Create Interactive Tour

Windows Analysis Report NoSleep!.exe

Overview

General Information

Sample Name:	NoSleep!.exe
Analysis ID:	464262
MD5:	720f91e9f818a0ac3122a12e95b76d48
SHA1:	47c44510621f92b61b3f8c9c19a8a672f89dfdff
SHA256:	91fd58d7d04718bb7845cf3f912fdebf99bff1dad2196ff5bf33244c3f7f19bf
Infos:
Most interesting Screenshot:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to simulate keystroke presses

Found evasive API chain (date check)

PE file contains strange resources

Program does not show much activity (idle)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

NoSleep!.exe (PID: 5108 cmdline: 'C:\Users\user\Desktop\NoSleep!.exe' MD5: 720F91E9F818A0AC3122A12E95B76D48)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: NoSleep!.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: NoSleep!.exe	String found in binary or memory: http://go.to/;
Source: NoSleep!.exe	String found in binary or memory: http://go.to/;o
Source: NoSleep!.exe	String found in binary or memory: http://go.to/zeniko
Source: NoSleep!.exe, 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp	String found in binary or memory: http://go.to/zenikoopenControl
Source: NoSleep!.exe	String found in binary or memory: http://www.swatch.com/alu_beat/fs_itime.html

Source: C:\Users\user\Desktop\NoSleep!.exe

Code function: 0_2_00401570 keybd_event,keybd_event,keybd_event,keybd_event,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,NtdllDefWindowProc_A,

0_2_00401570

Source: NoSleep!.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: NoSleep!.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: clean3.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\NoSleep!.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\NoSleep!.exe

Code function: 0_2_00401250 RtlZeroMemory,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,lstrcmpi,LoadStringA,MessageBoxA,FindWindowA,PostMessageA,PostMessageA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadStringA,MessageBoxA,RegisterClipboardFormatA,RtlZeroMemory,LoadCursorA,LoadIconA,RegisterClassA,CreateWindowExA,LoadStringA,MessageBoxA,TranslateMessage,DispatchMessageA,GetMessageA,FreeLibrary,

0_2_00401250

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\NoSleep!.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\NoSleep!.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-801

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\NoSleep!.exe

0_2_00401250

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\NoSleep!.exe

Code function: 0_2_00401570 keybd_event,keybd_event,keybd_event,keybd_event,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,NtdllDefWindowProc_A,

0_2_00401570

Source: NoSleep!.exe, 00000000.00000002.598194735.0000000000E30000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: NoSleep!.exe, 00000000.00000002.598194735.0000000000E30000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: NoSleep!.exe, 00000000.00000002.598194735.0000000000E30000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: NoSleep!.exe, 00000000.00000002.598194735.0000000000E30000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\NoSleep!.exe

Code function: 0_2_00402527 GetSystemTime,

0_2_00402527

Source: C:\Users\user\Desktop\NoSleep!.exe

Code function: 0_2_00402378 GetVersionExA,

0_2_00402378

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API2	Path Interception	Process Injection1	Software Packing1	OS Credential Dumping	System Time Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	System Information Discovery3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
NoSleep!.exe	3%	Virustotal	Browse
NoSleep!.exe	0%	Metadefender	Browse
NoSleep!.exe	4%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://go.to/;	0%	Avira URL Cloud	safe
http://go.to/;o	0%	Avira URL Cloud	safe
http://go.to/zeniko	0%	Avira URL Cloud	safe
http://go.to/zenikoopenControl	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://go.to/;	NoSleep!.exe	false	Avira URL Cloud: safe	unknown
http://go.to/;o	NoSleep!.exe	false	Avira URL Cloud: safe	unknown
http://go.to/zeniko	NoSleep!.exe	false	Avira URL Cloud: safe	unknown
http://www.swatch.com/alu_beat/fs_itime.html	NoSleep!.exe	false		high
http://go.to/zenikoopenControl	NoSleep!.exe, 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	464262
Start date:	12.08.2021
Start time:	16:22:59
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	NoSleep!.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean3.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 98.7% (good quality ratio 92.2%) Quality average: 76% Quality standard deviation: 31.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	6.429160675518865
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	NoSleep!.exe
File size:	11808
MD5:	720f91e9f818a0ac3122a12e95b76d48
SHA1:	47c44510621f92b61b3f8c9c19a8a672f89dfdff
SHA256:	91fd58d7d04718bb7845cf3f912fdebf99bff1dad2196ff5bf33244c3f7f19bf
SHA512:	662a523cc30db0456d1d7f5822aa0950fe178d3a973874918c63c2b1a6a76e821805c8343e90782b8079d5552505f2fc2da3583f8ff5c7be432399e389d70ab6
SSDEEP:	192:u++1ytmJ78iRJoIz0Ssp3X4rvy3OSbO0mi:u++1ytc8oJoIz0T3X4rKLbO0mi
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...".V>...............7. ... ...p..0.............@........................................................................

File Icon


Icon Hash:	0cfcf2eaeee06004

Static PE Info

General
Entrypoint:	0x409830
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x3E56A122 [Fri Feb 21 21:58:58 2003 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	f993086505d693897b9a8112da5bd018

Entrypoint Preview

Instruction
pushad
mov esi, 00408015h
lea edi, dword ptr [esi-00007015h]
push edi
or ebp, FFFFFFFFh
jmp 00007F9C30819FE2h
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F9C30819FD9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F9C30819FBFh
mov eax, 00000001h
add ebx, ebx
jne 00007F9C30819FD9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F9C30819FC1h
jne 00007F9C30819FDBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F9C30819FB6h
xor ecx, ecx
sub eax, 03h
jc 00007F9C30819FDFh
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F9C3081A046h
mov ebp, eax
add ebx, ebx
jne 00007F9C30819FD9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jne 00007F9C30819FD9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jne 00007F9C30819FF2h
inc ecx
add ebx, ebx
jne 00007F9C30819FD9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F9C30819FC1h
jne 00007F9C30819FDBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F9C30819FB6h
add ecx, 02h
cmp ebp, FFFFF300h
adc ecx, 01h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F9C30819FE1h
mov al, byte ptr [edx]
inc edx
mov byte ptr [edi], al
inc edi
dec ecx
jne 00007F9C30819FC9h
jmp 00007F9C30819F38h
nop
mov eax, dword ptr [edx]
add edx, 04h
mov dword ptr [edi], eax
add edi, 04h
sub ecx, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaee0	0x134	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0xee0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x7000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1	0x8000	0x2000	0x1a00	False	0.958233173077	data	7.73395527482	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x2000	0x1200	False	0.368489583333	data	3.80979067444	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0x63a0	0xe8	empty	English	United States
RT_BITMAP	0x6488	0x68	empty	English	United States
RT_ICON	0xa3a4	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xa4d0	0x2e8	data	English	United States
RT_ICON	0x6900	0x128	empty	English	United States
RT_ICON	0x6a28	0x2e8	empty	English	United States
RT_MENU	0x6d10	0xc8	empty	English	United States
RT_MENU	0x6dd8	0x7c	empty	English	United States
RT_DIALOG	0x6e54	0x1a8	empty	English	United States
RT_DIALOG	0x6ffc	0x21c	empty	English	United States
RT_STRING	0x7218	0x2b2	empty	English	United States
RT_GROUP_ICON	0xa7bc	0x22	data	English	United States
RT_GROUP_ICON	0x74f0	0x22	empty	English	United States
RT_VERSION	0xa7e4	0x4b0	data	English	United States
RT_MANIFEST	0xac98	0x246	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, ExitProcess
ADVAPI32.DLL	RegCloseKey
CRTDLL.DLL	pow
GDI32.DLL	BitBlt
USER32.DLL	GetDC

Version Infos

Description	Data
LegalCopyright	Copyleft 2001 - 2003 Simon Bnzli
zeniko's Corollary	Perfect software isn't.
FileVersion	2.18
License	NoSleep! is FREEWARE. You are licensed to do anything with this software, as long as you don't modify it or make money out of it. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT WARRANTY OF ANY KIND.
About Internet Time	http://www.swatch.com/alu_beat/fs_itime.html
Contact	eMail: zeniko@gmx.ch \| Website: http://go.to/zeniko
FileDescription	Prevents any screen saving feature.

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

• NoSleep!.exe

Click to jump to process

Memory Usage

• NoSleep!.exe

Click to jump to process

System Behavior

Analysis Process: NoSleep!.exe PID: 5108 Parent PID: 5764

Function Logs

General

Start time:	16:23:52
Start date:	12/08/2021
Path:	C:\Users\user\Desktop\NoSleep!.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\NoSleep!.exe'
Imagebase:	0x400000
File size:	11808 bytes
MD5 hash:	720F91E9F818A0AC3122A12E95B76D48
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Windows UI Activities

Window Created

Window UI Found

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Analysis Process: NoSleep!.exe PID: 5108 Parent PID: 5764 NoSleep!.exeCOMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	17.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.4%
Total number of Nodes:	350
Total number of Limit Nodes:	3

Callgraph

Hide Legend

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401250, Relevance: 68.5, APIs: 28, Strings: 11, Instructions: 237
windowstringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00401250(void* __ecx, struct HINSTANCE__* _a4, char _a12) {
				struct tagMSG _v32;
				char _v33;
				struct _WNDCLASSA _v73;
				struct HINSTANCE__* _v80;
				signed int _v84;
				signed int _v92;
				char _t47;
				char _t48;
				char _t49;
				char _t50;
				char _t51;
				char _t52;
				struct HWND__* _t59;
				struct HWND__* _t60;
				struct HINSTANCE__* _t61;
				_Unknown_base(*)()* _t65;
				CHAR* _t71;
				struct HICON__* _t73;
				struct HWND__* _t76;
				long _t91;
				void* _t92;
				struct HINSTANCE__* _t94;
				struct HINSTANCE__* _t95;
				_Unknown_base(*)()* _t96;
				signed int _t101;
				char* _t103;
				char* _t104;

				_t92 = __ecx;
				_t1 =  &_a12; // 0x404024
				_t104 =  *_t1;
				_v84 = _v84 & 0x00000000;
				_t91 = 0;
				 *0x403124 = _a4;
				_v32.wParam = _v32.wParam & 0x00000000;
				_push(0x10);
				_push(0x403134);
				L004029B8();
				while(( *( *_t104 + 0x404225) & 0x00000008) != 0) {
					_t104 = _t104 + 1;
				}
				while( *_t104 == 0x2f) {
					_t103 = _t104 + 1;
					while(1) {
						_t47 =  *_t103;
						if(( *(_t47 + 0x404225) & 0x00000008) != 0 || _t47 == 0x2f || _t47 == 0) {
							break;
						}
						_t103 = _t103 + 1;
					}
					_t48 =  *_t103;
					_v33 = _t48;
					if( *_t103 != 0) {
						 *_t103 = 0;
						_t103 = _t103 + 1;
					}
					_push("/off");
					_push(_t104);
					L004029D0();
					_t49 = _t48;
					if(_t49 != 0) {
						_push("/tgl");
						_push(_t104);
						L004029D0();
						_t50 = _t49;
						if(_t50 != 0) {
							_push("/on");
							_push(_t104);
							L004029D0();
							_t51 = _t50;
							if(_t51 != 0) {
								_push("/x");
								_push(_t104);
								L004029D0();
								_t52 = _t51;
								if(_t52 != 0) {
									_push("/tray");
									_push(_t104);
									L004029D0();
									if(_t52 != 0) {
										LoadStringA( *0x403124, 0xf, 0x403144, 0x20e);
										MessageBoxA(0, 0x403144,  *0x404038, 0x40);
										L41:
										if(_v80 != 0) {
											FreeLibrary(_v80);
										}
										return _v32.wParam;
									}
									_v84 = 1;
									goto L22;
								}
								_t91 = 0x3eb;
								goto L22;
							}
							_t91 = 0x3e9;
							goto L22;
						}
						_t91 = 0x3e8;
						goto L22;
					} else {
						_t91 = 0x3ea;
						L22:
						if(_v33 == 0x2f) {
							_t103 = _t103 - 1;
							 *_t103 = 0x2f;
						}
						_t104 = _t103;
						while(( *( *_t104 + 0x404225) & 0x00000008) != 0) {
							_t104 = _t104 + 1;
						}
						continue;
					}
				}
				_t59 = FindWindowA( *0x40403c,  *0x404038); // executed
				 *0x403114 = _t59;
				_t60 = _t59;
				if(_t60 == 0) {
					if(_t91 == 0x3eb) {
						goto L41;
					}
					_t61 = LoadLibraryA("SHELL32"); // executed
					_t94 = _t61;
					_v80 = _t94;
					_t95 = _t94;
					if(_t95 == 0) {
						L35:
						LoadStringA( *0x403124, 0xa, 0x403144, 0x20e);
						MessageBoxA(0, 0x403144,  *0x404038, 0x30);
						_v32.wParam = 3;
						goto L41;
					}
					_t96 = GetProcAddress(_t95, "Shell_NotifyIconA");
					 *0x40312c = _t96;
					if(_t96 == 0) {
						goto L35;
					}
					_t65 = GetProcAddress(_v80, "ShellExecuteA");
					 *0x403128 = _t65;
					if(_t65 != 0) {
						 *0x403104 = RegisterClipboardFormatA("TaskbarCreated");
						_push(0x28);
						_push( &_v73);
						L004029B8();
						_v73.lpfnWndProc = E00401570;
						_v73.hInstance =  *0x403124;
						_t71 =  *0x40403c; // 0x404169
						_v73.lpszClassName = _t71;
						_v73.hCursor = LoadCursorA(0, 0x7f00);
						_t73 = LoadIconA( *0x403124, 0x64); // executed
						_v73.hIcon = _t73;
						RegisterClassA( &_v73);
						_t76 = CreateWindowExA(0,  *0x40403c,  *0x404038, 0x80000000, 0, 0, 0, 0, 0, 0,  *0x403124, 0); // executed
						 *0x403114 = _t76;
						if(_t76 != 0) {
							E00401850(_t92, _t91); // executed
							while(GetMessageA( &_v32, 0, 0, 0) != 0) {
								TranslateMessage( &_v32);
								DispatchMessageA( &_v32);
							}
							goto L41;
						}
						LoadStringA( *0x403124, 0xb, 0x403144, 0x20e);
						MessageBoxA(0, 0x403144,  *0x404038, 0x30);
						_v32.wParam = 4;
						goto L41;
					}
					goto L35;
				}
				_v32.wParam = 0 | PostMessageA(_t60, 0x404, 0, _t91) == 0x00000000;
				if(_v84 != 0) {
					_t101 = 0 | PostMessageA( *0x403114, 0x402, 0, 0) == 0x00000000;
					_v92 = _t101;
					_v32.wParam = _v32.wParam + _t101;
				}
				goto L41;
			}

0x00401250
0x00401259
0x00401259
0x0040125c
0x00401260
0x00401265
0x0040126a
0x0040126e
0x00401270
0x00401275
0x0040127d
0x0040127c
0x0040127c
0x00401378
0x00401291
0x00401295
0x00401295
0x004012a0
0x00000000
0x00000000
0x00401294
0x00401294
0x004012ab
0x004012ad
0x004012b3
0x004012b5
0x004012b8
0x004012b8
0x004012b9
0x004012be
0x004012bf
0x004012c4
0x004012c6
0x004012d2
0x004012d7
0x004012d8
0x004012dd
0x004012df
0x004012e8
0x004012ed
0x004012ee
0x004012f3
0x004012f5
0x004012fe
0x00401303
0x00401304
0x00401309
0x0040130b
0x00401314
0x00401319
0x0040131a
0x00401321
0x0040133e
0x00401352
0x00401558
0x0040155c
0x00401561
0x00401561
0x0040156d
0x0040156d
0x00401323
0x00000000
0x00401323
0x0040130d
0x00000000
0x0040130d
0x004012f7
0x00000000
0x004012f7
0x004012e1
0x00000000
0x004012c8
0x004012c8
0x0040135c
0x00401360
0x00401362
0x00401363
0x00401363
0x00401366
0x0040136b
0x0040136a
0x0040136a
0x00000000
0x0040136b
0x004012c6
0x0040138d
0x00401392
0x00401397
0x00401399
0x004013e9
0x00000000
0x00000000
0x004013f4
0x004013f9
0x004013fb
0x004013fe
0x00401400
0x0040142f
0x00401441
0x00401455
0x0040145a
0x00000000
0x0040145a
0x0040140d
0x0040140f
0x00401417
0x00000000
0x00000000
0x00401421
0x00401426
0x0040142d
0x00401470
0x00401475
0x0040147a
0x0040147b
0x00401486
0x0040148e
0x00401491
0x00401496
0x004014a5
0x004014b0
0x004014b5
0x004014bc
0x004014e8
0x004014ed
0x004014f4
0x0040152b
0x00401545
0x00401537
0x00401540
0x00401540
0x00000000
0x00401545
0x00401508
0x0040151c
0x00401521
0x00000000
0x00401521
0x00000000
0x0040142d
0x004013b0
0x004013b7
0x004013d5
0x004013d8
0x004013db
0x004013db
0x00000000

APIs

RtlZeroMemory.NTDLL(00403134,00000010), ref: 00401275
lstrcmpi.KERNEL32($@@(@@,/off), ref: 004012BF
lstrcmpi.KERNEL32($@@(@@,/tgl), ref: 004012D8
lstrcmpi.KERNEL32($@@(@@,/on), ref: 004012EE
lstrcmpi.KERNEL32($@@(@@,00404134), ref: 00401304
lstrcmpi.KERNEL32($@@(@@,/tray), ref: 0040131A
FindWindowA.USER32($@@(@@,/tray), ref: 0040138D
PostMessageA.USER32(00000000,00000404,00000000,00000000), ref: 004013A4
PostMessageA.USER32(00000402,00000000,00000000,00000000), ref: 004013CC
LoadLibraryA.KERNEL32(SHELL32,$@@(@@,00404134,$@@(@@,/on,$@@(@@,/tgl,00000000), ref: 004013F4
GetProcAddress.KERNEL32(00000000,Shell_NotifyIconA), ref: 00401408
GetProcAddress.KERNEL32(?,ShellExecuteA), ref: 00401421
LoadStringA.USER32(0000000A,00403144,0000020E,SHELL32), ref: 00401441
MessageBoxA.USER32(00000000,00403144,00000030,0000000A), ref: 00401455
RegisterClipboardFormatA.USER32(TaskbarCreated), ref: 0040146B
RtlZeroMemory.NTDLL(?,00000028), ref: 0040147B
LoadCursorA.USER32(00000000,00007F00), ref: 004014A0
LoadIconA.USER32(00000064,?), ref: 004014B0
RegisterClassA.USER32(?), ref: 004014BC
CreateWindowExA.USER32(00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000028,?,ShellExecuteA), ref: 004014E8
LoadStringA.USER32(0000000B,00403144,0000020E,SHELL32), ref: 00401508
MessageBoxA.USER32(00000000,00403144,00000030,0000000B), ref: 0040151C
TranslateMessage.USER32(?), ref: 00401537
DispatchMessageA.USER32(?), ref: 00401540
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040154F
FreeLibrary.KERNEL32(00000000,$@@(@@,00404134,$@@(@@,/on,$@@(@@,/tgl,00000000), ref: 00401561

Strings

SHELL32, xrefs: 004013EF
/, xrefs: 0040135C
/tgl, xrefs: 004012D2
Shell_NotifyIconA, xrefs: 00401402
/tray, xrefs: 00401314
/off, xrefs: 004012B9
TaskbarCreated, xrefs: 00401466
$@@(@@, xrefs: 00401259, 004012BE, 004012D7, 004012ED, 00401303, 00401319
ShellExecuteA, xrefs: 00401419
/on, xrefs: 004012E8
iA@, xrefs: 00401491

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: Message$Loadlstrcmpi$AddressLibraryMemoryPostProcRegisterStringWindowZero$ClassClipboardCreateCursorDispatchFindFormatFreeIconTranslate
String ID: $@@(@@$/$/off$/on$/tgl$/tray$SHELL32$ShellExecuteA$Shell_NotifyIconA$TaskbarCreated$iA@
API String ID: 2903750531-1350653465
Opcode ID: 1d545d61fa5a38dda128e662e33ad3413b295f45b268f6390ea24e417a57f585
Instruction ID: 13e4c5fa770c644b28289dd90d039d1eeda3c4caecab0da8a573fd70f472a3ea
Opcode Fuzzy Hash: 1d545d61fa5a38dda128e662e33ad3413b295f45b268f6390ea24e417a57f585
Instruction Fuzzy Hash: A881E7B0A403447AEB11AFA19E0AF6E7FB8AB58745F20403BF741B91E1DAFC4541971D

Uniqueness

Uniqueness Score: -1.00%

Function 00401570, Relevance: 12.1, APIs: 8, Instructions: 144
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00401570(intOrPtr _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16) {
				void _v8;
				signed int _v16;
				signed int _v20;
				signed int _t20;
				intOrPtr _t38;
				signed int _t39;
				void* _t43;
				signed int _t45;
				void* _t46;
				void* _t47;
				void* _t50;
				void* _t51;

				_t45 = _a8;
				if(_t45 ==  *0x403104) {
					_t45 = 0x402;
				}
				_t20 = _t45;
				_t50 = _t20 - 0x1a;
				if(_t50 == 0) {
					 *0x404044 = E004023A7(_t43);
					__eflags =  *0x403134;
					if( *0x403134 != 0) {
						__eflags =  *0x40313c;
						if( *0x40313c != 0) {
							__eflags =  *0x403134;
							_t33 = 0 |  *0x403134 == 0x00000000;
							_v16 =  *0x403134 == 0;
							E00401DDB(_t33, 0);
							__eflags =  *0x403134;
							_t9 =  *0x403134 == 0;
							__eflags = _t9;
							_t36 = 0 | _t9;
							_v20 = _t9;
							E00401DDB(_t36, 0);
							_t46 = _t46 + 0x10;
						}
					}
					__eflags =  *0x403134;
					if( *0x403134 != 0) {
						__eflags =  *0x40313c;
						if(__eflags == 0) {
							SystemParametersInfoA(0x10, 0,  &_v8, 0);
							E00402435(_t43, __eflags, 0x403144, 0x104);
							_t47 = _t46 + 8;
							__eflags = _v8;
							if(_v8 != 0) {
								__eflags =  *0x403144;
								if(__eflags != 0) {
									 *0x403110 = 1;
									E00402435(_t43, __eflags, 0x403000, 0x104);
									_t47 = _t47 + 8;
								}
							}
							SystemParametersInfoA(0x53, 0,  &_v8, 0);
							__eflags = _v8;
							if(_v8 != 0) {
								 *0x40310c = 1;
							}
							SystemParametersInfoA(0x54, 0,  &_v8, 0);
							__eflags = _v8;
							if(_v8 != 0) {
								 *0x403108 = 1;
							}
							E00402406(0, 0, 0);
						}
					}
					L34:
					__eflags = 0;
					return 0;
				}
				if(_t50 > 0) {
					__eflags = _t20 - 0x113;
					if(__eflags == 0) {
						_t38 = _a12;
						__eflags = _t38 - 0x1f4;
						if(_t38 == 0x1f4) {
							_push(0);
							_push(1);
							_push(0x45);
							_push(0x90);
							L00402B5C();
							_push(0);
							_push(3);
							_push(0x45);
							_push(0x90);
							L00402B5C();
							_push(0);
							_push(1);
							_push(0x45);
							_push(0x90);
							L00402B5C();
							_push(0);
							_push(3);
							_push(0x45);
							_push(0x90);
							L00402B5C();
						} else {
							__eflags = _t38 - 0x1f5;
							if(__eflags == 0) {
								_t39 = E00402586(__eflags);
								__eflags = _t39;
								if(_t39 != 0) {
									E00401BEC(1);
								}
							}
						}
						goto L34;
					}
					if(__eflags < 0) {
						L33:
						_push(_a16);
						_push(_a12);
						_push(_t45);
						_push(_a4);
						L00402BBC(); // executed
						return _t20;
					}
					__eflags = _t20 - 0x401;
					if(_t20 < 0x401) {
						goto L33;
					} else {
						__eflags = _t20 - 0x404;
						if(_t20 > 0x404) {
							goto L33;
						} else {
							goto ( *((intOrPtr*)(_t20 * 4 +  &M00403044)));
						}
					}
				}
				_t51 = _t20 - 2;
				if(_t51 == 0 || _t51 >= 0 && _t20 == 0x16) {
					E004018DE();
					goto L34;
				} else {
					goto L33;
				}
			}

0x00401579
0x00401582
0x00401584
0x00401584
0x00401589
0x0040158b
0x0040158e
0x00401733
0x00401738
0x0040173f
0x00401741
0x00401748
0x0040174e
0x00401755
0x00401758
0x0040175c
0x00401765
0x0040176c
0x0040176c
0x0040176c
0x0040176f
0x00401773
0x00401778
0x00401778
0x00401748
0x0040177b
0x00401782
0x00401788
0x0040178f
0x0040179f
0x004017ae
0x004017b3
0x004017b6
0x004017ba
0x004017bc
0x004017c3
0x004017c5
0x004017d9
0x004017de
0x004017de
0x004017c3
0x004017eb
0x004017f0
0x004017f4
0x004017f6
0x004017f6
0x0040180a
0x0040180f
0x00401813
0x00401815
0x00401815
0x00401825
0x0040182a
0x0040178f
0x00401847
0x00401847
0x00000000
0x00401847
0x00401594
0x004015b3
0x004015b8
0x004016b9
0x004016bc
0x004016c1
0x004016cf
0x004016d1
0x004016d3
0x004016d5
0x004016da
0x004016df
0x004016e1
0x004016e3
0x004016e5
0x004016ea
0x004016ef
0x004016f1
0x004016f3
0x004016f5
0x004016fa
0x004016ff
0x00401701
0x00401703
0x00401705
0x0040170a
0x004016c3
0x004016c3
0x004016c8
0x00401714
0x00401719
0x0040171b
0x00401723
0x00401728
0x0040171b
0x004016c8
0x00000000
0x004016c1
0x004015be
0x00401836
0x00401836
0x00401839
0x0040183c
0x0040183d
0x00401840
0x00000000
0x00401840
0x004015c4
0x004015c9
0x00000000
0x004015cf
0x004015cf
0x004015d4
0x00000000
0x004015da
0x004015da
0x004015da
0x004015d4
0x004015c9
0x00401596
0x00401599
0x0040182f
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00401840

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 0c514c6b030c73baec22b80078c21294ed9de75387da74f7d5d0cbd2a1bfecf9
Instruction ID: badb4a2990715c543f51918868077801d52b1d795603c4bdd195ee5fd9fa5078
Opcode Fuzzy Hash: 0c514c6b030c73baec22b80078c21294ed9de75387da74f7d5d0cbd2a1bfecf9
Instruction Fuzzy Hash: 37418272640204BAFB30BF659E4BBAA7A699704709F244437F300B91F2DAFC5780C65E

Uniqueness

Uniqueness Score: -1.00%

Function 00402435, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 43
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E00402435(void* __ecx, void* __eflags, CHAR* _a4, long _a8) {
				void* _v8;
				long _t15;
				long _t16;

				if(E00402378() == 0) {
					RegOpenKeyExA(0x80000001, "Control Panel\\Desktop", 0, 0x20019,  &_v8); // executed
					_t15 = E0040277C(_v8, "SCRNSAVE.EXE", _a4, _a8); // executed
					_t16 = _t15;
					if(_t16 == 0) {
						_push(0x4041ca);
						_push(_a4);
						L004029DC();
					}
					if(_v8 != 0) {
						return RegCloseKey(_v8);
					}
				} else {
					_t16 = GetPrivateProfileStringA("boot", "SCRNSAVE.EXE", 0, _a4, _a8, "System.ini");
					if(_t16 == 0) {
						_push(0x4041ca);
						_push(_a4);
						L004029DC();
						return _t16;
					}
				}
				return _t16;
			}

0x00402440
0x00402486
0x00402499
0x004024a1
0x004024a3
0x004024a5
0x004024aa
0x004024ad
0x004024ad
0x004024b6
0x00000000
0x004024bb
0x00402442
0x0040245e
0x00402460
0x00402462
0x00402467
0x0040246a
0x00000000
0x0040246a
0x00402460
0x004024c1

APIs

Part of subcall function 00402378: GetVersionExA.KERNEL32(00000094,00000000), ref: 00402393

GetPrivateProfileStringA.KERNEL32(boot,SCRNSAVE.EXE,00000000,00000000,?,System.ini), ref: 00402459
lstrcpy.KERNEL32(00000000,004041CA), ref: 0040246A
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop,00000000,00020019,00000000,?,?,00401E3F,00403000,00000104,?,?,004018BE,?,00000000,00000000), ref: 00402486
lstrcpy.KERNEL32(00000000,004041CA), ref: 004024AD
RegCloseKey.ADVAPI32(00000000,004018BE,?,00000000), ref: 004024BB

Strings

Control Panel\Desktop, xrefs: 0040247C
System.ini, xrefs: 00402442
SCRNSAVE.EXE, xrefs: 0040244F, 00402491
boot, xrefs: 00402454

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: lstrcpy$CloseOpenPrivateProfileStringVersion
String ID: Control Panel\Desktop$SCRNSAVE.EXE$System.ini$boot
API String ID: 118532346-440963436
Opcode ID: 811f8bfb71e23998c535ae4f37b4342d9e88e68c31027cd6d3c22b15c45a9a59
Instruction ID: 3afbbcfe94d17605778bb6f4bea1633d0e93d539b08910848cb031dd4d02b7aa
Opcode Fuzzy Hash: 811f8bfb71e23998c535ae4f37b4342d9e88e68c31027cd6d3c22b15c45a9a59
Instruction Fuzzy Hash: 7001A9B4650208F9DF116F61CE0FF8C3A60AB64748F3080377E04780D1D6FD8A90A65C

Uniqueness

Uniqueness Score: -1.00%

Function 00401A98, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 57
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00401A98(intOrPtr _a4) {
				char _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				int _v84;
				intOrPtr _v88;
				char _v92;
				int _v96;
				void* __edi;
				void* __esi;
				void* _t35;

				_v88 =  *0x403114;
				_v84 = 1;
				_v76 = 0x401;
				_v96 = GetSystemMetrics(0x31);
				_v72 = LoadImageA( *0x403124, (0 |  *0x403134 == 0x00000000) + 0x00000064 & 0x0000ffff, 1, _v96, GetSystemMetrics(0x32), 0);
				 *((char*)("NoSleep!" + 8)) = (( *0x403134 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x20;
				E00402920("NoSleep!", (( *0x403134 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x20,  &_v68, "NoSleep!");
				_v80 = 7;
				_v92 = 0x58;
				_t35 =  *0x40312c(_a4,  &_v92); // executed
				return _t35;
			}

0x00401aac
0x00401aaf
0x00401ab6
0x00401ac4
0x00401af9
0x00401b12
0x00401b1a
0x00401b1f
0x00401b26
0x00401b34
0x00401b3e

APIs

GetSystemMetrics.USER32(00000031), ref: 00401ABF
GetSystemMetrics.USER32(00000032), ref: 00401AC9
LoadImageA.USER32(-00000064,00000001,?,00000000,00000000,00000032), ref: 00401AF4
Shell_NotifyIcon.SHELL32(004018A9,00000058,?,NoSleep!,$@@(@@,?,00000000), ref: 00401B34

Strings

$@@(@@, xrefs: 00401AA0
X, xrefs: 00401B26
NoSleep!, xrefs: 00401AA1, 00401B15

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: MetricsSystem$IconImageLoadNotifyShell_
String ID: $@@(@@$NoSleep!$X
API String ID: 527389361-1849863362
Opcode ID: 17016a5142002bcf7f42d9b96eb855a299ebf983d8695a6a74766683d5277c76
Instruction ID: 46a89e01bbf06c503c51705a7206fed786798c2b844568d406f6ea4d37e3e024
Opcode Fuzzy Hash: 17016a5142002bcf7f42d9b96eb855a299ebf983d8695a6a74766683d5277c76
Instruction Fuzzy Hash: 2311A0B2D00268AEDB11DFD5DE45E8EBFB8AB08B55F004039E944BF2D6C7B469058BD4

Uniqueness

Uniqueness Score: -1.00%

Function 00401CE2, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 51
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00401CE2(void* __ecx) {
				void* _v8;
				long _t9;
				intOrPtr _t11;
				long _t14;
				intOrPtr _t15;
				void* _t18;
				void* _t20;
				void* _t21;

				_t9 = RegOpenKeyExA(0x80000001,  *0x404040, 0, 0x20019,  &_v8); // executed
				_t23 = _t9;
				if(_t9 != 0) {
					_t18 = 0;
					__eflags = 0;
				} else {
					_t18 = _v8;
				}
				_v8 = _t18;
				_t11 = E004027AD(_t23, _t18, "Remember", 0);
				_t21 = _t20 + 0xc;
				 *0x403138 = _t11;
				_t24 = _t11;
				if(_t11 == 0) {
					 *0x403134 = 1;
				} else {
					_t15 = E004027AD(_t24, _t18, "Active", 1);
					_t21 = _t21 + 0xc;
					 *0x403134 = _t15;
				}
				 *0x40313c = E004027AD(_t24, _v8, "CompMode", 0);
				_t14 = E004027AD(_t24, _v8, "IneTVisible", 0);
				 *0x403140 = _t14;
				if(_v8 != 0) {
					_t14 = RegCloseKey(_v8);
				}
				return _t14;
			}

0x00401cfd
0x00401d02
0x00401d04
0x00401d0b
0x00401d0b
0x00401d06
0x00401d06
0x00401d06
0x00401d0d
0x00401d18
0x00401d1d
0x00401d20
0x00401d25
0x00401d27
0x00401d40
0x00401d29
0x00401d31
0x00401d36
0x00401d39
0x00401d39
0x00401d59
0x00401d68
0x00401d70
0x00401d79
0x00401d7e
0x00401d7e
0x00401d85

APIs

RegOpenKeyExA.ADVAPI32(80000001,00000000,00020019,00000000,$@@(@@,?,?,00401861,$@@(@@,$@@(@@,00000000), ref: 00401CFD
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,$@@(@@,$@@(@@), ref: 00401D7E

Strings

Active, xrefs: 00401D2B
CompMode, xrefs: 00401D4C
IneTVisible, xrefs: 00401D60
Remember, xrefs: 00401D12
$@@(@@, xrefs: 00401CE6

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: CloseOpen
String ID: $@@(@@$Active$CompMode$IneTVisible$Remember
API String ID: 47109696-967634453
Opcode ID: 63d4e146887f92cfb4dafacb82365ab5b8e6a1facea1ca8a9a70f147b4791fda
Instruction ID: e0e2a7642721215730f1d54be7bebdb46e0bc6d54efedfe37aa68bc4b756bb92
Opcode Fuzzy Hash: 63d4e146887f92cfb4dafacb82365ab5b8e6a1facea1ca8a9a70f147b4791fda
Instruction Fuzzy Hash: 610192B0940204FBEB20AF51EE47B5D7AB5AB84714F20007BF6017B1E1E6FD6B009A5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040124F, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E0040124F(void* __edx, struct HINSTANCE__* _a4, char _a12) {
				struct tagMSG _v32;
				char _v33;
				struct _WNDCLASSA _v73;
				struct HINSTANCE__* _v80;
				signed int _v84;
				signed int _v92;
				intOrPtr _v119;
				char _t49;
				char _t50;
				char _t51;
				char _t52;
				char _t53;
				char _t54;
				struct HWND__* _t61;
				struct HWND__* _t62;
				struct HINSTANCE__* _t63;
				_Unknown_base(*)()* _t67;
				CHAR* _t73;
				struct HICON__* _t75;
				struct HWND__* _t78;
				long _t94;
				void* _t96;
				struct HINSTANCE__* _t99;
				struct HINSTANCE__* _t100;
				_Unknown_base(*)()* _t101;
				signed int _t106;
				char* _t109;
				char* _t112;

				_v119 = _v119 + __edx;
				_t3 =  &_a12; // 0x404024
				_t112 =  *_t3;
				_v84 = _v84 & 0x00000000;
				_t94 = 0;
				 *0x403124 = _a4;
				_v32.wParam = _v32.wParam & 0x00000000;
				_push(0x10);
				_push(0x403134);
				L004029B8();
				while(( *( *_t112 + 0x404225) & 0x00000008) != 0) {
					_t112 = _t112 + 1;
				}
				while( *_t112 == 0x2f) {
					_t109 = _t112 + 1;
					while(1) {
						_t49 =  *_t109;
						if(( *(_t49 + 0x404225) & 0x00000008) != 0 || _t49 == 0x2f || _t49 == 0) {
							break;
						}
						_t109 = _t109 + 1;
					}
					_t50 =  *_t109;
					_v33 = _t50;
					if( *_t109 != 0) {
						 *_t109 = 0;
						_t109 = _t109 + 1;
					}
					_push("/off");
					_push(_t112);
					L004029D0();
					_t51 = _t50;
					if(_t51 != 0) {
						_push("/tgl");
						_push(_t112);
						L004029D0();
						_t52 = _t51;
						if(_t52 != 0) {
							_push("/on");
							_push(_t112);
							L004029D0();
							_t53 = _t52;
							if(_t53 != 0) {
								_push("/x");
								_push(_t112);
								L004029D0();
								_t54 = _t53;
								if(_t54 != 0) {
									_push("/tray");
									_push(_t112);
									L004029D0();
									if(_t54 != 0) {
										LoadStringA( *0x403124, 0xf, 0x403144, 0x20e);
										MessageBoxA(0, 0x403144,  *0x404038, 0x40);
									} else {
										_v84 = 1;
										goto L23;
									}
								} else {
									_t94 = 0x3eb;
									goto L23;
								}
							} else {
								_t94 = 0x3e9;
								goto L23;
							}
						} else {
							_t94 = 0x3e8;
							goto L23;
						}
					} else {
						_t94 = 0x3ea;
						L23:
						if(_v33 == 0x2f) {
							_t109 = _t109 - 1;
							 *_t109 = 0x2f;
						}
						_t112 = _t109;
						while(( *( *_t112 + 0x404225) & 0x00000008) != 0) {
							_t112 = _t112 + 1;
						}
						continue;
					}
					L42:
					if(_v80 != 0) {
						FreeLibrary(_v80);
					}
					return _v32.wParam;
				}
				_t61 = FindWindowA( *0x40403c,  *0x404038); // executed
				 *0x403114 = _t61;
				_t62 = _t61;
				if(_t62 == 0) {
					if(_t94 != 0x3eb) {
						_t63 = LoadLibraryA("SHELL32"); // executed
						_t99 = _t63;
						_v80 = _t99;
						_t100 = _t99;
						if(_t100 == 0) {
							L36:
							LoadStringA( *0x403124, 0xa, 0x403144, 0x20e);
							MessageBoxA(0, 0x403144,  *0x404038, 0x30);
							_v32.wParam = 3;
						} else {
							_t101 = GetProcAddress(_t100, "Shell_NotifyIconA");
							 *0x40312c = _t101;
							if(_t101 == 0) {
								goto L36;
							} else {
								_t67 = GetProcAddress(_v80, "ShellExecuteA");
								 *0x403128 = _t67;
								if(_t67 != 0) {
									 *0x403104 = RegisterClipboardFormatA("TaskbarCreated");
									_push(0x28);
									_push( &_v73);
									L004029B8();
									_v73.lpfnWndProc = E00401570;
									_v73.hInstance =  *0x403124;
									_t73 =  *0x40403c; // 0x404169
									_v73.lpszClassName = _t73;
									_v73.hCursor = LoadCursorA(0, 0x7f00);
									_t75 = LoadIconA( *0x403124, 0x64); // executed
									_v73.hIcon = _t75;
									RegisterClassA( &_v73);
									_t78 = CreateWindowExA(0,  *0x40403c,  *0x404038, 0x80000000, 0, 0, 0, 0, 0, 0,  *0x403124, 0); // executed
									 *0x403114 = _t78;
									if(_t78 != 0) {
										E00401850(_t96, _t94); // executed
										while(GetMessageA( &_v32, 0, 0, 0) != 0) {
											TranslateMessage( &_v32);
											DispatchMessageA( &_v32);
										}
									} else {
										LoadStringA( *0x403124, 0xb, 0x403144, 0x20e);
										MessageBoxA(0, 0x403144,  *0x404038, 0x30);
										_v32.wParam = 4;
									}
								} else {
									goto L36;
								}
							}
						}
					}
				} else {
					_v32.wParam = 0 | PostMessageA(_t62, 0x404, 0, _t94) == 0x00000000;
					if(_v84 != 0) {
						_t106 = 0 | PostMessageA( *0x403114, 0x402, 0, 0) == 0x00000000;
						_v92 = _t106;
						_v32.wParam = _v32.wParam + _t106;
					}
				}
				goto L42;
			}

0x0040124f
0x00401259
0x00401259
0x0040125c
0x00401260
0x00401265
0x0040126a
0x0040126e
0x00401270
0x00401275
0x0040127d
0x0040127c
0x0040127c
0x00401378
0x00401291
0x00401295
0x00401295
0x004012a0
0x00000000
0x00000000
0x00401294
0x00401294
0x004012ab
0x004012ad
0x004012b3
0x004012b5
0x004012b8
0x004012b8
0x004012b9
0x004012be
0x004012bf
0x004012c4
0x004012c6
0x004012d2
0x004012d7
0x004012d8
0x004012dd
0x004012df
0x004012e8
0x004012ed
0x004012ee
0x004012f3
0x004012f5
0x004012fe
0x00401303
0x00401304
0x00401309
0x0040130b
0x00401314
0x00401319
0x0040131a
0x00401321
0x0040133e
0x00401352
0x00401323
0x00401323
0x00000000
0x00401323
0x0040130d
0x0040130d
0x00000000
0x0040130d
0x004012f7
0x004012f7
0x00000000
0x004012f7
0x004012e1
0x004012e1
0x00000000
0x004012e1
0x004012c8
0x004012c8
0x0040135c
0x00401360
0x00401362
0x00401363
0x00401363
0x00401366
0x0040136b
0x0040136a
0x0040136a
0x00000000
0x0040136b
0x00401558
0x0040155c
0x00401561
0x00401561
0x0040156d
0x0040156d
0x0040138d
0x00401392
0x00401397
0x00401399
0x004013e9
0x004013f4
0x004013f9
0x004013fb
0x004013fe
0x00401400
0x0040142f
0x00401441
0x00401455
0x0040145a
0x00401402
0x0040140d
0x0040140f
0x00401417
0x00000000
0x00401419
0x00401421
0x00401426
0x0040142d
0x00401470
0x00401475
0x0040147a
0x0040147b
0x00401486
0x0040148e
0x00401491
0x00401496
0x004014a5
0x004014b0
0x004014b5
0x004014bc
0x004014e8
0x004014ed
0x004014f4
0x0040152b
0x00401545
0x00401537
0x00401540
0x00401540
0x004014f6
0x00401508
0x0040151c
0x00401521
0x00401521
0x00000000
0x00000000
0x00000000
0x0040142d
0x00401417
0x00401400
0x0040139b
0x004013b0
0x004013b7
0x004013d5
0x004013d8
0x004013db
0x004013db
0x004013b7
0x00000000

APIs

RtlZeroMemory.NTDLL(00403134,00000010), ref: 00401275
FindWindowA.USER32($@@(@@,/tray), ref: 0040138D
PostMessageA.USER32(00000000,00000404,00000000,00000000), ref: 004013A4
PostMessageA.USER32(00000402,00000000,00000000,00000000), ref: 004013CC
FreeLibrary.KERNEL32(00000000,$@@(@@,00404134,$@@(@@,/on,$@@(@@,/tgl,00000000), ref: 00401561

Strings

$@@(@@, xrefs: 00401259

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: MessagePost$FindFreeLibraryMemoryWindowZero
String ID: $@@(@@
API String ID: 2118593938-1592000314
Opcode ID: 0860e6d5f356608261d538ba11bcdbfb8943625d54e10f743d4fc45178c9c843
Instruction ID: f91c46b075610cc5bcc6e38767ee170ad56264c4756594eddd3e3227e3348eaf
Opcode Fuzzy Hash: 0860e6d5f356608261d538ba11bcdbfb8943625d54e10f743d4fc45178c9c843
Instruction Fuzzy Hash: FF110871A01345AEEB209FA5DE45BAE7FB4BB80755F24803BE640B51E1C7BC0A44D61D

Uniqueness

Uniqueness Score: -1.00%

Function 00401DDB, Relevance: 3.0, APIs: 2, Instructions: 48
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00401DDB(intOrPtr _a4, intOrPtr _a8) {
				int _t3;
				void* _t8;
				intOrPtr _t10;
				intOrPtr _t11;

				_t10 = _a4;
				if( *0x403134 == _t10) {
					L10:
					return _t3;
				}
				if( *0x40313c == 0) {
					_t11 = _t10;
					__eflags = _t11;
					if(__eflags == 0) {
						E00402406( *0x403110,  *0x40310c,  *0x403108);
						_t3 = E004024C2(_t8, __eflags, 0x403000);
					} else {
						E00402435(_t8, __eflags, 0x403000, 0x104); // executed
						_t3 = E00402406(0, 0, 0);
					}
				} else {
					_t11 = _t10;
					if(_t11 == 0) {
						_t3 = KillTimer( *0x403114, 0x1f4);
					} else {
						_t3 = SetTimer( *0x403114, 0x1f4,  *0x404044 * 0x3e8, 0);
					}
				}
				 *0x403134 = _t11;
				if(_a8 == 0) {
					goto L10;
				} else {
					return E00401A98(1);
				}
			}

0x00401ddf
0x00401de8
0x00401e89
0x00401e89
0x00401e89
0x00401df5
0x00401e2c
0x00401e2c
0x00401e2e
0x00401e61
0x00401e6b
0x00401e30
0x00401e3a
0x00401e45
0x00401e4a
0x00401df7
0x00401df7
0x00401df9
0x00401e25
0x00401dfb
0x00401e13
0x00401e13
0x00401df9
0x00401e73
0x00401e7d
0x00000000
0x00401e7f
0x00000000
0x00401e86

APIs

SetTimer.USER32(000001F4,00000000,00000000,?), ref: 00401E13
KillTimer.USER32(000001F4,?,?,004018BE,?,00000000,00000000,$@@(@@,$@@(@@,00000000), ref: 00401E25

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: Timer$Kill
String ID:
API String ID: 3307318486-0
Opcode ID: 624d4b4f9f4bb13929f8daea1e426a1d9d637cc519f5cf9af27c3bb0e1a8d5f5
Instruction ID: 432bd3c2bc4da93f67da02d1b658a3efab3b7ef354ebf4881fe148087d036815
Opcode Fuzzy Hash: 624d4b4f9f4bb13929f8daea1e426a1d9d637cc519f5cf9af27c3bb0e1a8d5f5
Instruction Fuzzy Hash: CC01FC71540200A7E3116F56DF07F6A7E1C6394B07F10003BF9083D1F28AFE06519A9E

Uniqueness

Uniqueness Score: -1.00%

Function 004028BC, Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E004028BC(void* __ecx) {
				intOrPtr _v8;
				char _t4;
				char _t6;
				void* _t8;
				intOrPtr _t10;
				intOrPtr _t11;
				char* _t14;

				_t12 = __ecx;
				_push(__ecx);
				_t14 = GetCommandLineA();
				if( *_t14 != 0x22) {
					while(1) {
						_t4 =  *_t14;
						if(_t4 == 0 || _t4 == 0x20) {
							break;
						}
						_t14 = _t14 + 1;
					}
					while(1) {
						_t6 =  *_t14;
						if(_t6 == 0 || _t6 != 0x20) {
							goto L13;
						}
						_t14 = _t14 + 1;
					}
				} else {
					_push(0x22);
					_t10 = _t14 + 1;
					_push(_t10);
					L00402CA0();
					_v8 = _t10;
					_t11 = _t10;
					if(_t11 != 0) {
						_t14 = _t11 + 1;
						while( *_t14 == 0x20) {
							_t14 = _t14 + 1;
						}
					}
				}
				L13:
				_t8 = E00401250(_t12, GetModuleHandleA(0), 0, _t14, 1); // executed
				return _t8;
			}

0x004028bc
0x004028bf
0x004028c6
0x004028cb
0x004028f0
0x004028f3
0x004028f5
0x00000000
0x00000000
0x004028ef
0x004028ef
0x004028ff
0x00402902
0x00402904
0x00000000
0x00000000
0x004028fe
0x004028fe
0x004028cd
0x004028cd
0x004028d1
0x004028d2
0x004028d3
0x004028db
0x004028de
0x004028e0
0x004028e4
0x004028e8
0x004028e7
0x004028e7
0x004028ed
0x004028e0
0x0040290b
0x00402918
0x0040291f

APIs

GetCommandLineA.KERNEL32(?,?,?,00401236,00404020,00404024,00404028,00000000,00000000), ref: 004028C1
GetModuleHandleA.KERNEL32(00000000,?,?,?,00401236,00404020,00404024,00404028,00000000,00000000), ref: 0040290D

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: CommandHandleLineModule
String ID:
API String ID: 2123368496-0
Opcode ID: e53d461586ee877e2855a5fa8b3221997a3ec155f6f9bef2937c9faf7b744f2e
Instruction ID: 6e323e109686210b583c3504000e2277bb611f77b4be2c96b35449a1bd1008c3
Opcode Fuzzy Hash: e53d461586ee877e2855a5fa8b3221997a3ec155f6f9bef2937c9faf7b744f2e
Instruction Fuzzy Hash: 3FF0685660424528EB7131764E4D73B66886B52358F244537E582F62D2E5FCCC42721D

Uniqueness

Uniqueness Score: -1.00%

Function 004028BB, Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E004028BB(void* __ecx, void* __edx) {
				intOrPtr _v8;
				intOrPtr _v119;
				char _t6;
				char _t8;
				void* _t10;
				intOrPtr _t12;
				intOrPtr _t13;
				char* _t17;

				_t14 = __ecx;
				_v119 = _v119 + __edx;
				_push(__ecx);
				_t17 = GetCommandLineA();
				if( *_t17 != 0x22) {
					while(1) {
						_t6 =  *_t17;
						if(_t6 == 0 || _t6 == 0x20) {
							break;
						}
						_t17 = _t17 + 1;
					}
					while(1) {
						_t8 =  *_t17;
						if(_t8 == 0 || _t8 != 0x20) {
							goto L14;
						}
						_t17 = _t17 + 1;
					}
				} else {
					_push(0x22);
					_t12 = _t17 + 1;
					_push(_t12);
					L00402CA0();
					_v8 = _t12;
					_t13 = _t12;
					if(_t13 != 0) {
						_t17 = _t13 + 1;
						while( *_t17 == 0x20) {
							_t17 = _t17 + 1;
						}
					}
				}
				L14:
				_t10 = E00401250(_t14, GetModuleHandleA(0), 0, _t17, 1); // executed
				return _t10;
			}

0x004028bb
0x004028bb
0x004028bf
0x004028c6
0x004028cb
0x004028f0
0x004028f3
0x004028f5
0x00000000
0x00000000
0x004028ef
0x004028ef
0x004028ff
0x00402902
0x00402904
0x00000000
0x00000000
0x004028fe
0x004028fe
0x004028cd
0x004028cd
0x004028d1
0x004028d2
0x004028d3
0x004028db
0x004028de
0x004028e0
0x004028e4
0x004028e8
0x004028e7
0x004028e7
0x004028ed
0x004028e0
0x0040290b
0x00402918
0x0040291f

APIs

GetCommandLineA.KERNEL32(?,?,?,00401236,00404020,00404024,00404028,00000000,00000000), ref: 004028C1
GetModuleHandleA.KERNEL32(00000000,?,?,?,00401236,00404020,00404024,00404028,00000000,00000000), ref: 0040290D

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: CommandHandleLineModule
String ID:
API String ID: 2123368496-0
Opcode ID: 68e95ebf9b15e8e62db23d087f8a7c7d6a6bcf7b5db5700cfc6c08bda03c05bb
Instruction ID: ddbd233adeddf7de5b8de90ac6c8d897205c3750619593661a236f8b5de777cf
Opcode Fuzzy Hash: 68e95ebf9b15e8e62db23d087f8a7c7d6a6bcf7b5db5700cfc6c08bda03c05bb
Instruction Fuzzy Hash: FBE09BA6B4834635EF3132B10D4EB2D5A445B8275CF24017BF041B61C3E5FC8442931D

Uniqueness

Uniqueness Score: -1.00%

Function 0040277C, Relevance: 1.5, APIs: 1, Instructions: 26
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040277C(void* _a4, char* _a8, char* _a12, int _a16) {
				long _t7;
				void* _t10;
				void* _t11;

				_t10 = _a4;
				if(_t10 == 0) {
					L3:
					_t11 = 0;
				} else {
					_t7 = RegQueryValueExA(_t10, _a8, 0, 0, _a12,  &_a16); // executed
					if(_t7 != 0) {
						goto L3;
					} else {
						_t11 = 1;
					}
				}
				return _t11;
			}

0x00402784
0x00402786
0x004027a5
0x004027a5
0x00402788
0x00402797
0x0040279e
0x00000000
0x004027a0
0x004027a2
0x004027a2
0x0040279e
0x004027ac

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,004027C4,00000000,?,?,004027C4,?,?,?,0000000C,$@@(@@,$@@(@@), ref: 00402797

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 88fa190469d3ec9d3baf9c2ba739974063ba69bed0754f3e9704af3bbf08f8bb
Instruction ID: 0a6f8cf885be98642950d34edcc8db40febd00bda6d8408be0ebf12fe2798950
Opcode Fuzzy Hash: 88fa190469d3ec9d3baf9c2ba739974063ba69bed0754f3e9704af3bbf08f8bb
Instruction Fuzzy Hash: 48E0863760412877EB2549869D05BABB75DE7C5B70F500032FA08A31C0D1F9981243D4

Uniqueness

Uniqueness Score: -1.00%

Function 0040277B, Relevance: 1.5, APIs: 1, Instructions: 24
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040277B(void* __edx, void* _a4, char* _a8, char* _a12, int _a16) {
				intOrPtr _v119;
				long _t9;
				void* _t14;
				void* _t17;

				_v119 = _v119 + __edx;
				_t14 = _a4;
				if(_t14 == 0) {
					L4:
					_t17 = 0;
				} else {
					_t9 = RegQueryValueExA(_t14, _a8, 0, 0, _a12,  &_a16); // executed
					if(_t9 != 0) {
						goto L4;
					} else {
						_t17 = 1;
					}
				}
				return _t17;
			}

0x0040277b
0x00402784
0x00402786
0x004027a5
0x004027a5
0x00402788
0x00402797
0x0040279e
0x00000000
0x004027a0
0x004027a2
0x004027a2
0x0040279e
0x004027ac

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,004027C4,00000000,?,?,004027C4,?,?,?,0000000C,$@@(@@,$@@(@@), ref: 00402797

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 731b743380e3f2a1ae4f87096b4bf7054ba9242ed0fc3982f32057843d18cd8c
Instruction ID: 530f76004e697c8c3772cee854eca7f0a4fed17352f8e1afd1a5e135becd8341
Opcode Fuzzy Hash: 731b743380e3f2a1ae4f87096b4bf7054ba9242ed0fc3982f32057843d18cd8c
Instruction Fuzzy Hash: 2EE08C3A64805876EB258D959D00BAEA729ABC4B60F50003AFA08B70D0D2B898168798

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00402527, Relevance: 1.5, APIs: 1, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00402527(void* __edx) {
				struct _SYSTEMTIME _v20;
				intOrPtr _v119;

				_v119 = _v119 + __edx;
				GetSystemTime( &_v20);
				asm("cdq");
				return (((((((_v20.wHour & 0x0000ffff) + 1) % 0x18 * 0x3c + (_v20.wMinute & 0x0000ffff)) * 0x3c + (_v20.wSecond & 0x0000ffff)) * 0x3e8 + (_v20.wMilliseconds & 0x0000ffff)) * 0xc22e4507 >> 0x20) + ((((_v20.wHour & 0x0000ffff) + 1) % 0x18 * 0x3c + (_v20.wMinute & 0x0000ffff)) * 0x3c + (_v20.wSecond & 0x0000ffff)) * 0x3e8 + (_v20.wMilliseconds & 0x0000ffff) >> 0x10) - (_t19 >> 0x1f);
			}

0x00402527
0x00402534
0x00402545
0x00402585

APIs

GetSystemTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00402534

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: SystemTime
String ID:
API String ID: 2656138-0
Opcode ID: 31bcbed9f365fa23fd149f8f200db670ebb606fe9ea8d939c8f5dca36f7cdad3
Instruction ID: 65d284d7c217768197aac9e01d3a6d7e7d398b6e24f25b873aad2ebaea1221f7
Opcode Fuzzy Hash: 31bcbed9f365fa23fd149f8f200db670ebb606fe9ea8d939c8f5dca36f7cdad3
Instruction Fuzzy Hash: FBF0E967B0513C4FCB1C839D8C121ADA7AB9BC9605B5A503BE445EFBC5C8749A059790

Uniqueness

Uniqueness Score: -1.00%

Function 00402378, Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402378() {
				struct _OSVERSIONINFOA _v152;

				_v152.dwOSVersionInfoSize = 0x94;
				GetVersionExA( &_v152);
				return 0 | _v152.dwPlatformId == 0x00000001;
			}

0x00402382
0x00402393
0x004023a6

APIs

GetVersionExA.KERNEL32(00000094,00000000), ref: 00402393

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: a357e76dd2bb81c14a3fdd700fe6dfac65788ce11a3cb26446c14fbb1ea40f7b
Instruction ID: a7e439bc0a3eb5df323bfb2173bc4cef812ee9e6c84d7dddfefbcf90b6ca787c
Opcode Fuzzy Hash: a357e76dd2bb81c14a3fdd700fe6dfac65788ce11a3cb26446c14fbb1ea40f7b
Instruction Fuzzy Hash: 93D0127691032856DF24A679DE0EF8AB7FC6B44218F0004F59709E20C2E6B8968BCA51

Uniqueness

Uniqueness Score: -1.00%

Function 0040259A, Relevance: 33.2, APIs: 22, Instructions: 158
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E0040259A(struct HDC__* __eax, long long __fp0) {
				struct HDC__* _v8;
				struct _ICONINFO _v28;
				struct HDC__* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				struct HICON__* _v52;
				long long _v60;
				struct HBITMAP__* _t51;
				struct HBITMAP__* _t52;
				void* _t57;
				signed int _t63;
				struct HDC__* _t81;
				signed int _t89;
				long long* _t90;
				long long* _t91;
				long long _t96;
				long long _t97;

				_t96 = __fp0;
				_v28.fIcon = 1;
				_push(0);
				L00402B38();
				_push(__eax);
				L00402BEC();
				_v8 = __eax;
				_push(__eax);
				L00402BEC();
				_v32 = __eax;
				_push(__eax);
				L00402BEC();
				_push(__eax);
				_push(0);
				L00402B44();
				if(__eax == 0 || _v8 == 0 || _v32 == 0) {
					L4:
					return 0;
				} else {
					_t81 = __eax;
					if(_t81 != 0) {
						_t51 = LoadBitmapA( *0x403124, 0x96);
						_v28.hbmColor = _t51;
						_push(0x10);
						_push(0x10);
						_push(_v32);
						L00402BE0();
						_v28.hbmMask = _t51;
						_t52 = LoadBitmapA( *0x403124, 0x97);
						_v48 = _t52;
						__eflags = _v28.hbmColor;
						if(_v28.hbmColor == 0) {
							L8:
							return 0;
						}
						__eflags = _v28.hbmMask;
						if(_v28.hbmMask == 0) {
							goto L8;
						}
						__eflags = _t52;
						if(_t52 != 0) {
							_v36 = SelectObject(_v8, _v28.hbmColor);
							_v40 = SelectObject(_v32, _v28.hbmMask);
							_t57 = SelectObject(_t81, _v48);
							_v44 = _t57;
							__eflags = _v36;
							if(_v36 == 0) {
								L12:
								return 0;
							}
							__eflags = _v40;
							if(_v40 == 0) {
								goto L12;
							}
							__eflags = _t57;
							if(_t57 != 0) {
								 *0x40420c = E00402528();
								_t89 = 0;
								__eflags = 0;
								do {
									_push(2);
									_push(2 - _t89);
									asm("fild dword [esp]");
									 *_t90 = _t96;
									_t97 =  *0x40421c;
									_t91 = _t90 - 8;
									 *_t91 = _t97;
									L00402C7C();
									_t90 = _t91 + 0x10;
									_v60 = _t97;
									_push(0xcc0020);
									_push(0);
									_t96 = _v60;
									asm("fidivr dword [0x40420c]");
									_t63 = E00402898(__eflags);
									asm("cdq");
									_push(_t63 % 0xa << 2);
									_push(_t81);
									_push(7);
									_push(4);
									_push(8);
									_push(_t89 + _t89 * 4 + 1);
									_push(_v8);
									L00402BC8();
									_t89 = _t89 + 1;
									__eflags = _t89 - 3;
								} while (__eflags < 0);
								_push(0x42);
								_push(0);
								_push(0);
								_push(0);
								_push(0x10);
								_push(0x10);
								_push(0);
								_push(0);
								_push(_v32);
								L00402BC8();
								SelectObject(_v8, _v36);
								SelectObject(_v32, _v40);
								SelectObject(_t81, _v44);
								_v52 = CreateIconIndirect( &_v28);
								DeleteObject(_v28.hbmColor);
								DeleteObject(_v28.hbmMask);
								DeleteObject(_v48);
								DeleteObject(_v36);
								DeleteObject(_v40);
								DeleteObject(_v44);
								DeleteDC(_v8);
								DeleteDC(_v32);
								DeleteDC(_t81);
								return _v52;
							}
							goto L12;
						}
						goto L8;
					}
					goto L4;
				}
			}

0x0040259a
0x004025a3
0x004025aa
0x004025ac
0x004025b3
0x004025b4
0x004025b9
0x004025bc
0x004025bd
0x004025c2
0x004025c5
0x004025c6
0x004025cd
0x004025ce
0x004025d0
0x004025d7
0x004025e9
0x00000000
0x004025e5
0x004025e5
0x004025e7
0x004025fb
0x00402600
0x00402603
0x00402605
0x00402607
0x0040260a
0x0040260f
0x0040261d
0x00402622
0x00402625
0x00402629
0x00402635
0x00000000
0x00402635
0x0040262b
0x0040262f
0x00000000
0x00000000
0x00402631
0x00402633
0x00402647
0x00402655
0x0040265c
0x00402661
0x00402664
0x00402668
0x00402674
0x00000000
0x00402674
0x0040266a
0x0040266e
0x00000000
0x00000000
0x00402670
0x00402672
0x00402680
0x00402685
0x00402685
0x00402687
0x0040268e
0x0040268f
0x00402690
0x00402693
0x00402696
0x0040269c
0x0040269f
0x004026a2
0x004026a7
0x004026aa
0x004026ad
0x004026b2
0x004026b4
0x004026b7
0x004026bd
0x004026c7
0x004026cf
0x004026d0
0x004026d1
0x004026d3
0x004026d5
0x004026db
0x004026dc
0x004026df
0x004026e4
0x004026e5
0x004026e5
0x004026ea
0x004026ec
0x004026ee
0x004026f0
0x004026f2
0x004026f4
0x004026f6
0x004026f8
0x004026fa
0x004026fd
0x00402708
0x00402713
0x0040271c
0x0040272a
0x00402730
0x00402738
0x00402740
0x00402748
0x00402750
0x00402758
0x00402760
0x00402768
0x0040276e
0x00000000
0x00402773
0x00000000
0x00402672
0x00000000
0x00402633
0x00000000
0x004025e7

APIs

73BBAC50.USER32(00000000,00000000,?,00000000), ref: 004025AC
LoadBitmapA.USER32(00000096,00000000), ref: 004025FB
LoadBitmapA.USER32(00000097,00000000), ref: 0040261D
SelectObject.GDI32(00000000,00000000), ref: 00402642
SelectObject.GDI32(00000000,00000000), ref: 00402650
SelectObject.GDI32(00000000,?), ref: 0040265C
100276B0.CRTDLL(?,00000000), ref: 004026A2
73BC97E0.GDI32(00000000,?,00000008,00000004,00000007,00000000,?,00000000,00CC0020), ref: 004026DF
73BC97E0.GDI32(00000000,00000000,00000000,00000010,00000010,00000000,00000000,00000000,00000042,00000000,?,00000008,00000004,00000007,00000000), ref: 004026FD
SelectObject.GDI32(00000000,00000000), ref: 00402708
SelectObject.GDI32(00000000,00000000), ref: 00402713
SelectObject.GDI32(00000000,?), ref: 0040271C
CreateIconIndirect.USER32(00000001), ref: 00402725
DeleteObject.GDI32(00000000), ref: 00402730
DeleteObject.GDI32(00000000), ref: 00402738
DeleteObject.GDI32(?), ref: 00402740
DeleteObject.GDI32(00000000), ref: 00402748
DeleteObject.GDI32(00000000), ref: 00402750
DeleteObject.GDI32(?), ref: 00402758
DeleteDC.GDI32(00000000), ref: 00402760
DeleteDC.GDI32(00000000), ref: 00402768
DeleteDC.GDI32(00000000), ref: 0040276E

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: Object$Delete$Select$BitmapLoad$100276CreateIconIndirect
String ID:
API String ID: 3332651429-0
Opcode ID: e3eed70fdb0676fcbb08dd1a6d1379097fe2abbcac2e59aa8eefd3a0740e4214
Instruction ID: c4290f395b1199e4d6fef57eac03cc16b922b4c5feb15b2c5c63faba105d7eeb
Opcode Fuzzy Hash: e3eed70fdb0676fcbb08dd1a6d1379097fe2abbcac2e59aa8eefd3a0740e4214
Instruction Fuzzy Hash: 5F513A71D00208BADF256FA6DE4ABEEBB75AB08308F10447AF240751E2DAF91951DB1C

Uniqueness

Uniqueness Score: -1.00%

Function 00402016, Relevance: 18.2, APIs: 12, Instructions: 191
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00402016(void* __eax, void* __ecx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12) {
				int _v12;
				intOrPtr _t44;
				void* _t48;
				signed int _t67;
				int _t85;
				int _t91;
				int _t97;
				void* _t111;
				void* _t127;

				_t44 = _a8;
				_t127 = _t44 - 0x10;
				if(_t127 == 0) {
					 *0x404194 =  *0x404194 & 0x00000000;
					EndDialog(_a4, 0);
					SetActiveWindow(0);
					_t48 = 1;
				} else {
					if(_t127 < 0) {
						L28:
						_t48 = 0;
					} else {
						if(_t44 == 0x110) {
							 *0x404194 = _a4;
							 *0x403120 =  *0x403138;
							 *0x40311c =  *0x40313c;
							 *0x403118 =  *0x403140;
							SendDlgItemMessageA(_a4, 0x12e, 0xf1, 0 |  *0x403120 != 0x00000000, 0);
							SendDlgItemMessageA(_a4, 0x12f, 0xf1, 0 |  *0x40311c != 0x00000000, 0);
							SendDlgItemMessageA(_a4, 0x130, 0xf1, 0 |  *0x403118 != 0x00000000, 0);
							_t48 = 1;
						} else {
							if(_t44 == 0x111) {
								_t67 = _a12 & 0xffff;
								if(_t67 == 1) {
									E00401D86( *0x403118);
									_pop(_t111);
									if( *0x403134 == 0) {
										 *0x40313c =  *0x40311c;
									} else {
										E00401DDB(0, 0);
										 *0x40313c =  *0x40311c;
										E00401DDB(1, 0);
									}
									 *0x403138 =  *0x403120;
									E00401E8A(_t111);
									 *0x404194 =  *0x404194 & 0x00000000;
									EndDialog(_a4, 1);
									SetActiveWindow(0);
									_t48 = 1;
								} else {
									if(_t67 == 2) {
										 *0x404194 =  *0x404194 & 0x00000000;
										EndDialog(_a4, 0);
										SetActiveWindow(0);
										_t48 = 1;
									} else {
										if(_t67 < 1) {
											goto L28;
										} else {
											if(_t67 == 0x12e) {
												if((_a12 >> 0x00000010 & 0x0000ffff) == 0) {
													 *0x403120 = 0 |  *0x403120 == 0x00000000;
													_t85 = 0 |  *0x403120 != 0x00000000;
													_v12 = _t85;
													SendDlgItemMessageA(_a4, 0x12e, 0xf1, _t85, 0);
												}
												_t48 = 1;
											} else {
												if(_t67 == 0x12f) {
													if((_a12 >> 0x00000010 & 0x0000ffff) == 0) {
														 *0x40311c = 0 |  *0x40311c == 0x00000000;
														_t91 = 0 |  *0x40311c != 0x00000000;
														_v12 = _t91;
														SendDlgItemMessageA(_a4, 0x12f, 0xf1, _t91, 0);
													}
													_t48 = 1;
												} else {
													if(_t67 == 0x130) {
														if((_a12 >> 0x00000010 & 0x0000ffff) == 0) {
															 *0x403118 = 0 |  *0x403118 == 0x00000000;
															_t97 = 0 |  *0x403118 != 0x00000000;
															_v12 = _t97;
															SendDlgItemMessageA(_a4, 0x130, 0xf1, _t97, 0);
														}
														_t48 = 1;
													} else {
														goto L28;
													}
												}
											}
										}
									}
								}
							} else {
								goto L28;
							}
						}
					}
				}
				return _t48;
			}

0x0040201e
0x00402021
0x00402024
0x0040228b
0x00402297
0x0040229e
0x004022a5
0x0040202a
0x0040202a
0x004022a8
0x004022a8
0x00402030
0x00402035
0x0040204a
0x00402054
0x0040205e
0x00402068
0x0040208a
0x004020ac
0x004020ce
0x004020d5
0x00402037
0x0040203c
0x004020df
0x004020e7
0x00402127
0x0040212c
0x00402134
0x0040215c
0x00402136
0x0040213a
0x00402144
0x0040214d
0x00402152
0x00402166
0x0040216b
0x00402170
0x0040217c
0x00402183
0x0040218a
0x004020e9
0x004020ec
0x00402190
0x0040219c
0x004021a3
0x004021aa
0x004020f2
0x004020f5
0x00000000
0x004020fb
0x00402100
0x004021bc
0x004021ca
0x004021da
0x004021dd
0x004021ee
0x004021ee
0x004021f5
0x00402106
0x0040210b
0x00402207
0x00402215
0x00402225
0x00402228
0x00402239
0x00402239
0x00402240
0x00402111
0x00402116
0x0040224f
0x0040225d
0x0040226d
0x00402270
0x00402281
0x00402281
0x00402288
0x0040211c
0x00000000
0x0040211c
0x00402116
0x0040210b
0x00402100
0x004020f5
0x004020ec
0x00402042
0x00000000
0x00402042
0x0040203c
0x00402035
0x0040202a
0x004022ae

APIs

SendDlgItemMessageA.USER32(?,0000012E,000000F1,00000000,00000000), ref: 0040208A
SendDlgItemMessageA.USER32(?,0000012F,000000F1,00000000,00000000), ref: 004020AC
SendDlgItemMessageA.USER32(?,00000130,000000F1,00000000,00000000), ref: 004020CE
EndDialog.USER32(?,00000000), ref: 00402297
SetActiveWindow.USER32(00000000,?,00000000), ref: 0040229E

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: ItemMessageSend$ActiveDialogWindow
String ID:
API String ID: 1797882305-0
Opcode ID: 8c004eebe3c7b1ca93cbbaa69c084f83580c7c2530ed4e6e44cad5f1f63cb333
Instruction ID: 565af91bbbe1e63c609db0044b8076d1221ea01034131f3520e2057ff88044aa
Opcode Fuzzy Hash: 8c004eebe3c7b1ca93cbbaa69c084f83580c7c2530ed4e6e44cad5f1f63cb333
Instruction Fuzzy Hash: 8C51A631690211BFE7209F65DE4ABAA3AA4EB0D755F10443BF505FD1E1C7FC8A81DA88

Uniqueness

Uniqueness Score: -1.00%

Function 00401E8A, Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 66
registryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00401E8A(void* __ecx) {
				void* _v8;
				signed int _t9;
				signed int _t11;
				signed int _t15;
				signed int _t16;
				signed int _t17;
				signed int _t26;
				signed int _t31;
				void* _t34;

				_push(__ecx);
				_t9 = E0040283A(__ecx, 0x80000001, "Software", "zeniko\'s software");
				_t26 = _t9 & 0x00000001 & E0040283A(__ecx, 0x80000001, "Software\\zeniko\'s software",  *0x404038);
				if(_t26 == 0) {
					L5:
					_t11 = 0;
				} else {
					if(RegOpenKeyExA(0x80000001,  *0x404040, 0, 0x20006,  &_v8) != 0) {
						_t34 = 0;
					} else {
						_t34 = _v8;
					}
					if(_t34 != 0) {
						_t15 = E00402812(_v8, "Remember",  *0x403138);
						_t16 = E00402812(_v8, "Active",  *0x403134);
						_t17 = E00402812(_v8, "CompMode",  *0x40313c);
						_t31 = _t26 & _t15 & _t16 & _t17 & E00402812(_v8, "IneTVisible",  *0x403140);
						if(_v8 != 0) {
							RegCloseKey(_v8);
						}
						_t11 = _t31;
					} else {
						goto L5;
					}
				}
				return _t11;
			}

0x00401e8d
0x00401ea2
0x00401ec4
0x00401ec6
0x00401ef2
0x00401ef2
0x00401ec8
0x00401ee5
0x00401eec
0x00401ee7
0x00401ee7
0x00401ee7
0x00401ef0
0x00401f04
0x00401f19
0x00401f2e
0x00401f4b
0x00401f51
0x00401f56
0x00401f56
0x00401f5b
0x00000000
0x00000000
0x00000000
0x00401ef0
0x00401f60

APIs

Part of subcall function 0040283A: RegOpenKeyExA.ADVAPI32(?,00000002,00000000,00020006,00401935,00000001,?,00000002,?,00401EA7,80000001,Software,zeniko's software,?,?,00000002), ref: 00402851

Part of subcall function 0040283A: RegCreateKeyA.ADVAPI32(00401935,?,?), ref: 00402873
Part of subcall function 0040283A: RegCloseKey.ADVAPI32(00000000,?,00000002,00000000,00020006,00401935,00000001,?,00000002,?,00401EA7,80000001,Software,zeniko's software,?), ref: 0040288A

RegOpenKeyExA.ADVAPI32(80000001,00000000,00020006,00401935,?,?,?,00000002,?,00401935), ref: 00401EDE
RegCloseKey.ADVAPI32(00000000), ref: 00401F56

Strings

Active, xrefs: 00401F11
CompMode, xrefs: 00401F26
Software, xrefs: 00401E98
IneTVisible, xrefs: 00401F3B
Software\zeniko's software, xrefs: 00401EB2
Remember, xrefs: 00401EFC
zeniko's software, xrefs: 00401E93

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: CloseOpen$Create
String ID: Active$CompMode$IneTVisible$Remember$Software$Software\zeniko's software$zeniko's software
API String ID: 3815150309-1170939792
Opcode ID: cea7e33ebf3be49cd970c1956f60221faef830543cbe3149301bdd08cff41b72
Instruction ID: 8d09962d876b3c62d4fe2e7cd0f771f5f83eae9a509df763de9082a96a141beb
Opcode Fuzzy Hash: cea7e33ebf3be49cd970c1956f60221faef830543cbe3149301bdd08cff41b72
Instruction Fuzzy Hash: 51119073A50110BADB117BA1DE06EAD7A66D7D4744F254176FB00720E1D6B90F10A69C

Uniqueness

Uniqueness Score: -1.00%

Function 004022B1, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 65
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004022B1(struct HWND__* _a4, intOrPtr _a8, signed short _a12) {
				intOrPtr _t7;
				signed int _t18;
				void* _t26;

				_t7 = _a8;
				_t26 = _t7 - 0x10;
				if(_t26 == 0) {
					 *0x404194 =  *0x404194 & 0x00000000;
					EndDialog(_a4, 0);
					SetActiveWindow(0);
					return 1;
				}
				if(_t26 < 0) {
					L13:
					return 0;
				}
				if(_t7 == 0x110) {
					 *0x404194 = _a4;
					SendDlgItemMessageA(_a4, 0x193, 0xb1, 0, 0x13);
					return 1;
				}
				if(_t7 == 0x111) {
					_t18 = _a12 & 0xffff;
					__eflags = _t18 - 2;
					if(__eflags == 0) {
						 *0x404194 =  *0x404194 & 0x00000000;
						EndDialog(_a4, 1);
						SetActiveWindow(0);
						return 1;
					}
					if(__eflags < 0) {
						goto L13;
					}
					__eflags = _t18 - 0x194;
					if(_t18 == 0x194) {
						 *0x403128(0, "open", "http://go.to/zeniko", 0, 0, 5);
						return 1;
					}
					goto L13;
				}
				goto L13;
			}

0x004022b6
0x004022b9
0x004022bc
0x00402351
0x0040235d
0x00402364
0x00000000
0x0040236b
0x004022c2
0x0040236e
0x00000000
0x0040236e
0x004022cd
0x004022de
0x004022f4
0x00000000
0x004022fb
0x004022d4
0x00402302
0x00402307
0x0040230a
0x00402317
0x00402323
0x0040232a
0x00000000
0x00402331
0x0040230c
0x00000000
0x00000000
0x0040230e
0x00402313
0x00402346
0x00000000
0x0040234e
0x00000000
0x00402315
0x00000000

APIs

SendDlgItemMessageA.USER32(?,00000193,000000B1,00000000,00000013), ref: 004022F4
EndDialog.USER32(?,00000000), ref: 0040235D
SetActiveWindow.USER32(00000000,?,00000000), ref: 00402364

Strings

open, xrefs: 0040233F
http://go.to/zeniko, xrefs: 0040233A

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: ActiveDialogItemMessageSendWindow
String ID: http://go.to/zeniko$open
API String ID: 528025223-3543118226
Opcode ID: 8bafaa0efd235d46bf7b2a8e4dfd87bcb6bfeda57c75d75a6881111a23f0b27e
Instruction ID: 16f5f67bf37c400b7f6e5125c9d5c5fc372a027b91482e0ee9a05aa90a01e01b
Opcode Fuzzy Hash: 8bafaa0efd235d46bf7b2a8e4dfd87bcb6bfeda57c75d75a6881111a23f0b27e
Instruction Fuzzy Hash: F411A0313942047AFB346A75CF0FF6A2544AB45756F200837FA06F80E1D6FC9982955E

Uniqueness

Uniqueness Score: -1.00%

Function 004024C2, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 30
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004024C2(void* __ecx, void* __eflags, CHAR* _a4) {
				void* _v8;
				void* _t11;

				if(E00402378() != 0) {
					return WritePrivateProfileStringA("boot", "SCRNSAVE.EXE", _a4, "System.ini");
				}
				_t11 = E004027DC(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop", 0, 0x20006,  &_v8), _v8, "SCRNSAVE.EXE", _a4);
				if(_v8 != 0) {
					return RegCloseKey(_v8);
				}
				return _t11;
			}

0x004024cd
0x00000000
0x004024e1
0x0040250d
0x00402519
0x00000000
0x0040251e
0x00402524

APIs

Part of subcall function 00402378: GetVersionExA.KERNEL32(00000094,00000000), ref: 00402393

WritePrivateProfileStringA.KERNEL32(boot,SCRNSAVE.EXE,00000000,System.ini), ref: 004024E1
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop,00000000,00020006,00000000,?,?,00401E70,00403000,?,?,004018BE,?,00000000,00000000,$@@(@@), ref: 004024FD
RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 0040251E

Strings

Control Panel\Desktop, xrefs: 004024F3
System.ini, xrefs: 004024CF
SCRNSAVE.EXE, xrefs: 004024D7, 00402505
boot, xrefs: 004024DC

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: CloseOpenPrivateProfileStringVersionWrite
String ID: Control Panel\Desktop$SCRNSAVE.EXE$System.ini$boot
API String ID: 1628122841-440963436
Opcode ID: 1847485fe65f190367c140e2c7bdb417f71765861a7c931d29e713c3ccafc45f
Instruction ID: 3520a33a632866ecf5e246aa0f81f02147e1066d69f95cfeee06a5b93d78d8e1
Opcode Fuzzy Hash: 1847485fe65f190367c140e2c7bdb417f71765861a7c931d29e713c3ccafc45f
Instruction Fuzzy Hash: 66F065B0A80208BAEF21AB92DF0FF9D76659B64748F2000777B00750D1DAFE8B94E55D

Uniqueness

Uniqueness Score: -1.00%

Function 0040196C, Relevance: 12.1, APIs: 8, Instructions: 66
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040196C(intOrPtr _a4) {
				struct HMENU__* _v8;
				struct tagPOINT _v16;
				struct HMENU__* _v20;
				intOrPtr _t13;
				struct HMENU__* _t18;
				struct HMENU__* _t19;
				signed int _t21;

				_t13 = _a4;
				if(_t13 == 0x202) {
					E00401DDB(0 |  *0x403134 == 0x00000000, 1);
					return E00401F64( *0x403114, 0);
				}
				if(_t13 == 0x205) {
					GetCursorPos( &_v16);
					_t18 = LoadMenuA( *0x403124, 0xc8);
					_v8 = _t18;
					_t19 = GetSubMenu(_t18, 0);
					_v20 = _t19;
					if( *0x403134 != 0) {
						CheckMenuItem(_t19, 0xca, 8);
					}
					SetForegroundWindow( *0x403114);
					_t21 = TrackPopupMenu(_v20, 0x102, _v16, _v16.y, 0,  *0x403114, 0);
					if(_t21 < 0xca || _t21 > 0xcd) {
						PostMessageA( *0x403114, 0, 0, 0);
						return DestroyMenu(_v8);
					} else {
						goto ( *((intOrPtr*)(_t21 * 4 +  &M00403D40)));
					}
				}
				return _t13;
			}

0x00401975
0x0040197d
0x00401a7e
0x00000000
0x00401a90
0x00401988
0x00401992
0x004019a2
0x004019a7
0x004019ad
0x004019b2
0x004019bc
0x004019c6
0x004019c6
0x004019d1
0x004019ee
0x004019f8
0x00401a61
0x00000000
0x00401a01
0x00401a01
0x00401a01
0x004019f8
0x00401a97

APIs

GetCursorPos.USER32(?), ref: 00401992
LoadMenuA.USER32(000000C8), ref: 004019A2
GetSubMenu.USER32(00000000,00000000), ref: 004019AD
CheckMenuItem.USER32(00000000,000000CA,00000008), ref: 004019C6
SetForegroundWindow.USER32 ref: 004019D1
TrackPopupMenu.USER32(?,00000102,?,?,00000000,00000000), ref: 004019EE

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: Menu$CheckCursorForegroundItemLoadPopupTrackWindow
String ID:
API String ID: 3628260469-0
Opcode ID: 86da403e0e5152b8a668bded5b5284a1fdbe7041994365af25b1cbd8892e5516
Instruction ID: 3a5f7b92c9222e23bbada2491c6c3fae48905ce9c593eec6ba5afb473e26eb5f
Opcode Fuzzy Hash: 86da403e0e5152b8a668bded5b5284a1fdbe7041994365af25b1cbd8892e5516
Instruction Fuzzy Hash: 3D114931B41204BAEB216FA6DE4BF5D7A39EB44705F100437F201790F2CAB95A549A1D

Uniqueness

Uniqueness Score: -1.00%

Function 00401B3F, Relevance: 12.1, APIs: 8, Instructions: 53
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401B3F(intOrPtr _a4) {
				struct HMENU__* _v8;
				struct tagPOINT _v16;
				struct HMENU__* _v20;
				intOrPtr _t9;
				struct HMENU__* _t13;

				_t9 = _a4;
				if(_t9 == 0x202) {
					return E00401BEC(1);
				}
				if(_t9 == 0x205) {
					GetCursorPos( &_v16);
					_t13 = LoadMenuA( *0x403124, 0xfa);
					_v8 = _t13;
					_v20 = GetSubMenu(_t13, 0);
					SetForegroundWindow( *0x403114);
					if(TrackPopupMenu(_v20, 0x102, _v16, _v16.y, 0,  *0x403114, 0) == 0xfc) {
						E00401D86(0);
						SetActiveWindow(0);
					}
					PostMessageA( *0x403114, 0, 0, 0);
					return DestroyMenu(_v8);
				}
				return _t9;
			}

0x00401b47
0x00401b4f
0x00000000
0x00401be7
0x00401b5a
0x00401b64
0x00401b74
0x00401b79
0x00401b84
0x00401b8d
0x00401bb4
0x00401bb8
0x00401bc0
0x00401bc0
0x00401bd1
0x00000000
0x00401bd9
0x00401beb

APIs

GetCursorPos.USER32(?), ref: 00401B64
LoadMenuA.USER32(000000FA,?), ref: 00401B74
GetSubMenu.USER32(00000000,00000000), ref: 00401B7F
SetForegroundWindow.USER32(00000000), ref: 00401B8D
TrackPopupMenu.USER32(?,00000102,?,?,00000000,00000000,00000000), ref: 00401BAA
SetActiveWindow.USER32(00000000,?,00000102,?,?,00000000,00000000,00000000,00000000,000000FA,?), ref: 00401BC0
PostMessageA.USER32(00000000,00000000,00000000,?), ref: 00401BD1
DestroyMenu.USER32(?,00000000,00000000,00000000,?,00000102,?,?,00000000,00000000,00000000,00000000,000000FA,?), ref: 00401BD9

Part of subcall function 00401D86: SetTimer.USER32(000001F5,000006C0,00000000,?), ref: 00401DB3

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: Menu$Window$ActiveCursorDestroyForegroundLoadMessagePopupPostTimerTrack
String ID:
API String ID: 1372655081-0
Opcode ID: 7f9825d3b10da310ea5f19fb4e7d2e66aede0fe9890fbcf6763c44d50de3e4b5
Instruction ID: 042c7d50a2f843531f83fd06cb463a2cfb4226ea3ca4c0ed38c6e8cd1db48d3d
Opcode Fuzzy Hash: 7f9825d3b10da310ea5f19fb4e7d2e66aede0fe9890fbcf6763c44d50de3e4b5
Instruction Fuzzy Hash: AF019231A80204BAEB217BA2CE0BF9D7A799B40B05F100037F200780F2DFF97A509A1D

Uniqueness

Uniqueness Score: -1.00%

Function 00401BEC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
stringtimeCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00401BEC(intOrPtr _a4) {
				char _v68;
				struct HICON__* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				struct HWND__* _v88;
				char _v92;
				void* _t18;
				long long _t23;

				_v88 =  *0x403114;
				_v84 = 2;
				_v76 = 0x403;
				_v72 = E0040259A( *0x403114, _t23);
				_push("Swatch Internet Time");
				_push( &_v68);
				L004029DC();
				_v80 = 7;
				_v92 = 0x58;
				if(_v72 == 0) {
					KillTimer( *0x403114, 0x1f5);
					_t18 =  *0x40312c(2,  &_v92);
					 *0x403140 =  *0x403140 & 0x00000000;
					return _t18;
				}
				 *0x40312c(_a4,  &_v92);
				return DestroyCursor(_v72);
			}

0x00401bf7
0x00401bfa
0x00401c01
0x00401c0d
0x00401c10
0x00401c18
0x00401c19
0x00401c1e
0x00401c25
0x00401c30
0x00401c54
0x00401c5f
0x00401c65
0x00000000
0x00401c65
0x00401c39
0x00000000

APIs

Part of subcall function 0040259A: 73BBAC50.USER32(00000000,00000000,?,00000000), ref: 004025AC

lstrcpy.KERNEL32(?,Swatch Internet Time), ref: 00401C19
DestroyCursor.USER32(00000000), ref: 00401C42
KillTimer.USER32(000001F5,?,Swatch Internet Time), ref: 00401C54

Strings

Swatch Internet Time, xrefs: 00401C10
X, xrefs: 00401C25

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: CursorDestroyKillTimerlstrcpy
String ID: Swatch Internet Time$X
API String ID: 3129459611-1593171742
Opcode ID: f78eb45b5a3bfcadbe7dd2124ea950007f0bf941619b89f664a33267a153c1c0
Instruction ID: 83ec2fb2adf74c494f8416ba9bd02ec2f0a4e37bd28f919cd14767979bd4ee6e
Opcode Fuzzy Hash: f78eb45b5a3bfcadbe7dd2124ea950007f0bf941619b89f664a33267a153c1c0
Instruction Fuzzy Hash: ED01FF709002489FDB10DFD1CE0AB9DBFB8BB08709F104036E604791D5DBB89959CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00401F64, Relevance: 7.5, APIs: 5, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401F64(struct HWND__* _a4, intOrPtr _a8) {
				intOrPtr _t5;

				_t5 = _a8;
				if(_t5 == 0xffffffff) {
					if( *0x404194 != 0) {
						return EndDialog( *0x404194, 0);
					}
				} else {
					_t5 = _t5;
					if(_t5 == 0) {
						if( *0x404194 != 0) {
							return SetForegroundWindow( *0x404194);
						}
					} else {
						if(_t5 >= 0xffffffff) {
							if(_t5 == 0xcb || _t5 == 0xcc) {
								if( *0x404194 != 0) {
									return SetForegroundWindow( *0x404194);
								}
								if(_a8 != 0xcb) {
									return DialogBoxParamA( *0x403124, 0x190, _a4, E004022B1, 0);
								}
								return DialogBoxParamA( *0x403124, 0x12c, _a4, E00402016, 0);
							} else {
								return _t5;
							}
						}
					}
				}
				return _t5;
			}

0x00401f68
0x00401f6e
0x00401f97
0x00000000
0x00401fa1
0x00401f70
0x00401f70
0x00401f72
0x00401faf
0x00000000
0x00401fb7
0x00401f74
0x00401f77
0x00401f82
0x00401fc5
0x00000000
0x0040200e
0x00401fce
0x00000000
0x00402001
0x00000000
0x00000000
0x00000000
0x00000000
0x00401f82
0x00401f77
0x00401f72
0x00402015

APIs

EndDialog.USER32(00000000,?), ref: 00401FA1
SetForegroundWindow.USER32(?), ref: 00401FB7
DialogBoxParamA.USER32(0000012C,?,00402016,00000000,?), ref: 00401FE5
DialogBoxParamA.USER32(00000190,?,004022B1,00000000,?), ref: 00402001

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: Dialog$Param$ForegroundWindow
String ID:
API String ID: 3237959421-0
Opcode ID: 508c2a613d9d6abe25c7084caf35a403fbe2a44df7234297726a5ff3b3921951
Instruction ID: dcdb556a97261e97dc628eb19835391fb053787c39f850a9b191d947782dfa27
Opcode Fuzzy Hash: 508c2a613d9d6abe25c7084caf35a403fbe2a44df7234297726a5ff3b3921951
Instruction Fuzzy Hash: 97014C30244301AAEA315F55EF4EB563A6597C4324F20427BF318781F1C7FD8992EA1E

Uniqueness

Uniqueness Score: -1.00%

Function 00401C6E, Relevance: 7.5, APIs: 5, Instructions: 37
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401C6E(void* __ecx) {
				void _v8;
				int _t3;

				if( *0x403134 != 0) {
					if( *0x40313c != 0) {
						return SendMessageA( *0x403114, 0x113, 0x1f4, 0);
					}
					_t3 = SystemParametersInfoA(0x72, 0,  &_v8, 0);
					if(_t3 == 0) {
						return SendMessageA( *0x403114, 0x113, 0x1f4, 0);
					}
					if(_v8 != 0) {
						return PostMessageA(GetForegroundWindow(), 0x10, 0, 0);
					}
				}
				return _t3;
			}

0x00401c79
0x00401c82
0x00000000
0x00401c96
0x00401cac
0x00401cae
0x00000000
0x00401cdb
0x00401cb4
0x00000000
0x00401cc2
0x00401cb4
0x00401ce1

APIs

SendMessageA.USER32(00000113,000001F4,00000000), ref: 00401C96
SystemParametersInfoA.USER32(00000072,00000000,00000000,00000000), ref: 00401CA7
GetForegroundWindow.USER32(00000072,00000000,00000000,00000000,?,?,004018C3,?,00000000), ref: 00401CB6
PostMessageA.USER32(00000000,00000010,00000000,00000000), ref: 00401CC2

Memory Dump Source

Source File: 00000000.00000002.597621386.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.597609564.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.597628582.0000000000404000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.597640977.0000000000409000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.597647260.000000000040A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NoSleep!.jbxd

Similarity

API ID: Message$ForegroundInfoParametersPostSendSystemWindow
String ID:
API String ID: 3660655552-0
Opcode ID: 82b7d6401e520e6db2cd9d5b9c2c04b84284b580d9c97fecd2b1d58a0c328b3d
Instruction ID: a9b883a68e3c780e7f83ca665cf6781e098526bd6ee3db36d64a8ef9dddd174f
Opcode Fuzzy Hash: 82b7d6401e520e6db2cd9d5b9c2c04b84284b580d9c97fecd2b1d58a0c328b3d
Instruction Fuzzy Hash: D2F0DA307D4305B6F6246EA29E4BFA676A86704B89F10043A72007D1E28AF8AA54D56E

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report NoSleep!.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: NoSleep!.exe PID: 5108 Parent PID: 5764

General

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Sections loaded by Program

Registry Activities

Function 00401250, Relevance: 68.5, APIs: 28, Strings: 11, Instructions: 237
windowstringlibraryCOMMON

Function 00401570, Relevance: 12.1, APIs: 8, Instructions: 144
nativeCOMMON

Function 00402435, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 43
registrystringCOMMON

Function 00401A98, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 57
windowCOMMON

Function 00401CE2, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 51
registryCOMMON

Function 0040124F, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
windowCOMMON

Function 00401DDB, Relevance: 3.0, APIs: 2, Instructions: 48
timeCOMMON

Function 004028BC, Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Function 004028BB, Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Function 0040277C, Relevance: 1.5, APIs: 1, Instructions: 26
registryCOMMON

Function 0040277B, Relevance: 1.5, APIs: 1, Instructions: 24
registryCOMMON

Function 00402527, Relevance: 1.5, APIs: 1, Instructions: 36
timeCOMMON

Function 00402378, Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Function 0040259A, Relevance: 33.2, APIs: 22, Instructions: 158
windowCOMMON

Function 00402016, Relevance: 18.2, APIs: 12, Instructions: 191
windowCOMMON

Function 00401E8A, Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 66
registryCOMMON

Function 004022B1, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 65
windowCOMMON

Function 004024C2, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 30
registryCOMMON

Function 0040196C, Relevance: 12.1, APIs: 8, Instructions: 66
windowCOMMON

Function 00401B3F, Relevance: 12.1, APIs: 8, Instructions: 53
windowCOMMON

Function 00401BEC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
stringtimeCOMMON