a4, void* _a8) {
				int _v8;
				void _v263;
				char _v264;
				void _v519;
				char _v520;
				void* _t45;
				unsigned int _t46;
				intOrPtr _t50;
				intOrPtr _t51;
				intOrPtr _t52;
				intOrPtr _t53;
				intOrPtr _t55;
				void* _t59;
				unsigned int _t60;
				void* _t65;
				unsigned int _t66;
				void* _t69;
				void _t70;
				void _t71;
				signed int _t73;
				void _t79;
				void _t80;
				signed int _t82;
				void _t87;
				void _t88;
				signed int _t90;
				void* _t95;
				void* _t96;
				void* _t97;
				int _t98;
				void* _t100;
				void* _t106;
				void* _t108;
				void* _t110;
				void* _t113;
				void* _t115;
				void* _t121;
				void* _t127;
				void* _t133;
				void* _t134;
				void* _t135;
				void* _t136;
				void* _t139;
				void* _t141;

				_t69 = __ebx;
				_t98 = 0;
				_v264 = 0;
				memset( &_v263, 0, 0xfe);
				_v520 = 0;
				memset( &_v519, 0, 0xfe);
				_t136 = _t135 + 0x18;
				_v8 = 1;
				if( *((intOrPtr*)(__ebx + 4)) == 0xffffffff &&  *((intOrPtr*)(__ebx + 8)) <= 0) {
					_v8 = 0;
				}
				 *_a4 = 0;
				if(_v8 != _t98) {
					asm("movsd");
					asm("movsw");
					_t53 =  *((intOrPtr*)(_t69 + 8));
					if(_t53 > 0) {
						sprintf( &_v264, " size=\"%d\"", _t53);
						_t65 =  &_v264;
						_t141 = _t136 + 0xc;
						_t97 = _t65;
						do {
							_t87 =  *_t65;
							_t65 = _t65 + 1;
						} while (_t87 != 0);
						_t66 = _t65 - _t97;
						_t121 = _a4 - 1;
						do {
							_t88 =  *(_t121 + 1);
							_t121 = _t121 + 1;
						} while (_t88 != 0);
						_t90 = _t66 >> 2;
						_t134 = _t97;
						memcpy(_t134 + _t90 + _t90, _t134, memcpy(_t121, _t134, _t90 << 2) & 0x00000003);
						_t136 = _t141 + 0x18;
					}
					_t54 =  *((intOrPtr*)(_t69 + 4));
					if( *((intOrPtr*)(_t69 + 4)) != 0xffffffff) {
						sprintf( &_v264, " color=\"#%s\"", E004013F6(_t54,  &_v520));
						_t59 =  &_v264;
						_t139 = _t136 + 0x14;
						_t96 = _t59;
						do {
							_t79 =  *_t59;
							_t59 = _t59 + 1;
						} while (_t79 != 0);
						_t60 = _t59 - _t96;
						_t115 = _a4 - 1;
						do {
							_t80 =  *(_t115 + 1);
							_t115 = _t115 + 1;
						} while (_t80 != 0);
						_t82 = _t60 >> 2;
						_t133 = _t96;
						memcpy(_t133 + _t82 + _t82, _t133, memcpy(_t115, _t133, _t82 << 2) & 0x00000003);
						_t136 = _t139 + 0x18;
					}
					_t113 = _a4 - 1;
					do {
						_t55 =  *((intOrPtr*)(_t113 + 1));
						_t113 = _t113 + 1;
					} while (_t55 != 0);
					asm("movsw");
					_t98 = 0;
				}
				if( *((intOrPtr*)(_t69 + 0xc)) != _t98) {
					_t110 = _a4 - 1;
					do {
						_t52 =  *((intOrPtr*)(_t110 + 1));
						_t110 = _t110 + 1;
					} while (_t52 != 0);
					asm("movsd");
				}
				_t45 = _a8;
				_t95 = _t45;
				do {
					_t70 =  *_t45;
					_t45 = _t45 + 1;
				} while (_t70 != 0);
				_t46 = _t45 - _t95;
				_t100 = _a4 - 1;
				do {
					_t71 =  *(_t100 + 1);
					_t100 = _t100 + 1;
				} while (_t71 != 0);
				_t73 = _t46 >> 2;
				_t127 = _t95;
				memcpy(_t127 + _t73 + _t73, _t127, memcpy(_t100, _t127, _t73 << 2) & 0x00000003);
				if( *((intOrPtr*)(_t69 + 0xc)) != 0) {
					_t108 = _a4 - 1;
					do {
						_t51 =  *((intOrPtr*)(_t108 + 1));
						_t108 = _t108 + 1;
					} while (_t51 != 0);
					asm("movsd");
					asm("movsb");
				}
				if(_v8 != 0) {
					_t106 = _a4 - 1;
					do {
						_t50 =  *((intOrPtr*)(_t106 + 1));
						_t106 = _t106 + 1;
					} while (_t50 != 0);
					asm("movsd");
					asm("movsd");
				}
				return _a4;
			}

0x004015bf
0x004015d0
0x004015da
0x004015e1
0x004015ef
0x004015f6
0x004015fb
0x00401602
0x00401609
0x00401610
0x00401610
0x00401619
0x0040161c
0x00401629
0x0040162a
0x0040162c
0x00401631
0x00401640
0x00401645
0x0040164b
0x0040164e
0x00401650
0x00401650
0x00401652
0x00401653
0x0040165a
0x0040165c
0x0040165d
0x0040165d
0x00401660
0x00401661
0x00401667
0x0040166a
0x00401673
0x00401673
0x00401673
0x00401675
0x0040167b
0x00401697
0x0040169c
0x004016a2
0x004016a5
0x004016a7
0x004016a7
0x004016a9
0x004016aa
0x004016b1
0x004016b3
0x004016b4
0x004016b4
0x004016b7
0x004016b8
0x004016be
0x004016c1
0x004016ca
0x004016ca
0x004016ca
0x004016cf
0x004016d0
0x004016d0
0x004016d3
0x004016d4
0x004016dd
0x004016df
0x004016df
0x004016e4
0x004016e9
0x004016ea
0x004016ea
0x004016ed
0x004016ee
0x004016f7
0x004016f7
0x004016f8
0x004016fb
0x004016fd
0x004016fd
0x004016ff
0x00401700
0x00401707
0x00401709
0x0040170a
0x0040170a
0x0040170d
0x0040170e
0x00401714
0x00401717
0x00401720
0x00401726
0x0040172b
0x0040172c
0x0040172c
0x0040172f
0x00401730
0x00401739
0x0040173a
0x0040173a
0x0040173f
0x00401744
0x00401745
0x00401745
0x00401748
0x00401749
0x00401752
0x00401753
0x00401753
0x0040175a

APIs

memset.MSVCRT ref: 004015E1
memset.MSVCRT ref: 004015F6
sprintf.MSVCRT ref: 00401640
sprintf.MSVCRT ref: 00401697

Strings

size="%d", xrefs: 0040163A
<b>, xrefs: 004016F2
</b>, xrefs: 00401734
color="#%s", xrefs: 00401691
</font>, xrefs: 0040174D
<font, xrefs: 00401624

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: memsetsprintf
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 4041149307-1996832678
Opcode ID: 1e2aab957bc7b26221ffa0c709ab96f7c84d7ed275eae9eb88dfbc97be7e2620
Instruction ID: 39ae1bf813dd95f269064c10691c7677a7bb4ec6dda8d1802202662c61fc824e
Opcode Fuzzy Hash: 1e2aab957bc7b26221ffa0c709ab96f7c84d7ed275eae9eb88dfbc97be7e2620
Instruction Fuzzy Hash: 53517B318004495BCF11CE288850BEBB7E6AF91350F1882B6E899AF391D776DDC1CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00407AB3 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 118
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00407AB3(char __ecx, void* __eflags, int _a4, struct tagMENUITEMINFOA _a8, intOrPtr _a12, int _a24, intOrPtr _a28, char* _a44, int _a48, char _a56, void _a57, char _a4160, void _a4161) {
				int _v0;
				int _v4;
				int _t42;
				void* _t53;
				void* _t55;
				void* _t58;
				unsigned int _t59;
				intOrPtr _t62;
				int _t63;
				void _t70;
				void _t71;
				signed int _t73;
				void* _t77;
				void* _t80;
				void* _t82;
				int _t88;
				void* _t90;
				signed int _t91;
				signed int _t92;

				_t68 = __ecx;
				_t92 = _t91 & 0xfffffff8;
				E0040EAD0(0x204c, __ecx);
				_t42 = GetMenuItemCount(_a8.cbSize);
				_t88 = 0;
				_a4 = _t42;
				_v4 = 0;
				if(_t42 <= 0) {
					L20:
					return _t42;
				}
				do {
					memset( &_a57, _t88, 0x1000);
					_t92 = _t92 + 0xc;
					_a44 =  &_a56;
					_a8.cbSize = 0x30;
					_a12 = 0x36;
					_a48 = 0x1000;
					_a56 = 0;
					if(GetMenuItemInfoA(_a8.cbSize, _v4, 1,  &_a8) == 0) {
						goto L19;
					}
					if(_a56 == 0) {
						L17:
						_t106 = _a28 - _t88;
						if(_a28 != _t88) {
							_push(_t88);
							_push(_a28);
							_push(_a4);
							E00407AB3(_t68, _t106);
							_t92 = _t92 + 0xc;
						}
						goto L19;
					}
					_v0 = _a24;
					_a4160 = 0;
					memset( &_a4161, _t88, 0x1000);
					_t53 = strchr( &_a56, 9);
					_t92 = _t92 + 0x14;
					_t80 = _t53;
					if(_a28 != _t88) {
						if(_a12 == _t88) {
							 *0x41279c =  *0x41279c + 1;
							_t62 =  *0x41279c; // 0x0
							_t63 = _t62 + 0x11558;
							__eflags = _t63;
						} else {
							_t63 = _v4 + 0x11171;
						}
						_v0 = _t63;
					}
					_t55 = E004076DC(_v0,  &_a4160);
					_pop(_t68);
					if(_t55 == 0) {
						goto L17;
					} else {
						if(_t80 == _t88) {
							L16:
							ModifyMenuA(_a8, _v4, 0x400, _v0,  &_a4160);
							goto L17;
						}
						_t58 = _t80;
						_t77 = _t80;
						do {
							_t70 =  *_t58;
							_t58 = _t58 + 1;
						} while (_t70 != 0);
						_t59 = _t58 - _t77;
						_t82 =  &_a4160 - 1;
						do {
							_t71 =  *(_t82 + 1);
							_t82 = _t82 + 1;
						} while (_t71 != 0);
						_t73 = _t59 >> 2;
						_t90 = _t77;
						memcpy(_t90 + _t73 + _t73, _t90, memcpy(_t82, _t90, _t73 << 2) & 0x00000003);
						_t92 = _t92 + 0x18;
						_t68 = 0;
						_t88 = 0;
						goto L16;
					}
					L19:
					_v4 = _v4 + 1;
					_t42 = _v4;
				} while (_t42 < _a4);
				goto L20;
			}

0x00407ab3
0x00407ab6
0x00407abe
0x00407ac9
0x00407acf
0x00407ad3
0x00407ad7
0x00407adb
0x00407c27
0x00407c2d
0x00407c2d
0x00407ae6
0x00407aed
0x00407af2
0x00407af9
0x00407b08
0x00407b13
0x00407b1b
0x00407b1f
0x00407b2c
0x00000000
0x00000000
0x00407b37
0x00407bff
0x00407bff
0x00407c03
0x00407c05
0x00407c06
0x00407c0a
0x00407c0d
0x00407c12
0x00407c12
0x00000000
0x00407c03
0x00407b42
0x00407b4f
0x00407b57
0x00407b63
0x00407b68
0x00407b6f
0x00407b71
0x00407b76
0x00407b83
0x00407b89
0x00407b8e
0x00407b8e
0x00407b78
0x00407b7c
0x00407b7c
0x00407b93
0x00407b93
0x00407ba3
0x00407bab
0x00407bac
0x00000000
0x00407bae
0x00407bb0
0x00407be1
0x00407bf9
0x00000000
0x00407bf9
0x00407bb2
0x00407bb4
0x00407bb6
0x00407bb6
0x00407bb8
0x00407bb9
0x00407bc4
0x00407bc6
0x00407bc7
0x00407bc7
0x00407bca
0x00407bcb
0x00407bd1
0x00407bd4
0x00407bdd
0x00407bdd
0x00407bdd
0x00407bdf
0x00000000
0x00407bdf
0x00407c15
0x00407c15
0x00407c19
0x00407c1d
0x00000000

APIs

GetMenuItemCount.USER32 ref: 00407AC9
memset.MSVCRT ref: 00407AED
GetMenuItemInfoA.USER32 ref: 00407B24
memset.MSVCRT ref: 00407B57
strchr.MSVCRT ref: 00407B63
ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00407BF9

Strings

6, xrefs: 00407B13
0, xrefs: 00407B08

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Menu$Itemmemset$CountInfoModifystrchr
String ID: 0$6
API String ID: 2695500961-3849865405
Opcode ID: 3f125d8f9c99a8dc343bc0f6ed8da4378aa4ab476d370e35e0c0dbe081e5d04a
Instruction ID: bc50868f119f1ac69747449354b0e5ede2fc8155e10fb2fb2ca5d72e8faccf57
Opcode Fuzzy Hash: 3f125d8f9c99a8dc343bc0f6ed8da4378aa4ab476d370e35e0c0dbe081e5d04a
Instruction Fuzzy Hash: 4741CF7190C344AFC7218F59D800A9FBBE9EB84754F04493EF988A2291D775E944CFA7

Uniqueness

Uniqueness Score: -1.00%

Function 00408080 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 81
windowCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00408080(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a8, CHAR* _a12) {
				void _v4103;
				char _v4104;
				void* _t18;
				char _t21;
				void* _t22;
				struct HMENU__* _t34;
				void* _t45;
				struct HWND__* _t47;
				struct HMENU__* _t50;

				E0040EAD0(0x1004, __ecx);
				_t18 = 4;
				_t55 = _a8 - _t18;
				if(_a8 != _t18) {
					__eflags = _a8 - 5;
					if(_a8 == 5) {
						_t21 = E00407595(_a12);
						__eflags = _t21;
						if(_t21 == 0) {
							_push(_a12);
							_t22 = 5;
							E00407714(_t22);
							_t47 = CreateDialogParamA(_a4, _a12, 0, E004075B7, 0);
							_v4104 = 0;
							memset( &_v4103, 0, 0x1000);
							GetWindowTextA(_t47,  &_v4104, 0x1000);
							__eflags = _v4104;
							if(__eflags != 0) {
								E004075BC(__eflags, "caption",  &_v4104);
							}
							EnumChildWindows(_t47, E00407E46, 0);
							DestroyWindow(_t47);
						}
					}
				} else {
					E00407714(_t18, _a12);
					_pop(_t45);
					_t34 = LoadMenuA(_a4, _a12);
					 *0x41279c =  *0x41279c & 0x00000000;
					_t50 = _t34;
					_push(1);
					_push(_t50);
					_push(_a12);
					E00407EF9(_t45, _t55);
					DestroyMenu(_t50);
				}
				return 1;
			}

0x00408088
0x00408090
0x00408091
0x00408094
0x004080ce
0x004080d2
0x004080db
0x004080e0
0x004080e3
0x004080eb
0x004080f0
0x004080f1
0x00408112
0x0040811c
0x00408122
0x00408133
0x00408139
0x0040813f
0x0040814d
0x00408153
0x0040815b
0x00408162
0x00408169
0x004080e3
0x00408096
0x00408099
0x0040809e
0x004080a5
0x004080ab
0x004080b2
0x004080b4
0x004080b6
0x004080b7
0x004080ba
0x004080c3
0x004080c3
0x0040816f

APIs

LoadMenuA.USER32 ref: 004080A5

Part of subcall function 00407EF9: GetMenuItemCount.USER32 ref: 00407F0E
Part of subcall function 00407EF9: memset.MSVCRT ref: 00407F2F
Part of subcall function 00407EF9: GetMenuItemInfoA.USER32 ref: 00407F6A
Part of subcall function 00407EF9: strchr.MSVCRT ref: 00407F81

DestroyMenu.USER32(00000000), ref: 004080C3
CreateDialogParamA.USER32(?,?,00000000,004075B7,00000000), ref: 00408106
memset.MSVCRT ref: 00408122
GetWindowTextA.USER32 ref: 00408133
EnumChildWindows.USER32 ref: 0040815B
DestroyWindow.USER32(00000000), ref: 00408162

Part of subcall function 00407714: sprintf.MSVCRT ref: 00407737

Strings

caption, xrefs: 00408148

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Menu$DestroyItemWindowmemset$ChildCountCreateDialogEnumInfoLoadParamTextWindowssprintfstrchr
String ID: caption
API String ID: 2399569875-4135340389
Opcode ID: c6f0a7400c459f5448579dd9d8661458a8750f959f47b059c50533fb2ca9ee94
Instruction ID: eee04953f9942be59f9ff2124a300e171563816723e8f5865314466324634240
Opcode Fuzzy Hash: c6f0a7400c459f5448579dd9d8661458a8750f959f47b059c50533fb2ca9ee94
Instruction Fuzzy Hash: 3D210632404248BFDB216F21DD45EEB3B28EF04355F00447AF645F54E0D6B95D948B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040A877 Relevance: 13.7, APIs: 3, Strings: 6, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0040A877(void* __ebx, intOrPtr _a4) {
				int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				int _v20;
				signed int* _v24;
				signed char _v26;
				void* _v40;
				void _v68;
				void _v131;
				char _v132;
				void* _v368;
				void* _v373;
				void* _v378;
				void* _v383;
				void _v387;
				void _v388;
				signed char _t95;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int _t101;
				void* _t110;
				unsigned int _t111;
				void* _t113;
				void* _t118;
				signed int _t119;
				signed int _t121;
				signed int* _t123;
				signed int _t126;
				signed int _t127;
				void _t128;
				void _t129;
				signed int _t131;
				void* _t145;
				signed int _t155;
				void* _t157;
				signed int _t171;
				signed char* _t173;
				signed int _t174;
				int _t175;
				void* _t176;
				signed int _t182;
				void* _t183;

				_t118 = __ebx;
				_t119 = 6;
				memcpy( &_v68, "BCDFGHJKMPQRTVWXY2346789", _t119 << 2);
				_v20 = 0;
				_v8 = 0;
				_v132 = 0;
				asm("movsb");
				memset( &_v131, 0, 0x3f);
				_t121 = 8;
				memset(__ebx, 0, _t121 << 2);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsw");
				asm("movsb");
				_t95 = _v26;
				if((_t95 & 0x00000008) != 0) {
					_v20 = 1;
					_v26 = _t95 >> 0x00000001 & 0x00000078 | _t95 & 0x000000f7;
				}
				_t123 = _t118 + 0x1c;
				_v16 = 1;
				_v16 = _v16 - _t118;
				_a4 = 0x18;
				_v12 = 0x1c;
				_v24 = _t123;
				do {
					_t97 = _v16 + _t123;
					asm("cdq");
					_t171 = 6;
					_t98 = _t97 / _t171;
					if(_t97 % _t171 != 0) {
						_v8 = 0xe;
						_t99 = 0;
						do {
							_t173 = _t183 + _v8 - 0x24;
							_t126 = _t99 << 0x00000008 |  *_t173 & 0x000000ff;
							_t101 = _t126;
							_t155 = 0x18;
							_t35 =  &_v8;
							 *_t35 = _v8 - 1;
							 *_t173 = _t101 / _t155;
							_t99 = _t101 % _t155;
						} while ( *_t35 >= 0);
						if(_v20 != 0) {
							if(_a4 >= 0) {
								_t182 = _t155;
								 *((char*)(_t183 + _a4 - 0x80)) =  *((intOrPtr*)(_t183 + _t126 % _t182 - 0x40));
							}
							_a4 = _a4 - 1;
						}
						_t127 = 0x18;
						_t123 = _v24;
						_t174 = _t126 % _t127;
						_t98 =  *((intOrPtr*)(_t183 + _t174 - 0x40));
						 *_t123 = _t98;
						_v8 = _t174;
					} else {
						 *_t123 = 0x2d;
					}
					_v12 = _v12 - 1;
					_t123 = _t123 - 1;
					_v24 = _t123;
				} while (_v12 >= 0);
				if(_v20 != 0) {
					_t175 = _v8;
					if(_t175 < 0x1e) {
						_v388 = 0;
						memset( &_v387, 0, 0xfe);
						memcpy( &_v388,  &_v131, _t175);
						_t110 = _t183 + _t175 - 0x7f;
						 *((char*)(_t183 + _t175 - 0x180)) = 0x4e;
						_t145 = _t110;
						do {
							_t128 =  *_t110;
							_t110 = _t110 + 1;
						} while (_t128 != 0);
						_t111 = _t110 - _t145;
						_t157 =  &_v388 - 1;
						do {
							_t129 =  *(_t157 + 1);
							_t157 = _t157 + 1;
						} while (_t129 != 0);
						_t131 = _t111 >> 2;
						_t176 = _t145;
						_t113 = memcpy(_t176 + _t131 + _t131, _t176, memcpy(_t157, _t176, _t131 << 2) & 0x00000003);
						asm("movsd");
						asm("movsb");
						asm("movsd");
						asm("movsb");
						asm("movsd");
						asm("movsb");
						asm("movsd");
						asm("movsb");
						asm("movsd");
						 *((char*)(_t118 + 5)) = 0x2d;
						 *((char*)(_t118 + 0xb)) = 0x2d;
						 *((char*)(_t118 + 0x11)) = 0x2d;
						 *((char*)(_t118 + 0x17)) = 0x2d;
						asm("movsb");
						 *((char*)(_t118 + 0x1d)) = 0;
						return _t113;
					}
				}
				return _t98;
			}

0x0040a877
0x0040a884
0x0040a88d
0x0040a894
0x0040a897
0x0040a89a
0x0040a8a1
0x0040a8a2
0x0040a8b1
0x0040a8b4
0x0040a8b9
0x0040a8ba
0x0040a8bb
0x0040a8bc
0x0040a8be
0x0040a8bf
0x0040a8c7
0x0040a8d4
0x0040a8d7
0x0040a8d7
0x0040a8da
0x0040a8dd
0x0040a8e0
0x0040a8e3
0x0040a8ea
0x0040a8f1
0x0040a8f4
0x0040a8f7
0x0040a8fb
0x0040a8fc
0x0040a8fd
0x0040a901
0x0040a908
0x0040a90f
0x0040a911
0x0040a916
0x0040a920
0x0040a926
0x0040a928
0x0040a92b
0x0040a92b
0x0040a92e
0x0040a930
0x0040a930
0x0040a938
0x0040a93e
0x0040a945
0x0040a94f
0x0040a94f
0x0040a953
0x0040a953
0x0040a95a
0x0040a95f
0x0040a962
0x0040a964
0x0040a968
0x0040a96a
0x0040a903
0x0040a903
0x0040a903
0x0040a96d
0x0040a970
0x0040a975
0x0040a975
0x0040a982
0x0040a988
0x0040a98e
0x0040a9a2
0x0040a9a9
0x0040a9ba
0x0040a9bf
0x0040a9c6
0x0040a9ce
0x0040a9d0
0x0040a9d0
0x0040a9d2
0x0040a9d3
0x0040a9dd
0x0040a9df
0x0040a9e0
0x0040a9e0
0x0040a9e3
0x0040a9e4
0x0040a9ea
0x0040a9ed
0x0040a9f6
0x0040aa00
0x0040aa01
0x0040aa0b
0x0040aa0c
0x0040aa16
0x0040aa17
0x0040aa21
0x0040aa22
0x0040aa2c
0x0040aa2d
0x0040aa31
0x0040aa35
0x0040aa39
0x0040aa3d
0x0040aa3e
0x00000000
0x0040aa3e
0x0040a98e
0x0040aa45

APIs

memset.MSVCRT ref: 0040A8A2
memset.MSVCRT ref: 0040A9A9
memcpy.MSVCRT ref: 0040A9BA

Strings

-, xrefs: 0040AA31
N, xrefs: 0040A9C6
BCDFGHJKMPQRTVWXY2346789, xrefs: 0040A885
-, xrefs: 0040AA2D
-, xrefs: 0040AA39
-, xrefs: 0040AA35

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: memset$memcpy
String ID: -$-$-$-$BCDFGHJKMPQRTVWXY2346789$N
API String ID: 368790112-290593145
Opcode ID: 6234dd5b282ead6a4b6fa16e9340903ba4a9d7abc0c46a715f62a906365b06bc
Instruction ID: be0272b2efbbd6c10dabd1d3c91be8c75acc4c0b7bfd47c7a7399edc3e37da8e
Opcode Fuzzy Hash: 6234dd5b282ead6a4b6fa16e9340903ba4a9d7abc0c46a715f62a906365b06bc
Instruction Fuzzy Hash: C251CE31A042599FDF15CE68C8047DFBBB1AF55304F1484AAE844BB282D7B5AB4ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 0040B48A Relevance: 13.6, APIs: 5, Strings: 4, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040B48A(intOrPtr* __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr* _v8;
				void _v1031;
				void _v1032;
				void _v2055;
				char _v2056;
				void _v3079;
				char _v3080;
				void* __ebx;
				void* __esi;
				void* _t39;
				void* _t45;
				signed int _t48;
				void* _t50;
				void* _t58;
				void* _t59;
				intOrPtr _t62;
				intOrPtr _t63;

				_t50 = __edi;
				_v8 = __ecx;
				E004017CD(__ecx, _a4);
				_v1032 = 0;
				memset( &_v1031, 0, 0x3ff);
				_v2056 = 0;
				memset( &_v2055, 0, 0x3ff);
				_v3080 = 0;
				memset( &_v3079, 0, 0x3ff);
				_t59 = _t58 + 0x28;
				_t62 =  *0x4128f0; // 0x0
				if(_t62 != 0) {
					sprintf( &_v2056, "<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>", 0x4128f0);
					_t59 = _t59 + 0xc;
				}
				_t63 =  *0x4128ec; // 0x0
				if(_t63 != 0) {
					_push(_t50);
					_t48 = 7;
					memcpy( &_v1032, "<table dir=\"rtl\"><tr><td>\r\n", _t48 << 2);
					_t59 = _t59 + 0xc;
				}
				E00401782(_a4,  *((intOrPtr*)( *_v8 + 0x1c))(),  &_v2056,  &_v1032);
				_push("ProduKey");
				_t45 = 6;
				_push(E00407C3F(_t45));
				sprintf( &_v3080, "<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
				_t39 = E004096D5(_v8, _a4,  &_v3080);
				_t64 = _a8 - 4;
				if(_a8 == 4) {
					return E00405761(_v8, _t64, _a4);
				}
				return _t39;
			}

0x0040b48a
0x0040b498
0x0040b49b
0x0040b4b0
0x0040b4b6
0x0040b4c4
0x0040b4ca
0x0040b4d8
0x0040b4de
0x0040b4e3
0x0040b4e6
0x0040b4ec
0x0040b4ff
0x0040b504
0x0040b504
0x0040b507
0x0040b50d
0x0040b50f
0x0040b512
0x0040b51e
0x0040b51e
0x0040b520
0x0040b53b
0x0040b543
0x0040b54a
0x0040b550
0x0040b55d
0x0040b56c
0x0040b574
0x0040b578
0x00000000
0x0040b580
0x0040b588

APIs

memset.MSVCRT ref: 0040B4B6
memset.MSVCRT ref: 0040B4CA
memset.MSVCRT ref: 0040B4DE
sprintf.MSVCRT ref: 0040B4FF
sprintf.MSVCRT ref: 0040B55D

Strings

ProduKey, xrefs: 0040B543
<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 0040B4F9
<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 0040B557
<table dir="rtl"><tr><td>, xrefs: 0040B513

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: memset$sprintf
String ID: <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$ProduKey
API String ID: 1905644873-4049021796
Opcode ID: 778b35b1de36561c8a15e4ac573c118ea7b29f4b81876604b5700a31cfb043f7
Instruction ID: 12a8dd2a83f90a446e50023e9b62def618514604d974679ae29f97422011508a
Opcode Fuzzy Hash: 778b35b1de36561c8a15e4ac573c118ea7b29f4b81876604b5700a31cfb043f7
Instruction Fuzzy Hash: 8A21A6B2D01158BADB20EB65CD41EDB77ACEB14308F0440F6B608B3191D6399F58CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF30 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 114
registryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040BF30(intOrPtr _a4, intOrPtr _a8, void* _a12) {
				int _v12;
				int _v16;
				int _v20;
				int _v24;
				char _v271;
				void _v279;
				char _v280;
				void _v583;
				char _v584;
				char _v1608;
				long _t42;
				char* _t43;
				void* _t51;
				unsigned int _t52;
				void _t59;
				void _t60;
				signed int _t62;
				void* _t67;
				int* _t68;
				void* _t71;
				void* _t78;
				void* _t79;
				void* _t80;
				void* _t81;

				_t68 = 0;
				_v280 = 0;
				memset( &_v279, 0, 0xff);
				_t80 = _t79 + 0xc;
				_v16 = 0xff;
				_v20 = 0;
				_v24 = 0x3ff;
				_v12 = 0;
				_t42 = RegEnumValueA(_a12, 0,  &_v280,  &_v16, 0,  &_v20,  &_v1608,  &_v24);
				while(_t42 == 0) {
					_push(9);
					_t43 =  &_v280;
					_push("productid");
					_push(_t43);
					L0040108C();
					_t80 = _t80 + 0xc;
					if(_t43 == 0) {
						memset( &_v583, _t68, 0x12b);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t51 =  &_v271;
						_t81 = _t80 + 0xc;
						asm("movsb");
						_t67 = _t51;
						do {
							_t59 =  *_t51;
							_t51 = _t51 + 1;
						} while (_t59 != 0);
						_t52 = _t51 - _t67;
						_t71 =  &_v584 - 1;
						do {
							_t60 =  *(_t71 + 1);
							_t71 = _t71 + 1;
						} while (_t60 != 0);
						_t62 = _t52 >> 2;
						_t78 = _t67;
						memcpy(_t78 + _t62 + _t62, _t78, memcpy(_t71, _t78, _t62 << 2) & 0x00000003);
						_t80 = _t81 + 0x18;
						E0040B8BD(0, _a4, _a8, _a12,  &_v280, _a12,  &_v584, 4, 0x40f469, 0x40f469, 0x40f469, 1);
						_t68 = 0;
					}
					_v12 = _v12 + 1;
					_t42 = RegEnumValueA(_a12, _v12,  &_v280,  &_v16, _t68,  &_v20,  &_v1608,  &_v24);
				}
				return _t42;
			}

0x0040bf42
0x0040bf4c
0x0040bf53
0x0040bf58
0x0040bf7a
0x0040bf7d
0x0040bf80
0x0040bf87
0x0040bf8a
0x0040bf92
0x0040bf9d
0x0040bf9f
0x0040bfa5
0x0040bfaa
0x0040bfab
0x0040bfb0
0x0040bfb5
0x0040bfc4
0x0040bfd4
0x0040bfd5
0x0040bfd6
0x0040bfd7
0x0040bfd8
0x0040bfde
0x0040bfe1
0x0040bfe2
0x0040bfe4
0x0040bfe4
0x0040bfe6
0x0040bfe7
0x0040bff1
0x0040bff3
0x0040bff4
0x0040bff4
0x0040bff7
0x0040bff8
0x0040c003
0x0040c008
0x0040c028
0x0040c028
0x0040c02d
0x0040c032
0x0040c032
0x0040c034
0x0040c058
0x0040c05e
0x0040c06a

APIs

memset.MSVCRT ref: 0040BF53
RegEnumValueA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?), ref: 0040BF8A
_strnicmp.MSVCRT ref: 0040BFAB
memset.MSVCRT ref: 0040BFC4
RegEnumValueA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,000003FF), ref: 0040C058

Strings

DigitalProductID, xrefs: 0040BFC9
productid, xrefs: 0040BFA5

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: EnumValuememset$_strnicmp
String ID: DigitalProductID$productid
API String ID: 122006098-3158503407
Opcode ID: e4dbb91b9a3dc3db13993cf8e91e5e521a3c96c3a7a9c64e8599efa7cd0b86d2
Instruction ID: ded00ab1c49dcf52826af456cbea8e792decb2087d77f508eba27fd8bb73ba88
Opcode Fuzzy Hash: e4dbb91b9a3dc3db13993cf8e91e5e521a3c96c3a7a9c64e8599efa7cd0b86d2
Instruction Fuzzy Hash: A4317C7290011EABDB21DE95CC41FEFB7BDEF54704F0040B6BA18F6150E7719A588BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00407E46 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00407E46(void* __ecx, void* __eflags, struct HWND__* _a4) {
				void _v259;
				char _v260;
				void _v4359;
				char _v4360;
				int _t17;
				CHAR* _t26;

				E0040EAD0(0x1104, __ecx);
				_v4360 = 0;
				memset( &_v4359, 0, 0x1000);
				_t17 = GetDlgCtrlID(_a4);
				_t35 = _t17;
				GetWindowTextA(_a4,  &_v4360, 0x1000);
				if(_t17 > 0 && _v4360 != 0) {
					_v260 = 0;
					memset( &_v259, 0, 0xff);
					GetClassNameA(_a4,  &_v260, 0xff);
					_t26 =  &_v260;
					_push("sysdatetimepick32");
					_push(_t26);
					L0040107A();
					if(_t26 != 0) {
						E00407993(_t35,  &_v4360);
					}
				}
				return 1;
			}

0x00407e4e
0x00407e66
0x00407e6c
0x00407e77
0x00407e7d
0x00407e8a
0x00407e92
0x00407eaa
0x00407eb0
0x00407ec3
0x00407ec9
0x00407ecf
0x00407ed4
0x00407ed5
0x00407ede
0x00407ee8
0x00407eee
0x00407ede
0x00407ef6

APIs

memset.MSVCRT ref: 00407E6C
GetDlgCtrlID.USER32(?), ref: 00407E77
GetWindowTextA.USER32 ref: 00407E8A
memset.MSVCRT ref: 00407EB0
GetClassNameA.USER32(?,?,000000FF), ref: 00407EC3
_stricmp.MSVCRT(?,sysdatetimepick32), ref: 00407ED5

Part of subcall function 00407993: _itoa.MSVCRT ref: 004079B4

Strings

sysdatetimepick32, xrefs: 00407ECF

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: memset$ClassCtrlNameTextWindow_itoa_stricmp
String ID: sysdatetimepick32
API String ID: 896699463-4169760276
Opcode ID: 2f645697545001dd0d580fc77fc6236cdcc8ee29f3f06962c495c1c78859140a
Instruction ID: 002409b2ff2b35f88df28a0fb8a32fe212527c33e95a4f591c4e010e06ff33fa
Opcode Fuzzy Hash: 2f645697545001dd0d580fc77fc6236cdcc8ee29f3f06962c495c1c78859140a
Instruction Fuzzy Hash: B7110A72D051196EE721EB55DC81EEE37ACEF18304F0400FBFA08F2551E6799E848B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040AEF5 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 104
registryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040AEF5(intOrPtr __ecx, void* __eflags, void* _a4, intOrPtr _a8) {
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v36;
				char _v428;
				char _v557;
				char _v686;
				char _v815;
				char _v944;
				char _v956;
				char _v1980;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t44;
				long _t47;
				void* _t50;
				void* _t79;
				intOrPtr _t85;
				void* _t92;
				void* _t93;
				void* _t94;

				_v12 = _v12 & 0x00000000;
				_v16 = __ecx;
				_v1980 = 0;
				_t44 = E00401EC5(0x3ff, _a4, 0,  &_v1980);
				_t93 = _t92 + 0xc;
				if(_t44 != 0) {
					return _t44;
				}
				do {
					_v8 = _v8 & 0x00000000;
					_t47 = RegOpenKeyExA(_a4,  &_v1980, 0, 0x20019,  &_v8);
					_t97 = _t47;
					if(_t47 == 0) {
						_t85 = _a8;
						_t77 = _v16;
						E0040AEF5(_v16, _t97, _v8, _t85 + 1);
						if(_t85 >= 0) {
							E0040A80B( &_v956);
							E00401F0A(0x80, _t77,  &_v686, _v8, "SerialNumber");
							_pop(_t79);
							if(_v686 != 0) {
								E00401F0A(0x80, _t79,  &_v815, _v8, "ProductCode");
								E00401F0A(0x80, _t79,  &_v944, _v8, "ProductName");
								E00401F0A(0x104, _t79,  &_v428, _v8, "Location");
								_t94 = _t93 + 0x18;
								if(_v944 == 0) {
									E00409476(0x80,  &_v944,  &_v1980);
									_pop(_t79);
								}
								_v20 = 8;
								E00401DEC(_v8,  &_v36);
								E00409476(0x80,  &_v557, _v16 + 0x768);
								_t93 = _t94 + 0xc;
								E00405DE7(_v16, _t79,  &_v956);
							}
						}
						RegCloseKey(_v8);
					}
					_v12 = _v12 + 1;
					_t50 = E00401EC5(0x3ff, _a4, _v12,  &_v1980);
					_t93 = _t93 + 0xc;
				} while (_t50 == 0);
				return _t50;
			}

0x0040aefe
0x0040af13
0x0040af16
0x0040af1d
0x0040af22
0x0040af27
0x0040b071
0x0040b071
0x0040af35
0x0040af35
0x0040af4e
0x0040af54
0x0040af56
0x0040af5c
0x0040af5f
0x0040af69
0x0040af70
0x0040af7c
0x0040af91
0x0040af9e
0x0040af9f
0x0040afb5
0x0040afca
0x0040afe2
0x0040afe7
0x0040aff1
0x0040b000
0x0040b005
0x0040b005
0x0040b00d
0x0040b014
0x0040b028
0x0040b02d
0x0040b03a
0x0040b03a
0x0040af9f
0x0040b042
0x0040b042
0x0040b048
0x0040b05d
0x0040b062
0x0040b065
0x00000000

APIs

Part of subcall function 00401EC5: RegEnumKeyExA.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?), ref: 00401EE4

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,00000000), ref: 0040AF4E

Part of subcall function 0040AEF5: RegCloseKey.ADVAPI32(00000000), ref: 0040B042

Strings

Location, xrefs: 0040AFCF
ProductName, xrefs: 0040AFBA
ProductCode, xrefs: 0040AFA5
SerialNumber, xrefs: 0040AF81

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: CloseEnumOpen
String ID: Location$ProductCode$ProductName$SerialNumber
API String ID: 1332880857-3150285382
Opcode ID: 3b0a12e50cef74caee93ee181dda03b1001e0fef77cd8e9b5b7477cef9444fcd
Instruction ID: 9fa157b7ef48736957d423d201b5757fea497bdd6292b4b657393e42b22838a1
Opcode Fuzzy Hash: 3b0a12e50cef74caee93ee181dda03b1001e0fef77cd8e9b5b7477cef9444fcd
Instruction Fuzzy Hash: 15414D72D00219AFDF61AB55DC41BDDB7B8EF04304F1040B6A904B2192DB386F89DF9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA61 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 95
timeCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E0040BA61(void* __ecx) {
				void* __ebx;
				intOrPtr _t22;
				char* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;
				void* _t28;
				intOrPtr _t36;
				char* _t44;
				void* _t46;
				intOrPtr _t54;
				char* _t58;
				void* _t61;
				void* _t63;

				_t61 = _t63 - 0x70;
				_t44 =  *(_t61 + 0x7c);
				_t56 = __ecx;
				_t22 =  *((intOrPtr*)(_t61 + 0x78));
				 *_t44 = 0;
				if(_t22 == 0) {
					_t23 = __ecx + 0xc;
					L22:
					return _t23;
				}
				_t24 = _t22 - 1;
				if(_t24 == 0) {
					_t23 = __ecx + 0x8d;
					goto L22;
				}
				_t25 = _t24 - 1;
				if(_t25 == 0) {
					_t58 = __ecx + 0x10e;
					_push("BBBBB-BBBBB-BBBBB-BBBBB-BBBBB");
					_push(_t58);
					L00401080();
					if(_t25 != 0) {
						_t23 = _t58;
					} else {
						_t46 = 0x10;
						_t23 = E00407C3F(_t46);
					}
					goto L22;
				}
				_t26 = _t25 - 1;
				if(_t26 == 0) {
					_t23 = __ecx + 0x210;
					goto L22;
				}
				_t27 = _t26 - 1;
				if(_t27 == 0) {
					_t23 = __ecx + 0x315;
					goto L22;
				}
				_t28 = _t27 - 1;
				if(_t28 == 0) {
					_t54 =  *((intOrPtr*)(__ecx + 0x3a0));
					if(_t54 == 0) {
						_t23 = __ecx + 0x18f;
						goto L22;
					}
					 *((char*)(_t61 - 0x18)) = 0;
					memset(_t61 - 0x17, 0, 0x7f);
					_push(_t54);
					_push(_t61 - 0x18);
					E0040AAE7();
					sprintf(_t44, "%s (%s)", _t56 + 0x18f, _t61 - 0x18);
					goto L13;
				} else {
					if(_t28 == 1) {
						_t36 =  *0x4126f8; // 0xbc25b0
						if( *((intOrPtr*)(_t36 + 0x58c)) != 0) {
							 *(_t61 + 0x68) =  *(__ecx + 0x398);
							 *((intOrPtr*)(_t61 + 0x6c)) =  *((intOrPtr*)(__ecx + 0x39c));
						} else {
							FileTimeToLocalFileTime(__ecx + 0x398, _t61 + 0x68);
						}
						_push(_t44);
						E00408F8A(_t61 + 0x68);
					}
					L13:
					_t23 = _t44;
					goto L22;
				}
			}

0x0040ba62
0x0040ba70
0x0040ba74
0x0040ba78
0x0040ba7b
0x0040ba7d
0x0040bb68
0x0040bb6b
0x0040bb72
0x0040bb72
0x0040ba83
0x0040ba84
0x0040bb60
0x00000000
0x0040bb60
0x0040ba8a
0x0040ba8b
0x0040bb3b
0x0040bb41
0x0040bb46
0x0040bb47
0x0040bb50
0x0040bb5c
0x0040bb52
0x0040bb54
0x0040bb55
0x0040bb55
0x00000000
0x0040bb50
0x0040ba91
0x0040ba92
0x0040bb33
0x00000000
0x0040bb33
0x0040ba98
0x0040ba99
0x0040bb2b
0x00000000
0x0040bb2b
0x0040ba9f
0x0040baa0
0x0040bae3
0x0040baeb
0x0040bb23
0x00000000
0x0040bb23
0x0040baf4
0x0040baf7
0x0040baff
0x0040bb00
0x0040bb01
0x0040bb17
0x00000000
0x0040baa2
0x0040baa3
0x0040baa5
0x0040bab0
0x0040bacb
0x0040bad4
0x0040bab2
0x0040babd
0x0040babd
0x0040bad7
0x0040badb
0x0040bae0
0x0040bb1f
0x0040bb1f
0x00000000
0x0040bb1f

APIs

FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0040BABD
memset.MSVCRT ref: 0040BAF7
sprintf.MSVCRT ref: 0040BB17
_stricmp.MSVCRT(?,BBBBB-BBBBB-BBBBB-BBBBB-BBBBB), ref: 0040BB47

Strings

BBBBB-BBBBB-BBBBB-BBBBB-BBBBB, xrefs: 0040BB41
%s (%s), xrefs: 0040BB11

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: FileTime$Local_stricmpmemsetsprintf
String ID: %s (%s)$BBBBB-BBBBB-BBBBB-BBBBB-BBBBB
API String ID: 4101006872-1976196928
Opcode ID: e35bc464ce63c23f2551731cee8dc18f3ee7e47a91196a29afc57797713ace9e
Instruction ID: 3677dd148965493d53ce516f5a8301e290d6a33004366d8288dd37aa27c60dae
Opcode Fuzzy Hash: e35bc464ce63c23f2551731cee8dc18f3ee7e47a91196a29afc57797713ace9e
Instruction Fuzzy Hash: 28316C31A046099BC734DB248881AEB77B8EB14304F54043BF55AF36D5EB7CB9458BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040197B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 80
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040197B(void* __eax, void* __eflags) {
				char _v1027;
				char _v1028;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t17;
				char* _t18;
				char* _t21;
				char* _t25;
				void* _t39;

				_t39 = __eax;
				_v1028 = 0;
				memset( &_v1027, 0, 0x3ff);
				if(E00402134( &_v1028, 0x80000000, "http\\shell\\open\\command", 0x40f469, 0x3ff) == 0 || _v1028 == 0) {
					L12:
					return 0;
				} else {
					if(_v1028 != 0x22) {
						_t17 = strrchr( &_v1027, 0x5c);
						if(_t17 == 0) {
							goto L12;
						}
						_t18 = strchr(_t17, 0x20);
						if(_t18 != 0) {
							 *_t18 = 0;
						}
						if(E00409396( &_v1028) == 0) {
							goto L12;
						} else {
							_t21 =  &_v1028;
							L6:
							E00409476(0x104, _t39, _t21);
							return 1;
						}
					}
					_t25 = strchr( &_v1027, 0x22);
					if(_t25 == 0) {
						goto L12;
					}
					 *_t25 = 0;
					if(E00409396( &_v1027) == 0) {
						goto L12;
					}
					_t21 =  &_v1027;
					goto L6;
				}
			}

0x0040198f
0x00401999
0x0040199f
0x004019c4
0x00401a50
0x00000000
0x004019d2
0x004019df
0x00401a1c
0x00401a25
0x00000000
0x00000000
0x00401a2a
0x00401a33
0x00401a35
0x00401a35
0x00401a46
0x00000000
0x00401a48
0x00401a48
0x00401a08
0x00401a0e
0x00000000
0x00401a16
0x00401a46
0x004019e4
0x004019ed
0x00000000
0x00000000
0x004019ef
0x00401a00
0x00000000
0x00000000
0x00401a02
0x00000000
0x00401a02

APIs

memset.MSVCRT ref: 0040199F

Part of subcall function 00402134: RegCloseKey.KERNELBASE(?,000003FF), ref: 0040216E

strchr.MSVCRT ref: 004019E4

Part of subcall function 00409396: GetFileAttributesA.KERNELBASE(}@,0040791C,00000000,?,00407DE3), ref: 0040939A

strrchr.MSVCRT ref: 00401A1C
strchr.MSVCRT ref: 00401A2A

Strings

", xrefs: 004019D2
http\shell\open\command, xrefs: 004019AA

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: strchr$AttributesCloseFilememsetstrrchr
String ID: "$http\shell\open\command
API String ID: 1162287896-1950826730
Opcode ID: d1c773c073627adbf29546af093c200f2fe3b1194ac23ce3381b8b3f125a5929
Instruction ID: 6e59d34447f748108a54929566104150787b734e98c39b168f745e8c94178a70
Opcode Fuzzy Hash: d1c773c073627adbf29546af093c200f2fe3b1194ac23ce3381b8b3f125a5929
Instruction Fuzzy Hash: B7212472F0A2556DEB20A2B14C41BAB679CDF00358F1404BBFB05F21D2EA3C9E494E2D

Uniqueness

Uniqueness Score: -1.00%

Function 00407EF9 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00407EF9(void* __ecx, void* __eflags, struct tagMENUITEMINFOA _a4, struct HMENU__* _a8, intOrPtr _a12, int _a20, intOrPtr _a24, char* _a40, int _a44, char _a52, void _a53) {
				int _v0;
				int _t26;
				char* _t32;
				intOrPtr _t34;
				int _t44;
				signed int _t46;
				signed int _t47;

				_t38 = __ecx;
				_t47 = _t46 & 0xfffffff8;
				E0040EAD0(0x1040, __ecx);
				_t26 = GetMenuItemCount(_a8);
				_t44 = 0;
				_v0 = _t26;
				if(_t26 <= 0) {
					L13:
					return _t26;
				} else {
					goto L1;
				}
				do {
					L1:
					memset( &_a53, 0, 0x1000);
					_t47 = _t47 + 0xc;
					_a40 =  &_a52;
					_a4.cbSize = 0x30;
					_a8 = 0x36;
					_a44 = 0x1000;
					_a20 = 0;
					_a52 = 0;
					_t26 = GetMenuItemInfoA(_a8, _t44, 1,  &_a4);
					if(_t26 == 0) {
						goto L12;
					}
					if(_a52 == 0) {
						L10:
						_t55 = _a24;
						if(_a24 != 0) {
							_push(0);
							_push(_a24);
							_push(_a4.cbSize);
							_t26 = E00407EF9(_t38, _t55);
							_t47 = _t47 + 0xc;
						}
						goto L12;
					}
					_t32 = strchr( &_a52, 9);
					if(_t32 != 0) {
						 *_t32 = 0;
					}
					_t33 = _a20;
					if(_a24 != 0) {
						if(_a12 == 0) {
							 *0x41279c =  *0x41279c + 1;
							_t34 =  *0x41279c; // 0x0
							_t33 = _t34 + 0x11558;
							__eflags = _t34 + 0x11558;
						} else {
							_t18 = _t44 + 0x11171; // 0x11171
							_t33 = _t18;
						}
					}
					_t26 = E00407993(_t33,  &_a52);
					_pop(_t38);
					goto L10;
					L12:
					_t44 = _t44 + 1;
				} while (_t44 < _v0);
				goto L13;
			}

0x00407ef9
0x00407efc
0x00407f04
0x00407f0e
0x00407f16
0x00407f1a
0x00407f1e
0x00407fe3
0x00407fe8
0x00000000
0x00000000
0x00000000
0x00407f24
0x00407f24
0x00407f2f
0x00407f34
0x00407f3b
0x00407f4a
0x00407f52
0x00407f5a
0x00407f62
0x00407f66
0x00407f6a
0x00407f72
0x00000000
0x00000000
0x00407f78
0x00407fc2
0x00407fc2
0x00407fc6
0x00407fc8
0x00407fc9
0x00407fcd
0x00407fd0
0x00407fd5
0x00407fd5
0x00000000
0x00407fc6
0x00407f81
0x00407f8a
0x00407f8c
0x00407f8c
0x00407f92
0x00407f96
0x00407f9b
0x00407fa5
0x00407fab
0x00407fb0
0x00407fb0
0x00407f9d
0x00407f9d
0x00407f9d
0x00407f9d
0x00407f9b
0x00407fbb
0x00407fc1
0x00000000
0x00407fd8
0x00407fd8
0x00407fd9
0x00000000

APIs

GetMenuItemCount.USER32 ref: 00407F0E
memset.MSVCRT ref: 00407F2F
GetMenuItemInfoA.USER32 ref: 00407F6A
strchr.MSVCRT ref: 00407F81

Strings

0, xrefs: 00407F4A
6, xrefs: 00407F52

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: ItemMenu$CountInfomemsetstrchr
String ID: 0$6
API String ID: 2300387033-3849865405
Opcode ID: bc7a620c73af99c1b323adf13958f74d25821cc529af0c635c1f720489260e74
Instruction ID: 128be8fb5cc611165b0733850d53bdbb1440fa96cd5a04a54b621966ed798803
Opcode Fuzzy Hash: bc7a620c73af99c1b323adf13958f74d25821cc529af0c635c1f720489260e74
Instruction Fuzzy Hash: D7219F7190C385AFDB108F15C881A9BB7E8FB88344F44493EF584A62D0E779E954CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 00403F29 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00403F29(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				char* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char* _v36;
				intOrPtr _v40;
				char* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				void _v1095;
				char _v1096;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t29;
				intOrPtr _t32;
				void* _t38;
				void* _t40;
				void* _t52;
				char _t58;
				char* _t59;

				_v1096 = 0;
				memset( &_v1095, 0, 0x3ff);
				_v8 = 0x747874;
				_t29 = E00407C3F(0x1f5);
				_t58 = "*.txt";
				_v72 = _t29;
				_v68 = _t58;
				_v64 = E00407C3F(0x1f6);
				_v60 = _t58;
				_v56 = E00407C3F(0x1f7);
				_v52 = _t58;
				_t32 = E00407C3F(0x1f8);
				_t59 = "*.htm;*.html";
				_v48 = _t32;
				_v44 = _t59;
				_v40 = E00407C3F(0x1f9);
				_v36 = _t59;
				_v32 = E00407C3F(0x1fa);
				_v28 = "*.xml";
				_v24 = E00407C3F(0x1fb);
				_v20 = "*.csv";
				_v16 = E00407C3F(0x1fc);
				_push( &_v72);
				_t38 = 8;
				_t56 =  &_v1096;
				_v12 = "*.json";
				E00408B73(_t38,  &_v1096);
				_t52 = 7;
				_t40 = E00407C3F(_t52);
				_t23 =  &_v8; // 0x747874
				_t26 = _a4 + 0x108; // 0x7379654b
				return E00408D55( *_t26, _a12, _a8, _t56, _t40, _t23);
			}

0x00403f43
0x00403f4a
0x00403f57
0x00403f5e
0x00403f63
0x00403f69
0x00403f6c
0x00403f79
0x00403f7c
0x00403f85
0x00403f88
0x00403f8b
0x00403f90
0x00403f9a
0x00403f9d
0x00403fa6
0x00403fa9
0x00403fb6
0x00403fb9
0x00403fc6
0x00403fc9
0x00403fd5
0x00403fdb
0x00403fde
0x00403fdf
0x00403fe5
0x00403fec
0x00403ff4
0x00403ff5
0x00403ffd
0x0040400b
0x0040401d

APIs

memset.MSVCRT ref: 00403F4A

Part of subcall function 00407C3F: GetModuleHandleA.KERNEL32(00000000,?,?,?,004074B9,?,00000000), ref: 00407C68
Part of subcall function 00407C3F: LoadStringA.USER32 ref: 00407CF2
Part of subcall function 00407C3F: memcpy.MSVCRT ref: 00407D31

Part of subcall function 00407C3F: GetModuleHandleA.KERNEL32(00000000,?,?,004074B9,?,00000000), ref: 00407CC7

Part of subcall function 00408B73: memset.MSVCRT ref: 00408B96
Part of subcall function 00408B73: sprintf.MSVCRT ref: 00408BCB
Part of subcall function 00408B73: memcpy.MSVCRT ref: 00408BF6
Part of subcall function 00408B73: memcpy.MSVCRT ref: 00408C20

Part of subcall function 00408D55: GetSaveFileNameA.COMDLG32(?), ref: 00408DA4

Strings

txt, xrefs: 00403FFD, 00404000
*.txt, xrefs: 00403F63
d, xrefs: 00403FB9
t, xrefs: 00403FE5
*.htm;*.html, xrefs: 00403F90
l, xrefs: 00403FC9

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: memcpy$HandleModulememset$FileLoadNameSaveStringsprintf
String ID: *.htm;*.html$*.txt$d$l$t$txt
API String ID: 2393846163-3349648381
Opcode ID: a7c13929c30cb576514a60836ce69b860cfd6933a9065d97f5b84c31690b4c7e
Instruction ID: 5abb5fe217e8adcb178f005a3a95b3df54ba3d664fd4bde60622f1d0f22f22e3
Opcode Fuzzy Hash: a7c13929c30cb576514a60836ce69b860cfd6933a9065d97f5b84c31690b4c7e
Instruction Fuzzy Hash: 7B2130B1D0421C9FDB10EFAAD841BDDBBB4BB08304F10447FE558B7281DB782A458B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040972F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 64
librarywindowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040972F(long __eax, void* __ecx, intOrPtr _a4) {
				char _v8;
				void* _t9;
				void* _t10;
				void* _t11;
				void* _t13;
				long _t15;
				void _t20;
				char _t21;
				void* _t22;
				void* _t24;
				long _t26;
				void* _t29;

				_t26 = __eax;
				_t1 = _t26 - 0x834; // -2100
				_t9 = 0;
				_t15 = 0x1100;
				if(_t1 <= 0x383) {
					_t9 = LoadLibraryExA("netmsg.dll", 0, 2);
					if(0 != 0) {
						_t15 = 0x1900;
					}
				}
				_t10 = FormatMessageA(_t15, _t9, _t26, 0x400,  &_v8, 0, 0);
				if(_t10 <= 0) {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsw");
					goto L11;
				} else {
					_t29 = _v8;
					_t11 = _t29;
					_t4 = _t11 + 1; // 0x2
					_t22 = _t4;
					do {
						_t20 =  *_t11;
						_t11 = _t11 + 1;
					} while (_t20 != 0);
					if(_t11 - _t22 >= 0x400) {
						L9:
						_t10 = LocalFree(_t29);
						L11:
						return _t10;
					}
					_t13 = _t29;
					_t24 = _a4 - _t29;
					do {
						_t21 =  *_t13;
						 *((char*)(_t24 + _t13)) = _t21;
						_t13 = _t13 + 1;
					} while (_t21 != 0);
					goto L9;
				}
			}

0x00409736
0x00409738
0x00409740
0x00409748
0x0040974d
0x00409757
0x0040975f
0x00409761
0x00409761
0x0040975f
0x00409775
0x0040977d
0x004097b6
0x004097b7
0x004097b8
0x004097b9
0x00000000
0x0040977f
0x0040977f
0x00409782
0x00409784
0x00409784
0x00409787
0x00409787
0x00409789
0x0040978a
0x00409792
0x004097a5
0x004097a6
0x004097bb
0x004097bf
0x004097bf
0x00409797
0x00409799
0x0040979b
0x0040979b
0x0040979d
0x004097a0
0x004097a1
0x00000000
0x0040979b

APIs

LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002,00000000,00000000,00000000,?,Mqt,00409826,?,00000001), ref: 00409757
FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,00000001,00000000,00000000,00000000,00000000,00000000,?,Mqt,00409826,?,00000001), ref: 00409775
LocalFree.KERNEL32(00000001,?,Mqt,00409826,?,00000001), ref: 004097A6

Strings

Unknown Error, xrefs: 004097B1
netmsg.dll, xrefs: 00409752
Mqt, xrefs: 0040972F

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: FormatFreeLibraryLoadLocalMessage
String ID: Unknown Error$netmsg.dll$Mqt
API String ID: 1325279722-46246100
Opcode ID: 412eca96e1c04b5d70236736187b1dd26c3e3df9f4897c000102b2503df2dc30
Instruction ID: 1ca6936c2ea6891eade7529bb53e59055be907e5d85f378e791af833a288d16b
Opcode Fuzzy Hash: 412eca96e1c04b5d70236736187b1dd26c3e3df9f4897c000102b2503df2dc30
Instruction Fuzzy Hash: CE116B36614110ABD3224E25CD58EAB7B5DDF87790B244071FD42FB382D5749D05C3E8

Uniqueness

Uniqueness Score: -1.00%

Function 004094FE Relevance: 10.5, APIs: 7, Instructions: 46
clipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004094FE(void* _a4) {
				void* _t7;
				signed int _t13;
				int _t15;
				void* _t17;
				void _t18;
				void* _t20;
				signed int _t22;
				void* _t25;

				_t25 = _a4;
				_t22 = 0;
				EmptyClipboard();
				if(_t25 != 0) {
					_t7 = _t25;
					_t17 = _t7 + 1;
					do {
						_t18 =  *_t7;
						_t7 = _t7 + 1;
					} while (_t18 != 0);
					_t15 = _t7 - _t17 + 1;
					_t20 = GlobalAlloc(0x2000, _t15);
					if(_t20 != 0) {
						memcpy(GlobalLock(_t20), _t25, _t15);
						GlobalUnlock(_t20);
						_t13 = SetClipboardData(1, _t20);
						asm("sbb esi, esi");
						_t22 =  ~( ~_t13);
					}
				}
				CloseClipboard();
				return _t22;
			}

0x004094ff
0x00409504
0x00409506
0x0040950e
0x00409510
0x00409512
0x00409515
0x00409515
0x00409517
0x00409518
0x00409520
0x0040952f
0x00409533
0x0040953f
0x00409548
0x00409551
0x0040955b
0x0040955d
0x0040955d
0x00409560
0x00409561
0x0040956b

APIs

EmptyClipboard.USER32(?,?,00404590,?), ref: 00409506
GlobalAlloc.KERNEL32(00002000,?,?,?,?,?,00404590,?), ref: 00409529
GlobalLock.KERNEL32 ref: 00409536
memcpy.MSVCRT ref: 0040953F
GlobalUnlock.KERNEL32(00000000), ref: 00409548
SetClipboardData.USER32 ref: 00409551
CloseClipboard.USER32 ref: 00409561

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpy
String ID:
API String ID: 4281975876-0
Opcode ID: 382b1388d6f3ccb0e475e7a8e732124f69640ed4a929f3609a4016d7d68969c5
Instruction ID: 6c7b5e656f87a6772e3dda65743f52150f9ff59ae3070b8da2c06ae0992377d1
Opcode Fuzzy Hash: 382b1388d6f3ccb0e475e7a8e732124f69640ed4a929f3609a4016d7d68969c5
Instruction Fuzzy Hash: F0F0C83B100215ABC3216FA5ED8CD6B7B2CDB85B457050179FE46E7252EA36AC0D87A8

Uniqueness

Uniqueness Score: -1.00%

Function 00408181 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408181(intOrPtr* __eax, struct HINSTANCE__* _a4) {
				struct HINSTANCE__* _v0;
				intOrPtr _v4;
				intOrPtr* _t5;
				char _t6;
				intOrPtr _t7;
				char _t12;
				intOrPtr _t13;
				void* _t14;
				char _t15;

				_t5 = __eax;
				do {
					_t15 =  *_t5;
					 *((char*)(0x4127a0 + _t5)) = _t15;
					_t5 = _t5 + 1;
					_t29 = _t15;
				} while (_t15 != 0);
				_t6 = "general"; // 0x656e6567
				 *0x4128a8 = _t6;
				_t7 =  *0x40fd7c; // 0x6c6172
				 *0x4128ac = _t7;
				E004075BC(_t29, "TranslatorName", 0x40f469);
				E004075BC(_t29, "TranslatorURL", 0x40f469);
				EnumResourceNamesA(_a4, 4, E00408080, 0);
				EnumResourceNamesA(_v0, 5, E00408080, 0);
				_t12 = "strings"; // 0x69727473
				 *0x4128a8 = _t12;
				_t13 =  *0x40fd74; // 0x73676e
				 *0x4128ac = _t13;
				_t14 = E00407DE5(_t15, _t29, _v4);
				 *0x4127a0 = 0;
				return _t14;
			}

0x00408181
0x00408188
0x00408188
0x0040818a
0x0040818d
0x0040818e
0x0040818e
0x00408192
0x0040819e
0x004081a3
0x004081ae
0x004081b3
0x004081be
0x004081da
0x004081e5
0x004081e7
0x004081f0
0x004081f5
0x004081fa
0x004081ff
0x00408206
0x0040820e

APIs

EnumResourceNamesA.KERNEL32 ref: 004081DA
EnumResourceNamesA.KERNEL32 ref: 004081E5

Strings

strings, xrefs: 004081E7
TranslatorName, xrefs: 004081A9
TranslatorURL, xrefs: 004081B9
general, xrefs: 00408192

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: EnumNamesResource
String ID: TranslatorName$TranslatorURL$general$strings
API String ID: 3334572018-3647959541
Opcode ID: 4156d8c37e1a61cdefbfebdcb61d4fd1b8c8f5c658b526a0baf4a3c0576992b5
Instruction ID: 209f779ddb25f5af74832284491d342bc251737630bee5914a750b4ba385d638
Opcode Fuzzy Hash: 4156d8c37e1a61cdefbfebdcb61d4fd1b8c8f5c658b526a0baf4a3c0576992b5
Instruction Fuzzy Hash: FE019E31904600BFD321AB29AE09F833FE0EF85710F14803AF448AB6E1D6B558598BAD

Uniqueness

Uniqueness Score: -1.00%

Function 004097F0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004097F0(long __esi, struct HWND__* _a4, intOrPtr _a8) {
				char _v1028;
				char _v2052;
				long _t7;
				void* _t16;
				long _t17;
				long _t18;

				_t18 = __esi;
				if(__esi != 0) {
					_t17 = __esi;
				} else {
					_t7 = GetLastError();
					_t17 = _t7;
				}
				if(_a8 == 0) {
					E0040972F(_t17, _t16,  &_v1028);
					sprintf( &_v2052, "Error %d: %s", _t17,  &_v1028);
					return MessageBoxA(_a4,  &_v2052, "Error", 0x30);
				} else {
					 *0x4126fc = _t18;
					return _t7;
				}
			}

0x004097f0
0x004097fc
0x00409808
0x004097fe
0x004097fe
0x00409804
0x00409804
0x0040980e
0x00409821
0x0040983a
0x00000000
0x00409810
0x00409810
0x00000000
0x00409810

APIs

GetLastError.KERNEL32(00000001), ref: 004097FE

Part of subcall function 0040972F: LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002,00000000,00000000,00000000,?,Mqt,00409826,?,00000001), ref: 00409757
Part of subcall function 0040972F: FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,00000001,00000000,00000000,00000000,00000000,00000000,?,Mqt,00409826,?,00000001), ref: 00409775
Part of subcall function 0040972F: LocalFree.KERNEL32(00000001,?,Mqt,00409826,?,00000001), ref: 004097A6

sprintf.MSVCRT ref: 0040983A
MessageBoxA.USER32 ref: 00409853

Strings

Error %d: %s, xrefs: 00409834
Mqt, xrefs: 004097F0
Error, xrefs: 00409844

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Message$ErrorFormatFreeLastLibraryLoadLocalsprintf
String ID: Error$Error %d: %s$Mqt
API String ID: 1804333364-384850037
Opcode ID: 084d39a359356ad7847816d2aef003e23d65f73f4ea9ee93ff9083b3cc005403
Instruction ID: fbc003b7c461b04974fb8c9c857bc755e714a62d47ff6d5a9af6f98d96675b72
Opcode Fuzzy Hash: 084d39a359356ad7847816d2aef003e23d65f73f4ea9ee93ff9083b3cc005403
Instruction Fuzzy Hash: 54F0F6B6810118ABC720BB44DC05BEA76BCB745744F0480B6F905B22C2E6789D4DCFAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040A22E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 32
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040A22E(intOrPtr _a4) {
				_Unknown_base(*)()* _t5;
				void* _t9;
				void* _t10;
				struct HINSTANCE__* _t11;

				_t9 = 0;
				_t10 = 0;
				_t11 = LoadLibraryA("comctl32.dll");
				if(_t11 == 0) {
					L5:
					__imp__#17();
					return 1;
				}
				_t5 = GetProcAddress(_t11, "InitCommonControlsEx");
				if(_t5 != 0) {
					_t10 = 1;
					_t9 =  *_t5(_a4);
				}
				FreeLibrary(_t11);
				if(_t10 == 0) {
					goto L5;
				} else {
					return _t9;
				}
			}

0x0040a236
0x0040a238
0x0040a240
0x0040a244
0x0040a26e
0x0040a26e
0x00000000
0x0040a276
0x0040a24c
0x0040a254
0x0040a25a
0x0040a25d
0x0040a25d
0x0040a260
0x0040a268
0x00000000
0x0040a26a
0x00000000
0x0040a26a

APIs

LoadLibraryA.KERNEL32(comctl32.dll,74714DE0,?,00000000,0040A4E8,?,?,?,?,00404E3B,74714DE0), ref: 0040A23A
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040A24C
FreeLibrary.KERNEL32(00000000,?,00000000,0040A4E8,?,?,?,?,00404E3B,74714DE0), ref: 0040A260
#17.COMCTL32(?,00000000,0040A4E8,?,?,?,?,00404E3B,74714DE0), ref: 0040A26E

Strings

InitCommonControlsEx, xrefs: 0040A246
comctl32.dll, xrefs: 0040A231

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: InitCommonControlsEx$comctl32.dll
API String ID: 145871493-802336580
Opcode ID: 39c4708e21592f6b5b83b4b2a6d089808a0747253cc70916cb65b440dda5b722
Instruction ID: 087d2bfa413aa19143781dd4ca8eb23a0016281e5864367d40afe674b3bd0d1a
Opcode Fuzzy Hash: 39c4708e21592f6b5b83b4b2a6d089808a0747253cc70916cb65b440dda5b722
Instruction Fuzzy Hash: 2EE02B313013109BC3315B709D88E2F36A4EFC0B01306003AF911F1780EB398C19955E

Uniqueness

Uniqueness Score: -1.00%

Function 00408257 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 19
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408257(struct HINSTANCE__** __esi) {
				struct HINSTANCE__* _t4;
				_Unknown_base(*)()* _t7;

				_t4 =  *__esi;
				if(_t4 != 0) {
					__esi[1] = GetProcAddress(_t4, "IcmpCreateFile");
					__esi[2] = GetProcAddress( *__esi, "IcmpCloseHandle");
					_t7 = GetProcAddress( *__esi, "IcmpSendEcho");
					__esi[3] = _t7;
					return _t7;
				}
				return _t4;
			}

0x00408257
0x0040825b
0x00408273
0x0040827f
0x00408282
0x00408284
0x00000000
0x00408287
0x00408288

APIs

GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 0040826A
GetProcAddress.KERNEL32(?,IcmpCloseHandle), ref: 00408276
GetProcAddress.KERNEL32(?,IcmpSendEcho), ref: 00408282

Strings

IcmpCloseHandle, xrefs: 0040826C
IcmpSendEcho, xrefs: 00408278
IcmpCreateFile, xrefs: 00408264

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: AddressProc
String ID: IcmpCloseHandle$IcmpCreateFile$IcmpSendEcho
API String ID: 190572456-1259528597
Opcode ID: 23cc92f69b86c125c888f9d92ae312f5f0d95321de70f0ab1c4eac699587f4cc
Instruction ID: e3040b6c4cbc9dce3db47db9ad32ef43000e21e6f45b276228b28e75c94a7058
Opcode Fuzzy Hash: 23cc92f69b86c125c888f9d92ae312f5f0d95321de70f0ab1c4eac699587f4cc
Instruction Fuzzy Hash: 7EE0EC70540704AACB709F6ADC04D06BBE4EFA9700325883EE591A3A90D679E4448E44

Uniqueness

Uniqueness Score: -1.00%

Function 00409DB8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 17
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409DB8(struct HINSTANCE__** __esi) {
				void* _t3;
				struct HINSTANCE__* _t4;
				_Unknown_base(*)()* _t6;

				if( *__esi == 0) {
					_t4 = GetModuleHandleA("kernel32.dll");
					 *__esi = _t4;
					__esi[1] = GetProcAddress(_t4, "EnumSystemFirmwareTables");
					_t6 = GetProcAddress( *__esi, "GetSystemFirmwareTable");
					__esi[2] = _t6;
					return _t6;
				}
				return _t3;
			}

0x00409dbb
0x00409dc3
0x00409dd5
0x00409de0
0x00409de3
0x00409de5
0x00000000
0x00409de8
0x00409de9

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00409DFE,00020019,0040D088,?), ref: 00409DC3
GetProcAddress.KERNEL32(00000000,EnumSystemFirmwareTables), ref: 00409DD7
GetProcAddress.KERNEL32(?,GetSystemFirmwareTable), ref: 00409DE3

Strings

kernel32.dll, xrefs: 00409DBE
GetSystemFirmwareTable, xrefs: 00409DD9
EnumSystemFirmwareTables, xrefs: 00409DCF

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumSystemFirmwareTables$GetSystemFirmwareTable$kernel32.dll
API String ID: 667068680-556989768
Opcode ID: 331c28743f1cb4a627a5e0a57ce2784328d82bf2e9980eb1adcf1daa3fb6cb83
Instruction ID: ed11e46ac89e2c8d86e13da19356c947bf7504ae6910298a258e52afc57c2eb1
Opcode Fuzzy Hash: 331c28743f1cb4a627a5e0a57ce2784328d82bf2e9980eb1adcf1daa3fb6cb83
Instruction Fuzzy Hash: 05D0EC74544305DAD7306F65D90AA06BAE4BBA4710B20483EE480A2A90D2B854848A04

Uniqueness

Uniqueness Score: -1.00%

Function 00408B73 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408B73(char __eax, char* __edi, intOrPtr _a4) {
				void** _v8;
				char _v12;
				void _v1035;
				void _v1036;
				char* _t31;
				void** _t34;
				intOrPtr* _t37;
				void* _t44;
				char _t49;
				void _t51;
				void* _t52;
				void* _t53;
				void* _t54;
				intOrPtr _t55;
				void* _t56;
				char* _t57;
				int _t58;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t63;

				_t57 = __edi;
				_t49 = __eax;
				_t58 = 0;
				_v1036 = 0;
				memset( &_v1035, 0, 0x3ff);
				_t61 = _t60 + 0xc;
				 *__edi = 0;
				if(_t49 > 0) {
					_t34 = _a4 + 4;
					_v8 = _t34;
					_v12 = _t49;
					while(1) {
						_t7 = _t34 - 4; // 0xe8004100
						sprintf( &_v1036, "%s (%s)",  *_t7,  *_t34);
						_t37 =  &_v1036;
						_t62 = _t61 + 0x10;
						_t10 = _t37 + 1; // 0x1
						_t53 = _t10;
						do {
							_t55 =  *_t37;
							_t37 = _t37 + 1;
						} while (_t55 != 0);
						_t11 = _t37 - _t53 + 1; // 0x2
						memcpy(_t58 + _t57,  &_v1036, _t11);
						_t54 =  *_v8;
						_t44 = _t54;
						_t63 = _t62 + 0xc;
						_t59 = _t58 + _t37 - _t53 + 1;
						_t56 = _t44 + 1;
						do {
							_t51 =  *_t44;
							_t44 = _t44 + 1;
						} while (_t51 != 0);
						_t52 = _t44 - _t56;
						memcpy(_t59 + _t57, _t54, _t52 + 1);
						_v8 =  &(_v8[2]);
						_t61 = _t63 + 0xc;
						_t22 =  &_v12;
						 *_t22 = _v12 - 1;
						_t58 = _t59 + _t52 + 1;
						if( *_t22 != 0) {
							_t34 = _v8;
							continue;
						}
						goto L8;
					}
				}
				L8:
				_t31 = _t58 + _t57;
				 *_t31 = 0;
				 *((char*)(_t31 + 1)) = 0;
				return _t57;
			}

0x00408b73
0x00408b83
0x00408b85
0x00408b8f
0x00408b96
0x00408b9b
0x00408ba0
0x00408ba3
0x00408bac
0x00408baf
0x00408bb2
0x00408bba
0x00408bbc
0x00408bcb
0x00408bd0
0x00408bd6
0x00408bd9
0x00408bd9
0x00408bdc
0x00408bdc
0x00408bde
0x00408bdf
0x00408be7
0x00408bf6
0x00408bfe
0x00408c00
0x00408c02
0x00408c05
0x00408c09
0x00408c0c
0x00408c0c
0x00408c0e
0x00408c0f
0x00408c15
0x00408c20
0x00408c25
0x00408c29
0x00408c2c
0x00408c2c
0x00408c2f
0x00408c33
0x00408bb7
0x00000000
0x00408bb7
0x00000000
0x00408c33
0x00408bba
0x00408c35
0x00408c35
0x00408c39
0x00408c3c
0x00408c44

APIs

memset.MSVCRT ref: 00408B96
sprintf.MSVCRT ref: 00408BCB
memcpy.MSVCRT ref: 00408BF6
memcpy.MSVCRT ref: 00408C20

Strings

%s (%s), xrefs: 00408BC5
*.htm;*.html, xrefs: 00408B7D

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: memcpy$memsetsprintf
String ID: %s (%s)$*.htm;*.html
API String ID: 1941091690-1402919948
Opcode ID: d18015177108984baa15ee6ee8af0f05e90cfa79162649ca993e2c14bbf23510
Instruction ID: 3f8d38bbff6308db14577c9186b7d138bb798970aeef803183a93644235fb190
Opcode Fuzzy Hash: d18015177108984baa15ee6ee8af0f05e90cfa79162649ca993e2c14bbf23510
Instruction Fuzzy Hash: 4B21B7B1904249DFCB11DF54C984BDABBF9DF44304F0440BAE685E7241EA75EB49CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004090CA Relevance: 9.0, APIs: 6, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004090CA(intOrPtr* __esi, int* _a4) {
				int _t3;
				struct HDC__* _t12;
				intOrPtr* _t13;
				int* _t14;

				_t13 = __esi;
				_t14 = _a4;
				 *__esi = GetSystemMetrics(0x11);
				_t3 = GetSystemMetrics(0x10);
				 *_t14 = _t3;
				if( *__esi == 0 || _t3 == 0) {
					_t12 = GetDC(0);
					 *_t14 = GetDeviceCaps(_t12, 8);
					 *_t13 = GetDeviceCaps(_t12, 0xa);
					return ReleaseDC(0, _t12);
				}
				return _t3;
			}

0x004090ca
0x004090cb
0x004090dc
0x004090de
0x004090e3
0x004090e6
0x004090fb
0x00409105
0x0040910d
0x00000000
0x00409115
0x00409118

APIs

GetSystemMetrics.USER32 ref: 004090D8
GetSystemMetrics.USER32 ref: 004090DE
GetDC.USER32(00000000), ref: 004090EF
GetDeviceCaps.GDI32(00000000,00000008), ref: 00409100
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409108
ReleaseDC.USER32 ref: 0040910F

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: CapsDeviceMetricsSystem$Release
String ID:
API String ID: 447804332-0
Opcode ID: 84a31667dc520d80a7ae1faed3a9ecc5a532576b4a5f478b7d801bf386425950
Instruction ID: 526282f1a5c0b809247f27c058f5214bee5de060b0667dcea82074e018295ea0
Opcode Fuzzy Hash: 84a31667dc520d80a7ae1faed3a9ecc5a532576b4a5f478b7d801bf386425950
Instruction Fuzzy Hash: EEF08231680309AFF7202F719C45B6AB7A8FBD0B45F104439F684AB2D1D7B59C448B24

Uniqueness

Uniqueness Score: -1.00%

Function 00407C3F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00407C3F(signed short __ebx) {
				CHAR* _t14;
				void* _t15;
				intOrPtr _t16;
				struct HINSTANCE__* _t18;
				intOrPtr _t20;
				signed int _t23;
				signed int _t24;
				intOrPtr _t25;
				char _t27;
				intOrPtr _t28;
				void _t30;
				signed short _t32;
				signed int _t34;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t37;
				intOrPtr _t40;
				void* _t42;
				intOrPtr _t43;
				intOrPtr _t46;
				void* _t48;
				int _t52;
				void* _t53;
				void* _t60;
				void* _t61;

				_t32 = __ebx;
				if( *0x412b68 == 0) {
					E0040781B();
				}
				_t14 = E004077E3(_t32);
				_t48 = _t14;
				if(_t48 != 0) {
					L18:
					_t15 = _t48;
				} else {
					if((_t32 & 0x00010000) == 0) {
						if( *0x4127a0 == 0) {
							_t16 =  *0x412b70; // 0x1000
							_push(_t16 - 1);
							_push( *0x412b54);
							_push(_t32);
							_t18 = E00407C2E();
							goto L12;
						} else {
							_t27 = "strings"; // 0x69727473
							 *0x4128a8 = _t27;
							_t28 =  *0x40fd74; // 0x73676e
							 *0x4128ac = _t28;
							if(E004076DC(_t32,  *0x412b54) == 0) {
								L10:
								_t18 = GetModuleHandleA(0);
								_t40 =  *0x412b70; // 0x1000
								_push(_t40 - 1);
								_push( *0x412b54);
								_push(_t32);
								goto L12;
							} else {
								_t53 =  *0x412b54; // 0xbcbf08
								_t3 = _t53 + 1; // 0xbcbf09
								_t42 = _t3;
								do {
									_t30 =  *_t53;
									_t53 = _t53 + 1;
								} while (_t30 != 0);
								_t52 = _t53 - _t42;
								if(_t52 == 0) {
									goto L10;
								}
							}
						}
					} else {
						_t18 = GetModuleHandleA(_t14);
						_t43 =  *0x412b70; // 0x1000
						_push(_t43 - 1);
						_push( *0x412b54);
						_push(_t32 & 0x0000ffff);
						L12:
						_t52 = LoadStringA(_t18, ??, ??, ??);
					}
					if(_t52 <= 0) {
						L17:
						_t15 = 0x40f469;
					} else {
						_t20 =  *0x412b64; // 0xfb
						_t5 = _t52 + 2; // 0xfd
						_t60 = _t20 + _t5 -  *0x412b68; // 0x8000
						if(_t60 >= 0) {
							goto L17;
						} else {
							_t34 =  *0x412b60; // 0x12
							_t61 = _t34 -  *0x412b6c; // 0x100
							if(_t61 >= 0) {
								goto L17;
							} else {
								_t35 =  *0x412b50; // 0xbc36f0
								_t48 = _t35 + _t20;
								_t7 = _t52 + 1; // 0x1
								memcpy(_t48,  *0x412b54, _t7);
								_t23 =  *0x412b60; // 0x12
								_t36 =  *0x412b64; // 0xfb
								_t46 =  *0x412b5c; // 0xbcbb00
								 *((intOrPtr*)(_t46 + _t23 * 4)) = _t36;
								_t24 =  *0x412b60; // 0x12
								_t37 =  *0x412b58; // 0xbcb6f8
								 *(_t37 + _t24 * 4) = _t32;
								_t25 =  *0x412b64; // 0xfb
								 *0x412b60 =  *0x412b60 + 1;
								 *0x412b64 = _t25 + _t52 + 1;
								if(_t48 != 0) {
									goto L18;
								} else {
									goto L17;
								}
							}
						}
					}
				}
				return _t15;
			}

0x00407c3f
0x00407c46
0x00407c48
0x00407c48
0x00407c50
0x00407c55
0x00407c59
0x00407d7a
0x00407d7a
0x00407c5f
0x00407c65
0x00407c89
0x00407cde
0x00407ce4
0x00407ce5
0x00407ceb
0x00407cec
0x00000000
0x00407c8b
0x00407c8b
0x00407c96
0x00407c9b
0x00407ca1
0x00407caf
0x00407cc5
0x00407cc7
0x00407ccd
0x00407cd4
0x00407cd5
0x00407cdb
0x00000000
0x00407cb1
0x00407cb1
0x00407cb7
0x00407cb7
0x00407cba
0x00407cba
0x00407cbc
0x00407cbd
0x00407cc1
0x00407cc3
0x00000000
0x00000000
0x00407cc3
0x00407caf
0x00407c67
0x00407c68
0x00407c6e
0x00407c75
0x00407c76
0x00407c7f
0x00407cf1
0x00407cf8
0x00407cf8
0x00407cfc
0x00407d73
0x00407d73
0x00407cfe
0x00407cfe
0x00407d03
0x00407d07
0x00407d0d
0x00000000
0x00407d0f
0x00407d0f
0x00407d15
0x00407d1b
0x00000000
0x00407d1d
0x00407d1d
0x00407d23
0x00407d26
0x00407d31
0x00407d36
0x00407d3b
0x00407d41
0x00407d47
0x00407d4a
0x00407d4f
0x00407d55
0x00407d58
0x00407d60
0x00407d6c
0x00407d71
0x00000000
0x00000000
0x00000000
0x00000000
0x00407d71
0x00407d1b
0x00407d0d
0x00407cfc
0x00407d7e

APIs

GetModuleHandleA.KERNEL32(00000000,?,?,?,004074B9,?,00000000), ref: 00407C68
GetModuleHandleA.KERNEL32(00000000,?,?,004074B9,?,00000000), ref: 00407CC7
LoadStringA.USER32 ref: 00407CF2
memcpy.MSVCRT ref: 00407D31

Part of subcall function 0040781B: ??2@YAPAXI@Z.MSVCRT ref: 00407843
Part of subcall function 0040781B: ??2@YAPAXI@Z.MSVCRT ref: 00407861
Part of subcall function 0040781B: ??2@YAPAXI@Z.MSVCRT ref: 0040787F
Part of subcall function 0040781B: ??2@YAPAXI@Z.MSVCRT ref: 0040788F

Part of subcall function 004076DC: _itoa.MSVCRT ref: 004076FD

Strings

strings, xrefs: 00407C8B

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: ??2@$HandleModule$LoadString_itoamemcpy
String ID: strings
API String ID: 1623145738-3030018805
Opcode ID: 7bd8298991550abc5c2c98f91390d0293e29c8c3185365eace5f488851281c97
Instruction ID: 97e43cacb30860ce3e801c0595160a29f8d5ee6be1373f002ccc26d35cd4094e
Opcode Fuzzy Hash: 7bd8298991550abc5c2c98f91390d0293e29c8c3185365eace5f488851281c97
Instruction Fuzzy Hash: 4831637990C6019FD729DF15EE549B23776FB44304700843AE806E72A1D7B9B926CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E886 Relevance: 7.7, APIs: 5, Instructions: 186
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040E886(signed int __ecx, intOrPtr _a4, unsigned int _a8, intOrPtr* _a12) {
				signed int _v8;
				intOrPtr _v16;
				void* __edi;
				void* __esi;
				void* _t69;
				signed int _t70;
				signed int _t71;
				intOrPtr _t76;
				signed int _t85;
				signed int _t86;
				void* _t94;
				void* _t97;
				short* _t115;
				short _t123;
				signed int _t126;
				void* _t139;
				intOrPtr* _t141;
				unsigned int _t145;
				intOrPtr _t147;
				signed int _t150;

				_t124 = __ecx;
				_push(__ecx);
				_t69 = _a4 - 0x4e;
				_t150 = __ecx;
				if(_t69 == 0) {
					_t141 = _a12;
					__eflags =  *((intOrPtr*)(_t141 + 8)) - 0xfffffffd;
					if( *((intOrPtr*)(_t141 + 8)) == 0xfffffffd) {
						__eflags =  *((intOrPtr*)(_t141 + 4)) - 0x3e9;
						if(__eflags == 0) {
							E0040A2D5(__eflags,  *_t141,  *(_t141 + 0xc));
						}
					}
					__eflags =  *((intOrPtr*)(_t141 + 8)) - 0xffffff9b;
					if( *((intOrPtr*)(_t141 + 8)) != 0xffffff9b) {
						L26:
						_t70 = 0;
						__eflags = 0;
						goto L27;
					} else {
						__eflags =  *((intOrPtr*)(_t141 + 4)) - 0x3e9;
						if( *((intOrPtr*)(_t141 + 4)) != 0x3e9) {
							goto L26;
						}
						_t71 =  *(_t141 + 0x14);
						__eflags = _t71 & 0x00000002;
						if((_t71 & 0x00000002) == 0) {
							L35:
							_t126 =  *(_t141 + 0x18) ^ _t71;
							__eflags = 0x0000f000 & _t126;
							if((0x0000f000 & _t126) == 0) {
								L38:
								__eflags =  *(_t141 + 0x14) & 0x00000002;
								if(( *(_t141 + 0x14) & 0x00000002) == 0) {
									goto L26;
								}
								__eflags =  *(_t141 + 0x18) & 0x00000002;
								if(( *(_t141 + 0x18) & 0x00000002) != 0) {
									goto L26;
								}
								__eflags =  *(_t141 + 0xc);
								E0040DB55(_t150, 0x3eb, 0 |  *(_t141 + 0xc) != 0x00000000);
								_t76 =  *((intOrPtr*)(_t150 + 0xc));
								 *(_t141 + 0xc) -  *((intOrPtr*)(_t76 + 4)) - 1 =  *(_t141 + 0xc) !=  *((intOrPtr*)(_t76 + 4)) - 1;
								E0040DB55(_t150, 0x3ec, 0 |  *(_t141 + 0xc) !=  *((intOrPtr*)(_t76 + 4)) - 0x00000001);
								E0040E821(_t150,  *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t150 + 0xc)))) +  *(_t141 + 0x28) * 4)));
								L41:
								_t70 = 1;
								L27:
								return _t70;
							}
							L36:
							_t85 = E0040A1F0( *_t141,  *(_t141 + 0xc), 0xf002);
							__eflags = _t85 & 0x00000002;
							if((_t85 & 0x00000002) != 0) {
								_t86 = _t85 & 0x0000f000;
								__eflags = _t86 - 0x1000;
								_v8 = _t86;
								E0040DB55(_t150, 0x3ee, 0 | _t86 == 0x00001000);
								_v16 - 0x2000 = _v16 == 0x2000;
								E0040DB55(_t150, 0x3ef, 0 | _v16 == 0x00002000);
							}
							goto L38;
						}
						__eflags =  *(_t141 + 0x18) & 0x00000002;
						if(( *(_t141 + 0x18) & 0x00000002) == 0) {
							goto L36;
						}
						goto L35;
					}
				}
				_t94 = _t69 - 0xc2;
				if(_t94 == 0) {
					SendDlgItemMessageA( *(__ecx + 4), 0x3ed, 0xc5, 3, 0);
					E0040E669(_t150, __eflags);
					goto L26;
				}
				_t97 = _t94 - 1;
				if(_t97 != 0) {
					goto L26;
				}
				_t145 = _a8 >> 0x10;
				if( *((intOrPtr*)(__ecx + 0x14)) != _t97 || _t145 != 0x300) {
					L7:
					if(_t145 != 0) {
						goto L26;
					}
					if(_a8 != 0x3f0) {
						L13:
						if(_a8 == 0x3eb) {
							E0040A6DF(GetDlgItem( *(_t150 + 4), 0x3e9), _t124);
						}
						if(_a8 == 0x3ec) {
							E0040A6A3(GetDlgItem( *(_t150 + 4), 0x3e9));
						}
						if(_a8 == 0x3ee) {
							E0040A46E(GetDlgItem( *(_t150 + 4), 0x3e9), 1);
						}
						if(_a8 == 0x3ef) {
							E0040A46E(GetDlgItem( *(_t150 + 4), 0x3e9), 0);
						}
						if(_a8 == 2) {
							E0040DB26(_t150, 2);
						}
						if(_a8 == 1) {
							E0040E7BA(_t150);
							E0040DB26(_t150, 1);
						}
						goto L41;
					}
					_t147 =  *((intOrPtr*)( *((intOrPtr*)(_t150 + 0xc)) + 4));
					_t124 = 0;
					if(_t147 <= 0) {
						L12:
						E0040E669(_t150, _t165);
						goto L13;
					} else {
						_t139 = 0;
						do {
							_t115 =  *((intOrPtr*)( *((intOrPtr*)(_t150 + 0xc)))) + _t124 * 4;
							 *(_t115 + 2) = _t124;
							_t123 =  *((intOrPtr*)( *((intOrPtr*)(_t150 + 0x10)) + _t139 + 0xc));
							_t124 = _t124 + 1;
							_t139 = _t139 + 0x14;
							_t165 = _t124 - _t147;
							 *_t115 = _t123;
						} while (_t124 < _t147);
						goto L12;
					}
				} else {
					if(_a8 != 0x3ed) {
						goto L26;
					} else {
						E0040E83A(__ecx, __ecx);
						goto L7;
					}
				}
			}

0x0040e886
0x0040e88c
0x0040e890
0x0040e896
0x0040e898
0x0040e9d0
0x0040e9d3
0x0040e9dc
0x0040e9de
0x0040e9e1
0x0040e9e8
0x0040e9ee
0x0040e9e1
0x0040e9ef
0x0040e9f3
0x0040e9c5
0x0040e9c5
0x0040e9c5
0x00000000
0x0040e9f5
0x0040e9f5
0x0040e9f8
0x00000000
0x00000000
0x0040e9fa
0x0040e9fd
0x0040ea04
0x0040ea0c
0x0040ea0f
0x0040ea11
0x0040ea13
0x0040ea62
0x0040ea62
0x0040ea66
0x00000000
0x00000000
0x0040ea6c
0x0040ea70
0x00000000
0x00000000
0x0040ea78
0x0040ea86
0x0040ea8b
0x0040ea99
0x0040eaa2
0x0040eab4
0x0040eab9
0x0040eabb
0x0040e9c7
0x0040e9cd
0x0040e9cd
0x0040ea15
0x0040ea1f
0x0040ea27
0x0040ea29
0x0040ea2b
0x0040ea2f
0x0040ea37
0x0040ea43
0x0040ea52
0x0040ea5d
0x0040ea5d
0x00000000
0x0040ea29
0x0040ea06
0x0040ea0a
0x00000000
0x00000000
0x00000000
0x0040ea0a
0x0040e9f3
0x0040e89e
0x0040e8a3
0x0040e9b8
0x0040e9c0
0x00000000
0x0040e9c0
0x0040e8a9
0x0040e8aa
0x00000000
0x00000000
0x0040e8b3
0x0040e8b9
0x0040e8d3
0x0040e8d6
0x00000000
0x00000000
0x0040e8e2
0x0040e918
0x0040e929
0x0040e931
0x0040e931
0x0040e93c
0x0040e944
0x0040e944
0x0040e94f
0x0040e95a
0x0040e960
0x0040e967
0x0040e972
0x0040e978
0x0040e97e
0x0040e984
0x0040e984
0x0040e98e
0x0040e994
0x0040e99d
0x0040e99d
0x00000000
0x0040e98e
0x0040e8e7
0x0040e8ea
0x0040e8ee
0x0040e911
0x0040e913
0x00000000
0x0040e8f0
0x0040e8f0
0x0040e8f2
0x0040e8f7
0x0040e8fa
0x0040e901
0x0040e906
0x0040e907
0x0040e90a
0x0040e90c
0x0040e90c
0x00000000
0x0040e8f2
0x0040e8c2
0x0040e8c8
0x00000000
0x0040e8ce
0x0040e8ce
0x00000000
0x0040e8ce
0x0040e8c8

APIs

GetDlgItem.USER32 ref: 0040E92F
GetDlgItem.USER32 ref: 0040E942
GetDlgItem.USER32 ref: 0040E957
GetDlgItem.USER32 ref: 0040E96F

Part of subcall function 0040E83A: GetDlgItem.USER32 ref: 0040E848

SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 0040E9B8

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Item$MessageSend
String ID:
API String ID: 1192005507-0
Opcode ID: 7c90aea8232da8ad537cf2a5ce2d4c7232e844a3d3ada824651be2fe7239a305
Instruction ID: 4d099fed6390a821e44670faac05e94f15387c4cbfcb2ca509142600d3213a37
Opcode Fuzzy Hash: 7c90aea8232da8ad537cf2a5ce2d4c7232e844a3d3ada824651be2fe7239a305
Instruction Fuzzy Hash: 8951D471600601ABDB20AF27C846B2A73A5EF54724F05C93FF814A76D1DB78E960CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00402B3D Relevance: 7.6, APIs: 5, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E00402B3D(void* __ecx, void* __eflags, long _a4, intOrPtr _a8) {
				void* _v8;
				unsigned int _v12;
				int _v16;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v300;
				intOrPtr _v304;
				void _v308;
				void _v571;
				int _v572;
				intOrPtr _v1096;
				intOrPtr _v1100;
				intOrPtr _v1104;
				char _v1124;
				char _v17508;
				void* __ebx;
				void* _t60;
				void* _t61;
				void* _t65;
				void* _t69;
				void* _t72;
				intOrPtr _t78;
				int _t88;
				char _t92;
				void _t97;
				signed int _t98;
				void* _t101;
				void* _t102;
				void* _t105;

				E0040EAD0(0x4464, __ecx);
				_t88 = 0;
				_v16 = 0;
				if(E00409B5D() == 0) {
					L12:
					__eflags =  *0x412b10 - _t88; // 0x0
					if(__eflags != 0) {
						_t97 = _a4;
						_t60 =  *0x4125c8(8, _t97);
						__eflags = _t60 - 0xffffffff;
						_v8 = _t60;
						if(_t60 != 0xffffffff) {
							_v16 = 1;
							_v1124 = 0x224;
							_t61 =  *0x4125c0(_t60,  &_v1124);
							while(1) {
								__eflags = _t61;
								if(_t61 == 0) {
									goto L20;
								}
								memset( &_v308, _t88, 0x118);
								_t102 = _t102 + 0xc;
								_v304 = _v1096;
								_v308 = _t97;
								_t65 = 0;
								__eflags = 0;
								do {
									_t92 =  *((intOrPtr*)(_t101 + _t65 - 0x340));
									 *((char*)(_t101 + _t65 - 0x128)) = _t92;
									_t65 = _t65 + 1;
									__eflags = _t92 - _t88;
								} while (_t92 != _t88);
								_v36 = _v1100;
								_v32 = _v1104;
								_v1124 = 0x224;
								_t69 = E004027FC(_a8,  &_v308);
								__eflags = _t69;
								if(_t69 != 0) {
									_t61 =  *0x4125bc(_v8,  &_v1124);
									continue;
								}
								goto L20;
							}
							goto L20;
						}
					}
				} else {
					_t105 =  *0x412b14 - _t88; // 0x0
					if(_t105 == 0) {
						goto L12;
					} else {
						_t72 = OpenProcess(0x410, 0, _a4);
						_v8 = _t72;
						if(_t72 != 0) {
							_push( &_v12);
							_push(0x4000);
							_push( &_v17508);
							_push(_t72);
							if( *0x4125cc() != 0) {
								_t6 =  &_v12;
								 *_t6 = _v12 >> 2;
								_v16 = 1;
								_t98 = 0;
								if( *_t6 != 0) {
									while(1) {
										_v572 = _t88;
										memset( &_v571, _t88, 0x104);
										memset( &_v308, _t88, 0x118);
										_t78 =  *((intOrPtr*)(_t101 + _t98 * 4 - 0x4460));
										_t102 = _t102 + 0x18;
										_v308 = _a4;
										_v304 = _t78;
										 *0x4125c4(_v8, _t78,  &_v572, 0x104);
										E00402986( &_v572,  &_v300);
										_push(0xc);
										_push( &_v28);
										_push(_v304);
										_push(_v8);
										if( *0x4125d0() != 0) {
											_v36 = _v24;
											_v32 = _v28;
										}
										if(E004027FC(_a8,  &_v308) == 0) {
											goto L20;
										}
										_t98 = _t98 + 1;
										if(_t98 < _v12) {
											_t88 = 0;
											__eflags = 0;
											continue;
										} else {
										}
										goto L20;
									}
								}
							}
							L20:
							CloseHandle(_v8);
						}
					}
				}
				return _v16;
			}

0x00402b45
0x00402b4c
0x00402b4f
0x00402b59
0x00402c6d
0x00402c6d
0x00402c73
0x00402c79
0x00402c7f
0x00402c85
0x00402c88
0x00402c8b
0x00402c9e
0x00402ca5
0x00402cab
0x00402d2a
0x00402d2a
0x00402d2c
0x00000000
0x00000000
0x00402cc0
0x00402ccb
0x00402cce
0x00402cd4
0x00402cda
0x00402cda
0x00402cdc
0x00402cdc
0x00402ce3
0x00402cea
0x00402ceb
0x00402ceb
0x00402cf5
0x00402cfe
0x00402d0b
0x00402d11
0x00402d16
0x00402d18
0x00402d24
0x00000000
0x00402d24
0x00000000
0x00402d18
0x00000000
0x00402d2a
0x00402c8b
0x00402b5f
0x00402b5f
0x00402b65
0x00000000
0x00402b6b
0x00402b74
0x00402b7c
0x00402b7f
0x00402b88
0x00402b89
0x00402b94
0x00402b95
0x00402b9e
0x00402ba4
0x00402ba4
0x00402ba8
0x00402baf
0x00402bb1
0x00402bc0
0x00402bc9
0x00402bcf
0x00402be1
0x00402be9
0x00402bf0
0x00402bf4
0x00402c05
0x00402c0b
0x00402c1d
0x00402c22
0x00402c27
0x00402c28
0x00402c2e
0x00402c39
0x00402c3e
0x00402c44
0x00402c44
0x00402c58
0x00000000
0x00000000
0x00402c5e
0x00402c62
0x00402bbe
0x00402bbe
0x00000000
0x00000000
0x00402c68
0x00000000
0x00402c62
0x00402bc0
0x00402bb1
0x00402d2e
0x00402d31
0x00402d31
0x00402b7f
0x00402b65
0x00402d3e

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00402B74
memset.MSVCRT ref: 00402BCF
memset.MSVCRT ref: 00402BE1
memset.MSVCRT ref: 00402CC0
CloseHandle.KERNEL32(?,00000001,?), ref: 00402D31

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: memset$CloseHandleOpenProcess
String ID:
API String ID: 2659917700-0
Opcode ID: 1ebf7961364a92b06d82b9fe625fa98a7b0d8ac1040caa31b57378f6bf9ea446
Instruction ID: 31624b9f32d3fd1142d46a14fe65249d5835e2d161884a26e909a5a6c6e23d97
Opcode Fuzzy Hash: 1ebf7961364a92b06d82b9fe625fa98a7b0d8ac1040caa31b57378f6bf9ea446
Instruction Fuzzy Hash: 59510DB190021CABDB11DFA5DD89AEEB7B8BB08304F0444BAE505F6290D7749E54CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00405A08 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00405A08(void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr* _a12) {
				signed int _v12;
				char* _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				char _v52;
				char _v72;
				void _v100;
				void* __ebx;
				signed int _t56;
				intOrPtr* _t66;
				void* _t67;
				signed int _t73;
				signed int _t75;
				intOrPtr _t78;
				char* _t84;
				intOrPtr _t91;
				intOrPtr* _t99;
				intOrPtr* _t103;
				void* _t105;
				void* _t106;

				_t75 = 6;
				memcpy( &_v100, "<td bgcolor=#%s nowrap>%s", _t75 << 2);
				_t106 = _t105 + 0xc;
				asm("movsw");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsw");
				asm("movsb");
				E004096D5(0, _a8, "<tr>");
				_t103 = _a4;
				_v12 = _v12 & 0x00000000;
				_pop(_t78);
				if( *((intOrPtr*)(_t103 + 0x24)) > 0) {
					do {
						_t56 = _v12;
						_t73 =  *( *((intOrPtr*)(_t103 + 0x28)) + _t56 * 4);
						_t84 =  &_v100;
						if( *((intOrPtr*)((_t73 << 4) +  *((intOrPtr*)(_t103 + 0x38)) + 4)) == 0) {
							_t84 =  &_v52;
						}
						_t99 = _a12;
						_v32 = _v32 | 0xffffffff;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _v20 & 0x00000000;
						_v16 = _t84;
						 *((intOrPtr*)( *_t103 + 0x30))(4, _t56, _t99,  &_v32);
						E004013F6(_v32,  &_v72);
						E00401387( *((intOrPtr*)(_t103 + 0x58)),  *((intOrPtr*)( *_t99))(_t73,  *(_t103 + 0x54)));
						 *((intOrPtr*)( *_t103 + 0x48))( *((intOrPtr*)(_t103 + 0x58)), _t99, _t73);
						_t66 =  *((intOrPtr*)(_t103 + 0x58));
						_t91 =  *_t66;
						if(_t91 == 0 || _t91 == 0x20) {
							_t67 = _t66 - 1;
							do {
								_t78 =  *((intOrPtr*)(_t67 + 1));
								_t67 = _t67 + 1;
							} while (_t78 != 0);
							asm("movsd");
							asm("movsw");
							asm("movsb");
							_t103 = _a4;
						}
						E004015BF( &_v32,  *((intOrPtr*)(_t103 + 0x5c)),  *((intOrPtr*)(_t103 + 0x58)));
						sprintf( *(_t103 + 0x54), _v16,  &_v72,  *((intOrPtr*)(_t103 + 0x5c)));
						E004096D5(_t78, _a8,  *(_t103 + 0x54));
						_t106 = _t106 + 0x20;
						_v12 = _v12 + 1;
					} while (_v12 <  *((intOrPtr*)(_t103 + 0x24)));
				}
				return E004096D5(_t78, _a8, "\r\n");
			}

0x00405a13
0x00405a1c
0x00405a1c
0x00405a1e
0x00405a28
0x00405a29
0x00405a2a
0x00405a2b
0x00405a2c
0x00405a36
0x00405a37
0x00405a3c
0x00405a3f
0x00405a48
0x00405a49
0x00405a4f
0x00405a52
0x00405a55
0x00405a65
0x00405a68
0x00405a6a
0x00405a6a
0x00405a6d
0x00405a72
0x00405a76
0x00405a7a
0x00405a7e
0x00405a82
0x00405a8f
0x00405a99
0x00405aaf
0x00405abd
0x00405ac0
0x00405ac3
0x00405ac7
0x00405ace
0x00405acf
0x00405acf
0x00405ad2
0x00405ad3
0x00405ade
0x00405adf
0x00405ae1
0x00405ae2
0x00405ae2
0x00405aee
0x00405b00
0x00405b0b
0x00405b10
0x00405b13
0x00405b19
0x00405a4f
0x00405b35

APIs

Part of subcall function 004096D5: WriteFile.KERNEL32(00000001,00000007,00000008,?,00000000,?,Mqt,00405D6B,00000001,00000001,004066BB,00000007,],00407088,00000001,?), ref: 004096F5

sprintf.MSVCRT ref: 00405B00

Strings

<td bgcolor=#%s>%s, xrefs: 00405A20
 , xrefs: 00405AD9
<tr>, xrefs: 00405A2E
<td bgcolor=#%s nowrap>%s, xrefs: 00405A14

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: FileWritesprintf
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 1487071335-4153097237
Opcode ID: 702a3c32cabf1f88c58567333f5c504749f0d3cc3fa98b31e56703f1878b1f50
Instruction ID: b39776ee9a5446e31fe3793a89f3811eb2b3ec2e01c3e99e1ec3be62203b76ce
Opcode Fuzzy Hash: 702a3c32cabf1f88c58567333f5c504749f0d3cc3fa98b31e56703f1878b1f50
Instruction Fuzzy Hash: A641C131900709AFDB25DF41C845AAFBBB6FF44324F20452AF8526B6E1C775A915CF44

Uniqueness

Uniqueness Score: -1.00%

Function 004065EA Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E004065EA(void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				void _v259;
				char _v260;
				signed int _t36;
				char* _t47;
				void* _t49;

				E004096D5(__ecx, _a4, "<item>\r\n");
				_t36 = 0;
				_pop(_t39);
				if( *((intOrPtr*)(__edi + 0x24)) > 0) {
					do {
						_v260 = 0;
						memset( &_v259, 0, 0xfe);
						_t39 = _a8;
						E00401387( *((intOrPtr*)(__edi + 0x58)),  *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x28)) + _t36 * 4),  *((intOrPtr*)(__edi + 0x54))));
						_t47 =  &_v260;
						E00405DB4( *((intOrPtr*)(( *( *((intOrPtr*)(__edi + 0x28)) + _t36 * 4) << 4) +  *((intOrPtr*)(__edi + 0x38)) + 0xc)), _t47);
						sprintf( *(__edi + 0x5c), "<%s>%s</%s>\r\n", _t47,  *((intOrPtr*)(__edi + 0x58)), _t47);
						E004096D5(_a8, _a4,  *(__edi + 0x5c));
						_t49 = _t49 + 0x28;
						_t36 = _t36 + 1;
					} while (_t36 <  *((intOrPtr*)(__edi + 0x24)));
				}
				return E004096D5(_t39, _a4, "</item>\r\n");
			}

0x004065fc
0x00406601
0x00406607
0x00406608
0x0040660b
0x00406619
0x00406620
0x0040662b
0x0040663e
0x0040664d
0x00406653
0x00406667
0x00406672
0x00406677
0x0040667a
0x0040667b
0x00406680
0x00406692

APIs

Part of subcall function 004096D5: WriteFile.KERNEL32(00000001,00000007,00000008,?,00000000,?,Mqt,00405D6B,00000001,00000001,004066BB,00000007,],00407088,00000001,?), ref: 004096F5

memset.MSVCRT ref: 00406620

Part of subcall function 00405DB4: _strlwr.MSVCRT ref: 00405DDE

sprintf.MSVCRT ref: 00406667

Strings

<item>, xrefs: 004065F4
</item>, xrefs: 00406681
<%s>%s</%s>, xrefs: 0040665F

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: FileWrite_strlwrmemsetsprintf
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 3790356888-2769808009
Opcode ID: 0f63e4aab8ab1bf85a5962dcf09dded0389523d36828774249a28022f24372c7
Instruction ID: fde61e8dda856c35f80db56188135188a95777a6ba072418582c54b9e59401eb
Opcode Fuzzy Hash: 0f63e4aab8ab1bf85a5962dcf09dded0389523d36828774249a28022f24372c7
Instruction Fuzzy Hash: DA11C431904616BFDB11EB55CC42F8A7BA4FF04318F10403AF809669E2DB7ABC65CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00402ABB Relevance: 7.6, APIs: 5, Instructions: 51
stringCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00402ABB(char* __esi, intOrPtr _a4) {
				void _v267;
				char _v268;
				char* _t8;

				_t8 = strchr(__esi, 0x5c);
				if(_t8 == 0) {
					if(strchr(__esi, 0x2e) == 0) {
						_v268 = 0;
						memset( &_v267, 0, 0x104);
						E00409B6E(_a4,  &_v268);
						_t8 =  &_v268;
						_push(__esi);
						_push(_t8);
						L0040107A();
						L3:
						if(_t8 != 0) {
							return 0;
						} else {
							return  &(_t8[1]);
						}
					}
					_t8 = E00409317(_a4);
					_push(__esi);
					_push(_t8);
					L2:
					L0040107A();
					goto L3;
				}
				_push(__esi);
				_push(_a4);
				goto L2;
			}

0x00402ac7
0x00402ad0
0x00402af0
0x00402b0c
0x00402b13
0x00402b22
0x00402b27
0x00402b2d
0x00402b2e
0x00402b2f
0x00402add
0x00402adf
0x00402b3c
0x00402ae1
0x00402ae3
0x00402ae3
0x00402adf
0x00402af5
0x00402afa
0x00402afb
0x00402ad6
0x00402ad6
0x00000000
0x00402adc
0x00402ad2
0x00402ad3
0x00000000

APIs

strchr.MSVCRT ref: 00402AC7
_stricmp.MSVCRT(00000000), ref: 00402AD6
strchr.MSVCRT ref: 00402AE7
memset.MSVCRT ref: 00402B13

Part of subcall function 00409B6E: strrchr.MSVCRT ref: 00409B87

_stricmp.MSVCRT(00000000,?,00000000,?,00000000,00000104), ref: 00402B2F

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: _stricmpstrchr$memsetstrrchr
String ID:
API String ID: 1556096600-0
Opcode ID: 96ca6cb642b6ab74d963f4bce240b6dfa48fa6025da02c3aed7fee4a850514b8
Instruction ID: 3d94280b60d1943fbf4895c28001f677b7c53e9330229df40d0712a5b19e3b1f
Opcode Fuzzy Hash: 96ca6cb642b6ab74d963f4bce240b6dfa48fa6025da02c3aed7fee4a850514b8
Instruction Fuzzy Hash: 1501DB3570824465EB34A672DD06FCB379C9F00358F10007BB585B54D1EEF8E9C14AA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040655E Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040655E(intOrPtr* __ecx, intOrPtr _a4) {
				void _v259;
				char _v260;
				void _v515;
				char _v516;
				void* __esi;
				void* _t17;
				intOrPtr* _t26;
				char* _t28;

				_t24 = __ecx;
				_t26 = __ecx;
				_v260 = 0;
				memset( &_v259, 0, 0xfe);
				_v516 = 0;
				memset( &_v515, 0, 0xfe);
				E004096D5(_t24, _a4, "<?xml version=\"1.0\"  encoding=\"ISO-8859-1\" ?>\r\n");
				_t17 =  *((intOrPtr*)( *_t26 + 0x20))();
				_t28 =  &_v260;
				E00405DB4(_t17, _t28);
				sprintf( &_v516, "<%s>\r\n", _t28);
				return E004096D5(_t26, _a4,  &_v516);
			}

0x0040655e
0x00406578
0x0040657a
0x00406581
0x00406590
0x00406597
0x004065a4
0x004065b0
0x004065b3
0x004065b9
0x004065cd
0x004065e7

APIs

memset.MSVCRT ref: 00406581
memset.MSVCRT ref: 00406597

Part of subcall function 004096D5: WriteFile.KERNEL32(00000001,00000007,00000008,?,00000000,?,Mqt,00405D6B,00000001,00000001,004066BB,00000007,],00407088,00000001,?), ref: 004096F5

Part of subcall function 00405DB4: _strlwr.MSVCRT ref: 00405DDE

sprintf.MSVCRT ref: 004065CD

Strings

<%s>, xrefs: 004065C7
<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040659C

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: memset$FileWrite_strlwrsprintf
String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 2668691490-1998499579
Opcode ID: 70dd308df9ff3523b82206564b9d0d24c505a0913d072cffb5b4b132d72fb44d
Instruction ID: 627c366ac279c3a02e6257e4d4abee7f173dcc254d430477c9bf57c17902ba05
Opcode Fuzzy Hash: 70dd308df9ff3523b82206564b9d0d24c505a0913d072cffb5b4b132d72fb44d
Instruction Fuzzy Hash: 8401A272A001296BDB20E75ACC46FDA7A6CAF44308F0400B7B50DF71D3DB789E948BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004063D1 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E004063D1(void* __esi) {
				void* _t9;
				long _t12;
				void* _t20;

				if( *((intOrPtr*)(__esi + 0x1c4)) != 0) {
					E00405688(__esi, 4, 1);
					_t12 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
					 *(__esi + 0x1a0) = _t12;
					__imp__ImageList_SetImageCount(_t12, 0, _t20);
					ImageList_AddMasked( *(__esi + 0x1a0), E00409902(0x87),  *(__esi + 0x50));
					ImageList_AddMasked( *(__esi + 0x1a0), E00409902(0x6c),  *(__esi + 0x50));
					return SendMessageA( *(__esi + 0x190), 0x1003, 2,  *(__esi + 0x1a0));
				}
				return _t9;
			}

0x004063d8
0x004063e1
0x004063f0
0x004063f9
0x004063ff
0x00406420
0x00406434
0x00000000
0x0040644f
0x00406450

APIs

ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000004,00000001,00000000,0040B488), ref: 004063F0
ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 004063FF

Part of subcall function 00409902: GetModuleHandleA.KERNEL32(00000000,00406412,00000087,?), ref: 00409904
Part of subcall function 00409902: LoadImageA.USER32 ref: 0040991C

ImageList_AddMasked.COMCTL32(?,00000000,?), ref: 00406420
ImageList_AddMasked.COMCTL32(?,00000000,?), ref: 00406434
SendMessageA.USER32(?,00001003,00000002,?), ref: 00406449

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Image$List_$Masked$CountCreateHandleLoadMessageModuleSend
String ID:
API String ID: 4182045780-0
Opcode ID: 26f374aef07ca369e4edf62f3c6e46d7972b97e7ebd2828148313294c29697fd
Instruction ID: 21a4dcc33a34f3f9d67521fe10afb2230a2aac32d3ac6fe916b77ba968a417e2
Opcode Fuzzy Hash: 26f374aef07ca369e4edf62f3c6e46d7972b97e7ebd2828148313294c29697fd
Instruction Fuzzy Hash: 3901E171281704BEFA3227609C0AFDA7665FB48B04F40483DF395795E2C6F66450DB19

Uniqueness

Uniqueness Score: -1.00%

Function 00407714 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407714(void* __eax, intOrPtr _a4) {
				char _t4;
				intOrPtr _t5;
				char _t6;

				if(__eax != 4) {
					if(__eax != 5) {
						if(__eax == 6) {
							_t6 = "strings"; // 0x69727473
							 *0x4128a8 = _t6;
							_t5 =  *0x40fd74; // 0x73676e
							L9:
							 *0x4128ac = _t5;
							return _t5;
						}
						if(__eax == 0) {
							_t4 = "general"; // 0x656e6567
							 *0x4128a8 = _t4;
							_t5 =  *0x40fd7c; // 0x6c6172
							goto L9;
						}
						return __eax;
					} else {
						return sprintf(0x4128a8, ??, "dialog_%d", _a4);
						goto L4;
					}
				} else {
					return sprintf(0x4128a8, ??, "menu_%d", _a4);
					L4:
				}
			}

0x00407717
0x00407727
0x00407743
0x00407745
0x0040774a
0x0040774f
0x00407769
0x00407769
0x00000000
0x00407769
0x00407758
0x0040775a
0x0040775f
0x00407764
0x00000000
0x00407764
0x0040776e
0x00407729
0x0040773f
0x00000000
0x0040773f
0x00407719
0x0040773f
0x00407732
0x0040773f

APIs

sprintf.MSVCRT ref: 00407737

Strings

strings, xrefs: 00407745
menu_%d, xrefs: 0040771D
dialog_%d, xrefs: 0040772D
general, xrefs: 0040775A

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: sprintf
String ID: dialog_%d$general$menu_%d$strings
API String ID: 590974362-502967061
Opcode ID: a17a5228ab9808788ccc858fc477c9d0032b53db8640bbc1f45ff4f354d33841
Instruction ID: dc2664122fd744ac89bb07bcd6245be0c15406158903a1f35011880d38323053
Opcode Fuzzy Hash: a17a5228ab9808788ccc858fc477c9d0032b53db8640bbc1f45ff4f354d33841
Instruction Fuzzy Hash: FBF01274914700EEC620DB24DE8091532E0EB48744B204537E406F77A0E678B8549B0E

Uniqueness

Uniqueness Score: -1.00%

Function 0040324B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44
networkCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040324B(signed int _a4) {
				signed int _t8;
				intOrPtr* _t11;
				signed int _t14;
				void** _t17;
				void** _t20;

				_t8 =  *0x412b08; // 0x0
				if(_t8 != 0) {
					_push(2);
					_t20 = _a4 * 0xc + _t8;
					_push(4);
					_t17 =  &(_t20[2]);
					_push(_t17);
					L00401350();
					_a4 = _a4 & 0x00000000;
					_t14 = _t8;
					if( *0x412b08 != 0) {
						if(_t14 == 0) {
							L0040133E();
							_a4 = _t8;
						}
						_t11 = E00408342(0x412148, _t20[1]);
						if(_t11 != 0) {
							 *((intOrPtr*)( *_t11))( *_t17, _t14, _a4);
						}
						CloseHandle( *_t20);
						 *_t20 =  *_t20 & 0x00000000;
					}
				}
				return 0;
			}

0x0040324e
0x00403258
0x00403260
0x00403262
0x00403264
0x00403266
0x00403269
0x0040326a
0x0040326f
0x0040327a
0x0040327c
0x00403280
0x00403282
0x00403287
0x00403287
0x00403292
0x00403299
0x004032a5
0x004032a5
0x004032a9
0x004032af
0x004032af
0x0040327c
0x004032b8

APIs

gethostbyaddr.WS2_32(?,00000004,00000002), ref: 0040326A
WSAGetLastError.WS2_32 ref: 00403282
CloseHandle.KERNEL32(?,?), ref: 004032A9

Strings

H!A, xrefs: 0040328D

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: CloseErrorHandleLastgethostbyaddr
String ID: H!A
API String ID: 829321779-210526607
Opcode ID: 63e709186d85802a625cb6053a47f72908d93a1828cbdd8e0367ca52442d84ca
Instruction ID: 2a1d009462b8a7b488afa1501fdc0e19cc9a1357039da1a28aff8c3b3d262e5a
Opcode Fuzzy Hash: 63e709186d85802a625cb6053a47f72908d93a1828cbdd8e0367ca52442d84ca
Instruction Fuzzy Hash: B101DB31200304AFE7109F51DD81B677BA8EB44755F10443EFD44EB290D7759D54CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004079CB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E004079CB(void* __ecx, void* __eflags, struct HWND__* _a4) {
				void _v4103;
				char _v4104;
				void* _t8;
				void* _t11;

				_t18 = __ecx;
				_t8 = E0040EAD0(0x1004, __ecx);
				_t22 =  *0x4127a0;
				if( *0x4127a0 != 0) {
					_v4104 = 0;
					memset( &_v4103, 0, 0x1000);
					_push( *0x4128e8);
					_t11 = 5;
					E00407714(_t11);
					if(E0040762A(_t18, _t22, "caption",  &_v4104) != 0) {
						SetWindowTextA(_a4,  &_v4104);
					}
					return EnumChildWindows(_a4, E0040776F, 0);
				}
				return _t8;
			}

0x004079cb
0x004079d3
0x004079d8
0x004079df
0x004079ef
0x004079f6
0x004079fb
0x00407a03
0x00407a04
0x00407a1f
0x00407a2b
0x00407a2b
0x00000000
0x00407a3b
0x00407a42

APIs

memset.MSVCRT ref: 004079F6

Part of subcall function 00407714: sprintf.MSVCRT ref: 00407737

Part of subcall function 0040762A: memset.MSVCRT ref: 0040764E
Part of subcall function 0040762A: GetPrivateProfileStringA.KERNEL32(004128A8,0000000A,0040F469,?,00001000,004127A0), ref: 00407670

SetWindowTextA.USER32(?,?), ref: 00407A2B
EnumChildWindows.USER32 ref: 00407A3B

Strings

caption, xrefs: 00407A10

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: memset$ChildEnumPrivateProfileStringTextWindowWindowssprintf
String ID: caption
API String ID: 670118382-4135340389
Opcode ID: 3a16401db87154e29734f327cd967811c32ad6f593e80b9db89ea3d4c520e0b4
Instruction ID: eb6801712ff5f3793bcf583c275848c14d25528d0646c5adc5be71172eec7444
Opcode Fuzzy Hash: 3a16401db87154e29734f327cd967811c32ad6f593e80b9db89ea3d4c520e0b4
Instruction Fuzzy Hash: 15F02B30A442487EDB22A755DD06BC937689B08745F0044B2F704F51E0D7F4BAC48F5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040925E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040925E(struct HWND__* _a4) {
				void _v259;
				char _v260;
				signed int _t10;

				_v260 = 0;
				memset( &_v259, 0, 0xff);
				GetClassNameA(_a4,  &_v260, 0xff);
				_t10 =  &_v260;
				_push("edit");
				_push(_t10);
				L0040107A();
				asm("sbb eax, eax");
				return  ~_t10 + 1;
			}

0x00409277
0x0040927e
0x00409291
0x00409297
0x0040929d
0x004092a2
0x004092a3
0x004092ac
0x004092b1

APIs

memset.MSVCRT ref: 0040927E
GetClassNameA.USER32(?,00000000,000000FF), ref: 00409291
_stricmp.MSVCRT(00000000,edit), ref: 004092A3

Strings

edit, xrefs: 0040929D

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: ClassName_stricmpmemset
String ID: edit
API String ID: 3665161774-2167791130
Opcode ID: 1cfecf832dc5d596aa0e39dbd4597336c6fe878ab0f6f15d6d08781b49a6f9ef
Instruction ID: 3c0eebbde036c6db2872d526128da02f57f0528f3baf21114fc6d7e576a942c9
Opcode Fuzzy Hash: 1cfecf832dc5d596aa0e39dbd4597336c6fe878ab0f6f15d6d08781b49a6f9ef
Instruction Fuzzy Hash: 02E09B72D4412E6ADB31F665DC01FE537ACEF18304F0400B6B849F14D1E5B4A6884BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040829A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040829A(struct HINSTANCE__** __eax) {
				void* __esi;
				void* _t4;
				struct HINSTANCE__** _t10;

				_t10 = __eax;
				if( *((intOrPtr*)(__eax)) == 0) {
					 *_t10 = LoadLibraryA("Iphlpapi.dll");
					_t4 = E00408257(_t10);
					if( *((intOrPtr*)(_t10 + 4)) == 0) {
						E00408289(_t10);
						 *_t10 = LoadLibraryA("icmp.dll");
						_t4 = E00408257(_t10);
					}
					return _t4;
				}
				return __eax;
			}

0x0040829b
0x004082a0
0x004082b0
0x004082b2
0x004082bb
0x004082bd
0x004082c9
0x004082cb
0x004082cb
0x00000000
0x004082d0
0x004082d2

APIs

LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,004082F0), ref: 004082AE

Part of subcall function 00408257: GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 0040826A
Part of subcall function 00408257: GetProcAddress.KERNEL32(?,IcmpCloseHandle), ref: 00408276
Part of subcall function 00408257: GetProcAddress.KERNEL32(?,IcmpSendEcho), ref: 00408282

Part of subcall function 00408289: FreeLibrary.KERNEL32(00000000,0040BBE2,?,?,004044A2,00000001,00404C51,00000000,00000000,?,00000000,00000000,00000000,74714DE0,?,00000000), ref: 00408290

LoadLibraryA.KERNEL32(icmp.dll,?,?,004082F0), ref: 004082C7

Strings

icmp.dll, xrefs: 004082C2
Iphlpapi.dll, xrefs: 004082A9

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: AddressLibraryProc$Load$Free
String ID: Iphlpapi.dll$icmp.dll
API String ID: 3890210519-413374463
Opcode ID: 4fec41d2b5989501e07b3d4c9651d397d1b9b3b4a86371711c18ca54078e8af7
Instruction ID: 0b6e63d0cae7dd16096740f2b8d8435cf9b177e91a2a56ff30e9c7847e705a7a
Opcode Fuzzy Hash: 4fec41d2b5989501e07b3d4c9651d397d1b9b3b4a86371711c18ca54078e8af7
Instruction Fuzzy Hash: 31E0EC31540B149ECB307B7AAA05706F6D45FE1714F2108BFE4C1B35D0DABC48848A59

Uniqueness

Uniqueness Score: -1.00%

Function 00408B42 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00408B42(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t7;

				_v8 = _v8 & 0x00000000;
				_t7 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
				if(_t7 != 0) {
					 *_t7(_a4,  &_v8);
				}
				return _v8;
			}

0x00408b46
0x00408b5b
0x00408b63
0x00408b6c
0x00408b6c
0x00408b72

APIs

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00408B54
GetProcAddress.KERNEL32(00000000), ref: 00408B5B

Strings

kernel32, xrefs: 00408B4F
IsWow64Process, xrefs: 00408B4A

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32
API String ID: 1646373207-3789238822
Opcode ID: aecdae43805f87fb8adcc04bb4af8d751b0385bff0289bf7daa79f207a46c273
Instruction ID: 14f95c188769b76f73108f8b96d627f79ad2ac93a913c914285f3619fafbbc17
Opcode Fuzzy Hash: aecdae43805f87fb8adcc04bb4af8d751b0385bff0289bf7daa79f207a46c273
Instruction Fuzzy Hash: 32D01274604209FFDB14DBA1DE0AB9D7778FB04749F200079B901F2490DBB8EE049718

Uniqueness

Uniqueness Score: -1.00%

Function 004017DE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004017DE(intOrPtr* __esi, intOrPtr _a4) {
				_Unknown_base(*)()* _t3;

				 *__esi = 0x34;
				_t3 = GetProcAddress(GetModuleHandleA("user32.dll"), "GetComboBoxInfo");
				if(_t3 == 0) {
					return 0;
				} else {
					return  *_t3(_a4, __esi);
				}
			}

0x004017e8
0x004017f5
0x004017fd
0x00401809
0x004017ff
0x00401806
0x00401806

APIs

GetModuleHandleA.KERNEL32(user32.dll,GetComboBoxInfo,0040E654,00000000), ref: 004017EE
GetProcAddress.KERNEL32(00000000), ref: 004017F5

Strings

GetComboBoxInfo, xrefs: 004017DE
user32.dll, xrefs: 004017E3

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetComboBoxInfo$user32.dll
API String ID: 1646373207-3174150333
Opcode ID: 2226fdea089c3a05446b4ada4f483745aefc94f6ebeb98019eec55739f6bcacf
Instruction ID: b83c21a91fa3469feaed3addd1857c1a91e642ba4a40d27d5acdabeb95e023ca
Opcode Fuzzy Hash: 2226fdea089c3a05446b4ada4f483745aefc94f6ebeb98019eec55739f6bcacf
Instruction Fuzzy Hash: 0ED01270242215AFCB211F70CC0CB4B3E98AF90782F1444757594E54B0DBF8C9C4D62C

Uniqueness

Uniqueness Score: -1.00%

Function 004018BC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004018BC() {
				struct HINSTANCE__* _t1;
				_Unknown_base(*)()* _t2;

				if( *0x412b1c == 0) {
					_t1 = LoadLibraryA("shell32.dll");
					 *0x412b1c = _t1;
					if(_t1 != 0) {
						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathA");
						 *0x412b18 = _t2;
						return _t2;
					}
				}
				return _t1;
			}

0x004018c3
0x004018ca
0x004018d2
0x004018d7
0x004018df
0x004018e5
0x00000000
0x004018e5
0x004018d7
0x004018ea

APIs

LoadLibraryA.KERNEL32(shell32.dll,00404E57,?,00000000), ref: 004018CA
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004018DF

Strings

shell32.dll, xrefs: 004018C5
SHGetSpecialFolderPathA, xrefs: 004018D9

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetSpecialFolderPathA$shell32.dll
API String ID: 2574300362-543337301
Opcode ID: cf0bff61eae21087795894de178c3bfa42ec3d102e0d4c01dcc572666ab534c8
Instruction ID: f3029a26553a15ab45b7535dd6fa42627ec5de75f695190acadfce5a8b35013a
Opcode Fuzzy Hash: cf0bff61eae21087795894de178c3bfa42ec3d102e0d4c01dcc572666ab534c8
Instruction Fuzzy Hash: 7DD092B06483009BD720AF61EE48B823BA4B764B02F108036A401F22A8D7F856A49F5D

Uniqueness

Uniqueness Score: -1.00%

Function 004060FF Relevance: 6.3, APIs: 5, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E004060FF(intOrPtr* __esi) {
				void* _t22;
				void* _t24;
				intOrPtr* _t30;

				_t30 = __esi;
				_t1 = _t30 + 4; // 0x4
				_t24 = _t1;
				 *__esi = 0x40ff70;
				_t22 = memset(_t24, 0, 0x1d0);
				_push(0x14);
				 *_t24 = 0;
				L004010A4();
				if(_t22 == 0) {
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t22 + 0xc)) = 0;
					 *_t22 = 0;
					 *((intOrPtr*)(_t22 + 4)) = 0;
					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t22 + 8)) = 0;
				}
				_push(0x14);
				 *(_t30 + 8) = _t22;
				L004010A4();
				if(_t22 == 0) {
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t22 + 0xc)) = 0;
					 *_t22 = 0;
					 *((intOrPtr*)(_t22 + 4)) = 0;
					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t22 + 8)) = 0;
				}
				_push(0x14);
				 *(_t30 + 0xc) = _t22;
				L004010A4();
				if(_t22 == 0) {
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t22 + 0xc)) = 0;
					 *_t22 = 0;
					 *((intOrPtr*)(_t22 + 4)) = 0;
					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t22 + 8)) = 0;
				}
				_push(0x14);
				 *(_t30 + 0x10) = _t22;
				L004010A4();
				if(_t22 == 0) {
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t22 + 0xc)) = 0;
					 *_t22 = 0;
					 *((intOrPtr*)(_t22 + 4)) = 0;
					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t22 + 8)) = 0;
				}
				 *(_t30 + 0x14) = _t22;
				return _t30;
			}

0x004060ff
0x00406108
0x00406108
0x0040610d
0x00406113
0x00406118
0x0040611a
0x0040611c
0x0040612b
0x0040613d
0x0040612d
0x0040612d
0x00406130
0x00406132
0x00406135
0x00406138
0x00406138
0x0040613f
0x00406141
0x00406144
0x0040614c
0x0040615e
0x0040614e
0x0040614e
0x00406151
0x00406153
0x00406156
0x00406159
0x00406159
0x00406160
0x00406162
0x00406165
0x0040616d
0x0040617f
0x0040616f
0x0040616f
0x00406172
0x00406174
0x00406177
0x0040617a
0x0040617a
0x00406181
0x00406183
0x00406186
0x0040618e
0x004061a0
0x00406190
0x00406190
0x00406193
0x00406195
0x00406198
0x0040619b
0x0040619b
0x004061a3
0x004061a9

APIs

memset.MSVCRT ref: 00406113
??2@YAPAXI@Z.MSVCRT ref: 0040611C
??2@YAPAXI@Z.MSVCRT ref: 00406144
??2@YAPAXI@Z.MSVCRT ref: 00406165
??2@YAPAXI@Z.MSVCRT ref: 00406186

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: 22f9adb3412914d52b21ad88d3f8d37356db5ee118e6f1e6b33e1133ec302bd2
Instruction ID: 043405e180bbfa69a68fd3ddffe9275c3d489b42cb6acf531a6d8dba20b1be92
Opcode Fuzzy Hash: 22f9adb3412914d52b21ad88d3f8d37356db5ee118e6f1e6b33e1133ec302bd2
Instruction Fuzzy Hash: ED21C4B4A003008ED7219F2B8885956FAE4FF94310B6AC8AFD159DF6B2D7B8C851CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00402986 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 122
stringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00402986(void* __eax, short* __ebx) {
				void _v267;
				char _v268;
				intOrPtr* _t21;
				char* _t23;
				void* _t26;
				void* _t33;
				unsigned int _t34;
				intOrPtr* _t41;
				void* _t42;
				intOrPtr* _t43;
				short* _t44;
				void* _t46;
				char _t48;
				void* _t49;
				void _t50;
				signed int _t52;
				char _t58;
				void* _t59;
				intOrPtr _t60;
				char _t61;
				char _t62;
				void* _t64;
				void _t65;
				void* _t67;
				void _t68;
				void* _t70;
				void* _t72;
				void* _t74;
				void* _t77;
				void* _t83;

				_t44 = __ebx;
				_t21 = __eax;
				_t84 = __eax;
				if( *((char*)(__eax + 1)) != 0x3a) {
					_t23 = strchr(__eax + 2, 0x3a);
					_pop(_t46);
					if(_t23 == 0) {
						_t74 = E004095D5(_t84, _t46, "\\systemroot");
						if(_t74 < 0) {
							if( *_t84 != 0x5c) {
								_t26 = _t84;
								_t64 = __ebx - _t84;
								do {
									_t48 =  *_t26;
									 *((char*)(_t64 + _t26)) = _t48;
									_t26 = _t26 + 1;
								} while (_t48 != 0);
							} else {
								_v268 = 0;
								memset( &_v267, 0, 0x104);
								E00409225( &_v268);
								 *__ebx = _v268;
								_t33 = _t84;
								 *((char*)(__ebx + 2)) = 0;
								_t49 = _t33;
								do {
									_t65 =  *_t33;
									_t33 = _t33 + 1;
								} while (_t65 != 0);
								_t34 = _t33 - _t49;
								_t77 = __ebx - 1;
								do {
									_t50 =  *(_t77 + 1);
									_t77 = _t77 + 1;
								} while (_t50 != 0);
								goto L21;
							}
						} else {
							_v268 = 0;
							memset( &_v267, 0, 0x104);
							E00409225( &_v268);
							_t41 =  &_v268;
							_t67 = __ebx - _t41;
							do {
								_t58 =  *_t41;
								 *((char*)(_t67 + _t41)) = _t58;
								_t41 = _t41 + 1;
							} while (_t58 != 0);
							_t11 = _t84 + 0xb; // 0xb
							_t42 = _t74 + _t11;
							_t59 = _t42;
							do {
								_t68 =  *_t42;
								_t42 = _t42 + 1;
							} while (_t68 != 0);
							_t34 = _t42 - _t59;
							_t84 = _t59;
							_t83 = __ebx - 1;
							do {
								_t60 =  *((intOrPtr*)(_t83 + 1));
								_t83 = _t83 + 1;
							} while (_t60 != 0);
							L21:
							_t52 = _t34 >> 2;
							memcpy(_t84 + _t52 + _t52, _t84, memcpy(_t77, _t84, _t52 << 2) & 0x00000003);
						}
					} else {
						_t43 = _t23 - 1;
						_t70 = __ebx - _t43;
						do {
							_t61 =  *_t43;
							 *((char*)(_t70 + _t43)) = _t61;
							_t43 = _t43 + 1;
						} while (_t61 != 0);
					}
				} else {
					_t72 = __ebx - __eax;
					do {
						_t62 =  *_t21;
						 *((char*)(_t72 + _t21)) = _t62;
						_t21 = _t21 + 1;
					} while (_t62 != 0);
				}
				return _t44;
			}

0x00402986
0x00402986
0x00402990
0x00402996
0x004029b1
0x004029b9
0x004029ba
0x004029dd
0x004029e2
0x00402a44
0x00402aa7
0x00402aa9
0x00402aab
0x00402aab
0x00402aad
0x00402ab0
0x00402ab1
0x00402a46
0x00402a54
0x00402a5b
0x00402a67
0x00402a73
0x00402a76
0x00402a7b
0x00402a7f
0x00402a81
0x00402a81
0x00402a83
0x00402a84
0x00402a8a
0x00402a8c
0x00402a8d
0x00402a8d
0x00402a90
0x00402a91
0x00000000
0x00402a8d
0x004029e4
0x004029f2
0x004029f9
0x00402a05
0x00402a0a
0x00402a17
0x00402a19
0x00402a19
0x00402a1b
0x00402a1e
0x00402a1f
0x00402a23
0x00402a23
0x00402a27
0x00402a29
0x00402a29
0x00402a2b
0x00402a2c
0x00402a32
0x00402a34
0x00402a36
0x00402a37
0x00402a37
0x00402a3a
0x00402a3b
0x00402a95
0x00402a97
0x00402aa1
0x00402aa1
0x004029bc
0x004029bc
0x004029bf
0x004029c1
0x004029c1
0x004029c3
0x004029c6
0x004029c7
0x004029cb
0x00402998
0x0040299a
0x0040299c
0x0040299c
0x0040299e
0x004029a1
0x004029a2
0x004029a6
0x00402aba

APIs

strchr.MSVCRT ref: 004029B1

Part of subcall function 004095D5: _memicmp.MSVCRT ref: 00409615

memset.MSVCRT ref: 004029F9

Part of subcall function 00409225: GetWindowsDirectoryA.KERNEL32(00412B88,00000104,?,00402A6C,00000000,?,00000000,00000104), ref: 0040923A

memset.MSVCRT ref: 00402A5B

Strings

\systemroot, xrefs: 004029D1

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: memset$DirectoryWindows_memicmpstrchr
String ID: \systemroot
API String ID: 192065784-1821301763
Opcode ID: 620001a1641ca959dba40a467a675807d08a1b1fc6ccdaecc019a2041688ab2c
Instruction ID: 6097d3b08450cda3f4311a94afa6a68f0fe9f01403df4b2954c8190962c3f291
Opcode Fuzzy Hash: 620001a1641ca959dba40a467a675807d08a1b1fc6ccdaecc019a2041688ab2c
Instruction Fuzzy Hash: 9C316920B086465BDB22853C49687A37BD45FAA304F1440FBD4C9E73C2EDB88C898795

Uniqueness

Uniqueness Score: -1.00%

Function 0040E669 Relevance: 6.1, APIs: 4, Instructions: 117
windowCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E0040E669(void* __edi, void* __eflags) {
				signed int _v8;
				int _v12;
				struct HWND__* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v60;
				void _v315;
				char _v316;
				intOrPtr* _t49;
				void* _t51;
				intOrPtr _t56;
				void* _t62;
				void* _t64;
				signed int _t68;
				short _t70;
				void* _t73;
				intOrPtr _t74;
				void* _t76;
				void* _t77;
				void* _t82;
				struct HWND__* _t83;
				signed int _t85;
				short* _t86;
				void* _t87;
				void* _t88;

				_t82 = __edi;
				_t83 = GetDlgItem( *(__edi + 4), 0x3e9);
				_v16 = _t83;
				E00409EF5(_t83);
				_t68 = 0;
				SendMessageA(_t83, 0x1036, 0, 0x26);
				E0040A053(_t83);
				_push(0xc8);
				_push(0);
				_push(0);
				_push(_t83);
				_t73 = 6;
				E0040A171(0x40f469, _t73);
				_t49 =  *((intOrPtr*)(__edi + 0xc));
				_t74 =  *((intOrPtr*)(_t49 + 4));
				_t88 = _t87 + 0x10;
				_v28 = _t74;
				_v24 =  *_t49;
				_v12 = 0;
				if(_t74 <= 0) {
					L9:
					_t51 = 2;
					E0040A208(_t51, _t83, _t68, _t51);
					return SetFocus(_t83);
				} else {
					goto L1;
				}
				do {
					L1:
					_v8 = _t68;
					_v20 = _t68;
					do {
						_t85 = _v8 << 2;
						if( *((short*)(_v24 + _t85 + 2)) == _v12) {
							_v316 = 0;
							memset( &_v315, 0, 0xff);
							_push(0xff);
							_push( &_v316);
							_push(_v8);
							_push( *((intOrPtr*)( *((intOrPtr*)(_t82 + 0xc)) + 8)));
							_t76 = 4;
							_t62 = E0040A111( &_v60, _t76);
							_t88 = _t88 + 0x1c;
							if(_t62 != 0) {
								_push(_v8);
								_push(0);
								_push(_v16);
								_t77 = 5;
								_t64 = E0040A0BA( &_v316, _t77);
								_t86 = _t85 + _v24;
								_t70 =  *_t86;
								E00409F67(_v16, _t64, 0 | _t70 > 0x00000000);
								_t88 = _t88 + 0x18;
								if(_t70 == 0) {
									 *_t86 =  *((intOrPtr*)( *((intOrPtr*)(_t82 + 0x10)) + _v20 + 0xc));
								}
							}
						}
						_v8 = _v8 + 1;
						_t56 = _v28;
						_v20 = _v20 + 0x14;
					} while (_v8 < _t56);
					_v12 = _v12 + 1;
					_t68 = 0;
				} while (_v12 < _t56);
				_t83 = _v16;
				goto L9;
			}

0x0040e669
0x0040e682
0x0040e685
0x0040e688
0x0040e690
0x0040e699
0x0040e6a0
0x0040e6a6
0x0040e6ab
0x0040e6ac
0x0040e6ad
0x0040e6b5
0x0040e6b6
0x0040e6bb
0x0040e6be
0x0040e6c3
0x0040e6c8
0x0040e6cb
0x0040e6ce
0x0040e6d1
0x0040e7a1
0x0040e7a3
0x0040e7a7
0x0040e7b9
0x00000000
0x00000000
0x00000000
0x0040e6d7
0x0040e6d7
0x0040e6d7
0x0040e6da
0x0040e6dd
0x0040e6e3
0x0040e6ee
0x0040e703
0x0040e70a
0x0040e718
0x0040e71f
0x0040e720
0x0040e723
0x0040e729
0x0040e72a
0x0040e72f
0x0040e734
0x0040e736
0x0040e73f
0x0040e741
0x0040e746
0x0040e747
0x0040e74f
0x0040e751
0x0040e763
0x0040e768
0x0040e76d
0x0040e77a
0x0040e77a
0x0040e76d
0x0040e734
0x0040e77d
0x0040e780
0x0040e783
0x0040e787
0x0040e790
0x0040e793
0x0040e795
0x0040e79e
0x00000000

APIs

GetDlgItem.USER32 ref: 0040E67C

Part of subcall function 00409EF5: SendMessageA.USER32(?,00001009,00000000,00000000), ref: 00409F02

SendMessageA.USER32(00000000,00001036,00000000,00000026), ref: 0040E699

Part of subcall function 0040A053: SendMessageA.USER32(0040E6A5,0000101C,00000000,00000000), ref: 0040A060

Part of subcall function 0040A171: SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 0040A1B7

memset.MSVCRT ref: 0040E70A

Part of subcall function 0040A111: SendMessageA.USER32(?,00001019,00000000,?), ref: 0040A12F

Part of subcall function 0040A0BA: SendMessageA.USER32(?,00001007,00000000,?), ref: 0040A108

Part of subcall function 00409F67: SendMessageA.USER32(?,0000102B,?,?), ref: 00409F92

SetFocus.USER32(00000000), ref: 0040E7B0

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: MessageSend$FocusItemmemset
String ID:
API String ID: 4281309102-0
Opcode ID: 48640707d1499f987a14a9b78215ebb401cdfae753aa73d56d0b55e11b51c743
Instruction ID: b6be17ff35d8ce9602de8e075ec2aa06abd2b18790c4ef29e68e1ee6de857504
Opcode Fuzzy Hash: 48640707d1499f987a14a9b78215ebb401cdfae753aa73d56d0b55e11b51c743
Instruction Fuzzy Hash: 14418F75A00219AFDB20AF95DC82EAEB778FF04304F10447AF904BB291E7759E50CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040B58B Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 108
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B58B(intOrPtr _a4) {
				void* _v12;
				signed int _v16;
				void* _v20;
				intOrPtr _v24;
				char _v28;
				void* _v32;
				void* __edi;
				void* __esi;
				intOrPtr _t41;
				intOrPtr _t42;
				void* _t44;
				signed int _t48;
				signed int _t51;
				signed int _t53;
				intOrPtr _t61;
				signed int _t63;
				signed int _t65;
				void* _t66;
				void* _t69;
				signed int _t71;

				_t41 = _a4;
				_t53 = 0;
				_v24 = 0x20;
				_v32 = 0;
				_v20 = 0;
				_v28 = 0;
				_v12 = 0;
				if( *((intOrPtr*)(_t41 + 0x2c)) <= 0) {
					L17:
					_t65 = 0;
					if(_t53 <= 0) {
						L24:
						if(_v32 == 0) {
							return _t41;
						}
						free(_v32);
						return _t41;
					}
					_t69 = _a4 + 0x1d4;
					do {
						if(_t65 < 0 || _t65 >= _t53) {
							_t42 = 0;
						} else {
							_t42 =  *((intOrPtr*)(_v32 + _t65 * 4));
						}
						_t41 = E00403458(_t54, _t69, _t42);
						Sleep(0xa);
						_t65 = _t65 + 1;
					} while (_t65 < _t53);
					goto L24;
				} else {
					goto L1;
				}
				do {
					L1:
					_t44 = E00405532(_a4, _v12);
					_v16 = _v16 & 0x00000000;
					_t66 = _t44;
					_t13 = _t66 + 0x18f; // 0x18f
					if(E0040AA46(_t13,  &_v16) == 0) {
						goto L16;
					}
					_t63 = _v16;
					_t48 = 0;
					 *((intOrPtr*)(_t66 + 0x3a0)) = _t63;
					if(_t53 <= 0) {
						L9:
						_t71 = _t53;
						if(_t53 >= 0) {
							if(_t53 != 0xffffffff) {
								E00409425( &_v28, _t53,  &_v32, 4, _v24);
								_t53 = _v20;
							} else {
								free(_v32);
							}
							_t24 = _t71 + 1; // 0x1
							_t51 = _t24;
							if(_t53 < _t51) {
								_t53 = _t51;
								_v20 = _t53;
							}
							 *(_v32 + _t71 * 4) = _v16;
						}
						goto L16;
					}
					L3:
					L3:
					if(_t48 < 0 || _t48 >= _t53) {
						_t61 = 0;
					} else {
						_t61 =  *((intOrPtr*)(_v32 + _t48 * 4));
					}
					if(_t61 == _t63) {
						goto L16;
					}
					_t48 = _t48 + 1;
					if(_t48 < _t53) {
						goto L3;
					}
					goto L9;
					L16:
					_v12 = _v12 + 1;
					_t41 = _a4;
					_t54 = _v12;
				} while (_v12 <  *((intOrPtr*)(_t41 + 0x2c)));
				goto L17;
			}

0x0040b591
0x0040b595
0x0040b59c
0x0040b5a3
0x0040b5a6
0x0040b5a9
0x0040b5ac
0x0040b5af
0x0040b659
0x0040b659
0x0040b65d
0x0040b68e
0x0040b692
0x0040b6a1
0x0040b6a1
0x0040b697
0x00000000
0x0040b69c
0x0040b662
0x0040b668
0x0040b66a
0x0040b678
0x0040b670
0x0040b673
0x0040b673
0x0040b67c
0x0040b683
0x0040b689
0x0040b68a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b5b5
0x0040b5b5
0x0040b5bb
0x0040b5c0
0x0040b5c4
0x0040b5ca
0x0040b5da
0x00000000
0x00000000
0x0040b5dc
0x0040b5df
0x0040b5e3
0x0040b5e9
0x0040b606
0x0040b608
0x0040b60a
0x0040b60f
0x0040b628
0x0040b62d
0x0040b611
0x0040b614
0x0040b614
0x0040b631
0x0040b631
0x0040b637
0x0040b639
0x0040b63b
0x0040b63b
0x0040b644
0x0040b644
0x00000000
0x0040b60a
0x00000000
0x0040b5eb
0x0040b5ed
0x0040b5fb
0x0040b5f3
0x0040b5f6
0x0040b5f6
0x0040b5ff
0x00000000
0x00000000
0x0040b601
0x0040b604
0x00000000
0x00000000
0x00000000
0x0040b647
0x0040b647
0x0040b64a
0x0040b64d
0x0040b650
0x00000000

APIs

free.MSVCRT(?,?), ref: 0040B614
Sleep.KERNEL32(0000000A), ref: 0040B683
free.MSVCRT(00000000), ref: 0040B697

Part of subcall function 0040AA46: memset.MSVCRT ref: 0040AA5F
Part of subcall function 0040AA46: atoi.MSVCRT ref: 0040AA9C

Strings

, xrefs: 0040B59C

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: free$Sleepatoimemset
String ID:
API String ID: 974239163-3916222277
Opcode ID: bf18c20752a2c3d53ceb7974e038712389ea27865c16d83284f006a5178114dd
Instruction ID: fe420ae7a9214f9af618cfec97980af17a631c8c40830a620ec39472056085f8
Opcode Fuzzy Hash: bf18c20752a2c3d53ceb7974e038712389ea27865c16d83284f006a5178114dd
Instruction Fuzzy Hash: F1316071E00206ABCB049F96C8C0AAEB7B5FF44318F10443FD915B72C1D73A99428B9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040D200 Relevance: 6.1, APIs: 4, Instructions: 106
shareCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040D200(void* __ecx, struct _NETRESOURCE* _a4, void _a7) {
				int _v8;
				int _v12;
				void* _v16;
				intOrPtr _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t50;
				signed short _t59;
				void* _t60;
				intOrPtr* _t61;
				void* _t70;
				void* _t73;
				void* _t75;

				_t59 = 0xa;
				_t70 = __ecx;
				E00409E22( *((intOrPtr*)(_t70 + 0x878)), E00407C3F(_t59));
				if(WNetOpenEnumA(2, 0, 0, _a4,  &_v16) != 0) {
					L17:
					return 0;
				}
				_v12 = _v12 | 0xffffffff;
				_v8 = 1;
				E00409E22( *((intOrPtr*)(_t70 + 0x878)), E00407C3F(_t59));
				WNetEnumResourceA(_v16,  &_v12,  &_a7,  &_v8);
				if(_v8 <= 1) {
					L16:
					WNetCloseEnum(_v16);
					goto L17;
				}
				_v8 = _v8 + 0x1000;
				_t69 = _v8;
				_v24 = 0;
				_v36 = 0;
				_v32 = 0;
				_v28 = 0;
				_v20 = 0x100;
				E00408559( &_v36, _v8);
				_t73 = _v36;
				_v12 = _v12 | 0xffffffff;
				_t60 = 0x40f469;
				_t50 = 0x40f469;
				if(_t73 != 0) {
					_t50 = _t73;
				}
				if(WNetEnumResourceA(_v16,  &_v12, _t50,  &_v8) != 0) {
					L15:
					E00408540( &_v36);
					goto L16;
				}
				if(_t73 != 0) {
					_t60 = _t73;
				}
				_t75 = 0;
				if(_v12 > 0) {
					_t61 = _t60 + 0x14;
					do {
						_t29 = _t61 - 0x14; // 0x40f441
						if(_t29 != 0) {
							if( *((intOrPtr*)(_t61 - 0xc)) != 1) {
								_t31 = _t61 - 0x14; // 0x40f441
								E0040D200(_t70, _t31);
							} else {
								_t57 =  *_t61;
								if( *_t61 != 0) {
									E0040CE1C(_t69, _t70, _t57);
								}
							}
						}
						_t75 = _t75 + 1;
						_t61 = _t61 + 0x20;
					} while (_t75 < _v12);
				}
			}

0x0040d20b
0x0040d20c
0x0040d21a
0x0040d235
0x0040d316
0x0040d31a
0x0040d31a
0x0040d23b
0x0040d242
0x0040d251
0x0040d267
0x0040d26f
0x0040d30c
0x0040d30f
0x00000000
0x0040d30f
0x0040d275
0x0040d27c
0x0040d281
0x0040d284
0x0040d287
0x0040d28a
0x0040d290
0x0040d297
0x0040d29c
0x0040d29f
0x0040d2a5
0x0040d2aa
0x0040d2ac
0x0040d2ae
0x0040d2ae
0x0040d2c3
0x0040d304
0x0040d307
0x00000000
0x0040d307
0x0040d2c7
0x0040d2c9
0x0040d2c9
0x0040d2cb
0x0040d2d0
0x0040d2d2
0x0040d2d5
0x0040d2d5
0x0040d2da
0x0040d2e0
0x0040d2f0
0x0040d2f6
0x0040d2e2
0x0040d2e2
0x0040d2e6
0x0040d2e9
0x0040d2e9
0x0040d2e6
0x0040d2e0
0x0040d2fb
0x0040d2fc
0x0040d2ff
0x0040d2d5

APIs

Part of subcall function 00407C3F: GetModuleHandleA.KERNEL32(00000000,?,?,?,004074B9,?,00000000), ref: 00407C68
Part of subcall function 00407C3F: LoadStringA.USER32 ref: 00407CF2
Part of subcall function 00407C3F: memcpy.MSVCRT ref: 00407D31

Part of subcall function 00409E22: SendMessageA.USER32(00000000,00000401,00000000,?), ref: 00409E31

WNetOpenEnumA.MPR(00000002,00000000,00000000,?,?), ref: 0040D22E

Part of subcall function 00407C3F: GetModuleHandleA.KERNEL32(00000000,?,?,004074B9,?,00000000), ref: 00407CC7

WNetEnumResourceA.MPR(?,000000FF,?,?), ref: 0040D267
WNetCloseEnum.MPR(?), ref: 0040D30F

Part of subcall function 00408559: free.MSVCRT(00000000,?,00000000,0040894C,00408AA2,?,74714DE0,?,00000000), ref: 00408568

WNetEnumResourceA.MPR(?,000000FF,0040F469,00001000), ref: 0040D2BC

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Enum$HandleModuleResource$CloseLoadMessageOpenSendStringfreememcpy
String ID:
API String ID: 3502242302-0
Opcode ID: 66f54070ff903f299dedfd7262f8d53144f652eee6b3331320c20c9254886cb3
Instruction ID: 566c83fc4a2d7eb0d181db45672644d8c7d96acff2c67565bc637989ceceadf9
Opcode Fuzzy Hash: 66f54070ff903f299dedfd7262f8d53144f652eee6b3331320c20c9254886cb3
Instruction Fuzzy Hash: 67318F72D00218AADB15EBE5CD81AEFB7B8AB04314F10417BE950F62C1DB389A448B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040B753 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0040B753(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				void* _v240;
				void* _v245;
				void* _v250;
				void* _v255;
				void _v259;
				char _v260;
				intOrPtr _v264;
				char _v280;
				char _v672;
				char _v801;
				void* _v906;
				void* _v912;
				void* _v918;
				void* _v924;
				void _v930;
				char _v1059;
				char _v1188;
				char _v1200;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t36;
				void* _t37;
				void* _t62;
				void* _t63;
				signed int _t64;
				intOrPtr _t66;
				intOrPtr* _t81;
				void* _t91;
				void* _t92;

				_t62 = __ecx;
				_v260 = 0;
				memset( &_v259, 0, 0xff);
				_t81 =  &_v260;
				E00401F0A(0xff, _t62, _t81, _a8, "PIDKEY");
				_t36 = _t81;
				_t92 = _t91 + 0x14;
				_t5 = _t36 + 1; // 0x1
				_t63 = _t5;
				do {
					_t66 =  *_t36;
					_t36 = _t36 + 1;
				} while (_t66 != 0);
				_t37 = _t36 - _t63;
				if(_t37 == 0x19) {
					E0040A80B( &_v1200);
					E00401F0A(0x80, _t63,  &_v1059, _a8, "ProductID");
					_t64 = 7;
					memcpy( &_v930, "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX", _t64 << 2);
					asm("movsw");
					asm("movsd");
					asm("movsb");
					asm("movsd");
					asm("movsb");
					asm("movsd");
					asm("movsb");
					asm("movsd");
					asm("movsb");
					asm("movsd");
					asm("movsb");
					E00401DEC(_a8,  &_v280);
					_v264 = 6;
					E00409476(0x80,  &_v801, _a4 + 0x768);
					E00409476(0x104,  &_v672, _a16);
					E00409476(0x80,  &_v1188, E00407C3F(0x89a));
					 *((intOrPtr*)(_t92 + 0x24)) = " (";
					E00408CD6(E00408CD6(E00408CD6( &_v1188), _a12), ")");
					return E00405DE7(_a4, 0,  &_v1200);
				}
				return _t37;
			}

0x0040b753
0x0040b76c
0x0040b773
0x0040b782
0x0040b788
0x0040b78d
0x0040b78f
0x0040b792
0x0040b792
0x0040b795
0x0040b795
0x0040b797
0x0040b798
0x0040b79c
0x0040b7a1
0x0040b7af
0x0040b7c9
0x0040b7d0
0x0040b7dc
0x0040b7de
0x0040b7ec
0x0040b7ed
0x0040b7fa
0x0040b7fb
0x0040b808
0x0040b809
0x0040b816
0x0040b817
0x0040b82a
0x0040b82f
0x0040b830
0x0040b845
0x0040b84f
0x0040b862
0x0040b880
0x0040b887
0x0040b8a0
0x00000000
0x0040b8b7
0x0040b8ba

APIs

memset.MSVCRT ref: 0040B773

Part of subcall function 00401F0A: RegQueryValueExA.KERNELBASE(?,d!@,00000000,?,?,000003FF,?,?,?,00402164,?,000003FF,000003FF), ref: 00401F23

Strings

XXXXX-XXXXX-XXXXX-XXXXX-XXXXX, xrefs: 0040B7D1
ProductID, xrefs: 0040B7B4
PIDKEY, xrefs: 0040B778

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: QueryValuememset
String ID: PIDKEY$ProductID$XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
API String ID: 3363972335-861314722
Opcode ID: 1cdf2bce93428134c8925047dfe57b536436aba27d2566a6bf0b9342ec471be5
Instruction ID: f61c62734a97450c8f9e01e2d9151ed58a04bf6130a734142c12666bbd96faa8
Opcode Fuzzy Hash: 1cdf2bce93428134c8925047dfe57b536436aba27d2566a6bf0b9342ec471be5
Instruction Fuzzy Hash: AA31917290022A9BCF21EE15CC41BCAB379AF55308F0144F6AD4877191D7B56F8A8F99

Uniqueness

Uniqueness Score: -1.00%

Function 00409A28 Relevance: 6.1, APIs: 4, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00409A28(struct HWND__* _a4) {
				int _v12;
				char _v16;
				char _v20;
				struct tagRECT _v36;
				struct tagRECT _v52;
				void* __esi;
				intOrPtr _t34;
				int _t42;
				long _t49;
				intOrPtr _t50;
				struct HWND__* _t54;
				intOrPtr _t55;
				void* _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				int _t69;

				_t49 = 0;
				_v12 = 0;
				E004090CA( &_v16,  &_v20);
				GetWindowRect(_a4,  &_v52);
				_t54 = GetParent(_a4);
				if(_t54 == 0) {
					_t55 = _v16;
					_t34 = _v20;
				} else {
					_v36.left = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					GetWindowRect(_t54,  &_v36);
					_t49 = _v36.left;
					_t60 = _v36.top;
					_t34 = _v36.right - _t49 + 1;
					_t55 = _v36.bottom - _t60 + 1;
					_v12 = _t60;
				}
				_t61 = _v52.right;
				_t59 = _v52.left - _t61;
				asm("cdq");
				_t69 = (_t59 + _t34 - 1 - _t59 >> 1) + _t49;
				_t50 = _v52.bottom;
				asm("cdq");
				_t42 = (_v52.top - _t50 + _t55 - 1 - _t59 >> 1) + _v12;
				if(_t42 < 0) {
					_t42 = 0;
				}
				if(_t69 < 0) {
					_t69 = 0;
				}
				return MoveWindow(_a4, _t69, _t42, _t61 - _v52.left + 1, _t50 - _v52.top + 1, 1);
			}

0x00409a34
0x00409a3a
0x00409a3d
0x00409a50
0x00409a5b
0x00409a5f
0x00409a8a
0x00409a8d
0x00409a61
0x00409a63
0x00409a69
0x00409a6a
0x00409a6b
0x00409a71
0x00409a76
0x00409a79
0x00409a83
0x00409a84
0x00409a85
0x00409a85
0x00409a93
0x00409a96
0x00409a9c
0x00409aa6
0x00409aa8
0x00409ab1
0x00409ab6
0x00409ab9
0x00409abb
0x00409abb
0x00409abf
0x00409ac1
0x00409ac1
0x00409ade

APIs

Part of subcall function 004090CA: GetSystemMetrics.USER32 ref: 004090D8
Part of subcall function 004090CA: GetSystemMetrics.USER32 ref: 004090DE
Part of subcall function 004090CA: GetDC.USER32(00000000), ref: 004090EF
Part of subcall function 004090CA: GetDeviceCaps.GDI32(00000000,00000008), ref: 00409100
Part of subcall function 004090CA: GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409108
Part of subcall function 004090CA: ReleaseDC.USER32 ref: 0040910F

GetWindowRect.USER32 ref: 00409A50
GetParent.USER32(?), ref: 00409A55
GetWindowRect.USER32 ref: 00409A71
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00409AD4

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
String ID:
API String ID: 2163313125-0
Opcode ID: 942298c3d101d755c7465a8cf7374d64da193c57ac0334f9b6b79978f9ffbea1
Instruction ID: d7f44464c94bdf310ba7c3194a17dc4d655543f70f785db6c776c23c77ad5e39
Opcode Fuzzy Hash: 942298c3d101d755c7465a8cf7374d64da193c57ac0334f9b6b79978f9ffbea1
Instruction Fuzzy Hash: 1D212F76E10119AFCB11DFF8DD84CEEBBB9FB88310B04457AE915F3254D631AD058AA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA46 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AA46(intOrPtr* _a4, signed int* _a8) {
				signed int _v8;
				int _v12;
				int _v16;
				void _v115;
				char _v116;
				signed int _t32;
				char _t34;
				signed int _t37;
				int _t38;
				void* _t39;
				void* _t44;

				_t38 = 0;
				_v12 = 0;
				_v116 = 0;
				memset( &_v115, 0, 0x63);
				_t37 = 0;
				_v16 = 0;
				_v8 = 0;
				while(1) {
					_t34 =  *_a4;
					if(_t34 - 0x30 > 9) {
						goto L3;
					}
					 *((char*)(_t39 + _t38 - 0x70)) = _t34;
					_t38 = _t38 + 1;
					_t44 = _t38 - 4;
					L11:
					if(_t44 >= 0) {
						L15:
						return _v16;
					}
					_a4 = _a4 + 1;
					continue;
					L3:
					if(_t38 == 0 || _t34 != 0x2e && _t34 != 0) {
						goto L15;
					} else {
						 *((char*)(_t39 + _t38 - 0x70)) = 0;
						_t32 = atoi( &_v116);
						if(_t32 > 0xff) {
							goto L15;
						}
						_t38 = 0;
						if(_v12 > 0) {
							_t32 = _t32 << _v8;
						}
						_v8 = _v8 + 8;
						_t37 = _t37 | _t32;
						_v12 = _v12 + 1;
						if(_t34 == 0) {
							if(_v12 == 4) {
								_v16 = 1;
								 *_a8 = _t37;
							}
							goto L15;
						} else {
							goto L11;
						}
					}
				}
			}

0x0040aa4f
0x0040aa58
0x0040aa5b
0x0040aa5f
0x0040aa67
0x0040aa69
0x0040aa6c
0x0040aa6f
0x0040aa72
0x0040aa7a
0x00000000
0x00000000
0x0040aa7c
0x0040aa80
0x0040aa81
0x0040aac6
0x0040aac6
0x0040aadf
0x0040aae6
0x0040aae6
0x0040aac8
0x00000000
0x0040aa86
0x0040aa88
0x00000000
0x0040aa93
0x0040aa97
0x0040aa9c
0x0040aaa7
0x00000000
0x00000000
0x0040aaa9
0x0040aaae
0x0040aab3
0x0040aab3
0x0040aab5
0x0040aab9
0x0040aabb
0x0040aac0
0x0040aad1
0x0040aad6
0x0040aadd
0x0040aadd
0x00000000
0x0040aac2
0x00000000
0x0040aac2
0x0040aac0
0x0040aa88

APIs

memset.MSVCRT ref: 0040AA5F
atoi.MSVCRT ref: 0040AA9C

Strings

., xrefs: 0040AA8A
, xrefs: 0040AAC2

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: atoimemset
String ID: $.
API String ID: 1386486121-3929174939
Opcode ID: c38543f7ac29c7ee5ed56dc8b58fa952c277becc102d902cd1c0fe574a744c7a
Instruction ID: 8d35f9858fefca9159f603dbe3b5168525f1678bd58d80eea2b0dfff62136ede
Opcode Fuzzy Hash: c38543f7ac29c7ee5ed56dc8b58fa952c277becc102d902cd1c0fe574a744c7a
Instruction Fuzzy Hash: 2D11F031E00358AEEB209EA9C6402DEBBB4EB45700F14407BD882B72C1D3B84E46DF96

Uniqueness

Uniqueness Score: -1.00%

Function 0040847C Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040847C(void** __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _t21;
				signed int _t23;
				void* _t24;
				signed int _t31;
				void* _t33;
				void* _t44;
				signed int _t46;
				void* _t48;
				signed int _t51;
				int _t52;
				void** _t53;
				void* _t58;

				_t53 = __esi;
				_t1 =  &(_t53[1]); // 0x8
				_t51 =  *_t1;
				_t21 = 0;
				if(_t51 <= 0) {
					L4:
					_t2 =  &(_t53[2]); // 0x8
					_t33 =  *_t53;
					_t23 =  *_t2 + _t51;
					_t46 = 8;
					_t53[1] = _t23;
					_t24 = _t23 * _t46;
					_push( ~(0 | _t58 > 0x00000000) | _t24);
					L004010A4();
					_t10 =  &(_t53[1]); // 0x8
					 *_t53 = _t24;
					memset(_t24, 0,  *_t10 << 3);
					_t52 = _t51 << 3;
					memcpy( *_t53, _t33, _t52);
					if(_t33 != 0) {
						_push(_t33);
						L0040109E();
					}
					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
				} else {
					_t44 =  *__esi;
					_t48 = _t44;
					while( *_t48 != 0) {
						_t21 = _t21 + 1;
						_t48 = _t48 + 8;
						_t58 = _t21 - _t51;
						if(_t58 < 0) {
							continue;
						} else {
							goto L4;
						}
						goto L7;
					}
					_t31 = _t21 << 3;
					 *((intOrPtr*)(_t44 + _t31)) = _a4;
					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
				}
				L7:
				return 1;
			}

0x0040847c
0x0040847d
0x0040847d
0x00408480
0x00408484
0x00408497
0x00408497
0x0040849b
0x0040849d
0x004084a3
0x004084a4
0x004084a7
0x004084b0
0x004084b1
0x004084b6
0x004084c0
0x004084c2
0x004084c7
0x004084ce
0x004084d8
0x004084da
0x004084db
0x004084e0
0x004084e7
0x004084f0
0x00408486
0x00408486
0x00408488
0x0040848a
0x0040848f
0x00408490
0x00408493
0x00408495
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00408495
0x00408500
0x00408503
0x0040850c
0x0040850c
0x004084f5
0x004084f9

APIs

??2@YAPAXI@Z.MSVCRT ref: 004084B1
memset.MSVCRT ref: 004084C2
memcpy.MSVCRT ref: 004084CE
??3@YAXPAX@Z.MSVCRT ref: 004084DB

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: fdc23d6c7c355a7f8824d6f8271387e1460a6349cdae78e936a41195db118b7e
Instruction ID: b7b31846c70ad2dad921fa4f0699ce3eb2af9f70827145e0b14fe4d5444e402c
Opcode Fuzzy Hash: fdc23d6c7c355a7f8824d6f8271387e1460a6349cdae78e936a41195db118b7e
Instruction Fuzzy Hash: 6C1188712146029FD328CF2DC991A26F7E5FFC8300B24882EE5DAD7391EA75E841CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004022AF Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E004022AF(void* __ecx, intOrPtr* __edi, void* __eflags, intOrPtr _a4, CHAR* _a8, CHAR* _a12, intOrPtr _a16, CHAR* _a20) {
				void _v8199;
				char _v8200;
				signed int _t38;

				E0040EAD0(0x2004, __ecx);
				_v8200 = 0;
				if(_a4 == 0) {
					memset( &_v8199, 0, 0x2000);
					GetPrivateProfileStringA(_a8, _a12, 0x40f469,  &_v8200, 0x2000, _a20);
					asm("sbb esi, esi");
					_t38 =  ~0x2000;
					E00409940(0,  &_v8200, __edi, _a16);
				} else {
					memset( &_v8199, 0, 0x2000);
					E00408C58(_a16,  *__edi,  &_v8200);
					_t38 = WritePrivateProfileStringA(_a8, _a12,  &_v8200, _a20);
				}
				return _t38;
			}

0x004022b7
0x004022c2
0x004022c8
0x00402318
0x00402336
0x00402349
0x0040234d
0x0040234f
0x004022ca
0x004022d7
0x004022e8
0x00402306
0x00402306
0x0040235b

APIs

memset.MSVCRT ref: 004022D7

Part of subcall function 00408C58: sprintf.MSVCRT ref: 00408C94

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00402300
memset.MSVCRT ref: 00402318
GetPrivateProfileStringA.KERNEL32(?,?,0040F469,?,00002000,?), ref: 00402336

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: PrivateProfileStringmemset$Writesprintf
String ID:
API String ID: 3935685222-0
Opcode ID: 13c3db3c10bd9b4b813548ab36b3006e57b9ce8826d40c620dda9554cb8a933d
Instruction ID: 01dad1e97d0ea611c51632c9944fd68f59f6e64d5e25b22289b4f3fe4284738a
Opcode Fuzzy Hash: 13c3db3c10bd9b4b813548ab36b3006e57b9ce8826d40c620dda9554cb8a933d
Instruction Fuzzy Hash: 4E117771900219ABDF119F61DD89EDF7B7DEF14304F0404B6BA05B1152E6358A64CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00407A43 Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407A43(void* __esi, struct HWND__* _a4, signed int _a8) {
				struct tagRECT _v20;
				struct tagRECT _v36;
				int _t27;
				struct HWND__* _t33;

				_t33 = _a4;
				if((_a8 & 0x00000001) != 0) {
					_t35 = GetParent(_t33);
					GetWindowRect(_t33,  &_v20);
					GetClientRect(_t18,  &_v36);
					E004092B2(_t35,  &_v20);
					_t27 = _v36.right - _v20.right - _v36.left;
					_v20.left = _t27;
					SetWindowPos(_t33, 0, _t27, _v20.top, 0, 0, 5);
				}
				if((_a8 & 0x00000002) != 0) {
					E00408F16(_t33);
				}
				return 1;
			}

0x00407a4e
0x00407a51
0x00407a5b
0x00407a62
0x00407a6d
0x00407a78
0x00407a84
0x00407a91
0x00407a97
0x00407a9d
0x00407aa2
0x00407aa5
0x00407aaa
0x00407ab0

APIs

GetParent.USER32(?), ref: 00407A55
GetWindowRect.USER32 ref: 00407A62
GetClientRect.USER32 ref: 00407A6D

Part of subcall function 004092B2: MapWindowPoints.USER32 ref: 004092BE

SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00407A97

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: 5345c5c527c3fc3f8e9d6d880b0170da0f52ac8d1f882eaa375eb39d27b71158
Instruction ID: 48dce25d97afcd2a1de3d63898f056f379a9ad6891b358c4f11349d87d03ae6b
Opcode Fuzzy Hash: 5345c5c527c3fc3f8e9d6d880b0170da0f52ac8d1f882eaa375eb39d27b71158
Instruction Fuzzy Hash: D8018C7280010ABEEB15DBA4DD4ADFF7BBCEB45314F00413EF801B2180DB78A9058B65

Uniqueness

Uniqueness Score: -1.00%

Function 0040E5F0 Relevance: 6.0, APIs: 4, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040E5F0(void* __ecx) {
				intOrPtr _v12;
				void _v52;
				signed int _v56;
				void* __esi;
				void* _t26;
				intOrPtr* _t30;

				_t26 = __ecx;
				 *(__ecx + 0xc) =  *(__ecx + 0xc) & 0x00000000;
				E0040E1D0(__ecx);
				E0040180A(GetDlgItem( *(__ecx + 4), 0x3f0));
				 *_t30 = 0x3ea;
				E0040180A(GetDlgItem( *(_t26 + 4), ??));
				_v56 = _v56 & 0x00000000;
				memset( &_v52, 0, 0x30);
				E004017DE( &_v56, GetDlgItem( *(_t26 + 4), 0x3ef));
				E0040180A(_v12);
				return E0040DC88(_t26, _v56);
			}

0x0040e5f8
0x0040e5fa
0x0040e600
0x0040e616
0x0040e61b
0x0040e628
0x0040e62d
0x0040e639
0x0040e64f
0x0040e657
0x0040e668

APIs

GetDlgItem.USER32 ref: 0040E613

Part of subcall function 0040180A: LoadLibraryA.KERNEL32(shlwapi.dll,?,775D48C0,0040E61B,00000000), ref: 00401813
Part of subcall function 0040180A: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00401821
Part of subcall function 0040180A: FreeLibrary.KERNEL32(00000000,?,775D48C0,0040E61B,00000000), ref: 00401839

GetDlgItem.USER32 ref: 0040E625
memset.MSVCRT ref: 0040E639
GetDlgItem.USER32 ref: 0040E649

Part of subcall function 004017DE: GetModuleHandleA.KERNEL32(user32.dll,GetComboBoxInfo,0040E654,00000000), ref: 004017EE
Part of subcall function 004017DE: GetProcAddress.KERNEL32(00000000), ref: 004017F5

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Item$AddressLibraryProc$FreeHandleLoadModulememset
String ID:
API String ID: 269129164-0
Opcode ID: a030b01cc2aad7aa9a6a9bef71fa04415ad64c387887b09759075f4b579476b6
Instruction ID: cfe16cbaffc5988c80775c023091c45c56397ba5fe459ac6d31887564ce5492b
Opcode Fuzzy Hash: a030b01cc2aad7aa9a6a9bef71fa04415ad64c387887b09759075f4b579476b6
Instruction Fuzzy Hash: 84F0817290021877DB067762DD07B5EBA6DEF40329F00413AF504770E1CBBCAA118A98

Uniqueness

Uniqueness Score: -1.00%

Function 004064DF Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004064DF(intOrPtr* __ecx, intOrPtr _a4) {
				void _v259;
				char _v260;
				void _v515;
				char _v516;
				void* __esi;
				void* _t15;
				intOrPtr* _t24;
				char* _t26;

				_t24 = __ecx;
				_v260 = 0;
				memset( &_v259, 0, 0xfe);
				_v516 = 0;
				memset( &_v515, 0, 0xfe);
				_t15 =  *((intOrPtr*)( *_t24 + 0x20))();
				_t26 =  &_v260;
				E00405DB4(_t15, _t26);
				sprintf( &_v516, "</%s>\r\n", _t26);
				return E004096D5(_t24, _a4,  &_v516);
			}

0x004064f9
0x004064fb
0x00406502
0x00406511
0x00406518
0x00406524
0x00406527
0x0040652d
0x00406541
0x0040655b

APIs

memset.MSVCRT ref: 00406502
memset.MSVCRT ref: 00406518

Part of subcall function 00405DB4: _strlwr.MSVCRT ref: 00405DDE

sprintf.MSVCRT ref: 00406541

Part of subcall function 004096D5: WriteFile.KERNEL32(00000001,00000007,00000008,?,00000000,?,Mqt,00405D6B,00000001,00000001,004066BB,00000007,],00407088,00000001,?), ref: 004096F5

Strings

</%s>, xrefs: 0040653B

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: memset$FileWrite_strlwrsprintf
String ID: </%s>
API String ID: 2668691490-259020660
Opcode ID: 934da644deba16ecb91b013f8b1b9e960f504b70decd6c9124e7ad6f8a4d6ea7
Instruction ID: 2ce1b2bdd008745dd7762bb9e09ff5252843985f01a8bceac2a75e76fd85860d
Opcode Fuzzy Hash: 934da644deba16ecb91b013f8b1b9e960f504b70decd6c9124e7ad6f8a4d6ea7
Instruction Fuzzy Hash: 20F0F472A001296BEB20E71ACC49FDA776CAF44308F0400FAB50CF3182E6749E848BB5

Uniqueness

Uniqueness Score: -1.00%

Function 0040276A Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E0040276A(void* __ecx, intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				void* __esi;
				void* _t11;
				void* _t25;

				_t11 = _a4 - 0x110;
				_t25 = __ecx;
				if(_t11 == 0) {
					E004023E5(__ecx, __ecx, __eflags);
					E00409A28( *((intOrPtr*)(__ecx + 4)));
					L5:
					return E0040DA9A(_t25, _a4, _a8, _a12);
				}
				if(_t11 != 0x28 || E0040925E(_a12) == 0) {
					goto L5;
				} else {
					SetBkMode(_a8, 1);
					SetBkColor(_a8, 0xffffff);
					SetTextColor(_a8, 0xc00000);
					return GetStockObject(0);
				}
			}

0x00402770
0x00402776
0x00402778
0x004027bd
0x004027c5
0x004027cb
0x00000000
0x004027d6
0x0040277d
0x00000000
0x0040278c
0x00402791
0x0040279f
0x004027ad
0x00000000
0x004027b5

APIs

Part of subcall function 0040925E: memset.MSVCRT ref: 0040927E
Part of subcall function 0040925E: GetClassNameA.USER32(?,00000000,000000FF), ref: 00409291
Part of subcall function 0040925E: _stricmp.MSVCRT(00000000,edit), ref: 004092A3

SetBkMode.GDI32(?,00000001), ref: 00402791
SetBkColor.GDI32(?,00FFFFFF), ref: 0040279F
SetTextColor.GDI32(?,00C00000), ref: 004027AD
GetStockObject.GDI32(00000000), ref: 004027B5

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Color$ClassModeNameObjectStockText_stricmpmemset
String ID:
API String ID: 1412957716-0
Opcode ID: 31688615ce41f1f23b71f10a780bee348b510d4980943a459489b4df03f5ec30
Instruction ID: 00b1f1ed83d2abfca551c5ce8c54ad90864e0f0cb1f907095ff4be0094b59536
Opcode Fuzzy Hash: 31688615ce41f1f23b71f10a780bee348b510d4980943a459489b4df03f5ec30
Instruction Fuzzy Hash: 64F0AF31100208BBDF212FB4DE0AE8A3B21AF04B25F10853AF914B55E1CBB59C649B58

Uniqueness

Uniqueness Score: -1.00%

Function 00406D54 Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00406D54(intOrPtr* __eax, void* __edi, void* __eflags) {
				void* __esi;
				void** _t10;
				intOrPtr* _t14;
				intOrPtr* _t21;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr* _t27;

				_t21 = __eax;
				 *__eax = 0x40ff70;
				E0040685A(__eax);
				_t23 =  *((intOrPtr*)(_t21 + 0x14));
				if( *((intOrPtr*)(_t21 + 0x14)) != 0) {
					__eax = E00408540(__esi);
					_push(__esi);
					L0040109E();
				}
				_t24 =  *((intOrPtr*)(_t21 + 0x10));
				if(_t24 != 0) {
					E00408540(_t24);
					_push(_t24);
					L0040109E();
				}
				_t25 =  *((intOrPtr*)(_t21 + 0xc));
				if(_t25 != 0) {
					E00408540(_t25);
					_push(_t25);
					L0040109E();
				}
				_t26 =  *((intOrPtr*)(_t21 + 8));
				if(_t26 != 0) {
					E00408540(_t26);
					_push(_t26);
					L0040109E();
				}
				_t14 = _t21;
				_pop(_t23);
				_t27 = _t14;
				E004060D9(_t27);
				_t10 =  *((intOrPtr*)( *_t27))(_t23);
				free( *_t10);
				return _t10;
			}

0x00406d56
0x00406d58
0x00406d5e
0x00406d63
0x00406d68
0x00406d6a
0x00406d6f
0x00406d70
0x00406d75
0x00406d76
0x00406d7b
0x00406d7d
0x00406d82
0x00406d83
0x00406d88
0x00406d89
0x00406d8e
0x00406d90
0x00406d95
0x00406d96
0x00406d9b
0x00406d9c
0x00406da1
0x00406da3
0x00406da8
0x00406da9
0x00406dae
0x00406daf
0x00406db2
0x00406841
0x00406845
0x0040684e
0x00406852
0x00406859

APIs

Part of subcall function 0040685A: ??3@YAXPAX@Z.MSVCRT ref: 00406862
Part of subcall function 0040685A: ??3@YAXPAX@Z.MSVCRT ref: 00406870
Part of subcall function 0040685A: ??3@YAXPAX@Z.MSVCRT ref: 00406881
Part of subcall function 0040685A: ??3@YAXPAX@Z.MSVCRT ref: 0040689B

??3@YAXPAX@Z.MSVCRT ref: 00406D70
??3@YAXPAX@Z.MSVCRT ref: 00406D83
??3@YAXPAX@Z.MSVCRT ref: 00406D96
??3@YAXPAX@Z.MSVCRT ref: 00406DA9

Part of subcall function 00408540: free.MSVCRT(00000000,00408AF8,74714DE0,?,00000000), ref: 00408547

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: 2894e20ff8e62f276ee57ea6bb544e549afc407e7d8dd5995aaef9341981b0db
Instruction ID: df29a6d271cedee1696c46cad330ee315263fd56498c9677d61263166b1cb08b
Opcode Fuzzy Hash: 2894e20ff8e62f276ee57ea6bb544e549afc407e7d8dd5995aaef9341981b0db
Instruction Fuzzy Hash: B1F0B433B02D3027C225BB37551162E93545C41B2832A413FF945776C19F3CBD5141EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040685A Relevance: 6.0, APIs: 4, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040685A(void* __edi) {
				void* __esi;
				intOrPtr _t11;
				signed int _t12;
				signed int _t13;
				signed int* _t15;
				void* _t21;
				signed int _t23;

				_t21 = __edi;
				_t11 =  *((intOrPtr*)(__edi + 0x28));
				if(_t11 != 0) {
					_push(_t11);
					L0040109E();
				}
				_t12 =  *(_t21 + 0x38);
				if(_t12 != 0) {
					_push(_t12);
					L0040109E();
				}
				_t13 =  *(_t21 + 0x1c0);
				if(_t13 != 0) {
					_push(_t13);
					L0040109E();
				}
				_t15 = _t21 + 0x1ac;
				_t23 =  *_t15;
				if(_t23 != 0) {
					_t13 = E00405581(_t23);
					_push(_t23);
					L0040109E();
				}
				 *_t15 =  *_t15 & 0x00000000;
				 *(_t21 + 0x28) =  *(_t21 + 0x28) & 0x00000000;
				 *(_t21 + 0x38) =  *(_t21 + 0x38) & 0x00000000;
				 *(_t21 + 0x1c0) =  *(_t21 + 0x1c0) & 0x00000000;
				return _t13;
			}

0x0040685a
0x0040685a
0x0040685f
0x00406861
0x00406862
0x00406867
0x00406868
0x0040686d
0x0040686f
0x00406870
0x00406875
0x00406876
0x0040687e
0x00406880
0x00406881
0x00406886
0x00406888
0x0040688f
0x00406893
0x00406895
0x0040689a
0x0040689b
0x004068a0
0x004068a1
0x004068a4
0x004068a8
0x004068ac
0x004068b5

APIs

??3@YAXPAX@Z.MSVCRT ref: 00406862
??3@YAXPAX@Z.MSVCRT ref: 00406870
??3@YAXPAX@Z.MSVCRT ref: 00406881
??3@YAXPAX@Z.MSVCRT ref: 0040689B

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 9e56819af0c9e55bd4e5d9054ae5035dcc265fa0f17b8fae4b7232c98c92e0e5
Instruction ID: cd8ee3a7cc00217037cade8279bffa076b23806d7c1e17a483c0b38baf5ae4d8
Opcode Fuzzy Hash: 9e56819af0c9e55bd4e5d9054ae5035dcc265fa0f17b8fae4b7232c98c92e0e5
Instruction Fuzzy Hash: B0F0BB73701B116BEB14AA76D585BA67398BF04336F15052BF444F75C1CB7CE8A08698

Uniqueness

Uniqueness Score: -1.00%

Function 00402FB0 Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402FB0(void* __eflags, intOrPtr _a4) {
				void* _v12;
				intOrPtr _v16;
				char _v24;
				char _v28;
				long _t21;
				void* _t26;

				_t26 = __eflags;
				if(E00402F05(_a4, _t26, GetCurrentProcess(),  &_v12) != 0) {
					E00402ED0(_a4, __eflags,  &_v24);
					_v28 = 1;
					_v16 = 2;
					E00402E99(_a4, __eflags, _v12,  &_v28);
					_t21 = GetLastError();
					CloseHandle(_v12);
					return _t21;
				}
				return GetLastError();
			}

0x00402fb0
0x00402fcc
0x00402fdd
0x00402fec
0x00402ff3
0x00402ffa
0x00402fff
0x0040300a
0x00000000
0x00403010
0x00000000

APIs

GetCurrentProcess.KERNEL32(?), ref: 00402FBB

Part of subcall function 00402F05: GetProcAddress.KERNEL32(?,OpenProcessToken), ref: 00402F1B

GetLastError.KERNEL32(00000000), ref: 00402FCE
GetLastError.KERNEL32(?,?,?,00000000), ref: 00402FFF
CloseHandle.KERNEL32(?), ref: 0040300A

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: ErrorLast$AddressCloseCurrentHandleProcProcess
String ID:
API String ID: 3634693636-0
Opcode ID: a9fc471257d1a20b8f49f8081f5c8cb21eebaaec4fcfcdc0de4831cbb862a1aa
Instruction ID: 34acb41d2df045902c634c00220dc9942ce6b6e387b24a23f4b3dcd42e2d252e
Opcode Fuzzy Hash: a9fc471257d1a20b8f49f8081f5c8cb21eebaaec4fcfcdc0de4831cbb862a1aa
Instruction Fuzzy Hash: 5EF0F975900108ABCB10EFA4DD499DE7BBCAB08355F008036F905F2292D7749A89DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040789D Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040789D() {
				intOrPtr _t1;
				intOrPtr _t2;
				intOrPtr _t3;
				intOrPtr _t4;

				_t1 =  *0x412b50; // 0xbc36f0
				if(_t1 != 0) {
					_push(_t1);
					L0040109E();
				}
				_t2 =  *0x412b58; // 0xbcb6f8
				if(_t2 != 0) {
					_push(_t2);
					L0040109E();
				}
				_t3 =  *0x412b54; // 0xbcbf08
				if(_t3 != 0) {
					_push(_t3);
					L0040109E();
				}
				_t4 =  *0x412b5c; // 0xbcbb00
				if(_t4 != 0) {
					_push(_t4);
					L0040109E();
					return _t4;
				}
				return _t4;
			}

0x0040789d
0x004078a4
0x004078a6
0x004078a7
0x004078ac
0x004078ad
0x004078b4
0x004078b6
0x004078b7
0x004078bc
0x004078bd
0x004078c4
0x004078c6
0x004078c7
0x004078cc
0x004078cd
0x004078d4
0x004078d6
0x004078d7
0x00000000
0x004078dc
0x004078dd

APIs

??3@YAXPAX@Z.MSVCRT ref: 004078A7
??3@YAXPAX@Z.MSVCRT ref: 004078B7
??3@YAXPAX@Z.MSVCRT ref: 004078C7
??3@YAXPAX@Z.MSVCRT ref: 004078D7

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 17192fd809e84997641e4d20b4cd1796795e486df5e14e6998d4c48ab6d5ed33
Instruction ID: 06877ca6ad83b2ae15728561cf9c9a314d41464e766c8cbe8ded0b5179ca3d6f
Opcode Fuzzy Hash: 17192fd809e84997641e4d20b4cd1796795e486df5e14e6998d4c48ab6d5ed33
Instruction Fuzzy Hash: DEE01262B0824216DA24BE3AEA58E23239C5A00300314843BB400EBAE0CABCEC91813C

Uniqueness

Uniqueness Score: -1.00%

Function 00403315 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00403315(struct HWND__* _a4, int _a8, int _a12, unsigned int _a16) {
				void* __esi;
				intOrPtr _t25;
				intOrPtr _t32;
				intOrPtr* _t38;
				int _t40;
				intOrPtr* _t58;
				intOrPtr* _t59;

				_t40 = _a12;
				if(_a8 != 0x401) {
					L3:
					if(_a8 != 0x402) {
						L8:
						if(_a8 == 0x403) {
							_t58 = E00408342(0x41213c, _t40);
							if(_t58 != 0 &&  *(_t58 + 0xc) == _t40) {
								_t25 =  *((intOrPtr*)(_t58 + 8));
								if(_t25 != 0) {
									 *((intOrPtr*)( *_t58 + 0x20))(_t25, _a16 >> 0x10);
									E00403147(_t58);
									E00403231(_t58);
									 *(_t58 + 0xc) =  *(_t58 + 0xc) & 0x00000000;
								}
							}
						}
						L13:
						L14:
						return DefWindowProcA(_a4, _a8, _t40, _a16);
					}
					_t59 = E00408342(0x41213c, _t40);
					if(_t59 == 0 ||  *(_t59 + 0xc) != _t40) {
						goto L13;
					} else {
						_t32 =  *((intOrPtr*)(_t59 + 8));
						if(_t32 == 0) {
							goto L13;
						} else {
							 *((intOrPtr*)( *_t59 + 0x1c))(_t32, _a16 >> 0x10);
							E00403147(_t59);
							E00403231(_t59);
							 *(_t59 + 0xc) =  *(_t59 + 0xc) & 0x00000000;
							goto L8;
						}
					}
				}
				_t38 = E00408342(0x412130, _t40);
				if(_t38 == 0) {
					goto L14;
				} else {
					 *((intOrPtr*)( *_t38))(_a16, _a16 >> 0x10);
					goto L3;
				}
			}

0x00403320
0x00403323
0x00403348
0x00403356
0x00403391
0x00403398
0x004033a2
0x004033a6
0x004033ad
0x004033b2
0x004033c0
0x004033c3
0x004033ca
0x004033cf
0x004033cf
0x004033b2
0x004033a6
0x004033d3
0x004033d5
0x004033e7
0x004033e7
0x00403360
0x00403364
0x00000000
0x0040336b
0x0040336b
0x00403370
0x00000000
0x00403372
0x0040337e
0x00403381
0x00403388
0x0040338d
0x00000000
0x0040338d
0x00403370
0x00403364
0x0040332b
0x00403332
0x00000000
0x00403338
0x00403346
0x00000000
0x00403346

APIs

DefWindowProcA.USER32(?,00000403,?,?), ref: 004033DF

Strings

<!A, xrefs: 00403351
0!A, xrefs: 00403326

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: ProcWindow
String ID: 0!A$<!A
API String ID: 181713994-319397182
Opcode ID: ee33a22eb326f24c6a4119c2dc7f766755136b8b31b7c9b5d2ab51c1e863fbbd
Instruction ID: 3904bead1f95de25cbebf5ae52961d06e28e25bd1637153991ab2715d5a1410c
Opcode Fuzzy Hash: ee33a22eb326f24c6a4119c2dc7f766755136b8b31b7c9b5d2ab51c1e863fbbd
Instruction Fuzzy Hash: 472183757001059BDB209F16D884A6F7B9DEF44726B00803EFD86F6681CB78ED11CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00403DEE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00403DEE(void* __ebx, intOrPtr _a4) {
				void _v267;
				char _v268;
				char _v535;
				char _v796;
				char _v804;
				void* __edi;
				void* __esi;
				char* _t22;
				char _t23;
				void* _t32;
				void* _t39;

				_t32 = __ebx;
				if( *((intOrPtr*)(__ebx + 0x17c)) == 0) {
					_v268 = 0;
					memset( &_v267, 0, 0x104);
					E00409370( &_v268);
					_t22 = strrchr( &_v268, 0x2e);
					if(_t22 != 0) {
						 *_t22 = 0;
					}
					_t39 =  &_v268 - 1;
					do {
						_t23 =  *((intOrPtr*)(_t39 + 1));
						_t39 = _t39 + 1;
					} while (_t23 != 0);
					asm("movsd");
					_v796 = _t23;
					_v535 = _t23;
					asm("movsb");
					_v804 = 0x410500;
					E0040202F(_a4,  &_v804,  &_v268);
					E0040B277( *((intOrPtr*)(_t32 + 0x28c)),  &_v804);
					E0040D7F5(_t32,  &_v804);
					return E004067C5( &_v804,  *((intOrPtr*)(_t32 + 0x290)),  &_v804);
				}
				return E0040385F();
			}

0x00403dee
0x00403e00
0x00403e1a
0x00403e21
0x00403e30
0x00403e3f
0x00403e48
0x00403e4a
0x00403e4a
0x00403e53
0x00403e54
0x00403e54
0x00403e57
0x00403e58
0x00403e61
0x00403e62
0x00403e68
0x00403e7d
0x00403e7e
0x00403e88
0x00403e99
0x00403ea0
0x00000000
0x00403eab
0x00000000

APIs

memset.MSVCRT ref: 00403E21
strrchr.MSVCRT ref: 00403E3F

Part of subcall function 0040385F: RegDeleteKeyA.ADVAPI32(80000001,Software\NirSoft\ProduKey), ref: 00403869

Strings

.cfg, xrefs: 00403E5C

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Deletememsetstrrchr
String ID: .cfg
API String ID: 1270183253-3410578098
Opcode ID: c2f7d7d7a2ba31ef9d5c8a1ef3851614d45877552c3972299e6f54d17043b12b
Instruction ID: 1244f09b322500d040489ad60c7a5431e0eaf5b8084ed082cf6da73c540f3780
Opcode Fuzzy Hash: c2f7d7d7a2ba31ef9d5c8a1ef3851614d45877552c3972299e6f54d17043b12b
Instruction Fuzzy Hash: B01193318042588ADB21EA55CC45BC97B789F15308F0400FBA5887B1C3DAB86FC98FA9

Uniqueness

Uniqueness Score: -1.00%

Function 004037D9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004037D9(void* __eax, void* __edx, void* _a4) {
				void* _t13;

				 *((intOrPtr*)(_t13 + __eax + 0x33)) =  *((intOrPtr*)(_t13 + __eax + 0x33)) + __edx;
			}

0x004037df

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 0040380E
DialogBoxParamA.USER32 ref: 00403822

Strings

X$A, xrefs: 004037ED

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: DialogHandleModuleParam
String ID: X$A
API String ID: 3900296288-1843214010
Opcode ID: 190c32b13782fbbd67d3afd2f9774f7b5b2822113380fd680c4b3f8b70792bdc
Instruction ID: 90c0d700be8bfb353f8be0158d94e75308fb27c7c645674bd8d0e1a7a0188528
Opcode Fuzzy Hash: 190c32b13782fbbd67d3afd2f9774f7b5b2822113380fd680c4b3f8b70792bdc
Instruction Fuzzy Hash: F3F0E232648221ABD7208F14BE08B873BA4FB45722F124076F600EB6E0C3F94891D788

Uniqueness

Uniqueness Score: -1.00%

Function 00401A57 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401A57(void* __eflags, void* _a4) {
				void _v267;
				char _v268;
				void* _t20;

				_t20 = __eflags;
				_v268 = 0;
				memset( &_v267, 0, 0x104);
				if(E0040197B( &_v268, _t20) == 0) {
					__eflags = 0;
					return 0;
				} else {
					return 0 | ShellExecuteA(_a4, 0,  &_v268, "http://www.nirsoft.net/utils/product_cd_key_viewer.html", 0, 1) - 0x00000020 > 0x00000000;
				}
			}

0x00401a57
0x00401a6e
0x00401a75
0x00401a8a
0x00401ab3
0x00401ab6
0x00401a8c
0x00401ab2
0x00401ab2

APIs

memset.MSVCRT ref: 00401A75

Part of subcall function 0040197B: memset.MSVCRT ref: 0040199F
Part of subcall function 0040197B: strchr.MSVCRT ref: 004019E4

ShellExecuteA.SHELL32(?,00000000,00000000,http://www.nirsoft.net/utils/product_cd_key_viewer.html,00000000,00000001), ref: 00401AA1

Strings

http://www.nirsoft.net/utils/product_cd_key_viewer.html, xrefs: 00401A90

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: memset$ExecuteShellstrchr
String ID: http://www.nirsoft.net/utils/product_cd_key_viewer.html
API String ID: 3249029333-3976276414
Opcode ID: 7910c29580df3ed6ac07a51e23887044d115204bc072dcbdba1745a0440d67a0
Instruction ID: 8db647bd59944366810ad3b0aef2d40b760e56b7f40e1eb93739e24e72902cbc
Opcode Fuzzy Hash: 7910c29580df3ed6ac07a51e23887044d115204bc072dcbdba1745a0440d67a0
Instruction Fuzzy Hash: CBF09B7174420866EB60E731DC83FC977A85B14704F1400B5B685F61D0EAF4EAC88A95

Uniqueness

Uniqueness Score: -1.00%

Function 004037DA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004037DA(void* __eax, void* __edx, void* _a4) {
				void* _t13;

				 *((intOrPtr*)(_t13 + __eax + 0x33)) =  *((intOrPtr*)(_t13 + __eax + 0x33)) + __edx;
			}

0x004037df

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 0040380E
DialogBoxParamA.USER32 ref: 00403822

Strings

X$A, xrefs: 004037ED

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: DialogHandleModuleParam
String ID: X$A
API String ID: 3900296288-1843214010
Opcode ID: b60036e23f27f118f55a4f1539dc6153b523afbcc56c089bdf2f11581cb3cf0e
Instruction ID: e8a0d1a2185aab55c80aaa6428992dcbcbb91e032915ca81eb7b28d26a32c44b
Opcode Fuzzy Hash: b60036e23f27f118f55a4f1539dc6153b523afbcc56c089bdf2f11581cb3cf0e
Instruction Fuzzy Hash: 1CF05E32648261ABE7208B54BE48B8A7B90AB45761F55407AEA04EB5E0C2F988519789

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4CC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040A4CC(void* __eflags) {
				intOrPtr _v8;
				char _v12;
				struct HWND__* _t5;

				_push(_t10);
				_v12 = 8;
				_v8 = 0xff;
				_t5 = E0040A22E( &_v12);
				if(_t5 != 0) {
					return 1;
				} else {
					MessageBoxA(_t5, "Error: Cannot load the common control classes.", "Error", 0x30);
					return 0;
				}
			}

0x0040a4d0
0x0040a4d5
0x0040a4dc
0x0040a4e3
0x0040a4eb
0x0040a508
0x0040a4ed
0x0040a4fa
0x0040a503
0x0040a503

APIs

Part of subcall function 0040A22E: LoadLibraryA.KERNEL32(comctl32.dll,74714DE0,?,00000000,0040A4E8,?,?,?,?,00404E3B,74714DE0), ref: 0040A23A
Part of subcall function 0040A22E: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040A24C
Part of subcall function 0040A22E: FreeLibrary.KERNEL32(00000000,?,00000000,0040A4E8,?,?,?,?,00404E3B,74714DE0), ref: 0040A260

MessageBoxA.USER32 ref: 0040A4FA

Strings

Error: Cannot load the common control classes., xrefs: 0040A4F4
Error, xrefs: 0040A4EF

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.
API String ID: 2780580303-1911744384
Opcode ID: 347022e2b0151828456a403b813ba8db09a8fa32962488bdcb6763e1a7d1da83
Instruction ID: b0344fcad59fbfba750fb188898cd5756b8df2bccf6c29a37ac4ddfc63068f63
Opcode Fuzzy Hash: 347022e2b0151828456a403b813ba8db09a8fa32962488bdcb6763e1a7d1da83
Instruction Fuzzy Hash: 88E0CD7165030576DB109BE0DC06F5B3EFC9B0070CF100079B001F55C0E9B8E5085719

Uniqueness

Uniqueness Score: -1.00%

Function 00402ED0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00402ED0(struct HINSTANCE__** __eax, void* __eflags, intOrPtr _a4) {
				void* __esi;
				_Unknown_base(*)()* _t5;
				void* _t7;
				struct HINSTANCE__** _t8;

				_t8 = __eax;
				_t7 = 0;
				if(E00402E44(__eax) != 0) {
					_t5 = GetProcAddress( *_t8, "LookupPrivilegeValueA");
					if(_t5 != 0) {
						_t7 =  *_t5(0, "SeRestorePrivilege", _a4);
					}
				}
				return _t7;
			}

0x00402ed2
0x00402ed4
0x00402edd
0x00402ee6
0x00402eee
0x00402efc
0x00402efc
0x00402eee
0x00402f02

APIs

Part of subcall function 00402E44: LoadLibraryA.KERNEL32(advapi32.dll,00402F10,?,?,00402FCA,00000000), ref: 00402E4E

GetProcAddress.KERNEL32(?,LookupPrivilegeValueA), ref: 00402EE6

Strings

SeRestorePrivilege, xrefs: 00402EF4
LookupPrivilegeValueA, xrefs: 00402EDF

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: LookupPrivilegeValueA$SeRestorePrivilege
API String ID: 2574300362-3629819652
Opcode ID: 89ce0f7b4f126065a1c7a65b511489be535fb811c086fb336b13717148c78a6e
Instruction ID: 1fe47dd537e7bcc40188d022c6eaf6a30b01017463a59bf03c137842652037d1
Opcode Fuzzy Hash: 89ce0f7b4f126065a1c7a65b511489be535fb811c086fb336b13717148c78a6e
Instruction Fuzzy Hash: F9D02B3238000477C261662ADE04A5B69976BD07603190037F418F21E5CAB88C016168

Uniqueness

Uniqueness Score: -1.00%

Function 0040A136 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A136(intOrPtr __eax, struct HWND__* _a4, int _a8, char _a12) {
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v40;

				_v32 = __eax;
				_v36 = 0;
				_v28 = 0;
				_v20 = 0;
				_v16 = 0;
				_t6 =  &_a12; // 0x406824
				_v12 =  *_t6;
				_v40 = 0x22;
				return SendMessageA(_a4, 0x101a, _a8,  &_v40);
			}

0x0040a13c
0x0040a141
0x0040a144
0x0040a147
0x0040a14a
0x0040a14d
0x0040a150
0x0040a15a
0x0040a170

APIs

SendMessageA.USER32(00000000,0000101A,?,?), ref: 0040A169

Strings

", xrefs: 0040A15A
$h@, xrefs: 0040A14D

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: MessageSend
String ID: "$$h@
API String ID: 3850602802-3067084051
Opcode ID: de56f724fb9ae890c66ab502fb9fa9fe2f3facd50323fd4bb32e755243d8e3ab
Instruction ID: acf931b6209f60bcc2457a210b08fcf43fa9132fe176111a53f0c577b6300f7a
Opcode Fuzzy Hash: de56f724fb9ae890c66ab502fb9fa9fe2f3facd50323fd4bb32e755243d8e3ab
Instruction Fuzzy Hash: 8DE0CAB4D0020DAFCF40CFA8D845ADEBBF8FB08300F00806AE819F2240E3759A418F94

Uniqueness

Uniqueness Score: -1.00%

Function 00408B01 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408B01(intOrPtr _a4) {
				struct _SHELLEXECUTEINFOA _v64;

				memset( &(_v64.fMask), 0, 0x38);
				_v64.lpParameters = _v64.lpParameters & 0x00000000;
				_v64.lpFile = _a4;
				_v64.cbSize = 0x3c;
				_v64.lpVerb = "RunAs";
				_v64.nShow = 5;
				return ShellExecuteExA( &_v64);
			}

0x00408b0f
0x00408b17
0x00408b1b
0x00408b25
0x00408b2c
0x00408b33
0x00408b41

APIs

memset.MSVCRT ref: 00408B0F
ShellExecuteExA.SHELL32(?), ref: 00408B3A

Strings

<, xrefs: 00408B25

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: ExecuteShellmemset
String ID: <
API String ID: 3297275784-4251816714
Opcode ID: 7e5e6608a09380d2bd148108facc68ecf56d6020417a3b692463236840ad4062
Instruction ID: c198d35da42c218bcd810d9e50396ccbe93a7ad46f5a8d194a4f324d7ca2a9b2
Opcode Fuzzy Hash: 7e5e6608a09380d2bd148108facc68ecf56d6020417a3b692463236840ad4062
Instruction Fuzzy Hash: B3E09270D0020CABDB00EFD5E849BCD7BBCBB04345F404425F514FA291D7B855598F99

Uniqueness

Uniqueness Score: -1.00%

Function 004093AB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004093AB(struct HWND__* _a4, long _a8) {
				int _t7;

				_t7 = SendMessageA(_a4, 0x143, 0, _a8);
				SendMessageA(_a4, 0x151, _t7, 0);
				return _t7;
			}

0x004093c6
0x004093d2
0x004093d8

APIs

SendMessageA.USER32(?,00000143,00000000,?), ref: 004093C2
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004093D2

Strings

Windows, xrefs: 004093AB

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: MessageSend
String ID: Windows
API String ID: 3850602802-744143879
Opcode ID: 5c012a00be2d7bd9015f11c1a330e23239ffca2387d3ffb02c142c258d5ad922
Instruction ID: 41ba91bf11372e2e2ddc00ea00c4f305c4c6c6a22ea4369fd248fc56a941c4a1
Opcode Fuzzy Hash: 5c012a00be2d7bd9015f11c1a330e23239ffca2387d3ffb02c142c258d5ad922
Instruction Fuzzy Hash: 86D0A73638431077DA114A05FC01F8B3FA5EBC4B50F04043AF300AA1F0C1A18C0A8BD0

Uniqueness

Uniqueness Score: -1.00%

Function 004073F7 Relevance: 5.1, APIs: 4, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004073F7(void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t80;
				signed int _t81;
				signed int _t82;
				signed int _t83;
				void* _t85;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t96;
				intOrPtr* _t98;
				signed int _t113;
				signed int _t116;
				signed int _t126;
				signed int _t128;
				void* _t130;
				signed int _t131;
				intOrPtr* _t142;
				signed int _t143;
				signed int _t147;
				signed int _t148;
				void* _t150;
				void* _t151;
				void* _t155;

				_t151 = __eflags;
				_t98 = _a4;
				 *((intOrPtr*)(_t98 + 4)) =  *((intOrPtr*)( *_t98 + 0x60))();
				E0040685A(_t98);
				 *(_t98 + 0x30) =  *(_t98 + 0x30) & 0x00000000;
				_t143 = 7;
				 *((intOrPtr*)(_t98 + 0x190)) = _a8;
				_t126 = 0x14;
				_t80 = _t143 * _t126;
				 *(_t98 + 0x1bc) = _t143;
				_push( ~(0 | _t151 > 0x00000000) | _t80);
				L004010A4();
				 *(_t98 + 0x1c0) = _t80;
				_t81 = _t143;
				_t128 = 0x10;
				_t82 = _t81 * _t128;
				_push( ~(0 | _t151 > 0x00000000) | _t82);
				L004010A4();
				_t130 = 0x412018;
				 *(_t98 + 0x38) = _t82;
				_v8 = 0x412018;
				do {
					_t83 =  *_t130;
					_v12 = _t83;
					_t113 = 5;
					_t85 = memcpy( *(_t98 + 0x1c0) + _t83 * 0x14, _t130, _t113 << 2);
					_t150 = _t150 + 0xc;
					_t116 = _v12 << 4;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t147 =  *( *(_t98 + 0x1c0) + _t85 + 0x10);
					_v16 = _t85;
					_v12 = _t116;
					 *(_t116 +  *(_t98 + 0x38) + 0xc) = _t147;
					if((_t147 & 0xffff0000) == 0) {
						_t96 = E00407C3F(_t147 & 0x0000ffff);
						_t142 = _a4;
						 *((intOrPtr*)( *((intOrPtr*)(_t142 + 0x1c0)) + _v16 + 0x10)) = _t96;
						 *((intOrPtr*)(_v12 +  *((intOrPtr*)(_t142 + 0x38)) + 0xc)) = E00407C3F(_t147 | 0x00010000);
						_t130 = _v8;
						_t98 = _t142;
					}
					_t130 = _t130 + 0x24;
					_t155 = _t130 - 0x412114;
					_v8 = _t130;
				} while (_t155 < 0);
				 *(_t98 + 0x3c) =  *(_t98 + 0x3c) & 0x00000000;
				_t148 = 7;
				 *((intOrPtr*)(_t98 + 0x40)) = _a12;
				_t131 = 4;
				_t89 = _t148 * _t131;
				 *(_t98 + 0x24) = _t148;
				 *((intOrPtr*)(_t98 + 0x20)) = 0x20;
				_push( ~(0 | _t155 > 0x00000000) | _t89);
				L004010A4();
				_push(0xc);
				 *(_t98 + 0x28) = _t89;
				L004010A4();
				_t149 = _t89;
				if(_t89 == 0) {
					_t90 = 0;
					__eflags = 0;
				} else {
					_t90 = E00405596(_a8,  *((intOrPtr*)(_t98 + 0x4c)), _t149);
				}
				 *(_t98 + 0x1a8) =  *(_t98 + 0x1a8) & 0x00000000;
				 *((intOrPtr*)(_t98 + 0x1ac)) = _t90;
				 *((intOrPtr*)(_t98 + 0x44)) = 1;
				 *((intOrPtr*)(_t98 + 0x1a4)) = 1;
				 *((intOrPtr*)(_t98 + 0x1b0)) = 1;
				 *((intOrPtr*)(_t98 + 0x1b4)) = 1;
				 *((intOrPtr*)(_t98 + 0x1d0)) = 0x32;
				 *((intOrPtr*)(_t98 + 0x50)) = 0xffffff;
				return E00406CEB(_t98);
			}

0x004073f7
0x004073fe
0x0040740c
0x0040740f
0x00407417
0x0040741d
0x0040741e
0x00407428
0x0040742b
0x00407430
0x0040743a
0x0040743b
0x00407441
0x00407447
0x0040744c
0x0040744d
0x00407456
0x00407457
0x0040745d
0x00407463
0x00407466
0x00407469
0x00407469
0x00407471
0x0040747b
0x0040747e
0x0040747e
0x00407486
0x0040748e
0x0040748f
0x00407490
0x00407491
0x00407498
0x004074a2
0x004074a8
0x004074ab
0x004074af
0x004074b4
0x004074b9
0x004074cd
0x004074dc
0x004074e0
0x004074e3
0x004074e3
0x004074e5
0x004074e8
0x004074ee
0x004074ee
0x004074fa
0x00407500
0x00407501
0x00407508
0x0040750b
0x00407510
0x00407513
0x0040751e
0x0040751f
0x00407524
0x00407526
0x00407529
0x0040752e
0x00407534
0x00407543
0x00407543
0x00407536
0x0040753c
0x0040753c
0x00407545
0x0040754c
0x00407555
0x00407558
0x0040755e
0x00407564
0x0040756c
0x00407576
0x00407586

APIs

Part of subcall function 0040685A: ??3@YAXPAX@Z.MSVCRT ref: 00406862
Part of subcall function 0040685A: ??3@YAXPAX@Z.MSVCRT ref: 00406870
Part of subcall function 0040685A: ??3@YAXPAX@Z.MSVCRT ref: 00406881
Part of subcall function 0040685A: ??3@YAXPAX@Z.MSVCRT ref: 0040689B

??2@YAPAXI@Z.MSVCRT ref: 0040743B
??2@YAPAXI@Z.MSVCRT ref: 00407457
??2@YAPAXI@Z.MSVCRT ref: 0040751F
??2@YAPAXI@Z.MSVCRT ref: 00407529

Part of subcall function 00407C3F: GetModuleHandleA.KERNEL32(00000000,?,?,?,004074B9,?,00000000), ref: 00407C68
Part of subcall function 00407C3F: LoadStringA.USER32 ref: 00407CF2
Part of subcall function 00407C3F: memcpy.MSVCRT ref: 00407D31

Part of subcall function 00407C3F: GetModuleHandleA.KERNEL32(00000000,?,?,004074B9,?,00000000), ref: 00407CC7

Memory Dump Source

Source File: 00000000.00000002.580357064.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.580349012.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580373729.000000000040F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580390611.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.580396905.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ProduKey.jbxd

Similarity

API ID: ??2@??3@$HandleModule$LoadStringmemcpy
String ID:
API String ID: 3735328086-0
Opcode ID: e1956fb1710e1b637097be39055978df204d476d01dd7b53b542abee966fe4ae
Instruction ID: 2f9dee61db984c53b1155ff23c31f763096d0de7566c4a88c8be15059e7efcd5
Opcode Fuzzy Hash: e1956fb1710e1b637097be39055978df204d476d01dd7b53b542abee966fe4ae
Instruction Fuzzy Hash: 0C413A72A012009FDB18DF29C48169A7BA5BF48314F1581BFED09EF386D7B5E8418B94

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ProduKey.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: ProduKey.exePID: 4460, Parent PID: 3528

General

Chronological Activities

Windows Analysis Report
ProduKey.exe

Function 0040C73D Relevance: 49.3, APIs: 17, Strings: 11, Instructions: 292
registryCOMMON

Function 0040C06D Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 180
registryCOMMON

Function 004062A6 Relevance: 25.6, APIs: 17, Instructions: 103
windowCOMMON

Function 0040BC45 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 119
registryCOMMON

Function 00404E27 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 129
windownetworkCOMMON

Function 004047B6 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 229
windowregistryCOMMON

Function 004010E0 Relevance: 18.1, APIs: 12, Instructions: 128
COMMON

Function 0040BDBF Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103
registryCOMMON

Function 0040C53D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 68
registryCOMMON

Function 0040B074 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 165
COMMON

Function 0040CFC7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99
registryCOMMON

Function 00403965 Relevance: 9.1, APIs: 6, Instructions: 64
COMMON

Function 0040D99C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 45
COMMON

Function 0040B8BD Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 136
COMMON

Function 0040C2B2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55
registryCOMMON

Function 0040C6A7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
registryCOMMON

Function 0040C61B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48
registryCOMMON

Function 004043A7 Relevance: 6.0, APIs: 4, Instructions: 46
windowCOMMON

Function 00409425 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 38
COMMON

Function 0040CAFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
registryCOMMON

Function 004046C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21
COMMON

Function 0040B715 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21
registryCOMMON

Function 00409D54 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
COMMON

Function 0040781B Relevance: 5.0, APIs: 4, Instructions: 36
COMMON

Function 00405108 Relevance: 4.6, APIs: 3, Instructions: 95
windowCOMMON

Function 0040B452 Relevance: 4.5, APIs: 3, Instructions: 17
windowCOMMON

Function 00401F0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20
registryCOMMON

Function 00409396 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 7
COMMON

Function 00409E38 Relevance: 3.0, APIs: 2, Instructions: 23
windowCOMMON

Function 0040D722 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Function 00409923 Relevance: 3.0, APIs: 2, Instructions: 10
COMMON

Function 0040D5FD Relevance: 3.0, APIs: 2, Instructions: 8
COMMON

Function 0040A171 Relevance: 1.5, APIs: 1, Instructions: 29
windowCOMMON

Function 00402134 Relevance: 1.5, APIs: 1, Instructions: 29
registryCOMMON

Function 00401EC5 Relevance: 1.5, APIs: 1, Instructions: 18
registryCOMMON

Function 00409EC9 Relevance: 1.5, APIs: 1, Instructions: 16
windowCOMMON

Function 00409DF6 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Function 0040A208 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Function 00401EEC Relevance: 1.5, APIs: 1, Instructions: 13
registryCOMMON

Function 00403870 Relevance: 1.5, APIs: 1, Instructions: 9
timeCOMMON

Function 00401F5D Relevance: 1.5, APIs: 1, Instructions: 7
registryCOMMON

Function 00408C45 Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Function 0040D83B Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 0040D62E Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Function 00409370 Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Function 0040D65F Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 00401ACF Relevance: 38.6, APIs: 11, Strings: 11, Instructions: 75
libraryloaderCOMMON

Function 0040180A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21
libraryloaderCOMMON