
Windows Analysis Report PcAppStore.exe

Overview

General Information

Sample Name:PcAppStore.exe
Analysis ID:467000
MD5:9ab7a1ded9e826b1ec086fb4d62cd29a
SHA1:da64dd3893618541d23895d5f8daa7186e6926ab
SHA256:2cc1925eab0ccf06550086ed4a9f2c463e3de2416053d0562455a4c94078c0a7

Detection

Score:36
Range:0 - 100
Whitelisted:false
Confidence:20%

Signatures

Multi AV Scanner detection for submitted file
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

Classification chart (image not preserved). Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious.

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample crashes during execution, try analyze it on another analysis machine
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
  • System is w10x64
  • PcAppStore.exe (PID: 6424 cmdline: 'C:\Users\user\Desktop\PcAppStore.exe' MD5: 9AB7A1DED9E826B1EC086FB4D62CD29A)
    • WerFault.exe (PID: 6688 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6424 -s 708 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: PcAppStore.exe, ReversingLabs: Detection: 15%
Source: PcAppStore.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown, HTTPS traffic detected: 34.195.48.210:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: PcAppStore.exe, Static PE information: certificate valid
Source: PcAppStore.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\veryfast\AppStore\engine\Release\fa_rss.pdb source: PcAppStore.exe
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View, IP Address: 34.195.48.210
Source: unknown, Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49714
Source: PcAppStore.exe, String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: PcAppStore.exe, String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: PcAppStore.exe, String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: PcAppStore.exe, String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: PcAppStore.exe, String found in binary or memory: http://ocsp.comodoca.com0
Source: PcAppStore.exe, String found in binary or memory: http://ocsp.sectigo.com0
Source: PcAppStore.exe, String found in binary or memory: http://www.openssl.org/support/faq.html
Source: PcAppStore.exe, String found in binary or memory: https://pcapp.store/verify.php?nocache=
Source: PcAppStore.exe, String found in binary or memory: https://pcapp.store/verify.php?nocache=TEMPverified
Source: PcAppStore.exe, String found in binary or memory: https://sectigo.com/CPS0
Source: PcAppStore.exe, String found in binary or memory: https://sectigo.com/CPS0D
Source: PcAppStore.exe, String found in binary or memory: https://secure.comodo.com/CPS0L
Source: unknown, DNS traffic detected: queries for: pcapp.store
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00BBEC2D __EH_prolog3_GS,GetTickCount,URLDownloadToFileW
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00BD340E __EH_prolog3_GS,PeekMessageW,TranslateMessage,DispatchMessageW,GetAsyncKeyState,GetWindowRect,GetPhysicalCursorPos,GetClassNameW,Sleep,SetWindowPos
Source: C:\Users\user\Desktop\PcAppStore.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6424 -s 708
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00BC8200
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00C6D0B5
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00C68066
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00BC4135
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00C00110
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00C7B294
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00BFF2C0
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00C4C3C0
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00B92380
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00C52561
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00BD8510
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00C706D7
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00C52793
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00C227B0
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: String function: 00BAC468 appears 38 times
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: String function: 00BDB5F0 appears 34 times
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: String function: 00C89968 appears 118 times
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: String function: 00C33AB0 appears 32 times
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: String function: 00C8999C appears 36 times
Source: PcAppStore.exe, 00000000.00000002.235549032.00000000039D0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemswsock.dll.muij% vs PcAppStore.exe
Source: PcAppStore.exe, 00000000.00000000.222309813.0000000003B30000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs PcAppStore.exe
Source: PcAppStore.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PcAppStore.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Users\user\Desktop\PcAppStore.exe 'C:\Users\user\Desktop\PcAppStore.exe'
Source: C:\Users\user\Desktop\PcAppStore.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Users\user\Desktop\PcAppStore.exe, File created: C:\Users\user\AppData\Roaming\PCAppStore
Source: C:\Users\user\Desktop\PcAppStore.exe, File created: C:\Users\user\AppData\Local\Temp\verify
Source: classification engine, Classification label: sus36.winEXE@2/8@1/1
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00BBE692 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoUninitialize,CoSetProxyBlanket,VariantClear,CoUninitialize
Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6424
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00BAE2A7 LoadResource,LockResource,SizeofResource
Source: PcAppStore.exe, String found in binary or memory: id-cmc-addExtensions
Source: PcAppStore.exe, String found in binary or memory: set-addPolicy
Source: C:\Users\user\Desktop\PcAppStore.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: PcAppStore.exe, Static PE information: Virtual size of .text is bigger than: 0x100000
Source: PcAppStore.exe, Static file information: File size 1450040 > 1048576
Source: PcAppStore.exe, Static PE information: Raw size of .text is bigger than: 0x100000 < 0x102c00
Source: PcAppStore.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PcAppStore.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PcAppStore.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PcAppStore.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PcAppStore.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PcAppStore.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: PcAppStore.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PcAppStore.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PcAppStore.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PcAppStore.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PcAppStore.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00C822EB LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00C227B0 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId
Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PcAppStore.exe, Last function: Thread delayed
Source: C:\Users\user\Desktop\PcAppStore.exe, API coverage: 5.8 %
Source: C:\Users\user\Desktop\PcAppStore.exe, WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00C54218 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00BAE16F GetProcessHeap,__Init_thread_footer,__Init_thread_footer
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00C5A271 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PcAppStore.exe, Process queried: DebugPort
Source: PcAppStore.exe, 00000000.00000000.223629141.00000000019D0000.00000002.00000001.sdmp, Binary or memory string: Program Manager
Source: PcAppStore.exe, 00000000.00000000.223629141.00000000019D0000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
Source: PcAppStore.exe, 00000000.00000000.223629141.00000000019D0000.00000002.00000001.sdmp, Binary or memory string: Progman
Source: PcAppStore.exe, 00000000.00000000.223629141.00000000019D0000.00000002.00000001.sdmp, Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: GetLocaleInfoEx,___wcsnicmp_ascii,0_2_00C4A2A6
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoW,0_2_00C4A371
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00C6D604
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00C33755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00C697B8 _free,_free,_free,GetTimeZoneInformation,_free
Source: C:\Users\user\Desktop\PcAppStore.exe, Code function: 0_2_00C842F5 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext

Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Valid Accounts | Windows Management Instrumentation 1 | Application Shimming 1 | Process Injection 2 | Masquerading 1 | Input Capture 11 | System Time Discovery 2 | Remote Services | Input Capture 11 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Command and Scripting Interpreter 2 | Boot or Logon Initialization Scripts | Application Shimming 1 | Virtualization/Sandbox Evasion 2 | LSASS Memory | Security Software Discovery 4 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | Native API 1 | Logon Script (Windows) | Logon Script (Windows) | Process Injection 2 | Security Account Manager | Virtualization/Sandbox Evasion 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery 22 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
Behavior Graph (image not preserved). ID: 467000, Sample: PcAppStore.exe, Startdate: 17/08/2021, Architecture: WINDOWS, Score: 36. Signature: Multi AV Scanner detection for submitted file. Nodes: PcAppStore.exe (started); DNS/IP: pcapp.store 34.195.48.210, 443, 49714 AMAZON-AESUS United States; PcAppStore.exe -> WerFault.exe (started); WerFault.exe -> C:\ProgramData\Microsoft\...\Report.wer, Little-endian (dropped).

| Source | Detection | Scanner | Label |
| --- | --- | --- | --- |
| PcAppStore.exe | 15% | ReversingLabs | Win32.Trojan.Cerbu |
No Antivirus matches
No Antivirus matches
| Source | Detection | Scanner | Label |
| --- | --- | --- | --- |
| pcapp.store | 0% | Virustotal | |

| Source | Detection | Scanner | Label |
| --- | --- | --- | --- |
| http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe |
| https://pcapp.store/verify.php?nocache= | 0% | Avira URL Cloud | safe |
| https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
| https://pcapp.store/verify.php?nocache=TEMPverified | 0% | Avira URL Cloud | safe |
| http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
| http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe |
| https://sectigo.com/CPS0D | 0% | URL Reputation | safe |


| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
| --- | --- | --- | --- | --- | --- |
| pcapp.store | 34.195.48.210 | true | false | | unknown |

| Name | Source | Malicious | Antivirus Detection | Reputation |
| --- | --- | --- | --- | --- |
| http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | PcAppStore.exe | false | URL Reputation: safe | unknown |
| https://secure.comodo.com/CPS0L | PcAppStore.exe | false | | high |
| https://pcapp.store/verify.php?nocache= | PcAppStore.exe | false | Avira URL Cloud: safe | unknown |
| https://sectigo.com/CPS0 | PcAppStore.exe | false | URL Reputation: safe | unknown |
| https://pcapp.store/verify.php?nocache=TEMPverified | PcAppStore.exe | false | Avira URL Cloud: safe | unknown |
| http://ocsp.sectigo.com0 | PcAppStore.exe | false | URL Reputation: safe | unknown |
| http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | PcAppStore.exe | false | URL Reputation: safe | unknown |
| http://www.openssl.org/support/faq.html | PcAppStore.exe | false | | high |
| https://sectigo.com/CPS0D | PcAppStore.exe | false | URL Reputation: safe | unknown |

| IP | Domain | Country | ASN | ASN Name | Malicious |
| --- | --- | --- | --- | --- | --- |
| 34.195.48.210 | pcapp.store | United States | 14618 | AMAZON-AESUS | false |

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:467000
Start date:17.08.2021
Start time:19:17:39
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 41s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:PcAppStore.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:SUS
Classification:sus36.winEXE@2/8@1/1
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 2.5% (good quality ratio 2.5%)
• Quality average: 78.3%
• Quality standard deviation: 19.1%
HCA Information:
• Successful, ratio: 81%
• Number of executed functions: 23
• Number of non-executed functions: 104
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.211.5.146, 23.211.6.115, 13.89.179.12, 23.211.4.86
• Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, fs.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, onedsblobprdcus17.centralus.cloudapp.azure.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, storeedgefd.xbetservices.akadns.net, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

| Time | Type | Description |
| --- | --- | --- |
| 19:18:43 | API Interceptor | 1x Sleep call for process: WerFault.exe modified |

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_PcAppStore.exe_111ad96e4f766b776852bb31a9ef6587d34406c_ee288f81_1a6cc0dd\Report.wer
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):13792
Entropy (8bit):3.765175566082864
Encrypted:false
SSDEEP:96:oK/RJJhcg+EKcRf9pXIQcQvc6QcEDMcw3D7+HbHg/8BRTfFMFoqzWAMmuwqim7Od:bZRVHBUZMX4jPKgFg/u7stS274ItyE
MD5:1D02BDAB8CEC238734C5946D96A39ACF
SHA1:4269136DE5506D4C9490BA81B447825C553D7BCE
SHA-256:0AA995F3BD00EFBCC6B33024C224AFD703EDADD7C6E46F4FBEE6BA0677C2379E
SHA-512:7C7F2BD39393A5EA9DC7FF151BB7D6735A79DDBD28087001E854322171FE4947B5D744595E4C46541DE369550E60F87E4C6D32042B825F6471F5714FA9AF6AE4
Malicious:true
Reputation:low
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERB7A6.tmp.dmp
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 15 streams, Wed Aug 18 02:18:41 2021, 0x1205a4 type
                        Category:dropped
                        Size (bytes):117994
                        Entropy (8bit):1.876823954845953
                        Encrypted:false
                        SSDEEP:384:6+iPXZKeO8Bh3japIktqgjePom7UEOkz5nbHKUj7dYW5OK:6+Wp99Xjaik4Epvd45e+5OK
                        MD5:963B53938630F2A89CE5A2703E2471C7
                        SHA1:FC5B95B097644AEEECAF3B8EC77E42FBBF65C9FF
                        SHA-256:B7C0400DDE99C6805CCA75ABF5A7AA0CFE437D0FB6592A7B81F32CF3B319E808
                        SHA-512:E3E651F63683F1320D1A16E2522A52B116A058BF2CB5D98A79067C50EE4E349A8EFE66442BDAB416C1944212ED8A613833F84CBB741303D5F571B6C3FDB1C375
                        Malicious:false
                        Reputation:low
                        Preview: MDMP....... ........n.a...................U...........B......4'......GenuineIntelW...........T............m.a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB02.tmp.WERInternalMetadata.xml
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8304
                        Entropy (8bit):3.6941477061010035
                        Encrypted:false
                        SSDEEP:192:Rrl7r3GLNiIb6cA6YSuSUeAZgmfWZSRCprZ89bEGsfqsm:RrlsNiE6J6YbSUeAZgmfWZS/Elfg
                        MD5:E504385DB2D9BE6C2C09568D13F67B4D
                        SHA1:C4BFE60A98032BD4E180C09F6029C5EBD0548B3B
                        SHA-256:5737E1DBB4F9362D45E9C7ECB82049103317924F7B8A6C53589EE1028C3198A0
                        SHA-512:25380E598096A59A5A9933541FCA687B15567341B65C033BFEF209BC59F4AE8193E3B4BCD0C65F67CC5635E5B6B1D4AD560640F1D889D2BB7B95E36FB65FF7A6
                        Malicious:false
                        Reputation:low
                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>17134</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>.. <Revision>1</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>1033</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>6424</Pid>..
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBFD.tmp.xml
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4645
                        Entropy (8bit):4.467866655384495
                        Encrypted:false
                        SSDEEP:48:cvIwSD8zsMJgtWI9nvWSC8Bq/8fm8M4JwUY9YFBR+q8ZmTaGKSgCWd:uITfKs+SNtJwemrfCWd
                        MD5:33449568EC69E83B5C16471210B78C94
                        SHA1:26ADA4EFF18230E82D3EB55228813F4C4448CE7C
                        SHA-256:F217D7A82A69921F859C0A4AA6AF7A3A2470D356514A1EE867963AAFD5986237
                        SHA-512:490F00793972CCB75C18EC4A024C4BE0061B3765B2DB5E508248787BAA5946736322C61E318FA17FAD815FBD4A6D7AD987FA924145E8715F2AD75F4F21F05240
                        Malicious:false
                        Reputation:low
                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1126769" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\pixel[1].gif
                        Process:C:\Users\user\Desktop\PcAppStore.exe
                        File Type:GIF image data, version 89a, 1 x 1
                        Category:dropped
                        Size (bytes):42
                        Entropy (8bit):2.9881439641616536
                        Encrypted:false
                        SSDEEP:3:CUXPQE/xlEy:1QEoy
                        MD5:D89746888DA2D9510B64A9F031EAECD5
                        SHA1:D5FCEB6532643D0D84FFE09C40C481ECDF59E15A
                        SHA-256:EF1955AE757C8B966C83248350331BD3A30F658CED11F387F8EBF05AB3368629
                        SHA-512:D5DA26B5D496EDB0221DF1A4057A8B0285D15592A8F8DC7016A294DF37ED335F3FDE6A2252962E0DF38B62847F8B771463A0124EF3F84299F262ED9D9D3CEE4C
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview: GIF89a.............!.......,...........D.;
                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\verify[1].htm
                        Process:C:\Users\user\Desktop\PcAppStore.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):8
                        Entropy (8bit):2.5
                        Encrypted:false
                        SSDEEP:3:WPAB:WPk
                        MD5:723AA82A83C278D5E7E7BE9B109B406A
                        SHA1:EC734B651574683F36974C7F12847FBBE084DBE2
                        SHA-256:1C34F88707B55E6104C4EB20E71FFA3D33E414B71EF689A15FAD0640D0AC58CB
                        SHA-512:4531C2506478AFD163726A5D6FFD8C64C24819545D906526AA749361E634556595D3B0F6B606C2BFD069E4938168D7CDE18C60EA44475E339707472729EFF10D
                        Malicious:false
                        Reputation:low
                        Preview: verified
                        C:\Users\user\AppData\Local\Temp\verify
                        Process:C:\Users\user\Desktop\PcAppStore.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):8
                        Entropy (8bit):2.5
                        Encrypted:false
                        SSDEEP:3:WPAB:WPk
                        MD5:723AA82A83C278D5E7E7BE9B109B406A
                        SHA1:EC734B651574683F36974C7F12847FBBE084DBE2
                        SHA-256:1C34F88707B55E6104C4EB20E71FFA3D33E414B71EF689A15FAD0640D0AC58CB
                        SHA-512:4531C2506478AFD163726A5D6FFD8C64C24819545D906526AA749361E634556595D3B0F6B606C2BFD069E4938168D7CDE18C60EA44475E339707472729EFF10D
                        Malicious:false
                        Reputation:low
                        Preview: verified
                        C:\Users\user\AppData\Roaming\PCAppStore\Data\temp_event
                        Process:C:\Users\user\Desktop\PcAppStore.exe
                        File Type:GIF image data, version 89a, 1 x 1
                        Category:dropped
                        Size (bytes):42
                        Entropy (8bit):2.9881439641616536
                        Encrypted:false
                        SSDEEP:3:CUXPQE/xlEy:1QEoy
                        MD5:D89746888DA2D9510B64A9F031EAECD5
                        SHA1:D5FCEB6532643D0D84FFE09C40C481ECDF59E15A
                        SHA-256:EF1955AE757C8B966C83248350331BD3A30F658CED11F387F8EBF05AB3368629
                        SHA-512:D5DA26B5D496EDB0221DF1A4057A8B0285D15592A8F8DC7016A294DF37ED335F3FDE6A2252962E0DF38B62847F8B771463A0124EF3F84299F262ED9D9D3CEE4C
                        Malicious:false
                        Preview: GIF89a.............!.......,...........D.;

                        Static File Info

                        General

                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):6.71672000186488
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:PcAppStore.exe
                        File size:1450040
                        MD5:9ab7a1ded9e826b1ec086fb4d62cd29a
                        SHA1:da64dd3893618541d23895d5f8daa7186e6926ab
                        SHA256:2cc1925eab0ccf06550086ed4a9f2c463e3de2416053d0562455a4c94078c0a7
                        SHA512:65b39f5fa58ac67a0eb430754bd00567402b18975785afbf800fc332a585f0feda6e45685be8bc955b7e78df7e2240be5e38e662b168f155d9737fdc029ea144
                        SSDEEP:24576:PISZRucBjzofb93mRbg+NG5HZMKF+vw3Wgwg6/ysitr2feSeczzp0PYlxuMbCxbM:AS7RjsFqyHZMKF+IGgG/sr2fJpzzp0P6
                        File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........=...\...\...\...4...\...4...\..}-..[\..}-...\..}-...\...4...\...4...\...4...\...\..=\...\...\..U....]..V....\..V....\...\d..\.

                        File Icon

                        Icon Hash:c280cecccececcce

                        General

                        Entrypoint:0x4a2d62
                        Entrypoint Section:.text
                        Digitally signed:true
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                        DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                        Time Stamp:0x610BC7A8 [Thu Aug 5 11:12:40 2021 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:6
                        OS Version Minor:0
                        File Version Major:6
                        File Version Minor:0
                        Subsystem Version Major:6
                        Subsystem Version Minor:0
                        Import Hash:de4ef704fa96538215d448011a06f407
                        Signature Valid:true
                        Signature Issuer:CN=COMODO RSA Extended Validation Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                        Signature Validation Error:The operation completed successfully
                        Error Number:0
                        Not Before, Not After
                        • 5/23/2021 5:00:00 PM 5/24/2022 4:59:59 PM
                        Subject Chain
                        • CN=Fast Corporate LTD, O=Fast Corporate LTD, L=Ramat Gan, C=IL, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IL, SERIALNUMBER=515636181
                        Version:3
                        Thumbprint MD5:62A015C71BC0E5F111E169F9C138459E
                        Thumbprint SHA-1:05C81CCC0A70E2C8B51E494E9632D86B0F4BA478
                        Thumbprint SHA-256:B96F7147DE90CDE56A3CB23F360734DC4736448B208F24433E05286A5FE0693E
                        Serial:00B8400D8775B548083F5174D21EB68B8F
                        Instruction
                        call 00007F40E0AD8D00h
                        jmp 00007F40E0AD813Fh
                        cmp ecx, dword ptr [0054AF54h]
                        jne 00007F40E0AD82C5h
                        ret
                        jmp 00007F40E0AD82EEh
                        push ebp
                        mov ebp, esp
                        push 00000000h
                        call dword ptr [00504244h]
                        push dword ptr [ebp+08h]
                        call dword ptr [00504240h]
                        push C0000409h
                        call dword ptr [0050405Ch]
                        push eax
                        call dword ptr [0050403Ch]
                        pop ebp
                        ret
                        push ebp
                        mov ebp, esp
                        sub esp, 00000324h
                        push 00000017h
                        call 00007F40E0B2EE3Bh
                        test eax, eax
                        je 00007F40E0AD82C7h
                        push 00000002h
                        pop ecx
                        int 29h
                        mov dword ptr [005503F8h], eax
                        mov dword ptr [005503F4h], ecx
                        mov dword ptr [005503F0h], edx
                        mov dword ptr [005503ECh], ebx
                        mov dword ptr [005503E8h], esi
                        mov dword ptr [005503E4h], edi
                        mov word ptr [00550410h], ss
                        mov word ptr [00550404h], cs
                        mov word ptr [005503E0h], ds
                        mov word ptr [005503DCh], es
                        mov word ptr [005503D8h], fs
                        mov word ptr [005503D4h], gs
                        pushfd
                        pop dword ptr [00550408h]
                        mov eax, dword ptr [ebp+00h]
                        mov dword ptr [005503FCh], eax
                        mov eax, dword ptr [ebp+04h]
                        mov dword ptr [00550400h], eax
                        lea eax, dword ptr [ebp+08h]
                        mov dword ptr [0055040Ch], eax

                        Name                                  Virtual Address  Virtual Size  Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_IMPORT          0x147c00         0xdc          .rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE        0x15b000         0x48a0        .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_SECURITY        0x15de00         0x4238
                        IMAGE_DIRECTORY_ENTRY_BASERELOC       0x160000         0xc810        .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG           0x13a998         0x54          .rdata
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_TLS             0x13aac0         0x18          .rdata
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x13a9f0         0x40          .rdata
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_IAT             0x104000         0x3b8         .rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                        Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                        .text   0x1000           0x102bec      0x102c00  False     0.520548384662   data       6.74636011341  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .rdata  0x104000         0x45186       0x45200   False     0.417414246157   data       5.39866362749  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data   0x14a000         0x103e0       0x4800    False     0.230902777778   data       4.73321657994  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        .rsrc   0x15b000         0x48a0        0x4a00    False     0.0683065878378  data       3.05940225337  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc  0x160000         0xc810        0xca00    False     0.605217357673   data       6.56057828466  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                        Name           RVA       Size    Type  Language  Country
                        RT_ICON        0x15b478  0x4228  dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4280098075, next used block 4280098075  English  United States
                        RT_MENU        0x15f6b8  0x64    data  English  United States
                        RT_GROUP_ICON  0x15f6a0  0x14    data  English  United States
                        RT_VERSION     0x15b180  0x2f8   data  English  United States
                        RT_MANIFEST    0x15f720  0x17d   XML 1.0 document text  English  United States

                        DLL           Import
                        urlmon.dll    URLDownloadToFileW
                        KERNEL32.dll  DeleteFileW, Sleep, GetModuleFileNameW, WinExec, TerminateProcess, GetProcAddress, GetModuleHandleA, CreateDirectoryW, GetCommandLineW, LocalFree, OpenEventW, CreateEventW, GetCurrentProcess, GetLastError, K32EnumProcesses, OpenProcess, QueryFullProcessImageNameW, CloseHandle, InitializeCriticalSectionEx, RaiseException, DecodePointer, DeleteCriticalSection, GetStdHandle, GetFileType, WriteFile, GetCurrentThreadId, QueryPerformanceCounter, GetCurrentProcessId, FreeLibrary, LoadLibraryA, GlobalMemoryStatus, FlushConsoleInputBuffer, TlsGetValue, TlsAlloc, SwitchToThread, SetLastError, LoadLibraryW, CreateTimerQueue, UnregisterWaitEx, QueryDepthSList, InterlockedPopEntrySList, ReleaseSemaphore, DuplicateHandle, HeapDestroy, VirtualProtect, VirtualAlloc, GetVersionExW, GetThreadTimes, UnregisterWait, RegisterWaitForSingleObject, SetThreadAffinityMask, GetProcessAffinityMask, GetNumaHighestNodeNumber, DeleteTimerQueueTimer, ChangeTimerQueueTimer, CreateTimerQueueTimer, GetLogicalProcessorInformation, GetThreadPriority, SetThreadPriority, SignalObjectAndWait, SetEndOfFile, WriteConsoleW, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, ReadConsoleInputW, SetConsoleMode, CreateFileW, SetStdHandle, GetTimeZoneInformation, ReadConsoleW, GetFileSizeEx, SetFilePointerEx, GetConsoleMode, FlushFileBuffers, GetCurrentThread, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, WideCharToMultiByte, GetProcessHeap, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, GetTimeFormatW, GetDateFormatW, FindResourceExW, FindResourceW, LoadResource, LockResource, SizeofResource, MultiByteToWideChar, GetTickCount, GlobalFree, GlobalAlloc, TlsSetValue, VirtualFree, TryEnterCriticalSection, GetStringTypeW, GetConsoleCP, ReadFile, SetConsoleCtrlHandler, FreeLibraryAndExitThread, ResumeThread, ExitThread, CreateThread, GetModuleHandleExW, ExitProcess, LoadLibraryExW, InterlockedFlushSList, InterlockedPushEntrySList, QueryPerformanceFrequency, OutputDebugStringW, GetStartupInfoW, IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, GetModuleHandleW, WaitForSingleObjectEx, RtlUnwind, GetCPInfo, GetLocaleInfoW, LCMapStringW, CompareStringW, EncodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, TlsFree
                        USER32.dll    SystemParametersInfoW, PostQuitMessage, KillTimer, GetClientRect, SetWindowLongW, wsprintfW, UpdateWindow, SetTimer, DispatchMessageW, ShowWindow, RegisterClassExW, CreateWindowExW, MessageBoxW, SetWindowPos, TranslateMessage, DestroyWindow, PostMessageW, DefWindowProcW, MessageBoxA, GetUserObjectInformationW, GetProcessWindowStation, UnhookWindowsHookEx, SetWindowsHookExW, GetParent, GetMonitorInfoA, MonitorFromPoint, FindWindowExW, SetLayeredWindowAttributes, GetDesktopWindow, CallNextHookEx, GetForegroundWindow, EnumChildWindows, GetWindowTextW, SetRect, PeekMessageW, SetWinEventHook, GetClassNameW, LoadIconW, TrackPopupMenu, SetForegroundWindow, InsertMenuW, CreatePopupMenu, GetCursorPos, GetWindowRect, FindWindowW, MoveWindow, GetWindowThreadProcessId, WindowFromPoint, GetPhysicalCursorPos, GetAsyncKeyState, GetSystemMetrics, GetWindowLongW, GetMessageW
                        WINSPOOL.DRV  EnumPrintersW
                        ADVAPI32.dll  ReportEventA, RegisterEventSourceA, DeregisterEventSource, RegSetValueExW, RegDeleteValueW, RegSetKeyValueW, RegCreateKeyW, RegCloseKey, RegOpenKeyExW, RegQueryValueExW
                        SHELL32.dll   Shell_NotifyIconW, CommandLineToArgvW, ShellExecuteW
                        ole32.dll     CoGetClassObject, OleInitialize, CoCreateInstance, CoSetProxyBlanket, CoInitialize, OleSetContainedObject, CoUninitialize, CoInitializeEx, OleUninitialize, CoInitializeSecurity
                        OLEAUT32.dll  VariantInit, SysAllocString, SysFreeString, VariantClear
                        VERSION.dll   GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                        SHLWAPI.dll   PathFindFileNameW

                        Description       Data
                        LegalCopyright    Copyright Fast Corporate LTD.
                        InternalName      fa_rss.exe
                        FileVersion       1.0.0.1034
                        CompanyName       Fast Corporate LTD.
                        ProductName       PC App Store
                        ProductVersion    1.0.0.1034
                        FileDescription   PC App Store
                        OriginalFilename  PCAppStore.exe
                        Translation       0x0409 0x04b0

                        Language of compilation system  Country where language is spoken
                        English                         United States

                        Network Behavior

                        Network Port Distribution

                        • Total Packets: 19
                        • 443 (HTTPS)
                        • 53 (DNS)

                        Timestamp:Aug 17, 2021 19:18:36.088753939 CEST
                        Source IP:192.168.2.3
                        Dest IP:8.8.8.8
                        Trans ID:0xc19c
                        OP Code:Standard query (0)
                        Name:pcapp.store
                        Type:A (IP address)
                        Class:IN (0x0001)

                        Timestamp:Aug 17, 2021 19:18:36.124033928 CEST
                        Source IP:8.8.8.8
                        Dest IP:192.168.2.3
                        Trans ID:0xc19c
                        Reply Code:No error (0)
                        Name:pcapp.store
                        CName:
                        Address:34.195.48.210
                        Type:A (IP address)
                        Class:IN (0x0001)

                        Timestamp:Aug 17, 2021 19:18:36.456717014 CEST
                        Source IP:34.195.48.210
                        Source Port:443
                        Dest IP:192.168.2.3
                        Dest Port:49714
                        JA3 SSL Client Fingerprint:771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
                        JA3 SSL Client Digest:37f463bf4616ecd445d4a1937da06e19
                        Certificate chain
                        • Subject: CN=pcapp.store; Issuer: CN=R3, O=Let's Encrypt, C=US; Not Before: Fri Jun 25 11:47:07 CEST 2021; Not After: Thu Sep 23 11:47:06 CEST 2021
                        • Subject: CN=R3, O=Let's Encrypt, C=US; Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US; Not Before: Fri Sep 04 02:00:00 CEST 2020; Not After: Mon Sep 15 18:00:00 CEST 2025
                        • Subject: CN=ISRG Root X1, O=Internet Security Research Group, C=US; Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.; Not Before: Wed Jan 20 20:14:03 CET 2021; Not After: Mon Sep 30 20:14:03 CEST 2024

                        Code Manipulations

                        Statistics

                        CPU Usage

                        Memory Usage

                        High Level Behavior Distribution

                        • File
                        • Registry

                        Behavior

                        System Behavior

                        Start time:19:18:35
                        Start date:17/08/2021
                        Path:C:\Users\user\Desktop\PcAppStore.exe
                        Wow64 process (32bit):true
                        Commandline:'C:\Users\user\Desktop\PcAppStore.exe'
                        Imagebase:0xb90000
                        File size:1450040 bytes
                        MD5 hash:9AB7A1DED9E826B1EC086FB4D62CD29A
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Start time:19:18:39
                        Start date:17/08/2021
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6424 -s 708
                        Imagebase:0x960000
                        File size:434592 bytes
                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Disassembly

                        Code Analysis

                        Execution Graph

                        Execution Coverage

                        Dynamic/Packed Code Coverage

                        Signature Coverage

                        Execution Coverage:3.6%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:21.2%
                        Total number of Nodes:680
                        Total number of Limit Nodes:47

                        Graph

bbeceb messages 27079->27080 27081 bac01a 6 API calls 27080->27081 27082 bbed36 messages 27081->27082 27117 bbf175 27082->27117 27084 bbed7a 27085 bbedab GetTickCount 27084->27085 27086 bbedbe messages 27085->27086 27121 bae71b 27086->27121 27088 bbee13 27089 bae71b 6 API calls 27088->27089 27090 bbee30 URLDownloadToFileW 27089->27090 27091 bbee59 27090->27091 27113 bbf01d 27090->27113 27125 bbf136 27091->27125 27093 bae71b 6 API calls 27094 bbf052 27093->27094 27095 bae71b 6 API calls 27094->27095 27096 bbf05a 27095->27096 27097 bae71b 6 API calls 27096->27097 27098 bbf065 27097->27098 27100 bae71b 6 API calls 27098->27100 27099 bbeee0 27133 bbf783 27099->27133 27102 bbf070 27100->27102 27101 bbee6c 27101->27099 27129 bbf664 __EH_prolog3_catch 27101->27129 27103 bae71b 6 API calls 27102->27103 27104 bbf07b 27103->27104 27107 bbef22 27139 c599e5 27107->27139 27109 bbef37 27111 bbefca 27109->27111 27148 bae6cd 6 API calls 2 library calls 27109->27148 27111->27113 27149 bae6cd 6 API calls 2 library calls 27111->27149 27113->27093 27150 bac468 27114->27150 27118 bbf181 27117->27118 27159 bac514 27118->27159 27120 bbf198 27120->27084 27122 bae726 27121->27122 27123 bae735 27121->27123 27179 bae6ef 6 API calls _Deallocate 27122->27179 27123->27088 27126 bbf149 27125->27126 27180 baff93 27126->27180 27128 bbf156 27128->27101 27131 bbf689 27129->27131 27130 bbf6bc 27130->27099 27131->27130 27255 bbd6f9 7 API calls 27131->27255 27134 bbf78f ctype 27133->27134 27135 bbf7ac 27134->27135 27256 bae6ef 6 API calls _Deallocate 27134->27256 27137 bbf80e 27135->27137 27257 bbd6f9 7 API calls 27135->27257 27137->27107 27140 c599f3 27139->27140 27143 c599fd 27139->27143 27141 c5a423 2 API calls 27140->27141 27142 c599fa 27141->27142 27142->27109 27144 c59a2b 27143->27144 27258 c5a423 DeleteFileW 27143->27258 27146 c59a41 _free 27144->27146 27147 c59a4a 27144->27147 27146->27147 27147->27109 27148->27111 27149->27113 27151 bac470 27150->27151 27151->27151 27154 bad62a 27151->27154 
27153 bac036 27153->27070 27155 bad663 27154->27155 27156 bad638 27154->27156 27155->27156 27158 bad5ae 6 API calls 2 library calls 27155->27158 27156->27153 27158->27156 27160 bac51d 27159->27160 27162 bac52b 27160->27162 27163 bae16f 27160->27163 27162->27120 27164 bae19d 27163->27164 27165 bae186 27163->27165 27175 c330be 6 API calls 27164->27175 27174 bae198 27165->27174 27177 c330be 6 API calls 27165->27177 27167 bae1a8 27167->27165 27169 bae1b2 GetProcessHeap 27167->27169 27170 bae1d8 27169->27170 27176 c33074 EnterCriticalSection LeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 27170->27176 27172 bae1ed 27172->27174 27178 c33074 EnterCriticalSection LeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 27172->27178 27174->27162 27175->27167 27176->27165 27177->27172 27178->27174 27179->27123 27181 baff9f 27180->27181 27186 bb344a 27181->27186 27183 baffca 27190 bb2da5 27183->27190 27185 bb0003 27185->27128 27187 bb3456 27186->27187 27194 bb467b 27187->27194 27189 bb348b 27189->27183 27191 bb2db1 27190->27191 27193 bb2dc6 27191->27193 27236 c34dbf 27191->27236 27193->27185 27197 bad4ea 27194->27197 27196 bb4683 27196->27189 27198 bad4f6 27197->27198 27203 c333e5 27198->27203 27200 bad52e 27208 c3448a 27200->27208 27202 bad53b 27202->27196 27204 c333ea ___std_exception_copy 27203->27204 27205 c33410 Concurrency::cancel_current_task 27204->27205 27206 badf28 Hash 27204->27206 27207 c33cfc Hash 27205->27207 27206->27200 27207->27200 27209 c89968 27208->27209 27210 c34496 std::_Lockit::_Lockit 27209->27210 27211 c344ae 27210->27211 27217 c344bc 27210->27217 27218 c3461f 27211->27218 27212 c3450a std::_Lockit::~_Lockit 27214 c34519 27212->27214 27214->27202 27215 c344b4 27221 c34642 27215->27221 27217->27212 27219 c333e5 Hash Concurrency::cancel_current_task 27218->27219 27220 c3462a std::locale::_Locimp::_Locimp 27219->27220 27220->27215 27222 c3465f 27221->27222 27223 c3464e 27221->27223 27222->27217 27225 c3914c 27223->27225 
27226 c3915c RtlEncodePointer 27225->27226 27227 c61889 27225->27227 27226->27222 27228 c618a3 IsProcessorFeaturePresent 27227->27228 27233 c618c2 27227->27233 27229 c618af 27228->27229 27234 c54218 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 27229->27234 27232 c618cc 27235 c5a333 7 API calls std::locale::_Setgloballocale 27233->27235 27234->27233 27235->27232 27238 c34d10 27236->27238 27237 c34d7e 27237->27193 27238->27237 27239 c34d71 27238->27239 27242 c34de5 std::_Xfsopen 6 API calls 27238->27242 27244 c34d78 27239->27244 27246 c34de5 27239->27246 27242->27239 27244->27237 27245 c55e3d 12 API calls 27244->27245 27245->27237 27250 c59528 27246->27250 27248 c34d91 27248->27237 27249 c5529c 6 API calls 27248->27249 27249->27244 27251 c59450 __Wcscoll 27250->27251 27253 c59473 __Wcscoll 27251->27253 27254 c543c4 6 API calls _Deallocate 27251->27254 27253->27248 27254->27253 27255->27131 27256->27135 27257->27135 27259 c5a435 GetLastError 27258->27259 27260 c5a447 27258->27260 27261 c5a441 __dosmaperr 27259->27261 27260->27144 27261->27144 27262 c6b64c GetEnvironmentStringsW 27263 c6b660 27262->27263 27264 c6b65c 27262->27264 27268 c64cdb 27263->27268 27266 c6b687 _free FreeEnvironmentStringsW 27266->27264 27267 c6b674 ctype 27267->27266 27270 c64d17 __Wcscoll 27268->27270 27271 c64ce9 __wsopen_s 27268->27271 27269 c64d04 RtlAllocateHeap 27269->27270 27269->27271 27270->27267 27271->27269 27271->27270 27272 bc8200 27370 bcc079 27272->27370 27274 bc822d 27275 bcc079 23 API calls 27274->27275 27276 bc823b 27275->27276 27277 bcc079 23 API calls 27276->27277 27278 bc8249 27277->27278 27279 bcc079 23 API calls 27278->27279 27280 bc8257 27279->27280 27281 bcc079 23 API calls 27280->27281 27282 bc8265 27281->27282 27283 bcc079 23 API calls 27282->27283 27284 bc8273 27283->27284 27285 bcc079 23 API calls 27284->27285 27286 bc8281 27285->27286 27287 bcc079 23 API calls 27286->27287 27288 bc828f 27287->27288 27289 bcc079 23 API calls 27288->27289 
27290 bc829d 27289->27290 27291 bcc079 23 API calls 27290->27291 27292 bc82ab 27291->27292 27293 bcc079 23 API calls 27292->27293 27294 bc82b9 27293->27294 27295 bcc079 23 API calls 27294->27295 27296 bc82c7 27295->27296 27380 bbff8c 27296->27380 27298 bc830e 27390 bcc03f 27298->27390 27300 bc8399 27394 bae641 27300->27394 27302 bc83b3 27406 bac03c 27302->27406 27304 bc83df 27305 bc8411 CreateDirectoryW 27304->27305 27410 bac791 27305->27410 27307 bc8430 CreateDirectoryW 27412 bbfc4f __EH_prolog3_GS 27307->27412 27309 bc843e 27431 bc814f GetModuleHandleA GetProcAddress 27309->27431 27311 bc8443 27433 c5a5a9 27311->27433 27313 bc844f GetCommandLineW CommandLineToArgvW 27314 bc8475 27313->27314 27315 bc8480 27313->27315 27316 bcc079 23 API calls 27314->27316 27317 bcc079 23 API calls 27315->27317 27318 bc8510 27315->27318 27316->27315 27317->27318 27322 bc8614 27318->27322 27542 bac123 27318->27542 27320 bc8607 27321 bcc079 23 API calls 27320->27321 27321->27322 27323 bc8734 LocalFree 27322->27323 27324 bae641 26 API calls 27323->27324 27325 bc8749 27324->27325 27326 bac03c 12 API calls 27325->27326 27327 bc8796 27326->27327 27328 bac03c 12 API calls 27327->27328 27329 bc87a2 27328->27329 27330 bc87d3 OpenEventW 27329->27330 27331 bcc079 23 API calls 27330->27331 27332 bc87f6 27331->27332 27446 bc6160 10 API calls 2 library calls 27332->27446 27334 bc87fb 27335 bc8946 CreateEventW 27334->27335 27337 bc880c 27334->27337 27336 bcc079 23 API calls 27335->27336 27340 bc8962 27336->27340 27338 bcc079 23 API calls 27337->27338 27339 bc881a 27338->27339 27341 bc8859 MessageBoxW 27339->27341 27342 bc89a3 GetCurrentProcess 27340->27342 27369 bc8870 27341->27369 27447 bc62f7 18 API calls 2 library calls 27342->27447 27344 bc89b6 27345 c5a5a9 20 API calls 27344->27345 27346 bc89c2 27345->27346 27347 c5a5a9 20 API calls 27346->27347 27348 bc89d1 27347->27348 27349 bc89ee 27348->27349 27350 c5a5a9 20 API calls 27348->27350 27351 c5a5a9 20 API calls 27349->27351 27350->27349 27352 
bc89fd 27351->27352 27353 c5a5a9 20 API calls 27352->27353 27354 bc8a0c 27353->27354 27355 c5a5a9 20 API calls 27354->27355 27356 bc8a1b 27355->27356 27357 bc8a32 27356->27357 27358 c5a5a9 20 API calls 27356->27358 27359 bc8a49 27357->27359 27360 c5a5a9 20 API calls 27357->27360 27358->27357 27361 c5a5a9 20 API calls 27359->27361 27360->27359 27364 bc8a58 27361->27364 27362 bac468 6 API calls 27362->27364 27364->27362 27368 bc8a94 messages 27364->27368 27448 bc13d8 __EH_prolog3_GS 27364->27448 27365 bc8ac7 Sleep 27365->27364 27365->27368 27368->27364 27368->27365 27545 bc0180 52 API calls 2 library calls 27368->27545 27546 bae6cd 6 API calls 2 library calls 27368->27546 27371 bcc085 27370->27371 27372 bae16f 12 API calls 27371->27372 27375 bcc08f 27372->27375 27373 bcc0d0 27374 bcc0be 27377 bcc03f 6 API calls 27374->27377 27375->27373 27375->27374 27376 bcc0b1 27375->27376 27547 bae364 11 API calls 27376->27547 27379 bcc0bc 27377->27379 27379->27274 27381 bbff98 27380->27381 27382 bac123 12 API calls 27381->27382 27383 bbffae RegCreateKeyW 27382->27383 27548 bae52b 27383->27548 27385 bbffdc RegQueryValueExW 27386 bbfff4 ___crtLCMapStringW 27385->27386 27387 bc000c RegCloseKey 27386->27387 27388 bc003e 27386->27388 27389 bc002b 27387->27389 27389->27298 27391 bcc049 27390->27391 27550 bbe570 27391->27550 27393 bcc073 27393->27300 27395 bae64d 27394->27395 27396 bae16f 12 API calls 27395->27396 27397 bae657 27396->27397 27398 bae698 27397->27398 27399 bae65d 27397->27399 27400 bae6a2 VariantClear 27398->27400 27401 bae686 27399->27401 27402 bae679 27399->27402 27400->27302 27556 bae5ea 27401->27556 27555 bae364 11 API calls 27402->27555 27405 bae684 27405->27302 27407 bac048 27406->27407 27408 bac514 12 API calls 27407->27408 27409 bac05e 27408->27409 27409->27304 27411 bac7b2 ___crtLCMapStringW 27410->27411 27411->27307 27561 bbe692 27412->27561 27414 bbfc6d 27415 bac468 6 API calls 27414->27415 27429 bbff48 27414->27429 27416 bbfd94 27415->27416 27417 bac468 6 API 
calls 27416->27417 27418 bbfdbc messages 27417->27418 27419 bbfdef RegOpenKeyExW 27418->27419 27420 bbfe15 messages 27419->27420 27421 bbfe4d RegQueryValueExW 27420->27421 27577 bae6ab 27421->27577 27424 c59f43 27425 bbfe8c wsprintfW 27424->27425 27426 bbfead 27425->27426 27427 bbfedd 27425->27427 27426->27427 27579 bae6cd 6 API calls 2 library calls 27426->27579 27427->27429 27580 bae6cd 6 API calls 2 library calls 27427->27580 27429->27309 27432 bc818f 27431->27432 27432->27311 27434 c5a5b6 __Wcscoll 27433->27434 27435 c5a5cb 27433->27435 27588 c543c4 6 API calls _Deallocate 27434->27588 27581 c5a559 27435->27581 27438 c5a5e3 CreateThread 27440 c5a604 GetLastError 27438->27440 27441 c5a622 ResumeThread 27438->27441 27596 c5a44b 27438->27596 27444 c5a610 __dosmaperr 27440->27444 27441->27440 27441->27444 27442 c5a5c6 27442->27313 27589 c5a4cb 27444->27589 27446->27334 27447->27344 27449 bcc079 23 API calls 27448->27449 27450 bc13f8 27449->27450 27451 bac123 12 API calls 27450->27451 27452 bc1408 27451->27452 27453 bac123 12 API calls 27452->27453 27454 bc1413 27453->27454 27455 bac123 12 API calls 27454->27455 27456 bc141e 27455->27456 27457 bac123 12 API calls 27456->27457 27458 bc1429 27457->27458 27459 bac123 12 API calls 27458->27459 27460 bc1434 27459->27460 27461 bac468 6 API calls 27460->27461 27462 bc1461 messages 27461->27462 27463 bac468 6 API calls 27462->27463 27464 bc14e2 27463->27464 27465 bac468 6 API calls 27464->27465 27466 bc150b messages 27465->27466 27467 bbff8c 15 API calls 27466->27467 27468 bc156f 27467->27468 27603 c5a385 7 API calls 27468->27603 27470 bc1576 messages 27471 bbff8c 15 API calls 27470->27471 27472 bc15eb 27471->27472 27604 c5a385 7 API calls 27472->27604 27474 bc15f2 27475 bac468 6 API calls 27474->27475 27476 bc1628 27475->27476 27477 bac468 6 API calls 27476->27477 27478 bc1649 27477->27478 27479 bac468 6 API calls 27478->27479 27480 bc166a 27479->27480 27481 bac468 6 API calls 27480->27481 27482 bc168b 27481->27482 27483 
bac468 6 API calls 27482->27483 27484 bc16ac GetTickCount 27483->27484 27485 bc16cb messages 27484->27485 27486 bc17ed URLDownloadToFileW 27485->27486 27605 c59511 6 API calls 27486->27605 27488 bc1810 27490 bc1da5 27488->27490 27606 bc00cb 27488->27606 27493 bc1de3 27490->27493 27629 bae6cd 6 API calls 2 library calls 27490->27629 27494 bc1e42 27493->27494 27630 bae6cd 6 API calls 2 library calls 27493->27630 27497 bc1ea1 27494->27497 27631 bae6cd 6 API calls 2 library calls 27494->27631 27498 bc1f00 27497->27498 27632 bae6cd 6 API calls 2 library calls 27497->27632 27502 bc1f62 27498->27502 27633 bae6cd 6 API calls 2 library calls 27498->27633 27499 bc182d 27505 bc188d 27499->27505 27509 bc190b 27499->27509 27503 bc1fca 27502->27503 27634 bae6cd 6 API calls 2 library calls 27502->27634 27507 bc2038 27503->27507 27635 bae6cd 6 API calls 2 library calls 27503->27635 27508 bc00cb 25 API calls 27505->27508 27523 bc20a6 27507->27523 27636 bae6cd 6 API calls 2 library calls 27507->27636 27519 bc189e 27508->27519 27510 bc1ba4 27509->27510 27511 bc1945 27509->27511 27512 bcc079 23 API calls 27510->27512 27621 c5a3cb 6 API calls 2 library calls 27511->27621 27513 bc1bb4 27512->27513 27514 bcc079 23 API calls 27513->27514 27516 bc1bc8 27514->27516 27624 c5a385 7 API calls 27516->27624 27517 c55e3d 12 API calls 27520 bc1d99 DeleteFileW 27517->27520 27521 bcc03f 6 API calls 27519->27521 27537 bc1906 27519->27537 27520->27490 27521->27537 27522 bc00cb 25 API calls 27540 bc1973 27522->27540 27523->27364 27524 bc917d 12 API calls 27524->27540 27526 bc1bec 27625 bc0049 RegCreateKeyW RegSetKeyValueW RegCloseKey 27526->27625 27528 bc1c76 27529 bc00cb 25 API calls 27528->27529 27530 bc1c8a 27529->27530 27626 c5a385 7 API calls 27530->27626 27532 bac514 12 API calls 27532->27540 27533 bc1cd2 27627 bc0049 RegCreateKeyW RegSetKeyValueW RegCloseKey 27533->27627 27534 bac01a 6 API calls 27534->27540 27536 bc1d5e 27536->27537 27628 bc10c1 21 API calls 2 library calls 27536->27628 
27537->27517 27539 bae71b 6 API calls 27539->27540 27540->27522 27540->27524 27540->27532 27540->27534 27540->27537 27540->27539 27622 bc97de Concurrency::cancel_current_task Hash 27540->27622 27623 c5a3cb 6 API calls 2 library calls 27540->27623 27543 bae16f 12 API calls 27542->27543 27544 bac12b 27543->27544 27544->27320 27545->27368 27546->27368 27547->27379 27549 bae535 27548->27549 27549->27385 27551 bbe57c 27550->27551 27552 bbe586 __Wcscoll 27550->27552 27551->27393 27552->27551 27554 c543c4 6 API calls _Deallocate 27552->27554 27554->27551 27555->27405 27557 bae631 27556->27557 27558 bae5f5 MultiByteToWideChar 27556->27558 27557->27405 27558->27557 27559 bae60f 27558->27559 27560 bae617 MultiByteToWideChar 27559->27560 27560->27557 27562 c89968 27561->27562 27563 bbe69e CoInitializeEx 27562->27563 27564 bbe6ba CoInitializeSecurity 27563->27564 27565 bbe6ac 27563->27565 27566 bbe6cf 27564->27566 27567 bbe6d6 CoCreateInstance 27564->27567 27565->27564 27569 bbe6b3 27565->27569 27566->27567 27568 bbe6f4 CoUninitialize 27566->27568 27567->27568 27570 bbe6fc 27567->27570 27568->27569 27569->27414 27571 bbe74c CoSetProxyBlanket 27570->27571 27572 bbe741 27570->27572 27571->27572 27575 bbe76e 27571->27575 27572->27568 27573 bbe7dc CoUninitialize 27573->27569 27575->27573 27576 bbe841 VariantClear 27575->27576 27576->27575 27578 bae6ba RegCloseKey 27577->27578 27578->27424 27579->27427 27580->27429 27582 c63924 __wsopen_s RtlAllocateHeap 27581->27582 27583 c5a56a _free 27582->27583 27584 c5a57e GetModuleHandleExW 27583->27584 27585 c5a59b 27583->27585 27584->27585 27586 c5a4cb 3 API calls 27585->27586 27587 c5a5a3 27586->27587 27587->27438 27587->27444 27588->27442 27590 c5a4d7 27589->27590 27591 c5a4fc 27589->27591 27592 c5a4e6 27590->27592 27593 c5a4dd CloseHandle 27590->27593 27591->27313 27594 c5a4f5 _free 27592->27594 27595 c5a4ec FreeLibrary 27592->27595 27593->27592 27594->27591 27595->27594 27597 c5a457 27596->27597 27598 c5a45e GetLastError ExitThread 
27597->27598 27599 c5a46b 27597->27599 27602 c5a637 CloseHandle FreeLibraryAndExitThread ExitThread 27599->27602 27603->27470 27604->27474 27605->27488 27607 bc00d7 27606->27607 27608 bae16f 12 API calls 27607->27608 27609 bc00eb 27608->27609 27610 bc016e 27609->27610 27611 bac123 12 API calls 27609->27611 27612 bc010d 27611->27612 27637 bbf3aa LoadResource LockResource SizeofResource FindResourceW WideCharToMultiByte 27612->27637 27614 bc0120 27638 c5a0a9 27614->27638 27616 bc0126 27616->27610 27645 bc92ca 6 API calls std::ios_base::_Ios_base_dtor 27616->27645 27618 bc0153 27619 bae5ea 2 API calls 27618->27619 27620 bc015e 27619->27620 27620->27499 27621->27540 27622->27540 27623->27540 27624->27526 27625->27528 27626->27533 27627->27536 27628->27537 27629->27493 27630->27494 27631->27497 27632->27498 27633->27502 27634->27503 27635->27507 27636->27523 27637->27614 27639 c59fe7 27638->27639 27640 c5a000 __Wcscoll 27639->27640 27644 c5a01e 27639->27644 27646 c543c4 6 API calls _Deallocate 27640->27646 27642 c5a010 27642->27616 27644->27642 27647 c558f1 27644->27647 27645->27618 27646->27642 27648 c558b5 __Wcscoll 27647->27648 27650 c558d6 27648->27650 27652 c543c4 6 API calls _Deallocate 27648->27652 27650->27644 27651 c558d1 27651->27644 27652->27651 27653 c67a79 27654 c67a86 __Wcscoll 27653->27654 27657 c67a9e 27653->27657 27680 c543c4 6 API calls _Deallocate 27654->27680 27656 c5d19a 6 API calls 27658 c67b15 27656->27658 27657->27656 27663 c67a96 27657->27663 27669 c675b5 27658->27669 27660 c67b1c 27661 c5d19a 6 API calls 27660->27661 27660->27663 27662 c67b49 27661->27662 27662->27663 27664 c5d19a 6 API calls 27662->27664 27665 c67b57 27664->27665 27665->27663 27666 c5d19a 6 API calls 27665->27666 27667 c67b67 27666->27667 27668 c5d19a 6 API calls 27667->27668 27668->27663 27670 c675c1 27669->27670 27671 c67635 27670->27671 27673 c67620 __dosmaperr __Wcscoll 27670->27673 27674 c675c9 __dosmaperr __Wcscoll 27670->27674 27681 c6a2df EnterCriticalSection 
27671->27681 27713 c543c4 6 API calls _Deallocate 27673->27713 27674->27660 27675 c6763b 27678 c67657 __dosmaperr __Wcscoll 27675->27678 27682 c676c9 27675->27682 27712 c67696 LeaveCriticalSection __wsopen_s 27678->27712 27680->27663 27681->27675 27683 c676f3 27682->27683 27684 c676db __dosmaperr __Wcscoll 27682->27684 27683->27684 27686 c6776d 27683->27686 27687 c6773e __dosmaperr __Wcscoll 27683->27687 27684->27678 27688 c67786 27686->27688 27689 c677dd 27686->27689 27691 c677a1 __dosmaperr __Wcscoll 27686->27691 27717 c543c4 6 API calls _Deallocate 27687->27717 27688->27691 27694 c6778b 27688->27694 27690 c64cdb __wsopen_s RtlAllocateHeap 27689->27690 27692 c677f4 _free _free 27690->27692 27714 c543c4 6 API calls _Deallocate 27691->27714 27692->27694 27709 c677b8 __dosmaperr __Wcscoll __wsopen_s 27692->27709 27693 c679aa 27696 c679ae ReadFile 27693->27696 27694->27693 27697 c6794d GetConsoleMode 27694->27697 27698 c67a22 GetLastError 27696->27698 27699 c679c8 27696->27699 27697->27693 27700 c6795e 27697->27700 27698->27709 27699->27698 27703 c6799f 27699->27703 27700->27696 27701 c67964 ReadConsoleW 27700->27701 27701->27703 27704 c67980 GetLastError 27701->27704 27702 c67990 _free 27702->27684 27703->27702 27705 c67a04 27703->27705 27706 c679ed 27703->27706 27704->27709 27708 c67a1b 27705->27708 27705->27709 27715 c673e3 3 API calls 3 library calls 27706->27715 27716 c67212 ReadFile 27708->27716 27709->27702 27711 c67a20 27711->27709 27712->27674 27713->27674 27714->27709 27715->27709 27716->27711 27717->27684

                        Executed Functions

                        C-Code - Quality: 84%
                        			E00BC8200(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                        				signed int _v8;
                        				signed int _v20;
                        				struct _SECURITY_ATTRIBUTES* _v24;
                        				char _v40;
                        				char _v48;
                        				intOrPtr _v52;
                        				intOrPtr _v56;
                        				intOrPtr _v60;
                        				char _v64;
                        				intOrPtr _v68;
                        				char _v72;
                        				char _v76;
                        				char _v80;
                        				WCHAR* _v84;
                        				WCHAR* _v88;
                        				intOrPtr _v92;
                        				char _v96;
                        				char _v100;
                        				intOrPtr _v104;
                        				char _v108;
                        				char _v112;
                        				char _v116;
                        				char _v120;
                        				char _v124;
                        				char _v128;
                        				void* _v132;
                        				signed int _v136;
                        				intOrPtr _v140;
                        				char _v144;
                        				char _v152;
                        				char _v156;
                        				char _v160;
                        				char _v164;
                        				int _v168;
                        				intOrPtr _v172;
                        				intOrPtr _v176;
                        				void* _v188;
                        				void* __ebp;
                        				signed int _t176;
                        				void* _t197;
                        				void* _t203;
                        				intOrPtr* _t207;
                        				void* _t208;
                        				signed int _t237;
                        				intOrPtr* _t243;
                        				signed int _t252;
                        				void* _t259;
                        				void* _t270;
                        				void* _t272;
                        				signed int _t286;
                        				signed int _t295;
                        				signed int _t296;
                        				char _t298;
                        				signed int _t303;
                        				WCHAR** _t315;
                        				signed int _t344;
                        				signed int _t345;
                        				void* _t354;
                        				void* _t357;
                        				void* _t359;
                        				intOrPtr* _t363;
                        				void* _t369;
                        				char* _t386;
                        				intOrPtr _t387;
                        				void* _t409;
                        				void* _t438;
                        				intOrPtr _t443;
                        				void* _t445;
                        				void* _t455;
                        				void* _t460;
                        				WCHAR** _t477;
                        				signed int _t478;
                        				void* _t485;
                        				void* _t493;
                        				void* _t498;
                        				void** _t539;
                        				intOrPtr* _t542;
                        				void* _t553;
                        				intOrPtr _t554;
                        				void* _t557;
                        				intOrPtr _t562;
                        				intOrPtr _t564;
                        				intOrPtr* _t576;
                        				signed int _t586;
                        				signed int _t587;
                        				intOrPtr* _t589;
                        				signed int _t602;
                        				signed int _t603;
                        				void* _t609;
                        				signed int _t612;
                        				signed int _t616;
                        				void* _t617;
                        				signed int _t618;
                        				signed int _t620;
                        				intOrPtr* _t621;
                        				signed int _t622;
                        				signed int _t623;
                        				void* _t626;
                        				void* _t629;
                        				void* _t630;
                        				void* _t631;
                        				void* _t632;
                        
                        				_t632 = __eflags;
                        				_t592 = __esi;
                        				_t569 = __edi;
                        				_t565 = __edx;
                        				_t367 = __ebx;
                        				_t620 = (_t618 & 0xfffffff8) - 0x6c;
                        				_t176 =  *0xcdaf54; // 0x8a028f78
                        				_v8 = _t176 ^ _t620;
                        				_push(__ebx);
                        				_push(__esi);
                        				_push(__edi);
                        				_push(L"Tcpqgml");
                        				 *0xce19b8 = _a4;
                        				E00BCC079(__ebx,  &_v76, __edx, __edi, __esi);
                        				_push(L"NA?nnQrmpc");
                        				E00BCC079(__ebx,  &_v84, __edx, __edi, __esi);
                        				_push(L"?NNB?R?");
                        				E00BCC079(__ebx,  &_v48, __edx, __edi, __esi);
                        				_push(L"npmbsar");
                        				E00BCC079(__ebx,  &_v100, __edx, __edi, __esi);
                        				_push(L"af_llcj");
                        				E00BCC079(__ebx,  &_v100, __edx, __edi, __esi);
                        				_push(L"bcd_sjr");
                        				E00BCC079(__ebx,  &_v64, __edx, __edi, __esi);
                        				_push(L"gb;+/");
                        				E00BCC079(_t367,  &_v72, __edx, _t569, _t592);
                        				_push(L"gb;+0");
                        				E00BCC079(_t367,  &_v80, _t565, _t569, _t592);
                        				_push(L"gb;+1");
                        				E00BCC079(_t367,  &_v88, _t565, _t569, _t592);
                        				_push(L"Jma_j");
                        				E00BCC079(_t367,  &_v96, _t565, _t569, _t592);
                        				_push(L"_argtc");
                        				E00BCC079(_t367,  &_v76, _t565, _t569, _t592);
                        				_push(L"qfmuK");
                        				_t386 =  &_v108;
                        				E00BCC079(_t367, _t386, _t565, _t569, _t592);
                        				_push(_t386);
                        				_t387 =  *0xce1a14; // 0x1239bc0
                        				 *_t620 = L00BADF62(_t387 - 0x10, _t620, _t386) + 0x10;
                        				L00BBEA69(_t367, _t620, _t620, _t620);
                        				_t571 = _t620;
                        				 *_t620 = L00BADF62(_v124 - 0x10, _t620, _t620) + 0x10;
                        				L00BBEA69(_t367, _t620, _t620, _t620);
                        				_t197 = E00BBFF8C(_t367,  &_v152, _t620, _t620); // executed
                        				E00BAE6AB(L00BB188E(0xce1a00, _t620, _t617, _t197), _v156 + 0xfffffff0);
                        				_push( *0xce1a00);
                        				 *_t620 = L00BADF62(_v128 - 0x10, _t620, _v156 + 0xfffffff0) + 0x10;
                        				_t203 = E00BA9179(_t632, L"%ws: %ws",  *((intOrPtr*)(L00BBEA69(_t367,  &_v156, _t620, _t620))));
                        				_t621 = _t620 + 0xc;
                        				E00BAE6AB(_t203, _v156 + 0xfffffff0);
                        				 *_t621 = L00BADF62(_v92 - 0x10, _t571, _v156 + 0xfffffff0) + 0x10;
                        				_t207 = L00BBEA69(_t367,  &_v156, _t571, _t621);
                        				_pop(_t409);
                        				_t208 = L00C5983E(_t409, _t565, _t632,  *_t207);
                        				_t572 = 0xce1a0c;
                        				E00BAE6AB(E00BCC03F(_t367, 0xce1a0c, _t208), _v160 - 0x10);
                        				_push("\\");
                        				E00BAE641(_t367,  &_v164, _t565, 0xce1a0c, _t621); // executed
                        				 *_t621 = L00BADF62(_v140 - 0x10, 0xce1a0c,  &_v164) + 0x10;
                        				_push(L00BBEA69(_t367,  &_v160, 0xce1a0c, _t621));
                        				_t566 =  &_v168;
                        				E00BAE6AB(E00BAE6AB(E00BAE6AB(E00BAC791(_t367, 0xce1a0c, _t621, _t617,  *((intOrPtr*)(E00BAC03C(_t367,  &_v164,  &_v168, 0xce1a0c, _t621))),  *((intOrPtr*)( *((intOrPtr*)(E00BAC03C(_t367,  &_v164,  &_v168, 0xce1a0c, _t621))) - 0xc))), _v172 - 0x10), _v168 - 0x10), _v176 - 0x10);
                        				_t598 = CreateDirectoryW;
                        				CreateDirectoryW( *0xce1a0c, 0); // executed
                        				_t428 = 0xce1a0c;
                        				E00BAC791(0, 0xce1a0c, CreateDirectoryW, _t617, L"\\Data", 5);
                        				CreateDirectoryW( *0xce1a0c, 0); // executed
                        				E00BBFC4F(0,  &_v168, 0xce1a0c, CreateDirectoryW); // executed
                        				E00BC814F(CreateDirectoryW);
                        				E00C5A5A9(0xce1a0c, 0xbc7dba, 0, 0); // executed
                        				_t622 = _t621 + 0xc;
                        				_t369 = CommandLineToArgvW(GetCommandLineW(),  &_v168);
                        				_v188 = _t369;
                        				if(_v176 < 4) {
                        					L11:
                        					if(_t369 == 0) {
                        						L17:
                        						 *_t622 = L00BADF62(_v88 - 0x10, _t622, _t428) + 0x10;
                        						L00BBEA69(_t369, _t622, _t622, _t622);
                        						 *_t622 = L00BADF62(_v124 - 0x10, _t622, _t622) + 0x10;
                        						L00BBEA69(_t369, _t622, _t622, _t622);
                        						_t237 = L00BADF62(_v128 - 0x10, _t622, _t622) + 0x10;
                        						__eflags = _t237;
                        						 *_t622 = _t237;
                        						L00BBEA69(_t369, _t622, _t622, _t622);
                        						_t438 = _t428;
                        						L00BC7C63(_t369, _t438, _t566, _t622, _t622, __eflags);
                        						_t622 = _t622 + 0xc;
                        						L18:
                        						_t576 =  *((intOrPtr*)(_t369 + 8));
                        						_t602 = _t622;
                        						 *_t602 = L00BADF62(_v72 - 0x10, _t576, _t438) + 0x10;
                        						_t243 =  *((intOrPtr*)(L00BBEA69(_t369,  &_v128, _t576, _t602)));
                        						while(1) {
                        							_t443 =  *_t243;
                        							if(_t443 !=  *_t576) {
                        								break;
                        							}
                        							if(_t443 == 0) {
                        								L23:
                        								_t603 = 0;
                        								_t578 = 1;
                        								L25:
                        								_t445 = _v124 + 0xfffffff0;
                        								E00BAE6AB(_t243, _t445);
                        								if(_t603 == 0) {
                        									 *_t622 = L00BADF62(_v80 - 0x10, _t622, _t445) + 0x10;
                        									L00BBEA69(_t369, _t622, _t622, _t622);
                        									 *_t622 = L00BADF62(_v108 - 0x10, _t622, _t622) + 0x10;
                        									L00BBEA69(_t369, _t622, _t622, _t622);
                        									_t578 = _t622;
                        									_t606 = _t622;
                        									_t252 = L00BADF62(_v112 - 0x10, _t622, _t622) + 0x10;
                        									__eflags = _t252;
                        									 *_t622 = _t252;
                        									L00BBEA69(_t369, _t622, _t622, _t622);
                        									_t455 = _t445;
                        									L00BC7C63(_t369, _t455, _t566, _t622, _t622, __eflags);
                        									_t623 = _t622 + 0xc;
                        									L37:
                        									LocalFree(_t369);
                        									_push("\\");
                        									E00BAE641(_t369,  &_v120, _t566, _t578, _t606);
                        									 *_t623 = L00BADF62(_v96 - 0x10, _t578,  &_v120) + 0x10;
                        									_t259 = L00BBEA69(_t369,  &_v128, _t578, _t623);
                        									_pop(_t460);
                        									_push(_t259);
                        									_push( &_v124);
                        									 *_t623 = L00BADF62(_v76 - 0x10, _t578, _t460) + 0x10;
                        									_t568 = E00BAC03C(_t369,  &_v116, L00BBEA69(_t369,  &_v120, _t578, _t623), _t578, _t623);
                        									E00BAE6AB(E00BAE6AB(E00BAE6AB(E00BAE6AB(E00BAC03C(_t369,  &_v88, _t264, _t578, _t623), _v116 - 0x10), _v120 - 0x10), _v128 - 0x10), _v124 - 0x10);
                        									_t270 = OpenEventW(0x1f0003, 1, _v88);
                        									_push(0xcc9470);
                        									_t477 =  &_v84;
                        									_t609 = _t270;
                        									E00BCC079(_t369, _t477, _t264, 1, _t609);
                        									_t272 = E00BC6160(_t369, 1, _t609, _t658);
                        									if(_t609 == 0 || _t272 == 2) {
                        										CreateEventW(0, 0, 0, _v84);
                        										_push(_t477);
                        										_t478 = _t623;
                        										_push(0xcc5734);
                        										E00BCC079(0, _t478, _t568, 1, _t609);
                        										 *_t623 = L00BADF62(_v52 - 0x10, _t623, _t478) + 0x10;
                        										L00BBEA69(0, _t623, _t623, _t623);
                        										_t584 = _t623;
                        										 *_t623 = L00BADF62(_v104 - 0x10, _t623, _t623) + 0x10;
                        										L00BBEA69(0, _t623, _t623, _t623);
                        										_t485 = _t478;
                        										L00BC7C63(0, _t485, _t568, _t623, _t623, __eflags);
                        										 *0xce19b4 = GetCurrentProcess();
                        										E00BC62F7(0, _t623, _t623, __eflags);
                        										E00C5A5A9(_t485, 0xbc2903, 0, 0);
                        										E00C5A5A9(_t485, 0xbc3008, 0, 0);
                        										_t286 =  *0xce13e4; // 0x3
                        										_t626 = _t623 + 0x24;
                        										__eflags = _t286 - 3;
                        										if(_t286 == 3) {
                        											L42:
                        											E00C5A5A9(_t485, E00BC2604, 0, 0);
                        											_t626 = _t626 + 0xc;
                        											L43:
                        											E00C5A5A9(_t485, 0xbc34c2, 0, 0);
                        											E00C5A5A9(_t485, 0xbc7426, 0, 0);
                        											E00C5A5A9(_t485, 0xbc6a60, 0, 0);
                        											_t629 = _t626 + 0x24;
                        											__eflags =  *0xcdbb80; // 0x1
                        											if(__eflags != 0) {
                        												E00C5A5A9(_t485, 0xbc7b6e, 0, 0);
                        												_t629 = _t629 + 0xc;
                        											}
                        											__eflags =  *0xcdba91; // 0x1
                        											if(__eflags != 0) {
                        												E00C5A5A9(_t485, 0xbc255f, 0, 0);
                        												_t629 = _t629 + 0xc;
                        											}
                        											E00C5A5A9(_t485, 0xbc3666, 0, 0);
                        											_t630 = _t629 + 0xc;
                        											_t612 = 0;
                        											L48:
                        											__eflags =  *0xcdba93; // 0x1
                        											if(__eflags != 0) {
                        												E00BC13D8(0, _t568, _t584, _t612, __eflags);
                        											}
                        											_v24 = 0;
                        											_v20 = 7;
                        											_v40 = 0;
                        											E00BAC468(0xcc5734);
                        											_t295 = _t612 & 0x80000003;
                        											__eflags = _t295;
                        											if(__eflags < 0) {
                        												__eflags = (_t295 - 0x00000001 | 0xfffffffc) + 1;
                        											}
                        											if(__eflags == 0) {
                        												_t303 = E00BC0180(0,  &_v40, _t568, _t584, _t612, __eflags);
                        												__eflags = _t303;
                        												if(_t303 == 0) {
                        													_t631 = _t630 - 0x18;
                        													_t493 = _t631;
                        													 *((intOrPtr*)(_t493 + 0x10)) = 0;
                        													 *((intOrPtr*)(_t493 + 0x14)) = 0;
                        													E00BAC48D( &_v40, _t493,  &_v40);
                        													L00BC0B00(0, _t568, _t584, _t612, __eflags);
                        													_t630 = _t631 + 0x18;
                        												}
                        											}
                        											_t612 = _t612 + 1;
                        											Sleep(0x1b7740);
                        											_t296 = _v20;
                        											__eflags = _t296 - 8;
                        											if(_t296 >= 8) {
                        												_t487 = _v40;
                        												_t298 = 2 + _t296 * 2;
                        												_v116 = _t298;
                        												_v112 = _v40;
                        												__eflags = _t298 - 0x1000;
                        												if(_t298 >= 0x1000) {
                        													E00BAE6CD(0, _t584, _t617,  &_v112,  &_v116);
                        													_t298 = _v116;
                        													_t487 = _v112;
                        												}
                        												_push(_t298);
                        												L00C32F7D(_t487);
                        											}
                        											goto L48;
                        										}
                        										__eflags = _t286;
                        										if(_t286 != 0) {
                        											goto L43;
                        										}
                        										goto L42;
                        									} else {
                        										_push(0xcc9490);
                        										E00BCC079(_t369,  &_v120, _t568, 1, _t609);
                        										 *_t623 = L00BADF62(_v84 - 0x10, 1,  &_v120) + 0x10;
                        										_t315 = L00BBEA69(_t369,  &_v116, 1, _t623);
                        										_t498 = 0x40;
                        										 *_t623 = L00BADF62(_v124 - 0x10, 1, _t498) + 0x10;
                        										E00BAE6AB(E00BAE6AB(E00BAE6AB(E00BAE6AB(E00BAE6AB(E00BAE6AB(E00BAE6AB(E00BAE6AB(E00BAE6AB(E00BAE6AB(E00BAE6AB(E00BAE6AB(E00BAE6AB(E00BAE6AB(E00BAE6AB(E00BAE6AB(E00BAE6AB(MessageBoxW( *(L00BBEA69(_t369,  &_v128, 1, _t623)),  *_t315, ??, ??), _v128 - 0x10), _v116 - 0x10), _v124 - 0x10), _v84 - 0x10), _v88 - 0x10), _v80 - 0x10), _v52 - 0x10), _v76 - 0x10), _v72 - 0x10), _v68 - 0x10), _v64 - 0x10), _v60 - 0x10), _v100 - 0x10), _v104 - 0x10), _v56 - 0x10), _v96 - 0x10), _v92 - 0x10);
                        										return L00C32D6C(_v24 ^ _t623, 0);
                        									}
                        								}
                        								_t539 =  &_v132;
                        								E00BAC123(_t539, _t603);
                        								_push(_t539);
                        								_push("20D83542-CB48-FFC7-AA5E-D037A04953D7");
                        								E00BCC079(_t369, _t622, _t566, _t578, _t603);
                        								L00BAC838( &_v136, L"%u", L00BBEAC6(_t369, _t578, _t603));
                        								_t606 = _v136;
                        								_t623 = _t622 + 0xc;
                        								_t542 =  *((intOrPtr*)(_t369 + 8));
                        								_t344 = _v136;
                        								while(1) {
                        									_t566 =  *_t344;
                        									if(_t566 !=  *_t542) {
                        										break;
                        									}
                        									if(_t566 == 0) {
                        										L31:
                        										_t345 = 0;
                        										L33:
                        										if(_t345 != 0) {
                        											_t586 = _t623;
                        											 *_t586 = L00BADF62(_v80 - 0x10, _t586, _t542) + 0x10;
                        											L00BBEA69(_t623, _t623, _t586, _t606);
                        											_t587 = _t623;
                        											 *_t587 = L00BADF62(_v112 - 0x10, _t587, _t623) + 0x10;
                        											L00BBEA69(_t623, _t623, _t587, _t606);
                        											_t578 = _t623;
                        											_t354 = L00BADF62(_v116 - 0x10, _t578, _t623) + 0x10;
                        											_t658 = _t354;
                        											 *_t578 = _t354;
                        											L00BBEA69(_t623, _t623, _t578, _t606);
                        											_t553 = _t542;
                        											_t345 = L00BC7C63(_t623, _t553, _t566, _t578, _t606, _t354);
                        											_t369 = _v132;
                        											_t623 = _t623 + 0xc;
                        										}
                        										E00BAE6AB(_t345, _t606 - 0x10);
                        										goto L37;
                        									}
                        									_t566 =  *((intOrPtr*)(_t344 + 2));
                        									if(_t566 !=  *((intOrPtr*)(_t542 + 2))) {
                        										break;
                        									}
                        									_t344 = _t344 + 4;
                        									_t542 = _t542 + 4;
                        									if(_t566 != 0) {
                        										continue;
                        									}
                        									goto L31;
                        								}
                        								asm("sbb eax, eax");
                        								_t345 = _t344 | _t578;
                        								__eflags = _t345;
                        								goto L33;
                        							}
                        							_t554 =  *((intOrPtr*)(_t243 + 2));
                        							if(_t554 !=  *((intOrPtr*)(_t576 + 2))) {
                        								break;
                        							}
                        							_t243 = _t243 + 4;
                        							_t576 = _t576 + 4;
                        							if(_t554 != 0) {
                        								continue;
                        							}
                        							goto L23;
                        						}
                        						asm("sbb esi, esi");
                        						_t578 = 1;
                        						_t603 = _t602 | 1;
                        						__eflags = _t603;
                        						goto L25;
                        					}
                        					_push(_t428);
                        					_push( *((intOrPtr*)(_t369 + 4)));
                        					E00BCC079(_t369, _t622, _t566, _t572, _t598);
                        					_t357 = L00BBEAC6(_t369, _t572, _t598);
                        					_pop(_t428);
                        					if(_t357 != 0x628374a0) {
                        						goto L17;
                        					}
                        					if( *0xce13e8 != 0) {
                        						__eflags = _v136 - 4;
                        						if(_v136 == 4) {
                        							goto L18;
                        						}
                        						goto L17;
                        					}
                        					if(_v136 != 3) {
                        						goto L17;
                        					}
                        					goto L18;
                        				}
                        				_push(0xce1a0c);
                        				_push( *((intOrPtr*)(_t369 + 0xc)));
                        				E00BCC079(_t369, _t622,  &_v168, _t572, CreateDirectoryW);
                        				_t359 = L00BBEAC6(_t369, _t572, CreateDirectoryW);
                        				_pop(_t557);
                        				if(_t359 == 0xd4cab8d3) {
                        					_v136 = _v136 - 1;
                        				}
                        				_t589 =  *((intOrPtr*)(_t369 + 0xc));
                        				_t616 = _t622;
                        				 *_t616 = L00BADF62(_v108 - 0x10, _t589, _t557) + 0x10;
                        				_t363 =  *((intOrPtr*)(L00BBEA69(_t369,  &_v144, _t589, _t616)));
                        				while(1) {
                        					_t562 =  *_t363;
                        					if(_t562 !=  *_t589) {
                        						break;
                        					}
                        					if(_t562 == 0) {
                        						L8:
                        						_t598 = 0;
                        						_t572 = 1;
                        						L10:
                        						_t428 = _v140 + 0xfffffff0;
                        						E00BAE6AB(_t363, _t428);
                        						_t366 =  ==  ? _t572 :  *0xce13e8 & 0x000000ff;
                        						 *0xce13e8 =  ==  ? _t572 :  *0xce13e8 & 0x000000ff;
                        						goto L11;
                        					}
                        					_t564 =  *((intOrPtr*)(_t363 + 2));
                        					if(_t564 !=  *((intOrPtr*)(_t589 + 2))) {
                        						break;
                        					}
                        					_t363 = _t363 + 4;
                        					_t589 = _t589 + 4;
                        					if(_t564 != 0) {
                        						continue;
                        					}
                        					goto L8;
                        				}
                        				asm("sbb esi, esi");
                        				_t572 = 1;
                        				_t598 = _t616 | 1;
                        				__eflags = _t616 | 1;
                        				goto L10;
                        			}

                        0x00bc84ba
                        0x00000000
                        0x00000000
                        0x00bc84bf
                        0x00bc84d6
                        0x00bc84d8
                        0x00bc84da
                        0x00bc84e4
                        0x00bc84e8
                        0x00bc84eb
                        0x00bc84f9
                        0x00bc84fc
                        0x00000000
                        0x00bc84fc
                        0x00bc84c1
                        0x00bc84c9
                        0x00000000
                        0x00000000
                        0x00bc84cb
                        0x00bc84ce
                        0x00bc84d4
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00bc84d4
                        0x00bc84dd
                        0x00bc84e1
                        0x00bc84e2
                        0x00bc84e2
                        0x00000000

                        APIs
                          • Part of subcall function 00BBFF8C: RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 00BBFFC8
                          • Part of subcall function 00BBFF8C: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,00001000,00001000,?,?,qfmuK,_argtc,Jma_j,gb;+1,gb;+0,gb;+/,bcd_sjr), ref: 00BBFFE8
                          • Part of subcall function 00BBFF8C: RegCloseKey.KERNEL32(?,?,?,qfmuK,_argtc,Jma_j,gb;+1,gb;+0,gb;+/,bcd_sjr,af_llcj,npmbsar,?NNB?R?,NA?nnQrmpc,Tcpqgml), ref: 00BC001A
                        • CreateDirectoryW.KERNEL32(00000000,?,?,00CC895C,00000000), ref: 00BC8420
                        • CreateDirectoryW.KERNEL32(00000000,\Data,00000005), ref: 00BC8437
                          • Part of subcall function 00BBFC4F: __EH_prolog3_GS.LIBCMT ref: 00BBFC59
                          • Part of subcall function 00BC814F: GetModuleHandleA.KERNEL32(ntdll,RtlGetVersion,74B5F790), ref: 00BC8175
                          • Part of subcall function 00BC814F: GetProcAddress.KERNEL32(00000000), ref: 00BC817C
                        • GetCommandLineW.KERNEL32(?), ref: 00BC8457
                        • CommandLineToArgvW.SHELL32(00000000), ref: 00BC845E
                          • Part of subcall function 00BBEAC6: __EH_prolog3_GS.LIBCMT ref: 00BBEAD0
                        • LocalFree.KERNEL32(00000000), ref: 00BC8735
                          • Part of subcall function 00BC7C63: __EH_prolog3_align.LIBCMT ref: 00BC7C6C
                          • Part of subcall function 00BC7C63: __Mtx_unlock.LIBCPMT ref: 00BC7D5D
                          • Part of subcall function 00BAE641: VariantClear.OLEAUT32 ref: 00BAE6A4
                        • OpenEventW.KERNEL32(001F0003,00000001,?,00CC895C), ref: 00BC87E0
                          • Part of subcall function 00BC6160: __EH_prolog3_GS.LIBCMT ref: 00BC6167
                          • Part of subcall function 00BC6160: RegOpenKeyExW.ADVAPI32(80000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00CC9470), ref: 00BC61E8
                          • Part of subcall function 00BC6160: RegQueryValueExW.ADVAPI32(?,00000000), ref: 00BC6237
                          • Part of subcall function 00BC6160: RegCloseKey.ADVAPI32(?), ref: 00BC6259
                        • MessageBoxW.USER32(00000000,00000000,00000000,00000040), ref: 00BC885E
                        • CreateEventW.KERNEL32(00000000,00000000,00000000,?,00CC9470), ref: 00BC894F
                        • GetCurrentProcess.KERNEL32 ref: 00BC89A6
                        • Sleep.KERNEL32(001B7740), ref: 00BC8ACD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: Create$H_prolog3_$CloseCommandDirectoryEventLineOpenQueryValue$AddressArgvClearCurrentFreeH_prolog3_alignHandleLocalMessageModuleMtx_unlockProcProcessSleepVariant
                        • String ID: %ws: %ws$20D83542-CB48-FFC7-AA5E-D037A04953D7$?NNB?R?$Jma_j$NA?nnQrmpc$Tcpqgml$\Data$_argtc$af_llcj$bcd_sjr$gb;+/$gb;+0$gb;+1$npmbsar$qfmuK
                        • API String ID: 990199409-480408659
                        • Opcode ID: 0d10b6bcdc52b9ba3f4faa5d7e75300d6e5084215d7a437e2d87fa2ef0244801
                        • Instruction ID: 7b23796c16d3c7c5aaf764c94477fc86aaaf3f2c9ddc13421a6a47734b590eab
                        • Opcode Fuzzy Hash: 0d10b6bcdc52b9ba3f4faa5d7e75300d6e5084215d7a437e2d87fa2ef0244801
                        • Instruction Fuzzy Hash: BE42CE725182419FC708EB24D892EAEB7E5FFA5314B54089CF496872A2EF71DD08CB52
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 402 bbe692-bbe6aa call c89968 CoInitializeEx 405 bbe6ba-bbe6cd CoInitializeSecurity 402->405 406 bbe6ac-bbe6b1 402->406 408 bbe6cf-bbe6d4 405->408 409 bbe6d6-bbe6f2 CoCreateInstance 405->409 406->405 407 bbe6b3-bbe6b5 406->407 410 bbe880-bbe885 call c89931 407->410 408->409 411 bbe6f4-bbe6fa CoUninitialize 408->411 409->411 412 bbe6fc-bbe713 call bbfb76 409->412 411->407 417 bbe719 412->417 418 bbe715-bbe717 412->418 419 bbe71b-bbe73f call bbfb48 417->419 418->419 423 bbe74c-bbe761 CoSetProxyBlanket 419->423 424 bbe741-bbe74a 419->424 425 bbe76e-bbe79c call bbfac5 * 2 423->425 426 bbe763-bbe76c 423->426 424->411 433 bbe79e-bbe7a0 425->433 434 bbe7a2 425->434 426->424 435 bbe7a4-bbe7a8 433->435 434->435 436 bbe7aa-bbe7ac 435->436 437 bbe7ae 435->437 438 bbe7b0-bbe7da call bbfb48 * 2 436->438 437->438 444 bbe7dc-bbe7ee 438->444 445 bbe7f3-bbe7f9 438->445 454 bbe878-bbe87e CoUninitialize 444->454 446 bbe854-bbe859 445->446 447 bbe7fb-bbe811 446->447 448 bbe85b-bbe876 446->448 447->448 453 bbe813-bbe824 447->453 448->454 456 bbe828-bbe830 453->456 454->410 457 bbe832-bbe83f 456->457 457->457 459 bbe841-bbe84f VariantClear 457->459 459->446
                        C-Code - Quality: 59%
                        			E00BBE692(void* __ebx, void* __edx, void* __edi, void* __esi) {
                        				signed int _t56;
                        				signed int _t57;
                        				signed int* _t58;
                        				signed int _t59;
                        				signed int _t60;
                        				signed int _t61;
                        				signed int _t62;
                        				signed int* _t64;
                        				signed int _t65;
                        				signed int _t66;
                        				signed int _t67;
                        				void* _t68;
                        				signed int _t72;
                        				signed int _t74;
                        				signed int _t76;
                        				signed int _t78;
                        				signed int _t80;
                        				signed int _t82;
                        				signed int _t84;
                        				signed int _t86;
                        				signed int _t88;
                        				signed int _t90;
                        				signed int _t92;
                        				signed int _t95;
                        				signed int _t104;
                        				signed short* _t109;
                        				void* _t115;
                        				signed int _t116;
                        				signed int _t117;
                        				signed int* _t128;
                        				signed int _t129;
                        				signed int _t130;
                        				void* _t132;
                        
                        				_t125 = __esi;
                        				_t123 = __edi;
                        				_t115 = __edx;
                        				_t56 = L00C89968(0xc8df5c, __ebx, __edi, __esi, 0x2c);
                        				_t95 = 0;
                        				__imp__CoInitializeEx(0, 0); // executed
                        				if(_t56 >= 0 || _t56 == 0x80010106) {
                        					__imp__CoInitializeSecurity(_t95, 0xffffffff, _t95, _t95, _t95, 3, _t95, _t95, _t95); // executed
                        					__eflags = _t56;
                        					if(_t56 >= 0) {
                        						L5:
                        						_t57 = _t132 - 0x14;
                        						 *(_t132 - 0x14) = _t95;
                        						__imp__CoCreateInstance(0xcb6bc4, _t95, 1, 0xcb6bd4, _t57); // executed
                        						__eflags = _t57;
                        						if(__eflags >= 0) {
                        							_push(L"ROOT\\CIMV2");
                        							 *(_t132 - 0x10) = _t95;
                        							_t58 = L00BBFB76(_t95, _t132 - 0x24, _t115, _t123, _t125, __eflags);
                        							 *(_t132 - 4) = _t95;
                        							_t59 =  *_t58;
                        							__eflags = _t59;
                        							if(_t59 == 0) {
                        								_t116 = _t95;
                        							} else {
                        								_t116 =  *_t59;
                        							}
                        							_t60 =  *(_t132 - 0x14);
                        							_t61 =  *((intOrPtr*)( *_t60 + 0xc))(_t60, _t116, _t95, _t95, _t95, _t95, _t95, _t95, _t132 - 0x10);
                        							 *(_t132 - 4) =  *(_t132 - 4) | 0xffffffff;
                        							_t127 = _t61;
                        							_t62 = L00BBFB48(_t61);
                        							__eflags = _t61;
                        							if(_t61 >= 0) {
                        								__imp__CoSetProxyBlanket( *(_t132 - 0x10), 0xa, _t95, _t95, 3, 3, _t95, _t95); // executed
                        								__eflags = _t62;
                        								if(__eflags >= 0) {
                        									_push("SELECT * FROM Win32_ComputerSystemProduct");
                        									 *(_t132 - 0x18) = _t95;
                        									_t128 = L00BBFAC5(_t95, _t132 - 0x28, _t123, _t127, __eflags);
                        									_push("WQL");
                        									 *(_t132 - 4) = 1;
                        									_t64 = L00BBFAC5(_t95, _t132 - 0x24, _t123, _t128, __eflags);
                        									 *(_t132 - 4) = 2;
                        									_t129 =  *_t128;
                        									__eflags = _t129;
                        									if(_t129 == 0) {
                        										_t130 = _t95;
                        									} else {
                        										_t130 =  *_t129;
                        									}
                        									_t65 =  *_t64;
                        									__eflags = _t65;
                        									if(_t65 == 0) {
                        										_t117 = _t95;
                        									} else {
                        										_t117 =  *_t65;
                        									}
                        									_t66 =  *(_t132 - 0x10);
                        									_t67 =  *((intOrPtr*)( *_t66 + 0x50))(_t66, _t117, _t130, 0x30, _t95, _t132 - 0x18);
                        									_t68 = L00BBFB48(_t67);
                        									 *(_t132 - 4) =  *(_t132 - 4) | 0xffffffff;
                        									L00BBFB48(_t68);
                        									__eflags = _t67;
                        									if(_t67 >= 0) {
                        										 *(_t132 - 0x1c) = _t95;
                        										 *(_t132 - 0x20) = _t95;
                        										while(1) {
                        											_t104 =  *(_t132 - 0x18);
                        											__eflags = _t104;
                        											if(_t104 == 0) {
                        												break;
                        											}
                        											 *((intOrPtr*)( *_t104 + 0x10))(_t104, 0xffffffff, 1, _t132 - 0x1c, _t132 - 0x20);
                        											__eflags =  *(_t132 - 0x20);
                        											if( *(_t132 - 0x20) != 0) {
                        												_t80 =  *(_t132 - 0x1c);
                        												 *((intOrPtr*)( *_t80 + 0x10))(_t80, L"UUID", _t95, _t132 - 0x38, _t95, _t95);
                        												_t109 =  *(_t132 - 0x30);
                        												__eflags = 0xce13f0;
                        												do {
                        													_t82 =  *_t109 & 0x0000ffff;
                        													_t109[0x6709f8] = _t82;
                        													_t109 =  &(_t109[1]);
                        													__eflags = _t82;
                        												} while (_t82 != 0);
                        												__imp__#9(_t132 - 0x38);
                        												_t84 =  *(_t132 - 0x1c);
                        												 *((intOrPtr*)( *_t84 + 8))(_t84);
                        												continue;
                        											}
                        											break;
                        										}
                        										_t72 =  *(_t132 - 0x10);
                        										 *((intOrPtr*)( *_t72 + 8))(_t72);
                        										_t74 =  *(_t132 - 0x14);
                        										 *((intOrPtr*)( *_t74 + 8))(_t74);
                        										_t76 =  *(_t132 - 0x18);
                        										 *((intOrPtr*)( *_t76 + 8))(_t76);
                        										_t95 = 1; // executed
                        									} else {
                        										_t86 =  *(_t132 - 0x10);
                        										 *((intOrPtr*)( *_t86 + 8))(_t86);
                        										_t88 =  *(_t132 - 0x14);
                        										 *((intOrPtr*)( *_t88 + 8))(_t88);
                        									}
                        									__imp__CoUninitialize(); // executed
                        									_t78 = _t95;
                        								} else {
                        									_t90 =  *(_t132 - 0x10);
                        									 *((intOrPtr*)( *_t90 + 8))(_t90);
                        									goto L11;
                        								}
                        							} else {
                        								L11:
                        								_t92 =  *(_t132 - 0x14);
                        								 *((intOrPtr*)( *_t92 + 8))(_t92);
                        								goto L6;
                        							}
                        						} else {
                        							goto L6;
                        						}
                        					} else {
                        						__eflags = _t56 - 0x80010119;
                        						if(_t56 != 0x80010119) {
                        							L6:
                        							__imp__CoUninitialize();
                        							goto L2;
                        						} else {
                        							goto L5;
                        						}
                        					}
                        				} else {
                        					L2:
                        					_t78 = 0;
                        				}
                        				return L00C89931(_t78);
                        			}





































                        APIs
                        • CoInitializeEx.OLE32(00000000,00000000,0000002C,00BBFC6D), ref: 00BBE6A2
                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00BBE6C5
                        • CoCreateInstance.OLE32(00CB6BC4,00000000,00000001,00CB6BD4,?), ref: 00BBE6EA
                        • CoUninitialize.OLE32 ref: 00BBE6F4
                        • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00BBE759
                        • VariantClear.OLEAUT32(?), ref: 00BBE845
                        • CoUninitialize.OLE32 ref: 00BBE878
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: InitializeUninitialize$BlanketClearCreateInstanceProxySecurityVariant
                        • String ID: 20D83542-CB48-FFC7-AA5E-D037A04953D7$ROOT\CIMV2$SELECT * FROM Win32_ComputerSystemProduct$UUID$WQL
                        • API String ID: 759232068-3666760557
                        • Opcode ID: 41aa79d18cb6933d78fbb4cde4bc8dfaf2c746ae0bf89a716939bb3e914b01a6
                        • Instruction ID: 21534a921da101907849d90c4fe989b0ca4eeffe807f4b372c6a6bad8ffa2509
                        • Opcode Fuzzy Hash: 41aa79d18cb6933d78fbb4cde4bc8dfaf2c746ae0bf89a716939bb3e914b01a6
                        • Instruction Fuzzy Hash: CD610B70A00219AFDB14DFA5CC95EFEB7B8FF44754B144598F426AB2A0DBB19D02CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        C-Code - Quality: 88%
                        			E00BBEC2D(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
                        				intOrPtr* _t141;
                        				void* _t142;
                        				intOrPtr* _t145;
                        				void* _t146;
                        				intOrPtr* _t149;
                        				void* _t150;
                        				intOrPtr* _t154;
                        				void* _t156;
                        				intOrPtr* _t161;
                        				void* _t163;
                        				void* _t169;
                        				void* _t170;
                        				void* _t176;
                        				intOrPtr* _t197;
                        				intOrPtr _t200;
                        				intOrPtr _t207;
                        				signed char _t215;
                        				void* _t235;
                        				void* _t240;
                        				void* _t249;
                        				void* _t258;
                        				char* _t265;
                        				void* _t273;
                        				void* _t276;
                        				void* _t293;
                        				intOrPtr* _t296;
                        				intOrPtr _t298;
                        				intOrPtr _t300;
                        				void* _t301;
                        				void* _t302;
                        				void* _t303;
                        				void* _t305;
                        				void* _t307;
                        				void* _t309;
                        				void* _t311;
                        				void* _t313;
                        				void* _t314;
                        				char* _t315;
                        				void* _t316;
                        				void* _t320;
                        
                        				_t320 = __eflags;
                        				_t299 = __esi;
                        				_t297 = __edi;
                        				_t293 = __edx;
                        				L00C8999C(0xc8e18b, __ebx, __edi, __esi, 0x1a4);
                        				_t303 = _t302 - 0x18;
                        				E00BAC01A(_t303, L"verify");
                        				_t141 = L00BBE8EA(__ebx, _t301 - 0xec, __edi, __esi);
                        				_t219 = 0;
                        				 *((intOrPtr*)(_t301 - 4)) = 0;
                        				_t142 = E00BAC01A(_t301 - 0xe8,  *_t141);
                        				 *((char*)(_t301 - 4)) = 2;
                        				E00BAE6AB(_t142,  *((intOrPtr*)(_t301 - 0xec)) - 0x10);
                        				_t305 = _t303 + 0x18 - 0x18;
                        				E00BAC01A(_t305, L"https://pcapp.store/verify.php?nocache=");
                        				_t145 = L00BBE8EA(0, _t301 - 0xf4, __edi, __esi);
                        				 *((char*)(_t301 - 4)) = 3;
                        				_t146 = E00BAC01A(_t301 - 0xd0,  *_t145);
                        				 *((char*)(_t301 - 4)) = 5;
                        				E00BAE6AB(_t146,  *((intOrPtr*)(_t301 - 0xf4)) - 0x10);
                        				_t307 = _t305 + 0x18 - 0x18;
                        				E00BAC01A(_t307, L"TEMP");
                        				_t149 = L00BBE8EA(0, _t301 - 0xec, __edi, __esi);
                        				 *((char*)(_t301 - 4)) = 6;
                        				_t150 = E00BAC01A(_t301 - 0xb8,  *_t149);
                        				 *((char*)(_t301 - 4)) = 8;
                        				E00BAE6AB(_t150,  *((intOrPtr*)(_t301 - 0xec)) - 0x10);
                        				_t309 = _t307 + 0x18 - 0x18;
                        				_t235 = _t309;
                        				 *((intOrPtr*)(_t235 + 0x10)) = 0;
                        				 *((intOrPtr*)(_t235 + 0x14)) = 0;
                        				E00BAC48D(_t301 - 0xb8, _t235, _t301 - 0xb8);
                        				_t154 = L00BBEA0A(0, _t301 - 0xf4, _t297, _t299);
                        				 *((char*)(_t301 - 4)) = 9;
                        				_t156 = E00BAC01A(_t301 - 0x28, L00C5983E(_t301 - 0xf4, _t293, _t320,  *_t154));
                        				 *((char*)(_t301 - 4)) = 0xb;
                        				E00BAE6AB(_t156,  *((intOrPtr*)(_t301 - 0xf4)) - 0x10);
                        				_t311 = _t309 + 0x1c - 0x18;
                        				_t240 = _t311;
                        				 *((intOrPtr*)(_t240 + 0x10)) = 0;
                        				 *((intOrPtr*)(_t240 + 0x14)) = 0;
                        				E00BAC48D(_t301 - 0xe8, _t240, _t301 - 0xe8);
                        				 *((char*)(_t301 - 4)) = 0xc;
                        				_t161 = E00BBF175(0, _t301 - 0xec, _t297, _t299);
                        				 *((char*)(_t301 - 4)) = 0xd;
                        				_t163 = E00BAE6AB(E00BBF272( *_t161),  *((intOrPtr*)(_t301 - 0xec)) - 0x10);
                        				 *((char*)(_t301 - 4)) = 0xb;
                        				E00BAE6AB(_t163,  *((intOrPtr*)(_t301 - 0xf0)) - 0x10);
                        				_t300 = L00BBFA71(_t301 - 0x88, GetTickCount(), _t297, _t299);
                        				_t313 = _t311 + 0x1c - 0x18;
                        				 *((char*)(_t301 - 4)) = 0xe;
                        				_t249 = _t313;
                        				 *((intOrPtr*)(_t249 + 0x10)) = 0;
                        				 *((intOrPtr*)(_t249 + 0x14)) = 0;
                        				E00BAC48D(_t301 - 0xd0, _t249, _t301 - 0xd0);
                        				_t169 = L00BBEA0A(0, _t301 - 0xf0, _t297, _t300);
                        				_t314 = _t313 + 0x18;
                        				_t295 = _t169;
                        				 *((char*)(_t301 - 4)) = 0xf;
                        				_t170 = L00BAE74E(0, _t301 - 0x58, _t169, _t297, _t300);
                        				 *((char*)(_t301 - 4)) = 0x10;
                        				E00BBF4F9(0, _t301 - 0x70, _t297, _t300);
                        				E00BAE6AB(E00BAE71B(_t301 - 0x58),  *((intOrPtr*)(_t301 - 0xf0)) - 0x10);
                        				 *((char*)(_t301 - 4)) = 0x14;
                        				E00BAE71B(_t301 - 0x88);
                        				_t258 =  >=  ?  *((void*)(_t301 - 0x28)) : _t301 - 0x28;
                        				_t176 =  >=  ?  *((void*)(_t301 - 0x70)) : _t301 - 0x70;
                        				__imp__URLDownloadToFileW(0, _t176, _t258, 0, 0,  *((intOrPtr*)(_t301 - 0xf0)), _t170, _t300, L00BBEA0A(0, _t301 - 0xf0, _t297, _t299)); // executed
                        				if(_t176 == 0) {
                        					_push(_t258);
                        					_push(_t258);
                        					_t219 = 1;
                        					E00BBF136(_t301 - 0x1b0, _t301 - 0x28, 1); // executed
                        					_t315 = _t314 - 0x18;
                        					 *((char*)(_t301 - 4)) = 0x15;
                        					_t265 = _t315;
                        					 *(_t265 + 0x10) =  *(_t265 + 0x10) & 0x00000000;
                        					_t298 = 0xf;
                        					 *((intOrPtr*)(_t265 + 0x14)) = _t298;
                        					 *_t265 = 0;
                        					L00BADB78(_t265, "verified", 8);
                        					L00BBE886(1, _t301 - 0xa0, _t298, _t300);
                        					_t316 = _t315 + 0x18;
                        					 *(_t301 - 0x48) =  *(_t301 - 0x48) & 0x00000000;
                        					_t300 = _t298;
                        					 *((intOrPtr*)(_t301 - 0x44)) = _t300;
                        					 *((char*)(_t301 - 0x58)) = 0;
                        					 *((char*)(_t301 - 4)) = 0x17;
                        					if( *((intOrPtr*)(_t301 - 0x154)) != 0) {
                        						_push(0xa);
                        						_t215 = L00BB4D0A(1, _t301 - 0x1b0 +  *((intOrPtr*)( *((intOrPtr*)(_t301 - 0x1b0)) + 4)), _t298, _t300);
                        						_t295 = _t301 - 0x58;
                        						_push(_t215 & 0x000000ff);
                        						E00BBF664(1, _t301 - 0x1b0, _t301 - 0x58, _t298, _t300); // executed
                        						_t300 =  *((intOrPtr*)(_t301 - 0x44));
                        					}
                        					L00BAFF20(_t301 - 0x1b0);
                        					_t269 =  >=  ?  *((void*)(_t301 - 0x28)) : _t301 - 0x28;
                        					_push( *((intOrPtr*)(_t301 - 0xf0)));
                        					 *((intOrPtr*)(_t301 - 0x2c)) = _t298;
                        					 *((char*)(_t301 - 0x40)) = 0;
                        					_t271 =  >=  ?  *((void*)(_t301 - 0x28)) : _t301 - 0x28;
                        					 *(_t301 - 0x30) =  *(_t301 - 0x30) & 0x00000000;
                        					_push(( >=  ?  *((void*)(_t301 - 0x28)) : _t301 - 0x28) +  *(_t301 - 0x18) * 2);
                        					_push( >=  ?  *((void*)(_t301 - 0x28)) : _t301 - 0x28);
                        					E00BBF783(_t219, _t301 - 0x40, _t298, _t300);
                        					 *((char*)(_t301 - 4)) = 0x18;
                        					_t193 =  >=  ?  *((void*)(_t301 - 0x40)) : _t301 - 0x40;
                        					E00C599E5(_t295,  >=  ?  *((void*)(_t301 - 0x40)) : _t301 - 0x40); // executed
                        					_t273 = _t316 - 0x14;
                        					_push(_t301 - 0xa0);
                        					 *(_t273 + 0x10) =  *(_t273 + 0x10) & 0x00000000;
                        					 *(_t273 + 0x14) =  *(_t273 + 0x14) & 0x00000000;
                        					L00BAD91B(_t301 - 0xa0, _t273);
                        					_t197 = L00BBE9A6(_t219, _t301 - 0x88, _t298, _t300);
                        					_t297 =  *((intOrPtr*)(_t301 - 0x58));
                        					_t296 = _t197;
                        					_t276 =  >=  ? _t297 : _t301 - 0x58;
                        					if( *((intOrPtr*)(_t197 + 0x14)) >= 0x10) {
                        						_t296 =  *_t197;
                        					}
                        					_t198 =  *((intOrPtr*)(_t197 + 0x10));
                        					if( *((intOrPtr*)(_t197 + 0x10)) !=  *(_t301 - 0x48) || L00C4CAA5(_t296, _t276, _t198) != 0) {
                        						_t219 = 0;
                        					}
                        					L00BADC00(_t301 - 0x88);
                        					_t200 =  *((intOrPtr*)(_t301 - 0x2c));
                        					if(_t200 >= 0x10) {
                        						_t284 =  *((intOrPtr*)(_t301 - 0x40));
                        						_t207 = _t200 + 1;
                        						 *((intOrPtr*)(_t301 - 0xf4)) = _t207;
                        						 *((intOrPtr*)(_t301 - 0xec)) =  *((intOrPtr*)(_t301 - 0x40));
                        						if(_t207 >= 0x1000) {
                        							E00BAE6CD(_t219, _t297, _t301, _t301 - 0xec, _t301 - 0xf4);
                        							_t207 =  *((intOrPtr*)(_t301 - 0xf4));
                        							_t284 =  *((intOrPtr*)(_t301 - 0xec));
                        						}
                        						_push(_t207);
                        						L00C32F7D(_t284);
                        					}
                        					 *(_t301 - 0x30) =  *(_t301 - 0x30) & 0x00000000;
                        					 *((intOrPtr*)(_t301 - 0x2c)) = 0xf;
                        					 *((char*)(_t301 - 0x40)) = 0;
                        					if(_t300 >= 0x10) {
                        						_t300 = _t300 + 1;
                        						 *((intOrPtr*)(_t301 - 0xf4)) = _t297;
                        						 *((intOrPtr*)(_t301 - 0xec)) = _t300;
                        						if(_t300 >= 0x1000) {
                        							E00BAE6CD(_t219, _t297, _t301, _t301 - 0xf4, _t301 - 0xec);
                        							_t300 =  *((intOrPtr*)(_t301 - 0xec));
                        							_t297 =  *((intOrPtr*)(_t301 - 0xf4));
                        						}
                        						_push(_t300);
                        						L00C32F7D(_t297);
                        					}
                        					L00BADC00(_t301 - 0xa0);
                        					L00BAFAD2(_t301 - 0x1b0);
                        				}
                        				E00BAE71B(_t301 - 0x70);
                        				E00BAE71B(_t301 - 0x28);
                        				E00BAE71B(_t301 - 0xb8);
                        				E00BAE71B(_t301 - 0xd0);
                        				E00BAE71B(_t301 - 0xe8);
                        				return L00C89946(_t219, _t219, _t297, _t300);
                        			}












































                        APIs
                        • __EH_prolog3_GS.LIBCMT ref: 00BBEC37
                        • GetTickCount.KERNEL32 ref: 00BBEDAB
                          • Part of subcall function 00BAE71B: _Deallocate.LIBCONCRT ref: 00BAE730
                        • URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 00BBEE4B
                          • Part of subcall function 00BBF664: __EH_prolog3_catch.LIBCMT ref: 00BBF66B
                          • Part of subcall function 00BADC00: _Deallocate.LIBCONCRT ref: 00BADC0F
                          • Part of subcall function 00BAFAD2: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00BAFB0A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: Deallocate$CountDownloadFileH_prolog3_H_prolog3_catchIos_base_dtorTickstd::ios_base::_
                        • String ID: TEMP$https://pcapp.store/verify.php?nocache=$verified$verify
                        • API String ID: 218650546-2318351902
                        • Opcode ID: 1de8a1f35c3f1e1734a9047d595735cc3de44fde7cf26596c3d6c39302f08216
                        • Instruction ID: 07f2f0ce9d25183d2a3f32d6576758f2b7d120a749f4f7fca3b29319b326cdf9
                        • Opcode Fuzzy Hash: 1de8a1f35c3f1e1734a9047d595735cc3de44fde7cf26596c3d6c39302f08216
                        • Instruction Fuzzy Hash: C1D18A31800259DFDF18EBA8CC95BEDBBB4AF15304F5044E9E00A67192EB719E89DF61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 328 bbfc4f-bbfc7b __EH_prolog3_GS call bbe692 331 bbfc7c-bbfc84 328->331 332 bbfca2-bbfca4 331->332 333 bbfc86-bbfc89 331->333 336 bbfca7-bbfca9 332->336 334 bbfc8b-bbfc93 333->334 335 bbfc9e-bbfca0 333->335 334->332 337 bbfc95-bbfc9c 334->337 335->336 338 bbfcaf-bbfcb4 336->338 339 bbfd6c-bbfeab call bac468 * 2 call bac48d call bbea0a RegOpenKeyExW call bae6ab call bac48d call bbea0a RegQueryValueExW call bae6ab RegCloseKey call c59f43 wsprintfW 336->339 337->331 337->335 341 bbfcb6-bbfcbc 338->341 387 bbfead-bbfec8 339->387 388 bbfef4-bbff16 339->388 343 bbfcda-bbfcdc 341->343 344 bbfcbe-bbfcc1 341->344 348 bbfcdf-bbfce1 343->348 346 bbfcc3-bbfccb 344->346 347 bbfcd6-bbfcd8 344->347 346->343 351 bbfccd-bbfcd4 346->351 347->348 348->339 349 bbfce7-bbfcec 348->349 352 bbfcee-bbfcf4 349->352 351->341 351->347 354 bbfd12-bbfd14 352->354 355 bbfcf6-bbfcf9 352->355 359 bbfd17-bbfd19 354->359 357 bbfcfb-bbfd03 355->357 358 bbfd0e-bbfd10 355->358 357->354 361 bbfd05-bbfd0c 357->361 358->359 359->339 362 bbfd1b-bbfd20 359->362 361->352 361->358 364 bbfd22-bbfd28 362->364 366 bbfd2a-bbfd2d 364->366 367 bbfd46-bbfd48 364->367 369 bbfd2f-bbfd37 366->369 370 bbfd42-bbfd44 366->370 372 bbfd4b-bbfd4d 367->372 369->367 374 bbfd39-bbfd40 369->374 370->372 372->339 373 bbfd4f-bbfd51 372->373 377 bbfd54-bbfd5d 373->377 374->364 374->370 377->377 379 bbfd5f-bbfd66 377->379 379->339 381 bbff5f-bbff64 call c89946 379->381 389 bbfeeb-bbfef3 call c32f7d 387->389 390 bbfeca-bbfee5 call bae6cd 387->390 388->381 391 bbff18-bbff33 388->391 389->388 390->389 394 bbff56-bbff5e call c32f7d 391->394 395 bbff35-bbff50 call bae6cd 391->395 394->381 395->394
                        C-Code - Quality: 93%
                        			E00BBFC4F(void* __ebx, void* __edx, void* __edi, void* __esi) {
                        				signed int _t70;
                        				signed int _t71;
                        				short** _t79;
                        				long _t80;
                        				short** _t87;
                        				long _t88;
                        				signed int _t94;
                        				signed int _t96;
                        				intOrPtr _t98;
                        				intOrPtr _t102;
                        				signed int _t107;
                        				signed int _t108;
                        				signed int _t109;
                        				signed int _t110;
                        				signed int _t111;
                        				signed int _t112;
                        				intOrPtr* _t115;
                        				void* _t118;
                        				void* _t122;
                        				intOrPtr* _t137;
                        				intOrPtr* _t138;
                        				intOrPtr* _t139;
                        				WCHAR* _t140;
                        				void* _t144;
                        				void* _t145;
                        				void* _t146;
                        				void* _t147;
                        				intOrPtr _t149;
                        				intOrPtr _t150;
                        				intOrPtr _t151;
                        				intOrPtr _t152;
                        				signed int _t157;
                        				void* _t158;
                        				void* _t159;
                        				void* _t160;
                        
                        				L00C8999C(0xc8e2f2, __ebx, __edi, __esi, 0x24c);
                        				 *(_t158 - 0x254) = 0x200;
                        				E00BBE692(__ebx, __edx, __edi, __esi); // executed
                        				_t115 = L"03000200-0400-0500-0006-000700080009";
                        				_t70 = 0xce13f0;
                        				0x1000 = 4;
                        				while(1) {
                        					_t144 =  *_t70;
                        					if(_t144 !=  *_t115) {
                        						break;
                        					}
                        					if(_t144 == 0) {
                        						L5:
                        						_t71 = 0;
                        						L7:
                        						if(_t71 == 0) {
                        							L35:
                        							_t157 = 7;
                        							 *((intOrPtr*)(_t158 - 0x234)) = 0;
                        							 *(_t158 - 0x230) = _t157;
                        							 *((short*)(_t158 - 0x244)) = 0;
                        							E00BAC468(L"QMDRU?PCZZKgapmqmdrZZApwnrmep_nfw");
                        							 *((intOrPtr*)(_t158 - 4)) = 0;
                        							 *((intOrPtr*)(_t158 - 0x21c)) = 0;
                        							 *(_t158 - 0x218) = _t157;
                        							 *((short*)(_t158 - 0x22c)) = 0;
                        							E00BAC468(L"K_afglcEsgb");
                        							 *((char*)(_t158 - 4)) = 1;
                        							_t160 = _t159 - 0x18;
                        							_t118 = _t160;
                        							 *((intOrPtr*)(_t118 + 0x10)) = 0;
                        							 *((intOrPtr*)(_t118 + 0x14)) = 0;
                        							E00BAC48D(_t158 - 0x244, _t118, _t158 - 0x244);
                        							_t79 = L00BBEA0A(0xce13f0, _t158 - 0x248, 0, _t157);
                        							 *((char*)(_t158 - 4)) = 2;
                        							_t80 = RegOpenKeyExW(0x80000002,  *_t79, 0, 0x101, _t158 - 0x250);
                        							 *((char*)(_t158 - 4)) = 1;
                        							E00BAE6AB(_t80,  *((intOrPtr*)(_t158 - 0x248)) - 0x10);
                        							_t122 = _t160 + 0x18 - 0x18;
                        							 *((intOrPtr*)(_t122 + 0x10)) = 0;
                        							 *((intOrPtr*)(_t122 + 0x14)) = 0;
                        							E00BAC48D(_t158 - 0x22c, _t122, _t158 - 0x22c);
                        							_t87 = L00BBEA0A(0xce13f0, _t158 - 0x248, 0, _t157);
                        							 *((char*)(_t158 - 4)) = 3;
                        							_t88 = RegQueryValueExW( *(_t158 - 0x250),  *_t87, 0, _t158 - 0x258, _t158 - 0x214, _t158 - 0x254);
                        							 *((char*)(_t158 - 4)) = 1;
                        							E00BAE6AB(_t88,  *((intOrPtr*)(_t158 - 0x248)) - 0x10);
                        							RegCloseKey( *(_t158 - 0x250));
                        							wsprintfW(0xce13f0, L"%wsX", L00C59F43(_t158 - 0x214));
                        							_t94 =  *(_t158 - 0x218);
                        							if(_t94 >= 8) {
                        								_t132 =  *((intOrPtr*)(_t158 - 0x22c));
                        								_t102 = 2 + _t94 * 2;
                        								 *((intOrPtr*)(_t158 - 0x24c)) = _t102;
                        								 *((intOrPtr*)(_t158 - 0x248)) =  *((intOrPtr*)(_t158 - 0x22c));
                        								if(_t102 >= 0x1000) {
                        									E00BAE6CD(0xce13f0, 0, _t158, _t158 - 0x248, _t158 - 0x24c);
                        									_t102 =  *((intOrPtr*)(_t158 - 0x24c));
                        									_t132 =  *((intOrPtr*)(_t158 - 0x248));
                        								}
                        								_push(_t102);
                        								L00C32F7D(_t132);
                        							}
                        							 *((intOrPtr*)(_t158 - 0x21c)) = 0;
                        							 *((short*)(_t158 - 0x22c)) = 0;
                        							_t96 =  *(_t158 - 0x230);
                        							 *(_t158 - 0x218) = 7;
                        							if(_t96 >= 8) {
                        								_t127 =  *((intOrPtr*)(_t158 - 0x244));
                        								_t98 = 2 + _t96 * 2;
                        								 *((intOrPtr*)(_t158 - 0x248)) = _t98;
                        								 *((intOrPtr*)(_t158 - 0x24c)) =  *((intOrPtr*)(_t158 - 0x244));
                        								if(_t98 >= 0x1000) {
                        									E00BAE6CD(0xce13f0, 0, _t158, _t158 - 0x24c, _t158 - 0x248);
                        									_t98 =  *((intOrPtr*)(_t158 - 0x248));
                        									_t127 =  *((intOrPtr*)(_t158 - 0x24c));
                        								}
                        								_push(_t98);
                        								_t96 = L00C32F7D(_t127);
                        							}
                        							L43:
                        							return L00C89946(_t96, 0xce13f0, 0, 0x1000);
                        						}
                        						_t137 = L"12345678-1234-5678-90AB-CDDEEFAABBCC";
                        						_t107 = 0xce13f0;
                        						while(1) {
                        							_t145 =  *_t107;
                        							if(_t145 !=  *_t137) {
                        								break;
                        							}
                        							if(_t145 == 0) {
                        								L13:
                        								_t108 = 0;
                        								L15:
                        								if(_t108 == 0) {
                        									goto L35;
                        								}
                        								_t138 = L"00000000-0000-0000-0000-000000000000";
                        								_t109 = 0xce13f0;
                        								while(1) {
                        									_t146 =  *_t109;
                        									if(_t146 !=  *_t138) {
                        										break;
                        									}
                        									if(_t146 == 0) {
                        										L21:
                        										_t110 = 0;
                        										L23:
                        										if(_t110 == 0) {
                        											goto L35;
                        										}
                        										_t139 = L"FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF";
                        										_t111 = 0xce13f0;
                        										while(1) {
                        											_t147 =  *_t111;
                        											if(_t147 !=  *_t139) {
                        												break;
                        											}
                        											if(_t147 == 0) {
                        												L29:
                        												_t112 = 0;
                        												L31:
                        												if(_t112 == 0) {
                        													goto L35;
                        												}
                        												_t140 = 0xce13f0;
                        												do {
                        													_t96 =  *_t140;
                        													_t140 =  &(_t140[1]);
                        												} while (_t96 != 0);
                        												if(_t140 - 0xce13f2 >> 1 == 0x24) {
                        													goto L43;
                        												}
                        												goto L35;
                        											}
                        											_t149 =  *((intOrPtr*)(_t111 + 2));
                        											if(_t149 !=  *((intOrPtr*)(_t139 + 2))) {
                        												break;
                        											}
                        											_t111 = _t111 + 0x1000;
                        											_t139 = _t139 + 0x1000;
                        											if(_t149 != 0) {
                        												continue;
                        											}
                        											goto L29;
                        										}
                        										asm("sbb eax, eax");
                        										_t112 = _t111 | 0x00000001;
                        										goto L31;
                        									}
                        									_t150 =  *((intOrPtr*)(_t109 + 2));
                        									if(_t150 !=  *((intOrPtr*)(_t138 + 2))) {
                        										break;
                        									}
                        									_t109 = _t109 + 0x1000;
                        									_t138 = _t138 + 0x1000;
                        									if(_t150 != 0) {
                        										continue;
                        									}
                        									goto L21;
                        								}
                        								asm("sbb eax, eax");
                        								_t110 = _t109 | 0x00000001;
                        								goto L23;
                        							}
                        							_t151 =  *((intOrPtr*)(_t107 + 2));
                        							if(_t151 !=  *((intOrPtr*)(_t137 + 2))) {
                        								break;
                        							}
                        							_t107 = _t107 + 0x1000;
                        							_t137 = _t137 + 0x1000;
                        							if(_t151 != 0) {
                        								continue;
                        							}
                        							goto L13;
                        						}
                        						asm("sbb eax, eax");
                        						_t108 = _t107 | 0x00000001;
                        						goto L15;
                        					}
                        					_t152 =  *((intOrPtr*)(_t70 + 2));
                        					if(_t152 !=  *((intOrPtr*)(_t115 + 2))) {
                        						break;
                        					}
                        					_t70 = _t70 + 0x1000;
                        					_t115 = _t115 + 0x1000;
                        					if(_t152 != 0) {
                        						continue;
                        					}
                        					goto L5;
                        				}
                        				asm("sbb eax, eax");
                        				_t71 = _t70 | 0x00000001;
                        				goto L7;
                        			}






































                        0x00000000
                        0x00bbfd48
                        0x00bbfcfb
                        0x00bbfd03
                        0x00000000
                        0x00000000
                        0x00bbfd05
                        0x00bbfd07
                        0x00bbfd0c
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00bbfd0c
                        0x00bbfd12
                        0x00bbfd14
                        0x00000000
                        0x00bbfd14
                        0x00bbfcc3
                        0x00bbfccb
                        0x00000000
                        0x00000000
                        0x00bbfccd
                        0x00bbfccf
                        0x00bbfcd4
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00bbfcd4
                        0x00bbfcda
                        0x00bbfcdc
                        0x00000000
                        0x00bbfcdc
                        0x00bbfc8b
                        0x00bbfc93
                        0x00000000
                        0x00000000
                        0x00bbfc95
                        0x00bbfc97
                        0x00bbfc9c
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00bbfc9c
                        0x00bbfca2
                        0x00bbfca4
                        0x00000000

                        APIs
                        • __EH_prolog3_GS.LIBCMT ref: 00BBFC59
                          • Part of subcall function 00BBE692: CoInitializeEx.OLE32(00000000,00000000,0000002C,00BBFC6D), ref: 00BBE6A2
                        • RegOpenKeyExW.ADVAPI32(80000002,00000000,?,?,?,?,?,?,?,?,?,?,?,00BC843E), ref: 00BBFDFD
                        • RegQueryValueExW.ADVAPI32(?,00000000), ref: 00BBFE5C
                        • RegCloseKey.ADVAPI32(?), ref: 00BBFE7A
                        • wsprintfW.USER32 ref: 00BBFE94
                        Strings
                        • 20D83542-CB48-FFC7-AA5E-D037A04953D7, xrefs: 00BBFC6D, 00BBFE93
                        • K_afglcEsgb, xrefs: 00BBFDA5
                        • QMDRU?PCZZKgapmqmdrZZApwnrmep_nfw, xrefs: 00BBFD77
                        • %wsX, xrefs: 00BBFE8E
                        • 12345678-1234-5678-90AB-CDDEEFAABBCC, xrefs: 00BBFCAF
                        • 00000000-0000-0000-0000-000000000000, xrefs: 00BBFCE7
                        • 03000200-0400-0500-0006-000700080009, xrefs: 00BBFC72
                        • FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF, xrefs: 00BBFD1B
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: CloseH_prolog3_InitializeOpenQueryValuewsprintf
                        • String ID: %wsX$00000000-0000-0000-0000-000000000000$03000200-0400-0500-0006-000700080009$12345678-1234-5678-90AB-CDDEEFAABBCC$20D83542-CB48-FFC7-AA5E-D037A04953D7$FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF$K_afglcEsgb$QMDRU?PCZZKgapmqmdrZZApwnrmep_nfw
                        • API String ID: 2297622293-1973463525
                        • Opcode ID: 97c45a52da156b24c4f6f79a9f90fbe98765a10768615633497e6f6e0e4ad2a3
                        • Instruction ID: 2cc273c944cb262dba8733ab27597f0b80e6ec69ebb838f44cbbba4f980d7483
                        • Opcode Fuzzy Hash: 97c45a52da156b24c4f6f79a9f90fbe98765a10768615633497e6f6e0e4ad2a3
                        • Instruction Fuzzy Hash: 0C819D70A0011A9BCF24EB68CC99BFDB7F5EF64704F6005E9E4099B251EB729E81CB54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 460 c676c9-c676d9 461 c676f3-c676f5 460->461 462 c676db-c676ee call c5448b call c5449e 460->462 463 c67a5a-c67a67 call c5448b call c5449e 461->463 464 c676fb-c67701 461->464 476 c67a72 462->476 484 c67a6d call c543c4 463->484 464->463 466 c67707-c6772d 464->466 466->463 470 c67733-c6773c 466->470 473 c67756-c67758 470->473 474 c6773e-c67751 call c5448b call c5449e 470->474 478 c67a56-c67a58 473->478 479 c6775e-c67761 473->479 474->484 481 c67a75-c67a78 476->481 478->481 479->478 483 c67767-c6776b 479->483 483->474 487 c6776d-c67784 483->487 484->476 489 c67786-c67789 487->489 490 c677d5-c677db 487->490 491 c6778b-c67794 489->491 492 c67799-c6779f 489->492 493 c677a1-c677b8 call c5448b call c5449e call c543c4 490->493 494 c677dd-c677e7 490->494 495 c67859-c67869 491->495 492->493 496 c677bd-c677d0 492->496 529 c6798d 493->529 498 c677ee-c6780c call c64cdb _free * 2 494->498 499 c677e9-c677eb 494->499 501 c6792e-c67937 call c71a21 495->501 502 c6786f-c6787b 495->502 496->495 508 c6780e-c67824 call c5449e call c5448b 498->508 509 c67829-c67852 call c66c33 498->509 499->498 514 c679aa 501->514 515 c67939-c6794b 501->515 502->501 506 c67881-c67883 502->506 506->501 512 c67889-c678ad 506->512 508->529 509->495 512->501 518 c678af-c678c5 512->518 519 c679ae-c679c6 ReadFile 514->519 515->514 521 c6794d-c6795c GetConsoleMode 515->521 518->501 524 c678c7-c678c9 518->524 525 c67a22-c67a2d GetLastError 519->525 526 c679c8-c679ce 519->526 521->514 528 c6795e-c67962 521->528 524->501 530 c678cb-c678f1 524->530 531 c67a46-c67a49 525->531 532 c67a2f-c67a41 call c5449e call c5448b 525->532 526->525 533 c679d0 526->533 528->519 535 c67964-c6797e ReadConsoleW 528->535 536 c67990-c6799a _free 529->536 530->501 537 c678f3-c67909 530->537 541 c67986-c6798c call c54468 531->541 542 c67a4f-c67a51 531->542 532->529 540 c679d3-c679e5 533->540 543 c67980 GetLastError 535->543 544 c6799f-c679a8 535->544 536->481 537->501 538 c6790b-c6790d 537->538 
538->501 545 c6790f-c67929 538->545 540->536 547 c679e7-c679eb 540->547 541->529 542->536 543->541 544->540 545->501 550 c67a04-c67a0f 547->550 551 c679ed-c679fd call c673e3 547->551 555 c67a11 call c6753a 550->555 556 c67a1b-c67a20 call c67212 550->556 561 c67a00-c67a02 551->561 562 c67a16-c67a19 555->562 556->562 561->536 562->561
                        C-Code - Quality: 82%
                        			E00C676C9(signed int _a4, void* _a8, unsigned int _a12) {
                        				char _v5;
                        				signed int _v12;
                        				long _v16;
                        				signed int _v20;
                        				void* _v24;
                        				void* _v28;
                        				long _v32;
                        				char _v36;
                        				void* _v40;
                        				long _v44;
                        				signed int* _t137;
                        				signed int _t139;
                        				intOrPtr _t143;
                        				unsigned int _t154;
                        				intOrPtr _t158;
                        				signed int _t160;
                        				signed int _t163;
                        				long _t164;
                        				intOrPtr _t169;
                        				signed int _t170;
                        				intOrPtr _t172;
                        				signed int _t174;
                        				signed int _t178;
                        				void _t180;
                        				char _t185;
                        				char _t190;
                        				signed int _t198;
                        				signed int _t199;
                        				signed int _t200;
                        				signed int _t207;
                        				long _t210;
                        				unsigned int _t212;
                        				intOrPtr _t214;
                        				unsigned int _t217;
                        				signed int _t219;
                        				signed int _t220;
                        				signed int _t221;
                        				signed int _t222;
                        				signed char _t224;
                        				char _t226;
                        				signed int _t228;
                        				void* _t229;
                        				signed int _t230;
                        				char* _t231;
                        				char* _t232;
                        				signed int _t235;
                        				signed int _t236;
                        				void* _t240;
                        				void* _t242;
                        				void* _t243;
                        
                        				_t198 = _a4;
                        				_t246 = _t198 - 0xfffffffe;
                        				if(_t198 != 0xfffffffe) {
                        					__eflags = _t198;
                        					if(__eflags < 0) {
                        						L59:
                        						_t137 = E00C5448B(__eflags);
                        						 *_t137 =  *_t137 & 0x00000000;
                        						__eflags =  *_t137;
                        						 *((intOrPtr*)(E00C5449E( *_t137))) = 9;
                        						L60:
                        						_t139 = E00C543C4();
                        						goto L61;
                        					}
                        					__eflags = _t198 -  *0xce1168; // 0x40
                        					if(__eflags >= 0) {
                        						goto L59;
                        					}
                        					_t207 = _t198 >> 6;
                        					_t235 = (_t198 & 0x0000003f) * 0x38;
                        					_v12 = _t207;
                        					_t143 =  *((intOrPtr*)(0xce0f68 + _t207 * 4));
                        					_v20 = _t235;
                        					_v36 = 1;
                        					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
                        					__eflags = 1 & _t224;
                        					if(__eflags == 0) {
                        						goto L59;
                        					}
                        					_t210 = _a12;
                        					__eflags = _t210 - 0x7fffffff;
                        					if(__eflags <= 0) {
                        						__eflags = _t210;
                        						if(_t210 == 0) {
                        							L58:
                        							return 0;
                        						}
                        						__eflags = _t224 & 0x00000002;
                        						if((_t224 & 0x00000002) != 0) {
                        							goto L58;
                        						}
                        						__eflags = _a8;
                        						if(__eflags == 0) {
                        							goto L6;
                        						}
                        						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
                        						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
                        						_v5 = _t226;
                        						_t240 = 0;
                        						_t228 = _t226 - 1;
                        						__eflags = _t228;
                        						if(_t228 == 0) {
                        							__eflags =  !_t210 & 0x00000001;
                        							if(__eflags == 0) {
                        								L14:
                        								 *(E00C5448B(__eflags)) =  *_t149 & _t240;
                        								 *((intOrPtr*)(E00C5449E(__eflags))) = 0x16;
                        								E00C543C4();
                        								goto L39;
                        							} else {
                        								_t154 = 4;
                        								_t212 = _t210 >> 1;
                        								_v16 = _t154;
                        								__eflags = _t212 - _t154;
                        								if(_t212 >= _t154) {
                        									_t154 = _t212;
                        									_v16 = _t212;
                        								}
                        								_t240 = E00C64CDB(_t212, _t154);
                        								L00C63981(0);
                        								L00C63981(0);
                        								_t243 = _t242 + 0xc;
                        								_v24 = _t240;
                        								__eflags = _t240;
                        								if(__eflags != 0) {
                        									_t158 = L00C66C33(_t198, 0, 0, 1);
                        									_t242 = _t243 + 0x10;
                        									_t214 =  *((intOrPtr*)(0xce0f68 + _v12 * 4));
                        									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
                        									 *(_t235 + _t214 + 0x24) = _t228;
                        									_t229 = _t240;
                        									_t210 = _v16;
                        									_t143 =  *((intOrPtr*)(0xce0f68 + _v12 * 4));
                        									L22:
                        									_t199 = _v20;
                        									_t235 = 0;
                        									_v40 = _t229;
                        									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
                        									_t200 = _a4;
                        									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
                        										_t180 =  *((intOrPtr*)(_v20 + _t143 + 0x2a));
                        										_t200 = _a4;
                        										__eflags = _t180 - 0xa;
                        										if(_t180 != 0xa) {
                        											__eflags = _t210;
                        											if(_t210 != 0) {
                        												_t235 = 1;
                        												 *_t229 = _t180;
                        												_t231 = _t229 + 1;
                        												_t220 = _t210 - 1;
                        												__eflags = _v5;
                        												_v24 = _t231;
                        												_v16 = _t220;
                        												 *((char*)(_v20 +  *((intOrPtr*)(0xce0f68 + _v12 * 4)) + 0x2a)) = 0xa;
                        												_t200 = _a4;
                        												if(_v5 != 0) {
                        													_t185 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0xce0f68 + _v12 * 4)) + 0x2b));
                        													_t200 = _a4;
                        													__eflags = _t185 - 0xa;
                        													if(_t185 != 0xa) {
                        														__eflags = _t220;
                        														if(_t220 != 0) {
                        															 *_t231 = _t185;
                        															_t232 = _t231 + 1;
                        															_t221 = _t220 - 1;
                        															__eflags = _v5 - 1;
                        															_v24 = _t232;
                        															_t235 = 2;
                        															_v16 = _t221;
                        															 *((char*)(_v20 +  *((intOrPtr*)(0xce0f68 + _v12 * 4)) + 0x2b)) = 0xa;
                        															_t200 = _a4;
                        															if(_v5 == 1) {
                        																_t190 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0xce0f68 + _v12 * 4)) + 0x2c));
                        																_t200 = _a4;
                        																__eflags = _t190 - 0xa;
                        																if(_t190 != 0xa) {
                        																	__eflags = _t221;
                        																	if(_t221 != 0) {
                        																		 *_t232 = _t190;
                        																		_t222 = _t221 - 1;
                        																		__eflags = _t222;
                        																		_v16 = _t222;
                        																		_v24 = _t232 + 1;
                        																		_t235 = 3;
                        																		 *((char*)(_v20 +  *((intOrPtr*)(0xce0f68 + _v12 * 4)) + 0x2c)) = 0xa;
                        																	}
                        																}
                        															}
                        														}
                        													}
                        												}
                        											}
                        										}
                        									}
                        									_t160 = L00C71A21(_t200);
                        									__eflags = _t160;
                        									if(_t160 == 0) {
                        										L42:
                        										_v36 = 0;
                        										L43:
                        										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0); // executed
                        										__eflags = _t163;
                        										if(_t163 == 0) {
                        											L54:
                        											_t164 = GetLastError();
                        											_t235 = 5;
                        											__eflags = _t164 - _t235;
                        											if(__eflags != 0) {
                        												__eflags = _t164 - 0x6d;
                        												if(_t164 != 0x6d) {
                        													L38:
                        													E00C54468(_t164);
                        													goto L39;
                        												}
                        												_t236 = 0;
                        												goto L40;
                        											}
                        											 *((intOrPtr*)(E00C5449E(__eflags))) = 9;
                        											 *(E00C5448B(__eflags)) = _t235;
                        											goto L39;
                        										}
                        										_t217 = _a12;
                        										__eflags = _v32 - _t217;
                        										if(_v32 > _t217) {
                        											goto L54;
                        										}
                        										_t236 = _t235 + _v32;
                        										__eflags = _t236;
                        										L46:
                        										_t230 = _v20;
                        										_t169 =  *((intOrPtr*)(0xce0f68 + _v12 * 4));
                        										__eflags =  *((char*)(_t230 + _t169 + 0x28));
                        										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
                        											__eflags = _v5 - 2;
                        											if(_v5 == 2) {
                        												__eflags = _v36;
                        												_push(_t236 >> 1);
                        												_push(_v40);
                        												_push(_t200);
                        												if(_v36 == 0) {
                        													_t170 = E00C67212();
                        												} else {
                        													_t170 = E00C6753A();
                        												}
                        											} else {
                        												_t218 = _t217 >> 1;
                        												__eflags = _t217 >> 1;
                        												_t170 = E00C673E3(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
                        											}
                        											_t236 = _t170;
                        										}
                        										goto L40;
                        									}
                        									_t219 = _v20;
                        									_t172 =  *((intOrPtr*)(0xce0f68 + _v12 * 4));
                        									__eflags =  *((char*)(_t219 + _t172 + 0x28));
                        									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
                        										goto L42;
                        									}
                        									_t174 = GetConsoleMode(_v28,  &_v44);
                        									__eflags = _t174;
                        									if(_t174 == 0) {
                        										goto L42;
                        									}
                        									__eflags = _v5 - 2;
                        									if(_v5 != 2) {
                        										goto L43;
                        									}
                        									_t111 =  &_v16; // 0xa
                        									_t178 = ReadConsoleW(_v28, _v24,  *_t111 >> 1,  &_v32, 0);
                        									__eflags = _t178;
                        									if(_t178 != 0) {
                        										_t217 = _a12;
                        										_t236 = _t235 + _v32 * 2;
                        										goto L46;
                        									}
                        									_t164 = GetLastError();
                        									goto L38;
                        								} else {
                        									 *((intOrPtr*)(E00C5449E(__eflags))) = 0xc;
                        									 *(E00C5448B(__eflags)) = 8;
                        									L39:
                        									_t236 = _t235 | 0xffffffff;
                        									__eflags = _t236;
                        									L40:
                        									L00C63981(_t240);
                        									return _t236;
                        								}
                        							}
                        						}
                        						__eflags = _t228 == 1;
                        						if(_t228 == 1) {
                        							__eflags =  !_t210 & 0x00000001;
                        							if(__eflags != 0) {
                        								_t229 = _a8;
                        								_v16 = _t210;
                        								_v24 = _t229;
                        								_t143 =  *((intOrPtr*)(0xce0f68 + _v12 * 4));
                        								goto L22;
                        							}
                        							goto L14;
                        						} else {
                        							_t229 = _a8;
                        							_v16 = _t210;
                        							_v24 = _t229;
                        							goto L22;
                        						}
                        					}
                        					L6:
                        					 *(E00C5448B(__eflags)) =  *_t145 & 0x00000000;
                        					 *((intOrPtr*)(E00C5449E(__eflags))) = 0x16;
                        					goto L60;
                        				} else {
                        					 *(E00C5448B(_t246)) =  *_t197 & 0x00000000;
                        					_t139 = E00C5449E(_t246);
                        					 *_t139 = 9;
                        					L61:
                        					return _t139 | 0xffffffff;
                        				}
                        			}





















































                        0x00c6798d
                        0x00c6798d
                        0x00c67990
                        0x00c67991
                        0x00000000
                        0x00c67999
                        0x00c6780c
                        0x00c677db
                        0x00c67786
                        0x00c67789
                        0x00c6779d
                        0x00c6779f
                        0x00c677c0
                        0x00c677c3
                        0x00c677c6
                        0x00c677c9
                        0x00000000
                        0x00c677c9
                        0x00000000
                        0x00c6778b
                        0x00c6778b
                        0x00c6778e
                        0x00c67791
                        0x00000000
                        0x00c67791
                        0x00c67789
                        0x00c6773e
                        0x00c67743
                        0x00c6774b
                        0x00000000
                        0x00c676db
                        0x00c676e0
                        0x00c676e3
                        0x00c676e8
                        0x00c67a72
                        0x00000000
                        0x00c67a72

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID: 0-3907804496
                        • Opcode ID: f6ecf2768d08dc2c07964fd451d817f7c207647166cdb03ff2dfd28a2062b209
                        • Instruction ID: 73552ed79662d02064e2b5dc4bfaea7c00ddd44cac1b25767b101ff04e49e141
                        • Opcode Fuzzy Hash: f6ecf2768d08dc2c07964fd451d817f7c207647166cdb03ff2dfd28a2062b209
                        • Instruction Fuzzy Hash: 89C128749082459FDF35DF98D8C4BAD7BB0AF49318F144A59E8209B392C3709A82DB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 563 c728f9-c72929 call c72647 566 c72944-c72950 call c6a3b7 563->566 567 c7292b-c72936 call c5448b 563->567 573 c72952-c72967 call c5448b call c5449e 566->573 574 c72969-c729b2 call c725b2 566->574 572 c72938-c7293f call c5449e 567->572 583 c72c1e-c72c22 572->583 573->572 581 c729b4-c729bd 574->581 582 c72a1f-c72a28 GetFileType 574->582 585 c729f4-c72a1a GetLastError call c54468 581->585 586 c729bf-c729c3 581->586 587 c72a71-c72a74 582->587 588 c72a2a-c72a5b GetLastError call c54468 CloseHandle 582->588 585->572 586->585 592 c729c5-c729f2 call c725b2 586->592 590 c72a76-c72a7b 587->590 591 c72a7d-c72a83 587->591 588->572 602 c72a61-c72a6c call c5449e 588->602 595 c72a87-c72ad5 call c6a302 590->595 591->595 596 c72a85 591->596 592->582 592->585 606 c72ad7-c72ae3 call c727c1 595->606 607 c72af4-c72b1c call c7235f 595->607 596->595 602->572 606->607 614 c72ae5 606->614 612 c72b21-c72b62 607->612 613 c72b1e-c72b1f 607->613 616 c72b64-c72b68 612->616 617 c72b83-c72b91 612->617 615 c72ae7-c72aef call c687c5 613->615 614->615 615->583 616->617 618 c72b6a-c72b7e 616->618 619 c72b97-c72b9b 617->619 620 c72c1c 617->620 618->617 619->620 622 c72b9d-c72bd0 CloseHandle call c725b2 619->622 620->583 626 c72c04-c72c18 622->626 627 c72bd2-c72bfe GetLastError call c54468 call c6a4ca 622->627 626->620 627->626
                        C-Code - Quality: 43%
                        			E00C728F9(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
                        				signed int _v5;
                        				char _v6;
                        				void* _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				char _v24;
                        				intOrPtr _v36;
                        				signed int _v44;
                        				void _v48;
                        				char _v72;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void* __ebp;
                        				signed int _t114;
                        				void* _t122;
                        				signed int _t123;
                        				signed char _t124;
                        				signed int _t134;
                        				intOrPtr _t162;
                        				intOrPtr _t178;
                        				signed int* _t186;
                        				void* _t188;
                        				signed int* _t189;
                        				signed int _t191;
                        				char _t196;
                        				signed int _t202;
                        				signed int _t205;
                        				signed int _t214;
                        				signed int _t216;
                        				signed int _t218;
                        				signed int _t224;
                        				signed int _t226;
                        				signed int _t233;
                        				signed int _t234;
                        				signed int _t236;
                        				signed int _t238;
                        				void* _t239;
                        				signed char _t242;
                        				signed int _t243;
                        				intOrPtr _t247;
                        				void* _t254;
                        				void* _t264;
                        				signed int _t265;
                        				signed int _t268;
                        				signed int _t269;
                        				signed int _t272;
                        				void* _t274;
                        				void* _t276;
                        				void* _t277;
                        				void* _t279;
                        				void* _t280;
                        				void* _t282;
                        				void* _t286;
                        				signed int _t290;
                        
                        				_t239 = __edx;
                        				_t264 = E00C72647(__ecx,  &_v72, _a16, _a20, _a24);
                        				_t191 = 6;
                        				memcpy( &_v48, _t264, _t191 << 2);
                        				_t276 = _t274 + 0x1c;
                        				_t265 = _t264 | 0xffffffff;
                        				_t289 = _v36 - _t265;
                        				if(_v36 != _t265) {
                        					_t114 = E00C6A3B7(_t188, 0, _t239, __eflags);
                        					_t189 = _a8;
                        					 *_t189 = _t114;
                        					__eflags = _t114 - _t265;
                        					if(__eflags != 0) {
                        						_v20 = _v20 & 0x00000000;
                        						_v24 = 0xc;
                        						_t277 = _t276 - 0x18;
                        						 *_a4 = 1;
                        						_push(6);
                        						_v16 =  !(_a16 >> 7) & 1;
                        						_push( &_v24);
                        						_push(_a12);
                        						memcpy(_t277,  &_v48, 1 << 2);
                        						_t196 = 0;
                        						_t122 = E00C725B2(); // executed
                        						_t254 = _t122;
                        						_t279 = _t277 + 0x2c;
                        						_v12 = _t254;
                        						__eflags = _t254 - 0xffffffff;
                        						if(_t254 != 0xffffffff) {
                        							L11:
                        							_t123 = GetFileType(_t254); // executed
                        							__eflags = _t123;
                        							if(_t123 != 0) {
                        								__eflags = _t123 - 2;
                        								if(_t123 != 2) {
                        									__eflags = _t123 - 3;
                        									_t124 = _v48;
                        									if(_t123 == 3) {
                        										_t124 = _t124 | 0x00000008;
                        										__eflags = _t124;
                        									}
                        								} else {
                        									_t124 = _v48 | 0x00000040;
                        								}
                        								_v5 = _t124;
                        								E00C6A302(_t196, _t254,  *_t189, _t254);
                        								_t242 = _v5 | 0x00000001;
                        								_v5 = _t242;
                        								_v48 = _t242;
                        								 *( *((intOrPtr*)(0xce0f68 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) = _t242;
                        								_t202 =  *_t189;
                        								_t204 = (_t202 & 0x0000003f) * 0x38;
                        								__eflags = _a16 & 0x00000002;
                        								 *((char*)( *((intOrPtr*)(0xce0f68 + (_t202 >> 6) * 4)) + 0x29 + (_t202 & 0x0000003f) * 0x38)) = 0;
                        								if((_a16 & 0x00000002) == 0) {
                        									L22:
                        									_v6 = 0;
                        									_push( &_v6);
                        									_push(_a16);
                        									_t280 = _t279 - 0x18;
                        									_t205 = 6;
                        									_push( *_t189);
                        									memcpy(_t280,  &_v48, _t205 << 2);
                        									_t134 = E00C7235F(_t189,  &_v48 + _t205 + _t205,  &_v48);
                        									_t243 =  *_t189;
                        									_t268 = _t134;
                        									_t282 = _t280 + 0x30;
                        									__eflags = _t268;
                        									if(__eflags == 0) {
                        										 *((char*)( *((intOrPtr*)(0xce0f68 + (_t243 >> 6) * 4)) + 0x29 + (_t243 & 0x0000003f) * 0x38)) = _v6;
                        										 *( *((intOrPtr*)(0xce0f68 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0xce0f68 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0xce0f68 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38)) & 0x00000001;
                        										__eflags = _v5 & 0x00000048;
                        										if((_v5 & 0x00000048) == 0) {
                        											__eflags = _a16 & 0x00000008;
                        											if((_a16 & 0x00000008) != 0) {
                        												_t224 =  *_t189;
                        												_t226 = (_t224 & 0x0000003f) * 0x38;
                        												_t162 =  *((intOrPtr*)(0xce0f68 + (_t224 >> 6) * 4));
                        												_t87 = _t162 + _t226 + 0x28;
                        												 *_t87 =  *(_t162 + _t226 + 0x28) | 0x00000020;
                        												__eflags =  *_t87;
                        											}
                        										}
                        										_t269 = _v44;
                        										__eflags = (_t269 & 0xc0000000) - 0xc0000000;
                        										if((_t269 & 0xc0000000) != 0xc0000000) {
                        											L32:
                        											__eflags = 0;
                        											return 0;
                        										} else {
                        											__eflags = _a16 & 0x00000001;
                        											if((_a16 & 0x00000001) == 0) {
                        												goto L32;
                        											}
                        											CloseHandle(_v12);
                        											_v44 = _t269 & 0x7fffffff;
                        											_t214 = 6;
                        											_push( &_v24);
                        											_push(_a12);
                        											memcpy(_t282 - 0x18,  &_v48, _t214 << 2);
                        											_t247 = E00C725B2();
                        											__eflags = _t247 - 0xffffffff;
                        											if(_t247 != 0xffffffff) {
                        												_t216 =  *_t189;
                        												_t218 = (_t216 & 0x0000003f) * 0x38;
                        												__eflags = _t218;
                        												 *((intOrPtr*)( *((intOrPtr*)(0xce0f68 + (_t216 >> 6) * 4)) + _t218 + 0x18)) = _t247;
                        												goto L32;
                        											}
                        											E00C54468(GetLastError());
                        											 *( *((intOrPtr*)(0xce0f68 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0xce0f68 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
                        											E00C6A4CA( *_t189);
                        											L10:
                        											goto L2;
                        										}
                        									}
                        									_push(_t243);
                        									goto L21;
                        								} else {
                        									_t268 = E00C727C1(_t204,  *_t189);
                        									__eflags = _t268;
                        									if(__eflags == 0) {
                        										goto L22;
                        									}
                        									_push( *_t189);
                        									L21:
                        									E00C687C5(__eflags);
                        									return _t268;
                        								}
                        							}
                        							_t272 = GetLastError();
                        							E00C54468(_t272);
                        							 *( *((intOrPtr*)(0xce0f68 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0xce0f68 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
                        							CloseHandle(_t254);
                        							__eflags = _t272;
                        							if(__eflags == 0) {
                        								 *((intOrPtr*)(E00C5449E(__eflags))) = 0xd;
                        							}
                        							goto L2;
                        						}
                        						_t233 = _v44;
                        						__eflags = (_t233 & 0xc0000000) - 0xc0000000;
                        						if((_t233 & 0xc0000000) != 0xc0000000) {
                        							L9:
                        							_t234 =  *_t189;
                        							_t236 = (_t234 & 0x0000003f) * 0x38;
                        							_t178 =  *((intOrPtr*)(0xce0f68 + (_t234 >> 6) * 4));
                        							_t33 = _t178 + _t236 + 0x28;
                        							 *_t33 =  *(_t178 + _t236 + 0x28) & 0x000000fe;
                        							__eflags =  *_t33;
                        							E00C54468(GetLastError());
                        							goto L10;
                        						}
                        						__eflags = _a16 & 0x00000001;
                        						if((_a16 & 0x00000001) == 0) {
                        							goto L9;
                        						}
                        						_t286 = _t279 - 0x18;
                        						_v44 = _t233 & 0x7fffffff;
                        						_t238 = 6;
                        						_push( &_v24);
                        						_push(_a12);
                        						memcpy(_t286,  &_v48, _t238 << 2);
                        						_t196 = 0;
                        						_t254 = E00C725B2();
                        						_t279 = _t286 + 0x2c;
                        						_v12 = _t254;
                        						__eflags = _t254 - 0xffffffff;
                        						if(_t254 != 0xffffffff) {
                        							goto L11;
                        						}
                        						goto L9;
                        					} else {
                        						 *(E00C5448B(__eflags)) =  *_t184 & 0x00000000;
                        						 *_t189 = _t265;
                        						 *((intOrPtr*)(E00C5449E(__eflags))) = 0x18;
                        						goto L2;
                        					}
                        				} else {
                        					_t186 = E00C5448B(_t289);
                        					 *_t186 =  *_t186 & 0x00000000;
                        					_t290 =  *_t186;
                        					 *_a8 = _t265;
                        					L2:
                        					return  *((intOrPtr*)(E00C5449E(_t290)));
                        				}
                        			}


                        APIs
                          • Part of subcall function 00C725B2: CreateFileW.KERNEL32(00000000,00000000,?,00C729A2,?,?,00000000,?,00C729A2,00000000,0000000C), ref: 00C725CF
                        • GetLastError.KERNEL32 ref: 00C72A0D
                        • __dosmaperr.LIBCMT ref: 00C72A14
                        • GetFileType.KERNEL32(00000000), ref: 00C72A20
                        • GetLastError.KERNEL32 ref: 00C72A2A
                        • __dosmaperr.LIBCMT ref: 00C72A33
                        • CloseHandle.KERNEL32(00000000), ref: 00C72A53
                        • CloseHandle.KERNEL32(00C68F0C), ref: 00C72BA0
                        • GetLastError.KERNEL32 ref: 00C72BD2
                        • __dosmaperr.LIBCMT ref: 00C72BD9
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                        • String ID: H
                        • API String ID: 4237864984-2852464175
                        • Opcode ID: 801223d83ddf783d66408f588a21a7e08ca9938ec7fbabe5554424965c3df6ea
                        • Instruction ID: 270149dc524465b010c77903923e8aa4d0b6aa7992578885aaf4a136e2fe2bce
                        • Opcode Fuzzy Hash: 801223d83ddf783d66408f588a21a7e08ca9938ec7fbabe5554424965c3df6ea
                        • Instruction Fuzzy Hash: EBA12532A041458FCF29DF68DC92BAD3BA1AB06324F28425DF815EF3D1CB358956DB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 759 c5a5a9-c5a5b4 760 c5a5b6-c5a5ca call c5449e call c543c4 759->760 761 c5a5cb-c5a5e1 call c5a559 759->761 766 c5a611 761->766 767 c5a5e3-c5a602 CreateThread 761->767 771 c5a614-c5a621 call c5a4cb 766->771 769 c5a604-c5a610 GetLastError call c54468 767->769 770 c5a622-c5a62f ResumeThread 767->770 769->766 770->769 775 c5a631-c5a635 770->775 775->771
                        APIs
                        • CreateThread.KERNEL32 ref: 00C5A5F8
                        • GetLastError.KERNEL32(?,?,?,00BC844F,00BC7DBA), ref: 00C5A604
                        • __dosmaperr.LIBCMT ref: 00C5A60B
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: CreateErrorLastThread__dosmaperr
                        • String ID:
                        • API String ID: 2744730728-0
                        • Opcode ID: 3701fa25a17b8a6b1754615b84df9f193036ab445585cf19d9015a718bb5b241
                        • Instruction ID: 9e261587a116baff1667ee7032d32bd1c28c2c325e89ef68e5b012cc0eb92ad0
                        • Opcode Fuzzy Hash: 3701fa25a17b8a6b1754615b84df9f193036ab445585cf19d9015a718bb5b241
                        • Instruction Fuzzy Hash: 3501DB7A400504BBCB149BA6DC0DF9E7F68EF90377F154319F924920D0DB708AC9D665
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 778 c687c5-c687d9 call c6a55b 781 c687df-c687e7 778->781 782 c687db-c687dd 778->782 784 c687f2-c687f5 781->784 785 c687e9-c687f0 781->785 783 c6882d-c6884d call c6a4ca 782->783 794 c6884f-c68859 call c54468 783->794 795 c6885b 783->795 788 c687f7-c687fb 784->788 789 c68813-c68823 call c6a55b FindCloseChangeNotification 784->789 785->784 787 c687fd-c68811 call c6a55b * 2 785->787 787->782 787->789 788->787 788->789 789->782 797 c68825-c6882b GetLastError 789->797 799 c6885d-c68860 794->799 795->799 797->783
                        APIs
                        • FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,00C686F3,?,00CD61C0,0000000C,00C687A5,?,?,?), ref: 00C6881B
                        • GetLastError.KERNEL32(?,00C686F3,?,00CD61C0,0000000C,00C687A5,?,?,?), ref: 00C68825
                        • __dosmaperr.LIBCMT ref: 00C68850
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                        • String ID:
                        • API String ID: 490808831-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        • RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 00BBFFC8
                        • RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,00001000,00001000,?,?,qfmuK,_argtc,Jma_j,gb;+1,gb;+0,gb;+/,bcd_sjr), ref: 00BBFFE8
                        • RegCloseKey.KERNEL32(?,?,?,qfmuK,_argtc,Jma_j,gb;+1,gb;+0,gb;+/,bcd_sjr,af_llcj,npmbsar,?NNB?R?,NA?nnQrmpc,Tcpqgml), ref: 00BC001A
                        Similarity
                        • API ID: CloseCreateQueryValue
                        • String ID:
                        • API String ID: 4083198587-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 824 c6b64c-c6b65a GetEnvironmentStringsW 825 c6b660-c6b66f call c6b591 call c64cdb 824->825 826 c6b65c-c6b65e 824->826 831 c6b674-c6b67a 825->831 827 c6b697-c6b69b 826->827 832 c6b687-c6b696 _free FreeEnvironmentStringsW 831->832 833 c6b67c-c6b684 call c4b630 831->833 832->827 833->832
                        APIs
                        • GetEnvironmentStringsW.KERNEL32 ref: 00C6B650
                        • _free.LIBCMT ref: 00C6B689
                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C6B690
                        Similarity
                        • API ID: EnvironmentStrings$Free_free
                        • String ID:
                        • API String ID: 2716640707-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 836 c5a423-c5a433 DeleteFileW 837 c5a435-c5a446 GetLastError call c54468 836->837 838 c5a447-c5a44a 836->838
                        APIs
                        • DeleteFileW.KERNEL32(00C59A38,?,00C59A38,00000000,?,?,?,?,00BBEF37,00000000,?), ref: 00C5A42B
                        • GetLastError.KERNEL32(?,00C59A38,00000000,?,?,?,?,00BBEF37,00000000,?), ref: 00C5A435
                        • __dosmaperr.LIBCMT ref: 00C5A43C
                        Similarity
                        • API ID: DeleteErrorFileLast__dosmaperr
                        • String ID:
                        • API String ID: 1545401867-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 841 c34dbf-c34dc3 843 c34d29 841->843 844 c34d2c-c34d2e 841->844 843->844 845 c34d33-c34d40 844->845 846 c34d30 844->846 847 c34d4e-c34d50 845->847 846->845 848 c34d42-c34d44 847->848 849 c34d52-c34d5a 847->849 848->849 850 c34d46-c34d4d 848->850 851 c34d7f 849->851 852 c34d5c-c34d5e 849->852 850->847 853 c34d81-c34d84 851->853 854 c34d60-c34d62 852->854 855 c34d85-c34d8c call c34de5 852->855 854->855 857 c34d64-c34d76 call c34de5 854->857 858 c34d91-c34d98 855->858 857->855 864 c34d78 857->864 858->851 860 c34d9a-c34d9c 858->860 862 c34db2-c34db4 860->862 863 c34d9e-c34dad call c5529c 860->863 862->853 863->862 870 c34daf-c34db0 863->870 866 c34d79-c34d7e call c55e3d 864->866 866->851 870->866
                        APIs
                        Similarity
                        • API ID: Xfsopenstd::_
                        • String ID:
                        • API String ID: 2914972069-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        • GetLastError.KERNEL32(00CD5DE0,0000000C), ref: 00C5A45E
                        • ExitThread.KERNEL32 ref: 00C5A465
                        Similarity
                        • API ID: ErrorExitLastThread
                        • String ID:
                        • API String ID: 1611280651-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 890 c3914c-c39156 891 c61889-c61890 call c5cb24 890->891 892 c3915c-c3917a RtlEncodePointer 890->892 895 c61892-c61899 call c5cb72 891->895 896 c6189a-c618a1 891->896 895->896 897 c618c5-c618cc call c5a333 896->897 898 c618a3-c618ad IsProcessorFeaturePresent 896->898 900 c618b4-c618c2 call c54218 898->900 901 c618af-c618b2 898->901 900->897 901->900
                        APIs
                        • RtlEncodePointer.NTDLL(?,?,00C3465F,00C346A5,?,00C344BC,00000000,00000000,00000000,00000004,00BAD53B,00000001,00000000,00000000,00000004,00BB4683), ref: 00C3915F
                        • IsProcessorFeaturePresent.KERNEL32(00000017,00C64AEB,?,?,00C5A470,00CD5DE0,0000000C), ref: 00C618A5
                        Similarity
                        • API ID: EncodeFeaturePointerPresentProcessor
                        • String ID:
                        • API String ID: 4030241255-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 907 bae5ea-bae5f3 908 bae633-bae635 call bae5b5 907->908 909 bae5f5-bae60d MultiByteToWideChar 907->909 912 bae63a-bae63e 908->912 909->908 911 bae60f-bae631 call bae52b MultiByteToWideChar call bae58d 909->911 911->912
                        APIs
                        • MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,00000000,00000000,?,?,00BAC0F1), ref: 00BAE602
                        • MultiByteToWideChar.KERNEL32(00000003,00000000,-00000001,000000FF,00000000,-00000001,-00000001,?,?,00BAC0F1), ref: 00BAE623
                        Similarity
                        • API ID: ByteCharMultiWide
                        • String ID:
                        • API String ID: 626452242-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Similarity
                        • API ID: __wsopen_s
                        • String ID:
                        • API String ID: 3347428461-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00C63924: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00C64BD1,00000001,00000364,00000006,000000FF,?,?,00C544A3,00C639A7,?,?,00C6084E), ref: 00C63965
                        • _free.LIBCMT ref: 00C6A200
                        Similarity
                        • API ID: AllocateHeap_free
                        • String ID:
                        • API String ID: 614378929-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _free.LIBCMT ref: 00C59A44
                          • Part of subcall function 00C5A423: DeleteFileW.KERNEL32(00C59A38,?,00C59A38,00000000,?,?,?,?,00BBEF37,00000000,?), ref: 00C5A42B
                          • Part of subcall function 00C5A423: GetLastError.KERNEL32(?,00C59A38,00000000,?,?,?,?,00BBEF37,00000000,?), ref: 00C5A435
                          • Part of subcall function 00C5A423: __dosmaperr.LIBCMT ref: 00C5A43C
                        Similarity
                        • API ID: DeleteErrorFileLast__dosmaperr_free
                        • String ID:
                        • API String ID: 3353641461-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00C64BD1,00000001,00000364,00000006,000000FF,?,?,00C544A3,00C639A7,?,?,00C6084E), ref: 00C63965
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RtlAllocateHeap.NTDLL(00000000,?,?,?,00C5CDF2,00CD5E00,00000018,00000003,?,?,?,00CD5E20,00000028,00C61899,00000016,00C64AEB), ref: 00C64D0D
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::locale::_Init.LIBCPMT ref: 00BAD536
                          • Part of subcall function 00C3448A: std::_Lockit::_Lockit.LIBCPMT ref: 00C3449C
                          • Part of subcall function 00C3448A: std::locale::_Setgloballocale.LIBCPMT ref: 00C344B7
                          • Part of subcall function 00C3448A: std::_Lockit::~_Lockit.LIBCPMT ref: 00C3450D
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: Lockitstd::_std::locale::_$InitLockit::_Lockit::~_Setgloballocale
                        • String ID:
                        • API String ID: 161240809-0
                        • Opcode ID: 9667ddc4455ef9a9f0411d6081a075d4d79db8f2ccadb10660d5c02834b12c41
                        • Instruction ID: 8b599c61d298295cdf44ec3d9f6ff3c52d013a8dd166eefb06eccec475078382
                        • Opcode Fuzzy Hash: 9667ddc4455ef9a9f0411d6081a075d4d79db8f2ccadb10660d5c02834b12c41
                        • Instruction Fuzzy Hash: 70F0B7B1904B02ABE704AF6AC5C1644FAB4FF08704F94822EE54C97E81DBB5A5619BD8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateFileW.KERNEL32(00000000,00000000,?,00C729A2,?,?,00000000,?,00C729A2,00000000,0000000C), ref: 00C725CF
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        • Opcode ID: 838eda03357be7e787c13edbdb1ed4b3ae59682a8817fd25d25d735982ea4254
                        • Instruction ID: 6ab40acff710a24812d11d8993558fc29c47378d7e4527a0ef911affb879274c
                        • Opcode Fuzzy Hash: 838eda03357be7e787c13edbdb1ed4b3ae59682a8817fd25d25d735982ea4254
                        • Instruction Fuzzy Hash: 2DD06C3200010DBBDF128F84DD0AEDE3BAAFB48714F014000FA1856120C736E862AB94
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Non-executed Functions

                        C-Code - Quality: 25%
                        			E00C227B0(void* __ebx, void* __edi, void* __esi) {
                        				intOrPtr _v8;
                        				signed int _v12;
                        				char _v20;
                        				intOrPtr _v28;
                        				signed int _v32;
                        				char _v96;
                        				intOrPtr _v104;
                        				intOrPtr _v108;
                        				char _v112;
                        				char _v116;
                        				char _v144;
                        				struct _MEMORYSTATUS _v176;
                        				char _v472;
                        				char _v1020;
                        				long _v1024;
                        				char _v1028;
                        				struct HINSTANCE__* _v1032;
                        				_Unknown_base(*)()* _v1036;
                        				_Unknown_base(*)()* _v1040;
                        				char _v1044;
                        				_Unknown_base(*)()* _v1048;
                        				_Unknown_base(*)()* _v1052;
                        				_Unknown_base(*)()* _v1056;
                        				void* _v1060;
                        				_Unknown_base(*)()* _v1064;
                        				_Unknown_base(*)()* _v1068;
                        				char _v1072;
                        				_Unknown_base(*)()* _v1076;
                        				_Unknown_base(*)()* _v1080;
                        				_Unknown_base(*)()* _v1084;
                        				intOrPtr _v1088;
                        				intOrPtr _v1092;
                        				intOrPtr _v1096;
                        				intOrPtr* _v1100;
                        				intOrPtr _v1104;
                        				char _v1136;
                        				signed int _t179;
                        				signed int _t180;
                        				struct HINSTANCE__* _t184;
                        				struct HINSTANCE__* _t185;
                        				struct HINSTANCE__* _t186;
                        				intOrPtr* _t187;
                        				struct HINSTANCE__* _t188;
                        				struct HINSTANCE__* _t190;
                        				intOrPtr* _t214;
                        				intOrPtr* _t225;
                        				long _t268;
                        				struct HINSTANCE__* _t269;
                        				intOrPtr* _t273;
                        				intOrPtr* _t274;
                        				_Unknown_base(*)()* _t323;
                        				_Unknown_base(*)()* _t324;
                        				_Unknown_base(*)()* _t329;
                        				_Unknown_base(*)()* _t333;
                        				_Unknown_base(*)()* _t335;
                        				void* _t339;
                        				intOrPtr _t343;
                        				long _t345;
                        				intOrPtr _t346;
                        				intOrPtr* _t347;
                        				signed int _t348;
                        				void* _t349;
                        				intOrPtr _t350;
                        
                        				_push(0xfffffffe);
                        				_push(0xcd47b8);
                        				_push(E00C4C5F0);
                        				_push( *[fs:0x0]);
                        				_t350 = _t349 - 8;
                        				E00C33550();
                        				_t179 =  *0xcdaf54; // 0x8a028f78
                        				_v12 = _v12 ^ _t179;
                        				_t180 = _t179 ^ _t348;
                        				_v32 = _t180;
                        				_push(__esi);
                        				_push(__edi);
                        				_push(_t180);
                        				 *[fs:0x0] =  &_v20;
                        				_v28 = _t350;
                        				_v1044 = 0;
                        				_t335 = 0;
                        				_v1040 = LoadLibraryA("ADVAPI32.DLL");
                        				_v1032 = LoadLibraryA("KERNEL32.DLL");
                        				_t184 = LoadLibraryA("NETAPI32.DLL");
                        				_v1064 = _t184;
                        				_t323 = 0;
                        				_v1056 = 0;
                        				_v1024 = 0;
                        				_v1036 = 0;
                        				_v1048 = 0;
                        				_t333 = 0;
                        				_v1052 = 0;
                        				_t339 = GetProcAddress;
                        				if(_t184 != 0) {
                        					_v1048 = GetProcAddress(_t184, "NetStatisticsGet");
                        					_t333 = GetProcAddress(_v1064, "NetApiBufferFree");
                        					_v1052 = _t333;
                        					_t323 = _v1048;
                        				}
                        				if(_t323 != 0 && _t333 != 0) {
                        					_push( &_v1028);
                        					_push(0);
                        					_push(0);
                        					_push(L"LanmanServer");
                        					_push(0);
                        					if( *_v1048() == 0) {
                        						E00C33550();
                        						asm("movsd xmm0, [0xcb4a28]");
                        						asm("movsd [esp], xmm0");
                        						E00C03150(_t335, _v1028, 0x44);
                        						_t350 = _t350 + 0x10;
                        						_v1052(_v1028);
                        					}
                        				}
                        				_t185 = _v1064;
                        				if(_t185 != 0) {
                        					FreeLibrary(_t185);
                        				}
                        				_t186 = _v1040;
                        				if(_t186 == 0) {
                        					_t324 = 0;
                        				} else {
                        					_v1056 = GetProcAddress(_t186, "CryptAcquireContextW");
                        					_v1024 = GetProcAddress(_v1040, "CryptGenRandom");
                        					_t324 = GetProcAddress(_v1040, "CryptReleaseContext");
                        					_v1036 = _t324;
                        				}
                        				_t187 = _v1056;
                        				if(_t187 != 0 && _v1024 != _t335 && _t324 != 0) {
                        					_push(0xf0000000);
                        					_push(1);
                        					_push(0);
                        					_push(0);
                        					_push( &_v1044);
                        					if( *_t187() != 0) {
                        						_push( &_v96);
                        						_push(0x40);
                        						_push(_v1044);
                        						if(_v1024() != 0) {
                        							E00C33550();
                        							asm("xorps xmm0, xmm0");
                        							asm("movsd [esp], xmm0");
                        							E00C03150(_t335,  &_v96, 0x40);
                        							_t350 = _t350 + 0x10;
                        							_t335 = 1;
                        						}
                        						_v1036(_v1044, 0);
                        					}
                        					_push(0);
                        					_push(0x16);
                        					_push(L"Intel Hardware Cryptographic Service Provider");
                        					_push(0);
                        					_push( &_v1044);
                        					if( *_v1056() != 0) {
                        						_push( &_v96);
                        						_push(0x40);
                        						_push(_v1044);
                        						if(_v1024() != 0) {
                        							E00C33550();
                        							asm("movsd xmm0, [0xcb4a38]");
                        							asm("movsd [esp], xmm0");
                        							E00C03150(_t335,  &_v96, 0x40);
                        							_t350 = _t350 + 0x10;
                        							_t335 = 1;
                        						}
                        						_v1036(_v1044, 0);
                        					}
                        				}
                        				_v1092 = _t335;
                        				_t188 = _v1040;
                        				if(_t188 != 0) {
                        					FreeLibrary(_t188);
                        				}
                        				if(L00BDB950(_t335, _t339) == 0) {
                        					_t269 = LoadLibraryA("USER32.DLL");
                        					_v1036 = _t269;
                        					if(_t269 != 0) {
                        						_v1060 = GetProcAddress(_t269, "GetForegroundWindow");
                        						_v1068 = GetProcAddress(_v1036, "GetCursorInfo");
                        						_t347 = GetProcAddress(_v1036, "GetQueueStatus");
                        						_t273 = _v1060;
                        						if(_t273 != 0) {
                        							_v1060 =  *_t273();
                        							E00C33550();
                        							asm("xorps xmm0, xmm0");
                        							asm("movsd [esp], xmm0");
                        							E00C03150(_t335,  &_v1060, 4);
                        							_t350 = _t350 + 0x10;
                        						}
                        						_t274 = _v1068;
                        						if(_t274 != 0) {
                        							_v116 = 0x14;
                        							_push( &_v116);
                        							if( *_t274() != 0) {
                        								E00C33550();
                        								asm("movsd xmm0, [0xcb4a00]");
                        								asm("movsd [esp], xmm0");
                        								E00C03150(_t335,  &_v116, _v116);
                        								_t350 = _t350 + 0x10;
                        							}
                        						}
                        						if(_t347 != 0) {
                        							_v1072 =  *_t347(0xbf);
                        							E00C33550();
                        							asm("movsd xmm0, [0xc94e38]");
                        							asm("movsd [esp], xmm0");
                        							E00C03150(_t335,  &_v1072, 4);
                        							_t350 = _t350 + 0x10;
                        						}
                        						FreeLibrary(_v1036);
                        					}
                        				}
                        				_t190 = _v1032;
                        				if(_t190 == 0) {
                        					L87:
                        					E00C23110();
                        					GlobalMemoryStatus( &_v176);
                        					E00C33550();
                        					asm("movsd xmm0, [0xc94e38]");
                        					asm("movsd [esp], xmm0");
                        					E00C03150(_t335,  &_v176, 0x20);
                        					_v1072 = GetCurrentProcessId();
                        					E00C33550();
                        					asm("movsd xmm0, [0xc94e38]");
                        					asm("movsd [esp], xmm0");
                        					E00C03150(_t335,  &_v1072, 4);
                        					 *[fs:0x0] = _v20;
                        					return L00C32D6C(_v32 ^ _t348);
                        				} else {
                        					_v1024 = 0;
                        					_v1048 = 0;
                        					_v1036 = GetProcAddress(_t190, "CreateToolhelp32Snapshot");
                        					_v1100 = GetProcAddress(_v1032, "CloseToolhelp32Snapshot");
                        					_v1056 = GetProcAddress(_v1032, "Heap32First");
                        					_v1052 = GetProcAddress(_v1032, "Heap32Next");
                        					_v1064 = GetProcAddress(_v1032, "Heap32ListFirst");
                        					_v1040 = GetProcAddress(_v1032, "Heap32ListNext");
                        					_v1076 = GetProcAddress(_v1032, "Process32First");
                        					_v1080 = GetProcAddress(_v1032, "Process32Next");
                        					_v1084 = GetProcAddress(_v1032, "Thread32First");
                        					_v1068 = GetProcAddress(_v1032, "Thread32Next");
                        					_v1060 = GetProcAddress(_v1032, "Module32First");
                        					_t329 = GetProcAddress(_v1032, "Module32Next");
                        					_v1096 = _t329;
                        					_t214 = _v1036;
                        					if(_t214 == 0 || _v1056 == 0 || _v1052 == 0 || _v1064 == 0 || _v1040 == 0 || _v1076 == 0 || _v1080 == 0 || _v1084 == 0 || _v1068 == 0 || _v1060 == 0 || _t329 == 0) {
                        						L86:
                        						FreeLibrary(_v1032);
                        						goto L87;
                        					} else {
                        						_t343 =  *_t214(0xf, 0);
                        						_v1028 = _t343;
                        						if(_t343 == 0xffffffff) {
                        							goto L86;
                        						}
                        						asm("xorps xmm0, xmm0");
                        						asm("movups [ebp-0x6c], xmm0");
                        						_v112 = 0x10;
                        						if(_t335 != 0) {
                        							_t268 = GetTickCount();
                        							_v1024 = _t268;
                        							_v1048 = _t268;
                        						}
                        						_push( &_v112);
                        						_push(_t343);
                        						if(_v1064() == 0) {
                        							L64:
                        							_v472 = 0x128;
                        							if(_t335 != 0) {
                        								_v1024 = GetTickCount();
                        							}
                        							_push( &_v472);
                        							_push(_v1028);
                        							if(_v1076() == 0) {
                        								L70:
                        								_v144 = 0x1c;
                        								if(_t335 != 0) {
                        									_v1024 = GetTickCount();
                        								}
                        								_push( &_v144);
                        								_push(_v1028);
                        								if(_v1084() == 0) {
                        									L76:
                        									_v1020 = 0x224;
                        									if(_t335 != 0) {
                        										_v1024 = GetTickCount();
                        									}
                        									_push( &_v1020);
                        									_push(_v1028);
                        									if(_v1060() == 0) {
                        										L83:
                        										_t225 = _v1100;
                        										_push(_v1028);
                        										if(_t225 == 0) {
                        											CloseHandle();
                        										} else {
                        											 *_t225();
                        										}
                        										goto L86;
                        									} else {
                        										do {
                        											E00C33550();
                        											asm("movsd xmm0, [0xcb4a20]");
                        											asm("movsd [esp], xmm0");
                        											E00C03150(_t335,  &_v1020, _v1020);
                        											_t350 = _t350 + 0x10;
                        											_push( &_v1020);
                        											_push(_v1028);
                        										} while (_v1096() != 0 && (_t335 == 0 || GetTickCount() - _v1024 < 0x3e8));
                        										goto L83;
                        									}
                        								} else {
                        									do {
                        										E00C33550();
                        										asm("movsd xmm0, [0xcb4a18]");
                        										asm("movsd [esp], xmm0");
                        										E00C03150(_t335,  &_v144, _v144);
                        										_t350 = _t350 + 0x10;
                        										_push( &_v144);
                        										_push(_v1028);
                        									} while (_v1068() != 0 && (_t335 == 0 || GetTickCount() - _v1024 < 0x3e8));
                        									goto L76;
                        								}
                        							} else {
                        								do {
                        									E00C33550();
                        									asm("movsd xmm0, [0xcb4a20]");
                        									asm("movsd [esp], xmm0");
                        									E00C03150(_t335,  &_v472, _v472);
                        									_t350 = _t350 + 0x10;
                        									_push( &_v472);
                        									_push(_v1028);
                        								} while (_v1080() != 0 && (_t335 == 0 || GetTickCount() - _v1024 < 0x3e8));
                        								goto L70;
                        							}
                        						} else {
                        							_v1036 = 0x2a;
                        							do {
                        								E00C33550();
                        								asm("movsd xmm0, [0xcb4a08]");
                        								asm("movsd [esp], xmm0");
                        								E00C03150(_t335,  &_v112, _v112);
                        								_t350 = _t350 + 0x10;
                        								asm("wait");
                        								_v8 = 0;
                        								asm("xorps xmm0, xmm0");
                        								asm("movups [ebp-0x46c], xmm0");
                        								asm("movups [ebp-0x45c], xmm0");
                        								_v1104 = 0;
                        								_v1136 = 0x24;
                        								_push(_v104);
                        								_push(_v108);
                        								_push( &_v1136);
                        								if(_v1056() == 0) {
                        									goto L59;
                        								}
                        								_t346 = 0x50;
                        								_v1088 = 0x50;
                        								while(1) {
                        									E00C33550();
                        									asm("movsd xmm0, [0xcb4a10]");
                        									asm("movsd [esp], xmm0");
                        									E00C03150(_t335,  &_v1136, _v1136);
                        									_t350 = _t350 + 0x10;
                        									_push( &_v1136);
                        									if(_v1052() == 0 || _t335 != 0 && GetTickCount() - _v1024 >= 0x3e8) {
                        										goto L59;
                        									}
                        									_t346 = _t346 - 1;
                        									_v1088 = _t346;
                        									if(_t346 > 0) {
                        										continue;
                        									}
                        									goto L59;
                        								}
                        								L59:
                        								asm("wait");
                        								_v8 = 0xfffffffe;
                        								_t345 = _v1024;
                        								_push( &_v112);
                        								_push(_v1028);
                        							} while (_v1040() != 0 && (_t335 == 0 || GetTickCount() - _t345 < 0x3e8) && _v1036 > 0);
                        							goto L64;
                        						}
                        					}
                        				}
                        			}

                        0x00000000
                        0x00000000
                        0x00c22dea
                        0x00c22def
                        0x00c22df5
                        0x00c22dfa
                        0x00c22dff
                        0x00c22e07
                        0x00c22e19
                        0x00c22e1e
                        0x00c22e27
                        0x00c22e30
                        0x00000000
                        0x00000000
                        0x00c22e49
                        0x00c22e4a
                        0x00c22e52
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00c22e52
                        0x00c22e54
                        0x00c22e54
                        0x00c22e55
                        0x00c22e5c
                        0x00c22e8f
                        0x00c22e90
                        0x00c22e9c
                        0x00000000
                        0x00c22d80
                        0x00c22d6f
                        0x00c22ca4

                        APIs
                        • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00C22807
                        • LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 00C22814
                        • LoadLibraryA.KERNEL32(NETAPI32.DLL), ref: 00C22821
                        • GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 00C2285B
                        • GetProcAddress.KERNEL32(?,NetApiBufferFree), ref: 00C2286E
                        • FreeLibrary.KERNEL32(?), ref: 00C22938
                        • GetProcAddress.KERNEL32(?,CryptAcquireContextW), ref: 00C2294E
                        • GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 00C22961
                        • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00C22974
                        • FreeLibrary.KERNEL32(?), ref: 00C22A82
                        • LoadLibraryA.KERNEL32(USER32.DLL), ref: 00C22A9A
                        • GetProcAddress.KERNEL32(00000000,GetForegroundWindow), ref: 00C22AB4
                        • GetProcAddress.KERNEL32(?,GetCursorInfo), ref: 00C22AC7
                        • GetProcAddress.KERNEL32(?,GetQueueStatus), ref: 00C22ADA
                        • FreeLibrary.KERNEL32(?), ref: 00C22B93
                        • GetProcAddress.KERNEL32(?,CreateToolhelp32Snapshot), ref: 00C22BC1
                        • GetProcAddress.KERNEL32(?,CloseToolhelp32Snapshot), ref: 00C22BD4
                        • GetProcAddress.KERNEL32(?,Heap32First), ref: 00C22BE7
                        • GetProcAddress.KERNEL32(?,Heap32Next), ref: 00C22BFA
                        • GetProcAddress.KERNEL32(?,Heap32ListFirst), ref: 00C22C0D
                        • GetProcAddress.KERNEL32(?,Heap32ListNext), ref: 00C22C20
                        • GetProcAddress.KERNEL32(?,Process32First), ref: 00C22C33
                        • GetProcAddress.KERNEL32(?,Process32Next), ref: 00C22C46
                        • GetProcAddress.KERNEL32(?,Thread32First), ref: 00C22C59
                        • GetProcAddress.KERNEL32(?,Thread32Next), ref: 00C22C6C
                        • GetProcAddress.KERNEL32(?,Module32First), ref: 00C22C7F
                        • GetProcAddress.KERNEL32(?,Module32Next), ref: 00C22C92
                        • GetTickCount.KERNEL32 ref: 00C22D50
                        • GetTickCount.KERNEL32 ref: 00C22E36
                        • GetTickCount.KERNEL32 ref: 00C22EA4
                        • GetTickCount.KERNEL32 ref: 00C22ED4
                        • GetTickCount.KERNEL32 ref: 00C22F3A
                        • GetTickCount.KERNEL32 ref: 00C22F57
                        • GetTickCount.KERNEL32 ref: 00C22FBD
                        • GetTickCount.KERNEL32 ref: 00C22FDA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: AddressProc$CountTick$Library$Load$Free
                        • String ID: $$*$ADVAPI32.DLL$CloseToolhelp32Snapshot$CreateToolhelp32Snapshot$CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$GetCursorInfo$GetForegroundWindow$GetQueueStatus$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Intel Hardware Cryptographic Service Provider$KERNEL32.DLL$LanmanServer$LanmanWorkstation$Module32First$Module32Next$NETAPI32.DLL$NetApiBufferFree$NetStatisticsGet$Process32First$Process32Next$Thread32First$Thread32Next$USER32.DLL
                        • API String ID: 644204001-688639677
                        • Opcode ID: a033f0e6566ffee99c8385a5a8f5e7c6e62612b95776c261cf7ab78d19c82e52
                        • Instruction ID: 2eebc6fe62243409297224a271db48a9db1bb80487d70c2db4fb0a461f1033b3
                        • Opcode Fuzzy Hash: a033f0e6566ffee99c8385a5a8f5e7c6e62612b95776c261cf7ab78d19c82e52
                        • Instruction Fuzzy Hash: 45324AB0E502299BDB259F64DC45BADB7B8EF04700F0041EAA618B6591EB748F81DF68
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 97%
                        			E00BC4135(void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags) {
                        				short** _t544;
                        				long _t545;
                        				signed int _t547;
                        				signed int _t549;
                        				signed int _t551;
                        				signed int _t553;
                        				signed int _t555;
                        				signed int _t557;
                        				signed int _t559;
                        				signed int _t561;
                        				signed int _t563;
                        				signed int _t565;
                        				intOrPtr _t568;
                        				intOrPtr _t573;
                        				intOrPtr _t578;
                        				intOrPtr _t583;
                        				intOrPtr _t588;
                        				intOrPtr _t593;
                        				intOrPtr _t598;
                        				intOrPtr _t603;
                        				intOrPtr _t608;
                        				intOrPtr _t613;
                        				short** _t622;
                        				long _t623;
                        				intOrPtr* _t627;
                        				void* _t628;
                        				char* _t631;
                        				short** _t640;
                        				long _t641;
                        				intOrPtr* _t645;
                        				void* _t646;
                        				char* _t649;
                        				short** _t655;
                        				long _t656;
                        				intOrPtr* _t660;
                        				void* _t661;
                        				char* _t664;
                        				short** _t670;
                        				long _t671;
                        				intOrPtr* _t675;
                        				void* _t676;
                        				char* _t679;
                        				short** _t685;
                        				long _t686;
                        				intOrPtr* _t690;
                        				void* _t691;
                        				char* _t694;
                        				short** _t700;
                        				long _t701;
                        				intOrPtr* _t705;
                        				void* _t706;
                        				char* _t709;
                        				short** _t715;
                        				long _t716;
                        				intOrPtr* _t720;
                        				void* _t721;
                        				char* _t724;
                        				short** _t730;
                        				long _t731;
                        				intOrPtr* _t735;
                        				void* _t736;
                        				intOrPtr* _t752;
                        				intOrPtr* _t755;
                        				void* _t757;
                        				intOrPtr* _t763;
                        				intOrPtr* _t766;
                        				void* _t768;
                        				intOrPtr* _t774;
                        				intOrPtr* _t777;
                        				void* _t779;
                        				intOrPtr* _t785;
                        				intOrPtr* _t788;
                        				void* _t790;
                        				intOrPtr* _t796;
                        				intOrPtr* _t799;
                        				void* _t801;
                        				intOrPtr* _t807;
                        				intOrPtr* _t810;
                        				void* _t812;
                        				intOrPtr* _t818;
                        				intOrPtr* _t821;
                        				void* _t823;
                        				intOrPtr* _t829;
                        				intOrPtr* _t832;
                        				void* _t834;
                        				signed int _t843;
                        				void* _t854;
                        				void* _t908;
                        				void* _t912;
                        				void* _t921;
                        				void* _t925;
                        				void* _t932;
                        				void* _t936;
                        				void* _t943;
                        				void* _t947;
                        				void* _t954;
                        				void* _t958;
                        				void* _t965;
                        				void* _t969;
                        				void* _t976;
                        				void* _t980;
                        				void* _t987;
                        				void* _t991;
                        				void* _t1006;
                        				void* _t1008;
                        				void* _t1017;
                        				void* _t1019;
                        				void* _t1028;
                        				void* _t1030;
                        				void* _t1039;
                        				void* _t1041;
                        				void* _t1050;
                        				void* _t1052;
                        				void* _t1061;
                        				void* _t1063;
                        				void* _t1072;
                        				void* _t1074;
                        				void* _t1083;
                        				void* _t1085;
                        				signed int _t1098;
                        				long _t1101;
                        				int* _t1102;
                        				long _t1103;
                        				int* _t1104;
                        				long _t1105;
                        				int* _t1106;
                        				long _t1107;
                        				int* _t1108;
                        				long _t1109;
                        				int* _t1110;
                        				long _t1111;
                        				int* _t1112;
                        				long _t1113;
                        				int* _t1114;
                        				long _t1115;
                        				void* _t1116;
                        				void* _t1117;
                        				void* _t1118;
                        				void* _t1119;
                        				void* _t1120;
                        				void* _t1122;
                        				void* _t1123;
                        				void* _t1124;
                        				void* _t1126;
                        				void* _t1127;
                        				void* _t1128;
                        				void* _t1130;
                        				void* _t1131;
                        				void* _t1132;
                        				void* _t1134;
                        				void* _t1135;
                        				void* _t1136;
                        				void* _t1138;
                        				void* _t1139;
                        				void* _t1140;
                        				void* _t1142;
                        				void* _t1143;
                        				void* _t1144;
                        				void* _t1146;
                        				void* _t1147;
                        				void* _t1148;
                        				void* _t1150;
                        				void* _t1151;
                        				void* _t1152;
                        				void* _t1156;
                        				void* _t1158;
                        				void* _t1159;
                        				void* _t1161;
                        				void* _t1162;
                        				void* _t1164;
                        				void* _t1165;
                        				void* _t1167;
                        				void* _t1168;
                        				void* _t1170;
                        				void* _t1171;
                        				void* _t1173;
                        				void* _t1174;
                        				void* _t1176;
                        
                        				_t843 = __ecx;
                        				L00C8999C(0xc8f1e4, __ebx, __edi, __esi, 0x1d4);
                        				_t1095 = _t843;
                        				 *(_t1116 - 0xf0) = 7;
                        				_t839 = 0;
                        				 *((short*)(_t1116 - 0x104)) = 0;
                        				 *((intOrPtr*)(_t1116 - 0xf4)) = 0;
                        				E00BAC468(L"Qmdru_pcZZNA?nnQrmpc");
                        				_t1098 = 7;
                        				 *((intOrPtr*)(_t1116 - 4)) = 0;
                        				 *((intOrPtr*)(_t1116 - 0x1c)) = 0;
                        				 *(_t1116 - 0x18) = _t1098;
                        				 *((short*)(_t1116 - 0x2c)) = 0;
                        				E00BAC468(0xcc8f20);
                        				 *((char*)(_t1116 - 4)) = 1;
                        				 *((intOrPtr*)(_t1116 - 0xdc)) = 0;
                        				 *(_t1116 - 0xd8) = _t1098;
                        				 *((short*)(_t1116 - 0xec)) = 0;
                        				E00BAC468(L"_srm]qr_pr]ml");
                        				 *((char*)(_t1116 - 4)) = 2;
                        				 *((intOrPtr*)(_t1116 - 0xc4)) = 0;
                        				 *(_t1116 - 0xc0) = _t1098;
                        				 *((short*)(_t1116 - 0xd4)) = 0;
                        				E00BAC468(L"amlrcvrs_j]mddcpq");
                        				 *((char*)(_t1116 - 4)) = 3;
                        				 *((intOrPtr*)(_t1116 - 0xac)) = 0;
                        				 *(_t1116 - 0xa8) = _t1098;
                        				 *((short*)(_t1116 - 0xbc)) = 0;
                        				E00BAC468(L"f_pbu_pc]amjjcargle");
                        				 *((char*)(_t1116 - 4)) = 4;
                        				 *((intOrPtr*)(_t1116 - 0x94)) = 0;
                        				 *(_t1116 - 0x90) = _t1098;
                        				 *((short*)(_t1116 - 0xa4)) = 0;
                        				E00BAC468(L"qmdru_pc]amjjcargle");
                        				 *((char*)(_t1116 - 4)) = 5;
                        				 *((intOrPtr*)(_t1116 - 0x7c)) = 0;
                        				 *(_t1116 - 0x78) = _t1098;
                        				 *((short*)(_t1116 - 0x8c)) = 0;
                        				E00BAC468(L"`pmuqcp]qc_paf");
                        				 *((char*)(_t1116 - 4)) = 6;
                        				 *((intOrPtr*)(_t1116 - 0x64)) = 0;
                        				 *(_t1116 - 0x60) = _t1098;
                        				 *((short*)(_t1116 - 0x74)) = 0;
                        				E00BAC468(L"ncpgmbga_j]mddcpq");
                        				 *((char*)(_t1116 - 4)) = 7;
                        				 *((intOrPtr*)(_t1116 - 0x4c)) = 0;
                        				 *(_t1116 - 0x48) = _t1098;
                        				 *((short*)(_t1116 - 0x5c)) = 0;
                        				E00BAC468(L"ncpqmlgjgxcb]lmrgdga_rgmlq");
                        				 *((char*)(_t1116 - 4)) = 8;
                        				 *((intOrPtr*)(_t1116 - 0x34)) = 0;
                        				 *(_t1116 - 0x30) = _t1098;
                        				 *((short*)(_t1116 - 0x44)) = 0;
                        				E00BAC468(L"qc_paf]kcls");
                        				 *((char*)(_t1116 - 4)) = 9;
                        				_t1118 = _t1117 - 0x18;
                        				_t854 = _t1118;
                        				 *((intOrPtr*)(_t854 + 0x10)) = 0;
                        				 *((intOrPtr*)(_t854 + 0x14)) = 0;
                        				E00BAC48D(_t1116 - 0x104, _t854, _t1116 - 0x104);
                        				_t544 = L00BBEA0A(0, _t1116 - 0x1c8, _t843, _t1098);
                        				_t1119 = _t1118 + 0x18;
                        				 *((char*)(_t1116 - 4)) = 0xa;
                        				_t545 = RegOpenKeyExW(0x80000001,  *_t544, 0, 0x20019, _t1116 - 0x1dc);
                        				 *((char*)(_t1116 - 4)) = 9;
                        				_t1099 = _t545;
                        				E00BAE6AB(_t545,  *((intOrPtr*)(_t1116 - 0x1c8)) - 0x10);
                        				 *(_t1116 - 0x1d8) = 0;
                        				 *(_t1116 - 0x1e0) = 4;
                        				if(_t545 == 0) {
                        					_t1120 = _t1119 - 0x18;
                        					_t908 = _t1120;
                        					 *((intOrPtr*)(_t908 + 0x10)) = 0;
                        					 *((intOrPtr*)(_t908 + 0x14)) = 0;
                        					E00BAC48D(_t1116 - 0xec, _t908, _t1116 - 0xec);
                        					_t622 = L00BBEA0A(0, _t1116 - 0x1c8, _t1095, _t1099);
                        					 *((char*)(_t1116 - 4)) = 0xb;
                        					_t840 = RegQueryValueExW;
                        					_t623 = RegQueryValueExW( *(_t1116 - 0x1dc),  *_t622, 0, 0, _t1116 - 0x1d8, _t1116 - 0x1e0);
                        					 *((char*)(_t1116 - 4)) = 9;
                        					_t1101 = _t623;
                        					E00BAE6AB(_t623,  *((intOrPtr*)(_t1116 - 0x1c8)) - 0x10);
                        					_t1122 = _t1120 + 0x18 - 0x18;
                        					_t912 = _t1122;
                        					 *(_t912 + 0x10) =  *(_t912 + 0x10) & 0x00000000;
                        					 *(_t912 + 0x14) =  *(_t912 + 0x14) & 0x00000000;
                        					E00BAC48D(_t1116 - 0xec, _t912, _t1116 - 0xec);
                        					_t627 = L00BBEA0A(RegQueryValueExW, _t1116 - 0x1c8, _t1095, _t1101);
                        					_t1123 = _t1122 + 0x18;
                        					 *((char*)(_t1116 - 4)) = 0xc;
                        					_t628 = E00BAC01A(_t1116 - 0x11c,  *_t627);
                        					 *((char*)(_t1116 - 4)) = 0xe;
                        					E00BAE6AB(_t628,  *((intOrPtr*)(_t1116 - 0x1c8)) - 0x10);
                        					_t1179 = _t1101;
                        					if(_t1101 == 0) {
                        						_t631 = L00BC8B53(RegQueryValueExW, _t1095, _t1095, __eflags, _t1116 - 0x11c);
                        						_t1102 = 0;
                        						__eflags = 0;
                        						 *_t631 =  *(_t1116 - 0x1d8);
                        					} else {
                        						_t1174 = _t1123 - 0x18;
                        						_t1083 = _t1174;
                        						_t1102 = 0;
                        						 *((intOrPtr*)(_t1083 + 0x10)) = 0;
                        						 *((intOrPtr*)(_t1083 + 0x14)) = 0;
                        						E00BAC48D(_t1116 - 0xec, _t1083, _t1116 - 0xec);
                        						_t829 = L00BBEA0A(RegQueryValueExW, _t1116 - 0x1d4, _t1095, 0);
                        						 *((char*)(_t1116 - 4)) = 0xf;
                        						_t1176 = _t1174 + 0x18 - 0x18;
                        						_t1085 = _t1176;
                        						 *((intOrPtr*)(_t1085 + 0x10)) = 0;
                        						 *((intOrPtr*)(_t1085 + 0x14)) = 0;
                        						E00BAC48D(_t1116 - 0x2c, _t1085, _t1116 - 0x2c);
                        						_t832 = L00BBEA0A(RegQueryValueExW, _t1116 - 0x1cc, _t1095, 0);
                        						_t1123 = _t1176 + 0x18;
                        						 *((char*)(_t1116 - 4)) = 0x10;
                        						_t834 = E00BAE6AB(E00BA9179(_t1179,  *_t832,  *_t829),  *((intOrPtr*)(_t1116 - 0x1cc)) - 0x10);
                        						 *((char*)(_t1116 - 4)) = 0xe;
                        						E00BAE6AB(_t834,  *((intOrPtr*)(_t1116 - 0x1d4)) - 0x10);
                        						 *((intOrPtr*)(L00BC8B53(RegQueryValueExW, _t1095, _t1095, _t1179, _t1116 - 0x11c))) = 1;
                        					}
                        					L00BC3BE6(_t840, _t1095 & 0xffffff00 |  *((intOrPtr*)(L00BC8B1D(_t840, _t1095, _t1095, _t1179, _t1116 - 0x11c))) != _t1102, _t1095, _t1102,  *((intOrPtr*)(L00BC8B1D(_t840, _t1095, _t1095, _t1179, _t1116 - 0x11c))) - _t1102);
                        					_t1124 = _t1123 - 0x18;
                        					_t921 = _t1124;
                        					 *(_t921 + 0x10) = _t1102;
                        					 *(_t921 + 0x14) = _t1102;
                        					E00BAC48D(_t1116 - 0xd4, _t921, _t1116 - 0xd4);
                        					_t640 = L00BBEA0A(_t840, _t1116 - 0x1d4, _t1095, _t1102);
                        					 *((char*)(_t1116 - 4)) = 0x11;
                        					_t641 = RegQueryValueExW( *(_t1116 - 0x1dc),  *_t640, _t1102, _t1102, _t1116 - 0x1d8, _t1116 - 0x1e0);
                        					 *((char*)(_t1116 - 4)) = 0xe;
                        					_t1103 = _t641;
                        					E00BAE6AB(_t641,  *((intOrPtr*)(_t1116 - 0x1d4)) - 0x10);
                        					_t1126 = _t1124 + 0x18 - 0x18;
                        					_t925 = _t1126;
                        					 *(_t925 + 0x10) =  *(_t925 + 0x10) & 0x00000000;
                        					 *(_t925 + 0x14) =  *(_t925 + 0x14) & 0x00000000;
                        					E00BAC48D(_t1116 - 0xd4, _t925, _t1116 - 0xd4);
                        					_t645 = L00BBEA0A(_t840, _t1116 - 0x1d4, _t1095, _t1103);
                        					_t1127 = _t1126 + 0x18;
                        					 *((char*)(_t1116 - 4)) = 0x12;
                        					_t646 = E00BAC01A(_t1116 - 0x1c4,  *_t645);
                        					 *((char*)(_t1116 - 4)) = 0x14;
                        					E00BAE6AB(_t646,  *((intOrPtr*)(_t1116 - 0x1d4)) - 0x10);
                        					_t1181 = _t1103;
                        					if(_t1103 == 0) {
                        						_t649 = L00BC8B53(_t840, _t1095, _t1095, __eflags, _t1116 - 0x1c4);
                        						_t1104 = 0;
                        						__eflags = 0;
                        						 *_t649 =  *(_t1116 - 0x1d8);
                        					} else {
                        						_t1171 = _t1127 - 0x18;
                        						_t1072 = _t1171;
                        						_t1104 = 0;
                        						 *((intOrPtr*)(_t1072 + 0x10)) = 0;
                        						 *((intOrPtr*)(_t1072 + 0x14)) = 0;
                        						E00BAC48D(_t1116 - 0xd4, _t1072, _t1116 - 0xd4);
                        						_t818 = L00BBEA0A(_t840, _t1116 - 0x1cc, _t1095, 0);
                        						 *((char*)(_t1116 - 4)) = 0x15;
                        						_t1173 = _t1171 + 0x18 - 0x18;
                        						_t1074 = _t1173;
                        						 *((intOrPtr*)(_t1074 + 0x10)) = 0;
                        						 *((intOrPtr*)(_t1074 + 0x14)) = 0;
                        						E00BAC48D(_t1116 - 0x2c, _t1074, _t1116 - 0x2c);
                        						_t821 = L00BBEA0A(_t840, _t1116 - 0x1c8, _t1095, 0);
                        						_t1127 = _t1173 + 0x18;
                        						 *((char*)(_t1116 - 4)) = 0x16;
                        						_t823 = E00BAE6AB(E00BA9179(_t1181,  *_t821,  *_t818),  *((intOrPtr*)(_t1116 - 0x1c8)) - 0x10);
                        						 *((char*)(_t1116 - 4)) = 0x14;
                        						E00BAE6AB(_t823,  *((intOrPtr*)(_t1116 - 0x1cc)) - 0x10);
                        						 *((intOrPtr*)(L00BC8B53(_t840, _t1095, _t1095, _t1181, _t1116 - 0x1c4))) = 1;
                        					}
                        					_t1128 = _t1127 - 0x18;
                        					_t932 = _t1128;
                        					 *(_t932 + 0x10) = _t1104;
                        					 *(_t932 + 0x14) = _t1104;
                        					E00BAC48D(_t1116 - 0xbc, _t932, _t1116 - 0xbc);
                        					_t655 = L00BBEA0A(_t840, _t1116 - 0x1c8, _t1095, _t1104);
                        					 *((char*)(_t1116 - 4)) = 0x17;
                        					_t656 = RegQueryValueExW( *(_t1116 - 0x1dc),  *_t655, _t1104, _t1104, _t1116 - 0x1d8, _t1116 - 0x1e0);
                        					 *((char*)(_t1116 - 4)) = 0x14;
                        					_t1105 = _t656;
                        					E00BAE6AB(_t656,  *((intOrPtr*)(_t1116 - 0x1c8)) - 0x10);
                        					_t1130 = _t1128 + 0x18 - 0x18;
                        					_t936 = _t1130;
                        					 *(_t936 + 0x10) =  *(_t936 + 0x10) & 0x00000000;
                        					 *(_t936 + 0x14) =  *(_t936 + 0x14) & 0x00000000;
                        					E00BAC48D(_t1116 - 0xbc, _t936, _t1116 - 0xbc);
                        					_t660 = L00BBEA0A(_t840, _t1116 - 0x1c8, _t1095, _t1105);
                        					_t1131 = _t1130 + 0x18;
                        					 *((char*)(_t1116 - 4)) = 0x18;
                        					_t661 = E00BAC01A(_t1116 - 0x1ac,  *_t660);
                        					 *((char*)(_t1116 - 4)) = 0x1a;
                        					E00BAE6AB(_t661,  *((intOrPtr*)(_t1116 - 0x1c8)) - 0x10);
                        					_t1182 = _t1105;
                        					if(_t1105 == 0) {
                        						_t664 = L00BC8B53(_t840, _t1095, _t1095, __eflags, _t1116 - 0x1ac);
                        						_t1106 = 0;
                        						__eflags = 0;
                        						 *_t664 =  *(_t1116 - 0x1d8);
                        					} else {
                        						_t1168 = _t1131 - 0x18;
                        						_t1061 = _t1168;
                        						_t1106 = 0;
                        						 *((intOrPtr*)(_t1061 + 0x10)) = 0;
                        						 *((intOrPtr*)(_t1061 + 0x14)) = 0;
                        						E00BAC48D(_t1116 - 0xbc, _t1061, _t1116 - 0xbc);
                        						_t807 = L00BBEA0A(_t840, _t1116 - 0x1cc, _t1095, 0);
                        						 *((char*)(_t1116 - 4)) = 0x1b;
                        						_t1170 = _t1168 + 0x18 - 0x18;
                        						_t1063 = _t1170;
                        						 *((intOrPtr*)(_t1063 + 0x10)) = 0;
                        						 *((intOrPtr*)(_t1063 + 0x14)) = 0;
                        						E00BAC48D(_t1116 - 0x2c, _t1063, _t1116 - 0x2c);
                        						_t810 = L00BBEA0A(_t840, _t1116 - 0x1d4, _t1095, 0);
                        						_t1131 = _t1170 + 0x18;
                        						 *((char*)(_t1116 - 4)) = 0x1c;
                        						_t812 = E00BAE6AB(E00BA9179(_t1182,  *_t810,  *_t807),  *((intOrPtr*)(_t1116 - 0x1d4)) - 0x10);
                        						 *((char*)(_t1116 - 4)) = 0x1a;
                        						E00BAE6AB(_t812,  *((intOrPtr*)(_t1116 - 0x1cc)) - 0x10);
                        						 *((intOrPtr*)(L00BC8B53(_t840, _t1095, _t1095, _t1182, _t1116 - 0x1ac))) = 1;
                        					}
                        					_t1132 = _t1131 - 0x18;
                        					_t943 = _t1132;
                        					 *(_t943 + 0x10) = _t1106;
                        					 *(_t943 + 0x14) = _t1106;
                        					E00BAC48D(_t1116 - 0xa4, _t943, _t1116 - 0xa4);
                        					_t670 = L00BBEA0A(_t840, _t1116 - 0x1d4, _t1095, _t1106);
                        					 *((char*)(_t1116 - 4)) = 0x1d;
                        					_t671 = RegQueryValueExW( *(_t1116 - 0x1dc),  *_t670, _t1106, _t1106, _t1116 - 0x1d8, _t1116 - 0x1e0);
                        					 *((char*)(_t1116 - 4)) = 0x1a;
                        					_t1107 = _t671;
                        					E00BAE6AB(_t671,  *((intOrPtr*)(_t1116 - 0x1d4)) - 0x10);
                        					_t1134 = _t1132 + 0x18 - 0x18;
                        					_t947 = _t1134;
                        					 *(_t947 + 0x10) =  *(_t947 + 0x10) & 0x00000000;
                        					 *(_t947 + 0x14) =  *(_t947 + 0x14) & 0x00000000;
                        					E00BAC48D(_t1116 - 0xa4, _t947, _t1116 - 0xa4);
                        					_t675 = L00BBEA0A(_t840, _t1116 - 0x1d4, _t1095, _t1107);
                        					_t1135 = _t1134 + 0x18;
                        					 *((char*)(_t1116 - 4)) = 0x1e;
                        					_t676 = E00BAC01A(_t1116 - 0x194,  *_t675);
                        					 *((char*)(_t1116 - 4)) = 0x20;
                        					E00BAE6AB(_t676,  *((intOrPtr*)(_t1116 - 0x1d4)) - 0x10);
                        					_t1183 = _t1107;
                        					if(_t1107 == 0) {
                        						_t679 = L00BC8B53(_t840, _t1095, _t1095, __eflags, _t1116 - 0x194);
                        						_t1108 = 0;
                        						__eflags = 0;
                        						 *_t679 =  *(_t1116 - 0x1d8);
                        					} else {
                        						_t1165 = _t1135 - 0x18;
                        						_t1050 = _t1165;
                        						_t1108 = 0;
                        						 *((intOrPtr*)(_t1050 + 0x10)) = 0;
                        						 *((intOrPtr*)(_t1050 + 0x14)) = 0;
                        						E00BAC48D(_t1116 - 0xa4, _t1050, _t1116 - 0xa4);
                        						_t796 = L00BBEA0A(_t840, _t1116 - 0x1cc, _t1095, 0);
                        						 *((char*)(_t1116 - 4)) = 0x21;
                        						_t1167 = _t1165 + 0x18 - 0x18;
                        						_t1052 = _t1167;
                        						 *((intOrPtr*)(_t1052 + 0x10)) = 0;
                        						 *((intOrPtr*)(_t1052 + 0x14)) = 0;
                        						E00BAC48D(_t1116 - 0x2c, _t1052, _t1116 - 0x2c);
                        						_t799 = L00BBEA0A(_t840, _t1116 - 0x1c8, _t1095, 0);
                        						_t1135 = _t1167 + 0x18;
                        						 *((char*)(_t1116 - 4)) = 0x22;
                        						_t801 = E00BAE6AB(E00BA9179(_t1183,  *_t799,  *_t796),  *((intOrPtr*)(_t1116 - 0x1c8)) - 0x10);
                        						 *((char*)(_t1116 - 4)) = 0x20;
                        						E00BAE6AB(_t801,  *((intOrPtr*)(_t1116 - 0x1cc)) - 0x10);
                        						 *((intOrPtr*)(L00BC8B53(_t840, _t1095, _t1095, _t1183, _t1116 - 0x194))) = 1;
                        					}
                        					_t1136 = _t1135 - 0x18;
                        					_t954 = _t1136;
                        					 *(_t954 + 0x10) = _t1108;
                        					 *(_t954 + 0x14) = _t1108;
                        					E00BAC48D(_t1116 - 0x8c, _t954, _t1116 - 0x8c);
                        					_t685 = L00BBEA0A(_t840, _t1116 - 0x1c8, _t1095, _t1108);
                        					 *((char*)(_t1116 - 4)) = 0x23;
                        					_t686 = RegQueryValueExW( *(_t1116 - 0x1dc),  *_t685, _t1108, _t1108, _t1116 - 0x1d8, _t1116 - 0x1e0);
                        					 *((char*)(_t1116 - 4)) = 0x20;
                        					_t1109 = _t686;
                        					E00BAE6AB(_t686,  *((intOrPtr*)(_t1116 - 0x1c8)) - 0x10);
                        					_t1138 = _t1136 + 0x18 - 0x18;
                        					_t958 = _t1138;
                        					 *(_t958 + 0x10) =  *(_t958 + 0x10) & 0x00000000;
                        					 *(_t958 + 0x14) =  *(_t958 + 0x14) & 0x00000000;
                        					E00BAC48D(_t1116 - 0x8c, _t958, _t1116 - 0x8c);
                        					_t690 = L00BBEA0A(_t840, _t1116 - 0x1c8, _t1095, _t1109);
                        					_t1139 = _t1138 + 0x18;
                        					 *((char*)(_t1116 - 4)) = 0x24;
                        					_t691 = E00BAC01A(_t1116 - 0x17c,  *_t690);
                        					 *((char*)(_t1116 - 4)) = 0x26;
                        					E00BAE6AB(_t691,  *((intOrPtr*)(_t1116 - 0x1c8)) - 0x10);
                        					_t1184 = _t1109;
                        					if(_t1109 == 0) {
                        						_t694 = L00BC8B53(_t840, _t1095, _t1095, __eflags, _t1116 - 0x17c);
                        						_t1110 = 0;
                        						__eflags = 0;
                        						 *_t694 =  *(_t1116 - 0x1d8);
                        					} else {
                        						_t1162 = _t1139 - 0x18;
                        						_t1039 = _t1162;
                        						_t1110 = 0;
                        						 *((intOrPtr*)(_t1039 + 0x10)) = 0;
                        						 *((intOrPtr*)(_t1039 + 0x14)) = 0;
                        						E00BAC48D(_t1116 - 0x8c, _t1039, _t1116 - 0x8c);
                        						_t785 = L00BBEA0A(_t840, _t1116 - 0x1cc, _t1095, 0);
                        						 *((char*)(_t1116 - 4)) = 0x27;
                        						_t1164 = _t1162 + 0x18 - 0x18;
                        						_t1041 = _t1164;
                        						 *((intOrPtr*)(_t1041 + 0x10)) = 0;
                        						 *((intOrPtr*)(_t1041 + 0x14)) = 0;
                        						E00BAC48D(_t1116 - 0x2c, _t1041, _t1116 - 0x2c);
                        						_t788 = L00BBEA0A(_t840, _t1116 - 0x1d4, _t1095, 0);
                        						_t1139 = _t1164 + 0x18;
                        						 *((char*)(_t1116 - 4)) = 0x28;
                        						_t790 = E00BAE6AB(E00BA9179(_t1184,  *_t788,  *_t785),  *((intOrPtr*)(_t1116 - 0x1d4)) - 0x10);
                        						 *((char*)(_t1116 - 4)) = 0x26;
                        						E00BAE6AB(_t790,  *((intOrPtr*)(_t1116 - 0x1cc)) - 0x10);
                        						 *((intOrPtr*)(L00BC8B53(_t840, _t1095, _t1095, _t1184, _t1116 - 0x17c))) = 1;
                        					}
                        					_t1140 = _t1139 - 0x18;
                        					_t965 = _t1140;
                        					 *(_t965 + 0x10) = _t1110;
                        					 *(_t965 + 0x14) = _t1110;
                        					E00BAC48D(_t1116 - 0x74, _t965, _t1116 - 0x74);
                        					_t700 = L00BBEA0A(_t840, _t1116 - 0x1d4, _t1095, _t1110);
                        					 *((char*)(_t1116 - 4)) = 0x29;
                        					_t701 = RegQueryValueExW( *(_t1116 - 0x1dc),  *_t700, _t1110, _t1110, _t1116 - 0x1d8, _t1116 - 0x1e0);
                        					 *((char*)(_t1116 - 4)) = 0x26;
                        					_t1111 = _t701;
                        					E00BAE6AB(_t701,  *((intOrPtr*)(_t1116 - 0x1d4)) - 0x10);
                        					_t1142 = _t1140 + 0x18 - 0x18;
                        					_t969 = _t1142;
                        					 *(_t969 + 0x10) =  *(_t969 + 0x10) & 0x00000000;
                        					 *(_t969 + 0x14) =  *(_t969 + 0x14) & 0x00000000;
                        					E00BAC48D(_t1116 - 0x74, _t969, _t1116 - 0x74);
                        					_t705 = L00BBEA0A(_t840, _t1116 - 0x1d4, _t1095, _t1111);
                        					_t1143 = _t1142 + 0x18;
                        					 *((char*)(_t1116 - 4)) = 0x2a;
                        					_t706 = E00BAC01A(_t1116 - 0x164,  *_t705);
                        					 *((char*)(_t1116 - 4)) = 0x2c;
                        					E00BAE6AB(_t706,  *((intOrPtr*)(_t1116 - 0x1d4)) - 0x10);
                        					_t1185 = _t1111;
                        					if(_t1111 == 0) {
                        						_t709 = L00BC8B53(_t840, _t1095, _t1095, __eflags, _t1116 - 0x164);
                        						_t1112 = 0;
                        						__eflags = 0;
                        						 *_t709 =  *(_t1116 - 0x1d8);
                        					} else {
                        						_t1159 = _t1143 - 0x18;
                        						_t1028 = _t1159;
                        						_t1112 = 0;
                        						 *((intOrPtr*)(_t1028 + 0x10)) = 0;
                        						 *((intOrPtr*)(_t1028 + 0x14)) = 0;
                        						E00BAC48D(_t1116 - 0x74, _t1028, _t1116 - 0x74);
                        						_t774 = L00BBEA0A(_t840, _t1116 - 0x1cc, _t1095, 0);
                        						 *((char*)(_t1116 - 4)) = 0x2d;
                        						_t1161 = _t1159 + 0x18 - 0x18;
                        						_t1030 = _t1161;
                        						 *((intOrPtr*)(_t1030 + 0x10)) = 0;
                        						 *((intOrPtr*)(_t1030 + 0x14)) = 0;
                        						E00BAC48D(_t1116 - 0x2c, _t1030, _t1116 - 0x2c);
                        						_t777 = L00BBEA0A(_t840, _t1116 - 0x1c8, _t1095, 0);
                        						_t1143 = _t1161 + 0x18;
                        						 *((char*)(_t1116 - 4)) = 0x2e;
                        						_t779 = E00BAE6AB(E00BA9179(_t1185,  *_t777,  *_t774),  *((intOrPtr*)(_t1116 - 0x1c8)) - 0x10);
                        						 *((char*)(_t1116 - 4)) = 0x2c;
                        						E00BAE6AB(_t779,  *((intOrPtr*)(_t1116 - 0x1cc)) - 0x10);
                        						 *((intOrPtr*)(L00BC8B53(_t840, _t1095, _t1095, _t1185, _t1116 - 0x164))) = 0;
                        					}
                        					_t1144 = _t1143 - 0x18;
                        					_t976 = _t1144;
                        					 *(_t976 + 0x10) = _t1112;
                        					 *(_t976 + 0x14) = _t1112;
                        					E00BAC48D(_t1116 - 0x5c, _t976, _t1116 - 0x5c);
                        					_t715 = L00BBEA0A(_t840, _t1116 - 0x1c8, _t1095, _t1112);
                        					 *((char*)(_t1116 - 4)) = 0x2f;
                        					_t716 = RegQueryValueExW( *(_t1116 - 0x1dc),  *_t715, _t1112, _t1112, _t1116 - 0x1d8, _t1116 - 0x1e0);
                        					 *((char*)(_t1116 - 4)) = 0x2c;
                        					_t1113 = _t716;
                        					E00BAE6AB(_t716,  *((intOrPtr*)(_t1116 - 0x1c8)) - 0x10);
                        					_t1146 = _t1144 + 0x18 - 0x18;
                        					_t980 = _t1146;
                        					 *(_t980 + 0x10) =  *(_t980 + 0x10) & 0x00000000;
                        					 *(_t980 + 0x14) =  *(_t980 + 0x14) & 0x00000000;
                        					E00BAC48D(_t1116 - 0x5c, _t980, _t1116 - 0x5c);
                        					_t720 = L00BBEA0A(_t840, _t1116 - 0x1c8, _t1095, _t1113);
                        					_t1147 = _t1146 + 0x18;
                        					 *((char*)(_t1116 - 4)) = 0x30;
                        					_t721 = E00BAC01A(_t1116 - 0x14c,  *_t720);
                        					 *((char*)(_t1116 - 4)) = 0x32;
                        					E00BAE6AB(_t721,  *((intOrPtr*)(_t1116 - 0x1c8)) - 0x10);
                        					_t1186 = _t1113;
                        					if(_t1113 == 0) {
                        						_t724 = L00BC8B53(_t840, _t1095, _t1095, __eflags, _t1116 - 0x14c);
                        						_t1114 = 0;
                        						__eflags = 0;
                        						 *_t724 =  *(_t1116 - 0x1d8);
                        					} else {
                        						_t1156 = _t1147 - 0x18;
                        						_t1017 = _t1156;
                        						_t1114 = 0;
                        						 *((intOrPtr*)(_t1017 + 0x10)) = 0;
                        						 *((intOrPtr*)(_t1017 + 0x14)) = 0;
                        						E00BAC48D(_t1116 - 0x5c, _t1017, _t1116 - 0x5c);
                        						_t763 = L00BBEA0A(_t840, _t1116 - 0x1cc, _t1095, 0);
                        						 *((char*)(_t1116 - 4)) = 0x33;
                        						_t1158 = _t1156 + 0x18 - 0x18;
                        						_t1019 = _t1158;
                        						 *((intOrPtr*)(_t1019 + 0x10)) = 0;
                        						 *((intOrPtr*)(_t1019 + 0x14)) = 0;
                        						E00BAC48D(_t1116 - 0x2c, _t1019, _t1116 - 0x2c);
                        						_t766 = L00BBEA0A(_t840, _t1116 - 0x1d4, _t1095, 0);
                        						_t1147 = _t1158 + 0x18;
                        						 *((char*)(_t1116 - 4)) = 0x34;
                        						_t768 = E00BAE6AB(E00BA9179(_t1186,  *_t766,  *_t763),  *((intOrPtr*)(_t1116 - 0x1d4)) - 0x10);
                        						 *((char*)(_t1116 - 4)) = 0x32;
                        						E00BAE6AB(_t768,  *((intOrPtr*)(_t1116 - 0x1cc)) - 0x10);
                        						 *((intOrPtr*)(L00BC8B53(_t840, _t1095, _t1095, _t1186, _t1116 - 0x14c))) = 0;
                        					}
                        					_t1148 = _t1147 - 0x18;
                        					_t987 = _t1148;
                        					 *(_t987 + 0x10) = _t1114;
                        					 *(_t987 + 0x14) = _t1114;
                        					E00BAC48D(_t1116 - 0x44, _t987, _t1116 - 0x44);
                        					_t730 = L00BBEA0A(_t840, _t1116 - 0x1d4, _t1095, _t1114);
                        					 *((char*)(_t1116 - 4)) = 0x35;
                        					_t731 = RegQueryValueExW( *(_t1116 - 0x1dc),  *_t730, _t1114, _t1114, _t1116 - 0x1d8, _t1116 - 0x1e0);
                        					 *((char*)(_t1116 - 4)) = 0x32;
                        					_t1115 = _t731;
                        					E00BAE6AB(_t731,  *((intOrPtr*)(_t1116 - 0x1d4)) - 0x10);
                        					_t1150 = _t1148 + 0x18 - 0x18;
                        					_t991 = _t1150;
                        					 *((intOrPtr*)(_t991 + 0x10)) = 0;
                        					 *((intOrPtr*)(_t991 + 0x14)) = 0;
                        					E00BAC48D(_t1116 - 0x44, _t991, _t1116 - 0x44);
                        					_t735 = L00BBEA0A(0, _t1116 - 0x1d4, _t1095, _t1115);
                        					_t1151 = _t1150 + 0x18;
                        					 *((char*)(_t1116 - 4)) = 0x36;
                        					_t736 = E00BAC01A(_t1116 - 0x134,  *_t735);
                        					 *((char*)(_t1116 - 4)) = 0x38;
                        					E00BAE6AB(_t736,  *((intOrPtr*)(_t1116 - 0x1d4)) - 0x10);
                        					_t1187 = _t1115;
                        					if(_t1115 == 0) {
                        						 *(L00BC8B53(0, _t1095, _t1095, __eflags, _t1116 - 0x134)) =  *(_t1116 - 0x1d8);
                        					} else {
                        						_t1152 = _t1151 - 0x18;
                        						_t1006 = _t1152;
                        						 *((intOrPtr*)(_t1006 + 0x10)) = 0;
                        						 *((intOrPtr*)(_t1006 + 0x14)) = 0;
                        						E00BAC48D(_t1116 - 0x44, _t1006, _t1116 - 0x44);
                        						_t752 = L00BBEA0A(0, _t1116 - 0x1cc, _t1095, _t1115);
                        						 *((char*)(_t1116 - 4)) = 0x39;
                        						_t1008 = _t1152 + 0x18 - 0x18;
                        						 *((intOrPtr*)(_t1008 + 0x10)) = 0;
                        						 *((intOrPtr*)(_t1008 + 0x14)) = 0;
                        						E00BAC48D(_t1116 - 0x2c, _t1008, _t1116 - 0x2c);
                        						_t755 = L00BBEA0A(0, _t1116 - 0x1c8, _t1095, _t1115);
                        						 *((char*)(_t1116 - 4)) = 0x3a;
                        						_t757 = E00BAE6AB(E00BA9179(_t1187,  *_t755,  *_t752),  *((intOrPtr*)(_t1116 - 0x1c8)) - 0x10);
                        						 *((char*)(_t1116 - 4)) = 0x38;
                        						E00BAE6AB(_t757,  *((intOrPtr*)(_t1116 - 0x1cc)) - 0x10);
                        						 *((intOrPtr*)(L00BC8B53(0, _t1095, _t1095, _t1187, _t1116 - 0x134))) = 0;
                        					}
                        					RegCloseKey( *(_t1116 - 0x1dc));
                        					E00BAE71B(_t1116 - 0x134);
                        					E00BAE71B(_t1116 - 0x14c);
                        					E00BAE71B(_t1116 - 0x164);
                        					E00BAE71B(_t1116 - 0x17c);
                        					E00BAE71B(_t1116 - 0x194);
                        					E00BAE71B(_t1116 - 0x1ac);
                        					E00BAE71B(_t1116 - 0x1c4);
                        					E00BAE71B(_t1116 - 0x11c);
                        					_t839 = 1;
                        				}
                        				_t547 =  *(_t1116 - 0x30);
                        				if(_t547 >= 8) {
                        					_t903 =  *((intOrPtr*)(_t1116 - 0x44));
                        					_t613 = 2 + _t547 * 2;
                        					 *((intOrPtr*)(_t1116 - 0x1cc)) = _t613;
                        					 *((intOrPtr*)(_t1116 - 0x1c8)) =  *((intOrPtr*)(_t1116 - 0x44));
                        					if(_t613 >= 0x1000) {
                        						E00BAE6CD(_t839, 0x1000, _t1116, _t1116 - 0x1c8, _t1116 - 0x1cc);
                        						_t613 =  *((intOrPtr*)(_t1116 - 0x1cc));
                        						_t903 =  *((intOrPtr*)(_t1116 - 0x1c8));
                        					}
                        					_push(_t613);
                        					L00C32F7D(_t903);
                        				}
                        				 *(_t1116 - 0x30) = 7;
                        				 *((short*)(_t1116 - 0x44)) = 0;
                        				_t549 =  *(_t1116 - 0x48);
                        				 *((intOrPtr*)(_t1116 - 0x34)) = 0;
                        				if(_t549 >= 8) {
                        					_t898 =  *((intOrPtr*)(_t1116 - 0x5c));
                        					_t608 = 2 + _t549 * 2;
                        					 *((intOrPtr*)(_t1116 - 0x1c8)) = _t608;
                        					 *((intOrPtr*)(_t1116 - 0x1cc)) =  *((intOrPtr*)(_t1116 - 0x5c));
                        					if(_t608 >= 0x1000) {
                        						E00BAE6CD(_t839, 0x1000, _t1116, _t1116 - 0x1cc, _t1116 - 0x1c8);
                        						_t608 =  *((intOrPtr*)(_t1116 - 0x1c8));
                        						_t898 =  *((intOrPtr*)(_t1116 - 0x1cc));
                        					}
                        					_push(_t608);
                        					L00C32F7D(_t898);
                        				}
                        				 *((intOrPtr*)(_t1116 - 0x4c)) = 0;
                        				 *((short*)(_t1116 - 0x5c)) = 0;
                        				_t551 =  *(_t1116 - 0x60);
                        				 *(_t1116 - 0x48) = 7;
                        				if(_t551 >= 8) {
                        					_t893 =  *((intOrPtr*)(_t1116 - 0x74));
                        					_t603 = 2 + _t551 * 2;
                        					 *((intOrPtr*)(_t1116 - 0x1c8)) = _t603;
                        					 *((intOrPtr*)(_t1116 - 0x1cc)) =  *((intOrPtr*)(_t1116 - 0x74));
                        					if(_t603 >= 0x1000) {
                        						E00BAE6CD(_t839, 0x1000, _t1116, _t1116 - 0x1cc, _t1116 - 0x1c8);
                        						_t603 =  *((intOrPtr*)(_t1116 - 0x1c8));
                        						_t893 =  *((intOrPtr*)(_t1116 - 0x1cc));
                        					}
                        					_push(_t603);
                        					L00C32F7D(_t893);
                        				}
                        				 *((intOrPtr*)(_t1116 - 0x64)) = 0;
                        				 *((short*)(_t1116 - 0x74)) = 0;
                        				_t553 =  *(_t1116 - 0x78);
                        				 *(_t1116 - 0x60) = 7;
                        				if(_t553 >= 8) {
                        					_t888 =  *((intOrPtr*)(_t1116 - 0x8c));
                        					_t598 = 2 + _t553 * 2;
                        					 *((intOrPtr*)(_t1116 - 0x1c8)) = _t598;
                        					 *((intOrPtr*)(_t1116 - 0x1cc)) =  *((intOrPtr*)(_t1116 - 0x8c));
                        					if(_t598 >= 0x1000) {
                        						E00BAE6CD(_t839, 0x1000, _t1116, _t1116 - 0x1cc, _t1116 - 0x1c8);
                        						_t598 =  *((intOrPtr*)(_t1116 - 0x1c8));
                        						_t888 =  *((intOrPtr*)(_t1116 - 0x1cc));
                        					}
                        					_push(_t598);
                        					L00C32F7D(_t888);
                        				}
                        				 *((intOrPtr*)(_t1116 - 0x7c)) = 0;
                        				 *((short*)(_t1116 - 0x8c)) = 0;
                        				_t555 =  *(_t1116 - 0x90);
                        				 *(_t1116 - 0x78) = 7;
                        				if(_t555 >= 8) {
                        					_t883 =  *((intOrPtr*)(_t1116 - 0xa4));
                        					_t593 = 2 + _t555 * 2;
                        					 *((intOrPtr*)(_t1116 - 0x1c8)) = _t593;
                        					 *((intOrPtr*)(_t1116 - 0x1cc)) =  *((intOrPtr*)(_t1116 - 0xa4));
                        					if(_t593 >= 0x1000) {
                        						E00BAE6CD(_t839, 0x1000, _t1116, _t1116 - 0x1cc, _t1116 - 0x1c8);
                        						_t593 =  *((intOrPtr*)(_t1116 - 0x1c8));
                        						_t883 =  *((intOrPtr*)(_t1116 - 0x1cc));
                        					}
                        					_push(_t593);
                        					L00C32F7D(_t883);
                        				}
                        				 *((intOrPtr*)(_t1116 - 0x94)) = 0;
                        				 *((short*)(_t1116 - 0xa4)) = 0;
                        				_t557 =  *(_t1116 - 0xa8);
                        				 *(_t1116 - 0x90) = 7;
                        				if(_t557 >= 8) {
                        					_t878 =  *((intOrPtr*)(_t1116 - 0xbc));
                        					_t588 = 2 + _t557 * 2;
                        					 *((intOrPtr*)(_t1116 - 0x1c8)) = _t588;
                        					 *((intOrPtr*)(_t1116 - 0x1cc)) =  *((intOrPtr*)(_t1116 - 0xbc));
                        					if(_t588 >= 0x1000) {
                        						E00BAE6CD(_t839, 0x1000, _t1116, _t1116 - 0x1cc, _t1116 - 0x1c8);
                        						_t588 =  *((intOrPtr*)(_t1116 - 0x1c8));
                        						_t878 =  *((intOrPtr*)(_t1116 - 0x1cc));
                        					}
                        					_push(_t588);
                        					L00C32F7D(_t878);
                        				}
                        				 *((intOrPtr*)(_t1116 - 0xac)) = 0;
                        				 *((short*)(_t1116 - 0xbc)) = 0;
                        				_t559 =  *(_t1116 - 0xc0);
                        				 *(_t1116 - 0xa8) = 7;
                        				if(_t559 >= 8) {
                        					_t873 =  *((intOrPtr*)(_t1116 - 0xd4));
                        					_t583 = 2 + _t559 * 2;
                        					 *((intOrPtr*)(_t1116 - 0x1c8)) = _t583;
                        					 *((intOrPtr*)(_t1116 - 0x1cc)) =  *((intOrPtr*)(_t1116 - 0xd4));
                        					if(_t583 >= 0x1000) {
                        						E00BAE6CD(_t839, 0x1000, _t1116, _t1116 - 0x1cc, _t1116 - 0x1c8);
                        						_t583 =  *((intOrPtr*)(_t1116 - 0x1c8));
                        						_t873 =  *((intOrPtr*)(_t1116 - 0x1cc));
                        					}
                        					_push(_t583);
                        					L00C32F7D(_t873);
                        				}
                        				 *((intOrPtr*)(_t1116 - 0xc4)) = 0;
                        				 *((short*)(_t1116 - 0xd4)) = 0;
                        				_t561 =  *(_t1116 - 0xd8);
                        				 *(_t1116 - 0xc0) = 7;
                        				if(_t561 >= 8) {
                        					_t868 =  *((intOrPtr*)(_t1116 - 0xec));
                        					_t578 = 2 + _t561 * 2;
                        					 *((intOrPtr*)(_t1116 - 0x1c8)) = _t578;
                        					 *((intOrPtr*)(_t1116 - 0x1cc)) =  *((intOrPtr*)(_t1116 - 0xec));
                        					if(_t578 >= 0x1000) {
                        						E00BAE6CD(_t839, 0x1000, _t1116, _t1116 - 0x1cc, _t1116 - 0x1c8);
                        						_t578 =  *((intOrPtr*)(_t1116 - 0x1c8));
                        						_t868 =  *((intOrPtr*)(_t1116 - 0x1cc));
                        					}
                        					_push(_t578);
                        					L00C32F7D(_t868);
                        				}
                        				 *((intOrPtr*)(_t1116 - 0xdc)) = 0;
                        				 *((short*)(_t1116 - 0xec)) = 0;
                        				_t563 =  *(_t1116 - 0x18);
                        				 *(_t1116 - 0xd8) = 7;
                        				if(_t563 >= 8) {
                        					_t863 =  *((intOrPtr*)(_t1116 - 0x2c));
                        					_t573 = 2 + _t563 * 2;
                        					 *((intOrPtr*)(_t1116 - 0x1c8)) = _t573;
                        					 *((intOrPtr*)(_t1116 - 0x1cc)) =  *((intOrPtr*)(_t1116 - 0x2c));
                        					if(_t573 >= 0x1000) {
                        						E00BAE6CD(_t839, 0x1000, _t1116, _t1116 - 0x1cc, _t1116 - 0x1c8);
                        						_t573 =  *((intOrPtr*)(_t1116 - 0x1c8));
                        						_t863 =  *((intOrPtr*)(_t1116 - 0x1cc));
                        					}
                        					_push(_t573);
                        					L00C32F7D(_t863);
                        				}
                        				 *((intOrPtr*)(_t1116 - 0x1c)) = 0;
                        				 *((short*)(_t1116 - 0x2c)) = 0;
                        				_t565 =  *(_t1116 - 0xf0);
                        				 *(_t1116 - 0x18) = 7;
                        				if(_t565 >= 8) {
                        					_t858 =  *((intOrPtr*)(_t1116 - 0x104));
                        					_t568 = 2 + _t565 * 2;
                        					 *((intOrPtr*)(_t1116 - 0x1c8)) = _t568;
                        					 *((intOrPtr*)(_t1116 - 0x1cc)) =  *((intOrPtr*)(_t1116 - 0x104));
                        					if(_t568 >= 0x1000) {
                        						E00BAE6CD(_t839, 0x1000, _t1116, _t1116 - 0x1cc, _t1116 - 0x1c8);
                        						_t568 =  *((intOrPtr*)(_t1116 - 0x1c8));
                        						_t858 =  *((intOrPtr*)(_t1116 - 0x1cc));
                        					}
                        					_push(_t568);
                        					L00C32F7D(_t858);
                        				}
                        				return L00C89946(_t839, _t839, 0x1000, 0);
                        			}

                        0x00bc47df
                        0x00bc47e1
                        0x00bc4882
                        0x00bc4889
                        0x00bc4889
                        0x00bc4891
                        0x00bc47e7
                        0x00bc47e7
                        0x00bc47f0
                        0x00bc47f2
                        0x00bc47f5
                        0x00bc47f8
                        0x00bc47fb
                        0x00bc4806
                        0x00bc480e
                        0x00bc4817
                        0x00bc481a
                        0x00bc481d
                        0x00bc4820
                        0x00bc4823
                        0x00bc482e
                        0x00bc4833
                        0x00bc4836
                        0x00bc484c
                        0x00bc4851
                        0x00bc485e
                        0x00bc4871
                        0x00bc4871
                        0x00bc48a3
                        0x00bc48ac
                        0x00bc48af
                        0x00bc48b2
                        0x00bc48b5
                        0x00bc48c0
                        0x00bc48c8
                        0x00bc48d4
                        0x00bc48d6
                        0x00bc48da
                        0x00bc48e5
                        0x00bc48ea
                        0x00bc48f3
                        0x00bc48f6
                        0x00bc48fa
                        0x00bc48fe
                        0x00bc4909
                        0x00bc490e
                        0x00bc4911
                        0x00bc491d
                        0x00bc4922
                        0x00bc492f
                        0x00bc4934
                        0x00bc4936
                        0x00bc49d7
                        0x00bc49de
                        0x00bc49de
                        0x00bc49e6
                        0x00bc493c
                        0x00bc493c
                        0x00bc4945
                        0x00bc4947
                        0x00bc494a
                        0x00bc494d
                        0x00bc4950
                        0x00bc495b
                        0x00bc4963
                        0x00bc496c
                        0x00bc496f
                        0x00bc4972
                        0x00bc4975
                        0x00bc4978
                        0x00bc4983
                        0x00bc4988
                        0x00bc498b
                        0x00bc49a1
                        0x00bc49a6
                        0x00bc49b3
                        0x00bc49c6
                        0x00bc49c6
                        0x00bc49f8
                        0x00bc49fe
                        0x00bc4a01
                        0x00bc4a04
                        0x00bc4a07
                        0x00bc4a12
                        0x00bc4a1a
                        0x00bc4a26
                        0x00bc4a28
                        0x00bc4a2c
                        0x00bc4a37
                        0x00bc4a3c
                        0x00bc4a42
                        0x00bc4a45
                        0x00bc4a49
                        0x00bc4a4d
                        0x00bc4a58
                        0x00bc4a5d
                        0x00bc4a60
                        0x00bc4a6c
                        0x00bc4a71
                        0x00bc4a7e
                        0x00bc4a83
                        0x00bc4a85
                        0x00bc4b1f
                        0x00bc4b26
                        0x00bc4b26
                        0x00bc4b2e
                        0x00bc4a8b
                        0x00bc4a8b
                        0x00bc4a91
                        0x00bc4a93
                        0x00bc4a96
                        0x00bc4a99
                        0x00bc4a9c
                        0x00bc4aa7
                        0x00bc4aaf
                        0x00bc4ab8
                        0x00bc4abb
                        0x00bc4abe
                        0x00bc4ac1
                        0x00bc4ac4
                        0x00bc4acf
                        0x00bc4ad4
                        0x00bc4ad7
                        0x00bc4aed
                        0x00bc4af2
                        0x00bc4aff
                        0x00bc4b12
                        0x00bc4b12
                        0x00bc4b40
                        0x00bc4b46
                        0x00bc4b49
                        0x00bc4b4c
                        0x00bc4b4f
                        0x00bc4b5a
                        0x00bc4b62
                        0x00bc4b6e
                        0x00bc4b70
                        0x00bc4b74
                        0x00bc4b7f
                        0x00bc4b84
                        0x00bc4b8a
                        0x00bc4b8d
                        0x00bc4b91
                        0x00bc4b95
                        0x00bc4ba0
                        0x00bc4ba5
                        0x00bc4ba8
                        0x00bc4bb4
                        0x00bc4bb9
                        0x00bc4bc6
                        0x00bc4bcb
                        0x00bc4bcd
                        0x00bc4c67
                        0x00bc4c6e
                        0x00bc4c6e
                        0x00bc4c76
                        0x00bc4bd3
                        0x00bc4bd3
                        0x00bc4bd9
                        0x00bc4bdb
                        0x00bc4bde
                        0x00bc4be1
                        0x00bc4be4
                        0x00bc4bef
                        0x00bc4bf7
                        0x00bc4c00
                        0x00bc4c03
                        0x00bc4c06
                        0x00bc4c09
                        0x00bc4c0c
                        0x00bc4c17
                        0x00bc4c1c
                        0x00bc4c1f
                        0x00bc4c35
                        0x00bc4c3a
                        0x00bc4c47
                        0x00bc4c5a
                        0x00bc4c5a
                        0x00bc4c88
                        0x00bc4c8e
                        0x00bc4c91
                        0x00bc4c94
                        0x00bc4c97
                        0x00bc4ca2
                        0x00bc4caa
                        0x00bc4cb6
                        0x00bc4cb8
                        0x00bc4cbc
                        0x00bc4cc7
                        0x00bc4ccc
                        0x00bc4cd2
                        0x00bc4cd7
                        0x00bc4cda
                        0x00bc4cdd
                        0x00bc4ce8
                        0x00bc4ced
                        0x00bc4cf0
                        0x00bc4cfc
                        0x00bc4d01
                        0x00bc4d0e
                        0x00bc4d13
                        0x00bc4d15
                        0x00bc4dba
                        0x00bc4d1b
                        0x00bc4d1b
                        0x00bc4d21
                        0x00bc4d24
                        0x00bc4d27
                        0x00bc4d2a
                        0x00bc4d35
                        0x00bc4d3d
                        0x00bc4d49
                        0x00bc4d4c
                        0x00bc4d4f
                        0x00bc4d52
                        0x00bc4d5d
                        0x00bc4d65
                        0x00bc4d7b
                        0x00bc4d80
                        0x00bc4d8d
                        0x00bc4da0
                        0x00bc4da0
                        0x00bc4dc2
                        0x00bc4dce
                        0x00bc4dd9
                        0x00bc4de4
                        0x00bc4def
                        0x00bc4dfa
                        0x00bc4e05
                        0x00bc4e10
                        0x00bc4e1b
                        0x00bc4e22
                        0x00bc4e22
                        0x00bc4e23
                        0x00bc4e2e
                        0x00bc4e30
                        0x00bc4e33
                        0x00bc4e3a
                        0x00bc4e40
                        0x00bc4e48
                        0x00bc4e58
                        0x00bc4e5d
                        0x00bc4e65
                        0x00bc4e65
                        0x00bc4e6b
                        0x00bc4e6d
                        0x00bc4e73
                        0x00bc4e76
                        0x00bc4e7f
                        0x00bc4e83
                        0x00bc4e86
                        0x00bc4e8c
                        0x00bc4e8e
                        0x00bc4e91
                        0x00bc4e98
                        0x00bc4e9e
                        0x00bc4ea6
                        0x00bc4eb6
                        0x00bc4ebb
                        0x00bc4ec3
                        0x00bc4ec3
                        0x00bc4ec9
                        0x00bc4ecb
                        0x00bc4ed1
                        0x00bc4ed4
                        0x00bc4ed7
                        0x00bc4edb
                        0x00bc4ede
                        0x00bc4ee8
                        0x00bc4eea
                        0x00bc4eed
                        0x00bc4ef4
                        0x00bc4efa
                        0x00bc4f02
                        0x00bc4f12
                        0x00bc4f17
                        0x00bc4f1f
                        0x00bc4f1f
                        0x00bc4f25
                        0x00bc4f27
                        0x00bc4f2d
                        0x00bc4f30
                        0x00bc4f33
                        0x00bc4f37
                        0x00bc4f3a
                        0x00bc4f44
                        0x00bc4f46
                        0x00bc4f4c
                        0x00bc4f53
                        0x00bc4f59
                        0x00bc4f61
                        0x00bc4f71
                        0x00bc4f76
                        0x00bc4f7e
                        0x00bc4f7e
                        0x00bc4f84
                        0x00bc4f86
                        0x00bc4f8c
                        0x00bc4f8f
                        0x00bc4f92
                        0x00bc4f99
                        0x00bc4f9f
                        0x00bc4fa9
                        0x00bc4fab
                        0x00bc4fb1
                        0x00bc4fb8
                        0x00bc4fbe
                        0x00bc4fc6
                        0x00bc4fd6
                        0x00bc4fdb
                        0x00bc4fe3
                        0x00bc4fe3
                        0x00bc4fe9
                        0x00bc4feb
                        0x00bc4ff1
                        0x00bc4ff4
                        0x00bc4ffa
                        0x00bc5001
                        0x00bc5007
                        0x00bc5014
                        0x00bc5016
                        0x00bc501c
                        0x00bc5023
                        0x00bc5029
                        0x00bc5031
                        0x00bc5041
                        0x00bc5046
                        0x00bc504e
                        0x00bc504e
                        0x00bc5054
                        0x00bc5056
                        0x00bc505c
                        0x00bc505f
                        0x00bc5065
                        0x00bc506c
                        0x00bc5072
                        0x00bc507f
                        0x00bc5081
                        0x00bc5087
                        0x00bc508e
                        0x00bc5094
                        0x00bc509c
                        0x00bc50ac
                        0x00bc50b1
                        0x00bc50b9
                        0x00bc50b9
                        0x00bc50bf
                        0x00bc50c1
                        0x00bc50c7
                        0x00bc50ca
                        0x00bc50d0
                        0x00bc50d7
                        0x00bc50dd
                        0x00bc50ea
                        0x00bc50ec
                        0x00bc50f2
                        0x00bc50f9
                        0x00bc50ff
                        0x00bc5107
                        0x00bc5117
                        0x00bc511c
                        0x00bc5124
                        0x00bc5124
                        0x00bc512a
                        0x00bc512c
                        0x00bc5132
                        0x00bc5135
                        0x00bc513b
                        0x00bc5142
                        0x00bc5145
                        0x00bc5152
                        0x00bc5154
                        0x00bc5157
                        0x00bc515e
                        0x00bc5164
                        0x00bc516c
                        0x00bc517c
                        0x00bc5181
                        0x00bc5189
                        0x00bc5189
                        0x00bc518f
                        0x00bc5191
                        0x00bc5197
                        0x00bc519a
                        0x00bc519d
                        0x00bc51a1
                        0x00bc51a7
                        0x00bc51b1
                        0x00bc51b3
                        0x00bc51b9
                        0x00bc51c0
                        0x00bc51c6
                        0x00bc51ce
                        0x00bc51de
                        0x00bc51e3
                        0x00bc51eb
                        0x00bc51eb
                        0x00bc51f1
                        0x00bc51f3
                        0x00bc51f9
                        0x00bc5201

                        APIs
                        • __EH_prolog3_GS.LIBCMT ref: 00BC413F
                        • RegOpenKeyExW.ADVAPI32(80000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00BC89B6), ref: 00BC42EF
                        • RegQueryValueExW.ADVAPI32(?,00000000), ref: 00BC4368
                        • RegQueryValueExW.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00BC44D5
                        • RegQueryValueExW.ADVAPI32(?,00000000), ref: 00BC462A
                        • RegQueryValueExW.ADVAPI32(?,00000000), ref: 00BC477F
                        • RegQueryValueExW.ADVAPI32(?,00000000), ref: 00BC48D4
                        • RegQueryValueExW.ADVAPI32(?,00000000), ref: 00BC4A26
                        • RegQueryValueExW.ADVAPI32(?,00000000), ref: 00BC4B6E
                        • RegQueryValueExW.ADVAPI32(?,00000000), ref: 00BC4CB6
                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BC4DC2
                          • Part of subcall function 00BAE71B: _Deallocate.LIBCONCRT ref: 00BAE730
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: QueryValue$CloseDeallocateH_prolog3_Open
                        • String ID: 8$Qmdru_pcZZNA?nnQrmpc$_srm]qr_pr]ml$`pmuqcp]qc_paf$amlrcvrs_j]mddcpq$f_pbu_pc]amjjcargle$ncpgmbga_j]mddcpq$ncpqmlgjgxcb]lmrgdga_rgmlq$qc_paf]kcls$qmdru_pc]amjjcargle
                        • API String ID: 26428883-1628149005
                        • Opcode ID: 4ba3e6bcab0bcb9654ba1c1aabd3e402c2fcf5735aee44a74b7642b907074c6f
                        • Instruction ID: c7078efaf4ebc023d82622b7bce4de7ef5bf8a87e76d1f53c2bffdde43f74895
                        • Opcode Fuzzy Hash: 4ba3e6bcab0bcb9654ba1c1aabd3e402c2fcf5735aee44a74b7642b907074c6f
                        • Instruction Fuzzy Hash: C5B259708052589FDB14EF68C895BEDBBB4AF0A304F5044DEE409A7292DB729F85CF91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 78%
                        			E00BD340E(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
                        				void* _t114;
                        				void* _t117;
                        				signed int _t122;
                        				intOrPtr* _t144;
                        				signed int _t147;
                        				intOrPtr _t154;
                        				intOrPtr _t155;
                        				signed int _t159;
                        				signed int _t160;
                        				void* _t162;
                        				void* _t166;
                        				void* _t169;
                        				void* _t180;
                        				void* _t192;
                        				void* _t193;
                        				intOrPtr* _t212;
                        				intOrPtr* _t219;
                        				void* _t237;
                        				void* _t244;
                        				signed int _t258;
                        				intOrPtr* _t259;
                        				int* _t263;
                        				intOrPtr* _t266;
                        				int* _t270;
                        				signed int _t272;
                        				signed int _t273;
                        				signed int _t274;
                        				signed int _t275;
                        				signed int _t276;
                        				void* _t277;
                        				signed int _t278;
                        				void* _t279;
                        
                        				_t279 = __eflags;
                        				_t269 = __esi;
                        				_t262 = __edi;
                        				_t258 = __edx;
                        				_t193 = __ecx;
                        				L00C8999C(0xc90ce2, __ebx, __edi, __esi, 0x294);
                        				_t192 = _t193;
                        				_push(L"kcls]qrmpc");
                        				E00BCC079(_t192, _t277 - 0x254, __edx, __edi, __esi);
                        				 *(_t277 - 4) =  *(_t277 - 4) & 0x00000000;
                        				_push(L"mncl]jgli");
                        				E00BCC079(_t192, _t277 - 0x250, __edx, __edi, __esi);
                        				_push(L"jgli;");
                        				 *(_t277 - 4) = 1;
                        				E00BCC079(_t192, _t277 - 0x24c, __edx, __edi, __esi);
                        				_push(L"R_qiJgqrRfsk`l_gjUlb");
                        				 *(_t277 - 4) = 2;
                        				E00BCC079(_t192, _t277 - 0x248, __edx, _t262, _t269);
                        				 *(_t277 - 4) = 3;
                        				_t114 = E00BD1710(_t192, _t192, _t262, _t269, _t279);
                        				_push(0);
                        				 *((char*)(_t277 - 0x235)) =  *(_t192 + 0x1278) == _t114;
                        				_push(_t277 - 0x234);
                        				L00BD0877(_t192, _t192, _t262, _t269,  *(_t192 + 0x1278) - _t114);
                        				_t117 = L00BD0A47(_t192, _t192);
                        				_t263 = _t192 + 0x908;
                        				_push( *((intOrPtr*)(_t192 + 0x910)) -  *_t263);
                        				_push(_t117);
                        				if(L00BD29A4(_t192, _t192, _t258, _t263, _t269,  *(_t192 + 0x1278) - _t114) != 0 &&  *((char*)(_t277 - 0x235)) != 0) {
                        					E00BD27E0(_t192, _t192, _t258, _t263, _t269);
                        				}
                        				L3:
                        				L3:
                        				if(PeekMessageW(_t277 - 0x2a0, 0, 0, 0, 1) > 0) {
                        					TranslateMessage(_t277 - 0x2a0);
                        					DispatchMessageW(_t277 - 0x2a0);
                        				}
                        				_t270 = GetAsyncKeyState(1);
                        				_t122 =  *0xce13e4; // 0x3
                        				_t284 = _t122 - 3;
                        				if(_t122 != 3) {
                        					__eflags = _t122;
                        					if(__eflags == 0) {
                        						GetWindowRect( *(_t192 + 0x1278), _t277 - 0x224);
                        					}
                        				} else {
                        					_push(0);
                        					_push(_t277 - 0x224);
                        					L00BD0877(_t192, _t192, _t263, _t270, _t284);
                        				}
                        				asm("cdq");
                        				if(( *((intOrPtr*)(_t277 - 0x234)) -  *(_t277 - 0x224) ^ _t258) - _t258 > 1) {
                        					goto L42;
                        				}
                        				asm("cdq");
                        				if(( *((intOrPtr*)(_t277 - 0x22c)) -  *((intOrPtr*)(_t277 - 0x21c)) ^ _t258) - _t258 <= 1 &&  *((intOrPtr*)(_t277 - 0x220)) ==  *(_t192 + 0x90c) &&  *((intOrPtr*)(_t277 - 0x218)) ==  *((intOrPtr*)(_t192 + 0x914))) {
                        					if((_t270 & 0x00008000) == 0) {
                        						L31:
                        						GetClassNameW(E00BD1710(_t192, _t192, _t263, _t270, _t301), _t277 - 0x214, 0x100);
                        						_t272 = _t278;
                        						 *(_t277 - 0x23c) = _t272;
                        						 *_t272 = L00BADF62( *((intOrPtr*)(_t277 - 0x248)) - 0x10, _t263, _t277 - 0x214) + 0x10;
                        						_t212 =  *((intOrPtr*)(L00BBEA69(_t192, _t277 - 0x268, _t263, _t272)));
                        						_t144 = _t277 - 0x214;
                        						while(1) {
                        							_t258 =  *_t144;
                        							if(_t258 !=  *_t212) {
                        								break;
                        							}
                        							if(_t258 == 0) {
                        								L36:
                        								_t273 = 0;
                        								L38:
                        								E00BAE6AB(_t144,  *((intOrPtr*)(_t277 - 0x268)) - 0x10);
                        								_t307 = _t273;
                        								if(_t273 == 0) {
                        									goto L3;
                        								}
                        								_t147 = E00BD1710(_t192, _t192, _t263, _t273, _t307) & 0xffffff00 |  *(_t192 + 0x1278) == _t146;
                        								if( *((char*)(_t192 + 0x928)) != 0 || _t147 != 0) {
                        									Sleep(1);
                        									goto L3;
                        								} else {
                        									return L00C89946(E00BAE6AB(E00BAE6AB(E00BAE6AB(E00BAE6AB(_t147,  *((intOrPtr*)(_t277 - 0x248)) - 0x10),  *((intOrPtr*)(_t277 - 0x24c)) - 0x10),  *((intOrPtr*)(_t277 - 0x250)) - 0x10),  *((intOrPtr*)(_t277 - 0x254)) - 0x10), _t192, _t263, _t273);
                        								}
                        							}
                        							_t258 =  *((intOrPtr*)(_t144 + 2));
                        							if(_t258 !=  *((intOrPtr*)(_t212 + 2))) {
                        								break;
                        							}
                        							_t144 = _t144 + 4;
                        							_t212 = _t212 + 4;
                        							if(_t258 != 0) {
                        								continue;
                        							}
                        							goto L36;
                        						}
                        						asm("sbb esi, esi");
                        						_t273 = _t272 | 0x00000001;
                        						__eflags = _t273;
                        						goto L38;
                        					}
                        					__imp__GetPhysicalCursorPos(_t277 - 0x274);
                        					_t154 =  *((intOrPtr*)(_t277 - 0x274));
                        					_t270 = _t263;
                        					asm("movsd");
                        					asm("movsd");
                        					asm("movsd");
                        					asm("movsd");
                        					if(_t154 <=  *((intOrPtr*)(_t277 - 0x284)) || _t154 >=  *((intOrPtr*)(_t277 - 0x27c))) {
                        						L30:
                        						_t263 = _t192 + 0x908;
                        						goto L31;
                        					} else {
                        						_t155 =  *((intOrPtr*)(_t277 - 0x270));
                        						if(_t155 >=  *((intOrPtr*)(_t277 - 0x278)) || _t155 <=  *((intOrPtr*)(_t277 - 0x280)) ||  *0xce13e2 == 0) {
                        							goto L30;
                        						} else {
                        							L00BD2964(_t192);
                        							_push(2);
                        							_push(0x200);
                        							_t266 = E00C5938E(_t192);
                        							 *((intOrPtr*)(_t277 - 0x244)) = _t266;
                        							L00BA9DB3(_t277 - 0x244);
                        							_t259 = 0xcc5734;
                        							_t219 = _t266;
                        							while(1) {
                        								_t159 =  *_t219;
                        								if(_t159 !=  *_t259) {
                        									break;
                        								}
                        								if(_t159 == 0) {
                        									L24:
                        									_t160 = 0;
                        									L26:
                        									_t299 = _t160;
                        									if(_t160 != 0) {
                        										_push(_t266);
                        										_t162 = E00BCC079(_t192, _t277 - 0x264, _t259, _t266, _t270);
                        										 *(_t277 - 4) = 4;
                        										_push(L00BAE8E3(_t192, _t277 - 0x260, _t162, _t266, _t270, _t299));
                        										 *(_t277 - 4) = 5;
                        										_t274 = _t278;
                        										 *(_t277 - 0x258) = _t274;
                        										 *_t274 = L00BADF62( *((intOrPtr*)(_t277 - 0x24c)) - 0x10, _t266, _t277 - 0x260) + 0x10;
                        										_t166 = L00BBEA69(_t192, _t277 - 0x25c, _t266, _t274);
                        										 *(_t277 - 4) = 6;
                        										_t169 = E00BAE6AB(E00BAE6AB(E00BAC03C(_t192, _t277 - 0x240, _t166, _t266, _t274),  *((intOrPtr*)(_t277 - 0x25c)) - 0x10),  *((intOrPtr*)(_t277 - 0x260)) - 0x10);
                        										 *(_t277 - 4) = 0xa;
                        										E00BAE6AB(_t169,  *((intOrPtr*)(_t277 - 0x264)) - 0x10);
                        										L00BBFC07(_t192, _t266, _t166);
                        										_t275 = _t278;
                        										 *(_t277 - 0x258) = _t278;
                        										 *(_t277 - 0x26c) = _t275;
                        										_t237 =  *((intOrPtr*)(_t277 - 0x240)) + 0xfffffff0;
                        										 *_t275 = L00BADF62(_t237, _t266, _t266) + 0x10;
                        										 *(_t277 - 4) = 0xb;
                        										_t267 = _t278;
                        										 *(_t277 - 0x26c) = _t278;
                        										_t276 = _t278;
                        										 *(_t277 - 0x23c) = _t276;
                        										 *_t276 = L00BADF62( *((intOrPtr*)(_t277 - 0x250)) - 0x10, _t278, _t237) + 0x10;
                        										L00BBEA69(_t192, _t267, _t267, _t276);
                        										 *(_t277 - 4) = 0xc;
                        										_t268 = _t278;
                        										_t270 = _t278;
                        										 *(_t277 - 0x23c) = _t270;
                        										 *_t270 = L00BADF62( *((intOrPtr*)(_t277 - 0x254)) - 0x10, _t278, _t267) + 0x10;
                        										L00BBEA69(_t192, _t278, _t278, _t270);
                        										_t244 = _t237;
                        										 *(_t277 - 4) = 0xa;
                        										_t180 = L00BC7C63(_t192, _t244, _t166, _t268, _t270, L00BADF62( *((intOrPtr*)(_t277 - 0x254)) - 0x10, _t278, _t267) + 0x10);
                        										 *(_t277 - 4) = 3;
                        										_t278 = _t278 + 0xc;
                        										E00BAE6AB(_t180,  *((intOrPtr*)(_t277 - 0x240)) - 0x10);
                        										_t266 =  *((intOrPtr*)(_t277 - 0x244));
                        									}
                        									_t301 = _t266;
                        									if(_t266 != 0) {
                        										L00C54807(_t266);
                        									}
                        									goto L30;
                        								}
                        								_t159 =  *((intOrPtr*)(_t219 + 2));
                        								_t43 = _t259 + 2; // 0x7e0000
                        								if(_t159 !=  *_t43) {
                        									break;
                        								}
                        								_t219 = _t219 + 4;
                        								_t259 = _t259 + 4;
                        								if(_t159 != 0) {
                        									continue;
                        								}
                        								goto L24;
                        							}
                        							asm("sbb eax, eax");
                        							_t160 = _t159 | 0x00000001;
                        							__eflags = _t160;
                        							goto L26;
                        						}
                        					}
                        				}
                        				L42:
                        				L00BD0A86(_t192, _t192, _t263, _t270);
                        				SetWindowPos( *(_t192 + 0x904), 0,  *_t263,  *(_t192 + 0x90c),  *((intOrPtr*)(_t192 + 0x910)) -  *_t263,  *((intOrPtr*)(_t192 + 0x914)) -  *(_t192 + 0x90c), 0x40);
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				asm("movsd");
                        				_t263 = _t192 + 0x908;
                        				goto L3;
                        			}

                        APIs
                        • __EH_prolog3_GS.LIBCMT ref: 00BD3418
                          • Part of subcall function 00BD1710: __EH_prolog3_GS.LIBCMT ref: 00BD171A
                          • Part of subcall function 00BD1710: SystemParametersInfoW.USER32 ref: 00BD1765
                          • Part of subcall function 00BD1710: GetWindowRect.USER32 ref: 00BD17FC
                          • Part of subcall function 00BD1710: WindowFromPoint.USER32(?,?), ref: 00BD1823
                          • Part of subcall function 00BD1710: GetParent.USER32(00000000), ref: 00BD1839
                          • Part of subcall function 00BD1710: GetClassNameW.USER32 ref: 00BD186C
                          • Part of subcall function 00BD1710: GetWindowTextW.USER32 ref: 00BD1884
                          • Part of subcall function 00BD0877: __EH_prolog3_GS.LIBCMT ref: 00BD087E
                          • Part of subcall function 00BD0877: CoInitialize.OLE32(00000000), ref: 00BD08B2
                          • Part of subcall function 00BD29A4: __EH_prolog3_GS.LIBCMT ref: 00BD29AE
                        • PeekMessageW.USER32 ref: 00BD34D5
                        • TranslateMessage.USER32(?), ref: 00BD34E6
                        • DispatchMessageW.USER32 ref: 00BD34F3
                        • GetAsyncKeyState.USER32(00000001), ref: 00BD34FB
                        • GetWindowRect.USER32 ref: 00BD3531
                          • Part of subcall function 00BD27E0: ShowWindow.USER32(?,00000005,qfmu,kcls]qrmpc,00000014,00BD34C6), ref: 00BD2818
                          • Part of subcall function 00BD27E0: SetWindowPos.USER32(?,000000FF,?,?,?,?,00000040), ref: 00BD2868
                          • Part of subcall function 00BD27E0: SetLayeredWindowAttributes.USER32(?,00000000,000000FF,00000002), ref: 00BD28CF
                          • Part of subcall function 00BD27E0: UpdateWindow.USER32(?), ref: 00BD28DB
                        • GetPhysicalCursorPos.USER32(?), ref: 00BD35A2
                        • GetClassNameW.USER32 ref: 00BD37B5
                        • Sleep.KERNEL32(00000001), ref: 00BD384B
                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000040,?,?,?,00000000,R_qiJgqrRfsk`l_gjUlb,jgli;,mncl]jgli,kcls]qrmpc,00000294), ref: 00BD3882
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: Window$H_prolog3_$Message$ClassNameRect$AsyncAttributesCursorDispatchFromInfoInitializeLayeredParametersParentPeekPhysicalPointShowSleepStateSystemTextTranslateUpdate
                        • String ID: R_qiJgqrRfsk`l_gjUlb$jgli;$kcls]qrmpc$mncl]jgli
                        • API String ID: 3466440173-577611833
                        • Opcode ID: b70817502ec9c237a7b6329ae0d3c4c20806cb1f5603dfa4828b3d5cf22b81db
                        • Instruction ID: d6abb5c0308d98de2282e8fddf2364ad3e841b59fa4230fd6834b9341ff4e79d
                        • Opcode Fuzzy Hash: b70817502ec9c237a7b6329ae0d3c4c20806cb1f5603dfa4828b3d5cf22b81db
                        • Instruction Fuzzy Hash: 90D1BE709042158BDF24EB64CC99BEDB7F1EF54704F1405E9E40AAB292EB71AE84CB11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 69%
                        			E00C6D604(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
                        				intOrPtr* _v8;
                        				short _v12;
                        				signed int _v32;
                        				intOrPtr _v40;
                        				signed int _v52;
                        				char _v272;
                        				short _v292;
                        				void* __ebp;
                        				void* _t33;
                        				short* _t34;
                        				intOrPtr* _t35;
                        				void* _t37;
                        				intOrPtr* _t38;
                        				signed short _t39;
                        				signed short* _t42;
                        				intOrPtr _t45;
                        				void* _t47;
                        				signed int _t50;
                        				void* _t52;
                        				signed int _t56;
                        				void* _t69;
                        				void* _t73;
                        				void* _t74;
                        				void* _t78;
                        				intOrPtr* _t85;
                        				short* _t87;
                        				intOrPtr* _t92;
                        				intOrPtr* _t96;
                        				short _t114;
                        				void* _t115;
                        				intOrPtr* _t117;
                        				intOrPtr _t120;
                        				signed int* _t121;
                        				intOrPtr* _t124;
                        				signed short _t126;
                        				int _t128;
                        				void* _t132;
                        				signed int _t133;
                        
                        				_push(__ecx);
                        				_push(__ecx);
                        				_t85 = _a4;
                        				_push(__esi);
                        				_push(__edi);
                        				_t33 = L00C64A2F(__ecx, __edx);
                        				_t114 = 0;
                        				_v12 = 0;
                        				_t3 = _t33 + 0x50; // 0x50
                        				_t124 = _t3;
                        				_t4 = _t124 + 0x250; // 0x2a0
                        				_t34 = _t4;
                        				 *((intOrPtr*)(_t124 + 8)) = 0;
                        				 *_t34 = 0;
                        				_t6 = _t124 + 4; // 0x54
                        				_t117 = _t6;
                        				_v8 = _t34;
                        				_t92 = _t85;
                        				_t35 = _t85 + 0x80;
                        				 *_t124 = _t85;
                        				 *_t117 = _t35;
                        				if( *_t35 != 0) {
                        					E00C6D597(0xcbe3e0, 0x16, _t117);
                        					_t92 =  *_t124;
                        					_t132 = _t132 + 0xc;
                        					_t114 = 0;
                        				}
                        				_push(_t124);
                        				if( *_t92 == _t114) {
                        					L00C6CF08(_t92);
                        					goto L12;
                        				} else {
                        					if( *((intOrPtr*)( *_t117)) == _t114) {
                        						E00C6D028();
                        					} else {
                        						L00C6CF8F(_t92);
                        					}
                        					if( *((intOrPtr*)(_t124 + 8)) == 0) {
                        						_t78 = E00C6D597(0xcbe0d0, 0x40, _t124);
                        						_t132 = _t132 + 0xc;
                        						if(_t78 != 0) {
                        							_push(_t124);
                        							if( *((intOrPtr*)( *_t117)) == 0) {
                        								E00C6D028();
                        							} else {
                        								L00C6CF8F(0);
                        							}
                        							L12:
                        						}
                        					}
                        				}
                        				if( *((intOrPtr*)(_t124 + 8)) == 0) {
                        					L37:
                        					_t37 = 0;
                        					goto L38;
                        				} else {
                        					_t38 = _t85 + 0x100;
                        					if( *_t85 != 0 ||  *_t38 != 0) {
                        						_t39 = E00C6D454(_t38, _t124);
                        					} else {
                        						_t39 = GetACP();
                        					}
                        					_t126 = _t39;
                        					if(_t126 == 0 || _t126 == 0xfde8 || IsValidCodePage(_t126 & 0x0000ffff) == 0) {
                        						goto L37;
                        					} else {
                        						_t42 = _a8;
                        						if(_t42 != 0) {
                        							 *_t42 = _t126;
                        						}
                        						_t120 = _a12;
                        						if(_t120 == 0) {
                        							L36:
                        							_t37 = 1;
                        							L38:
                        							return _t37;
                        						} else {
                        							_t96 = _v8;
                        							_t15 = _t120 + 0x120; // 0xd0
                        							_t87 = _t15;
                        							 *_t87 = 0;
                        							_t16 = _t96 + 2; // 0x2
                        							_t115 = _t16;
                        							do {
                        								_t45 =  *_t96;
                        								_t96 = _t96 + 2;
                        							} while (_t45 != _v12);
                        							_t18 = (_t96 - _t115 >> 1) + 1; // -1
                        							_t47 = L00C6A8E5(_t87, 0x55, _v8);
                        							_t133 = _t132 + 0x10;
                        							if(_t47 != 0) {
                        								L39:
                        								_push(0);
                        								_push(0);
                        								_push(0);
                        								_push(0);
                        								_push(0);
                        								E00C543F1();
                        								asm("int3");
                        								_t131 = _t133;
                        								_t50 =  *0xcdaf54; // 0x8a028f78
                        								_v52 = _t50 ^ _t133;
                        								_push(_t87);
                        								_push(_t126);
                        								_push(_t120);
                        								_t52 = L00C64A2F(_t98, _t115);
                        								_t88 = _t52;
                        								_t121 =  *(L00C64A2F(_t98, _t115) + 0x34c);
                        								_t128 = L00C6DD3F(_v40);
                        								asm("sbb ecx, ecx");
                        								_t56 = GetLocaleInfoW(_t128, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
                        								if(_t56 != 0) {
                        									if(E00C7019B(_t121, _t128,  *((intOrPtr*)(_t88 + 0x54)),  &_v272) == 0 && L00C6DE71(_t128) != 0) {
                        										 *_t121 =  *_t121 | 0x00000004;
                        										_t121[2] = _t128;
                        										_t121[1] = _t128;
                        									}
                        								} else {
                        									 *_t121 =  *_t121 & _t56;
                        								}
                        								return L00C32D6C(_v32 ^ _t131);
                        							} else {
                        								if(L00C63F81(_t87, 0x1001, _t120, 0x40) == 0) {
                        									goto L37;
                        								} else {
                        									_t20 = _t120 + 0x80; // 0x30
                        									_t87 = _t20;
                        									_t21 = _t120 + 0x120; // 0xd0
                        									if(L00C63F81(_t21, 0x1002, _t87, 0x40) == 0) {
                        										goto L37;
                        									} else {
                        										_push(0x5f);
                        										_t69 = L00C8AC22(_t98);
                        										_t98 = _t87;
                        										if(_t69 != 0) {
                        											L31:
                        											_t22 = _t120 + 0x120; // 0xd0
                        											if(L00C63F81(_t22, 7, _t87, 0x40) == 0) {
                        												goto L37;
                        											} else {
                        												goto L32;
                        											}
                        										} else {
                        											_push(0x2e);
                        											_t74 = L00C8AC22(_t98);
                        											_t98 = _t87;
                        											if(_t74 == 0) {
                        												L32:
                        												_t120 = _t120 + 0x100;
                        												if(_t126 != 0xfde9) {
                        													E00C73189(_t98, _t126, _t120, 0x10, 0xa);
                        													goto L36;
                        												} else {
                        													_push(5);
                        													_t73 = L00C6A8E5(_t120, 0x10, L"utf8");
                        													_t133 = _t133 + 0x10;
                        													if(_t73 != 0) {
                        														goto L39;
                        													} else {
                        														goto L36;
                        													}
                        												}
                        											} else {
                        												goto L31;
                        											}
                        										}
                        									}
                        								}
                        							}
                        						}
                        					}
                        				}
                        			}

                        APIs
                          • Part of subcall function 00C64A2F: GetLastError.KERNEL32(?,?,?,00C5A470,00CD5DE0,0000000C), ref: 00C64A34
                          • Part of subcall function 00C64A2F: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00C5A470,00CD5DE0,0000000C), ref: 00C64AD2
                        • GetACP.KERNEL32(?,?,?,?,?,?,00C5F5EB,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00C6D6C5
                        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00C5F5EB,?,?,?,00000055,?,-00000050,?,?), ref: 00C6D6F0
                        • _wcschr.LIBVCRUNTIME ref: 00C6D784
                        • _wcschr.LIBVCRUNTIME ref: 00C6D792
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00C6D853
                        Similarity
                        • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                        • String ID: utf8
                        • API String ID: 4147378913-905460609
                        • Opcode ID: 86aa8aa0aae8109daa910793167a7bba62634e7ad9506e5411c113b701a3bab0
                        • Instruction ID: 9aaf8404034b1bf6121d575aed8ea4ff3cbf8cbc16c0f57a869e32fbe8bf812d
                        • Opcode Fuzzy Hash: 86aa8aa0aae8109daa910793167a7bba62634e7ad9506e5411c113b701a3bab0
                        • Instruction Fuzzy Hash: 4971E531F00302AAD734AB75CCC6FAA77A8EF48700F14446AF91BDB181EA70EA419761
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Similarity
                        • API ID: __floor_pentium4
                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                        • API String ID: 4168288129-2761157908
                        • Opcode ID: 785ce81d9fa82be69e21ee4a5752a2ba388f23b1c4770fe17d0fd3691dfb8fae
                        • Instruction ID: 8666837f170e4826d65455e545a95c537953a1edce3f2e59fbfdb82bc2556fe9
                        • Opcode Fuzzy Hash: 785ce81d9fa82be69e21ee4a5752a2ba388f23b1c4770fe17d0fd3691dfb8fae
                        • Instruction Fuzzy Hash: DFC25C71E046288FDB65CE28CD407EAB3B5FB48315F2881EAD85DE7241E774AE858F41
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Similarity
                        • API ID: _free$InformationTimeZone
                        • String ID:
                        • API String ID: 597776487-0
                        • Opcode ID: f9a10676c7f2587dfffa6b26c8152cc4d586f95822b2d7c9b352cc9663d6af2e
                        • Instruction ID: cbd5aaaf0a6f6de251a60aa5652b1ffaab163385b75462006063f6f3c520ac7b
                        • Opcode Fuzzy Hash: f9a10676c7f2587dfffa6b26c8152cc4d586f95822b2d7c9b352cc9663d6af2e
                        • Instruction Fuzzy Hash: 80C138719002449BDB349F69DDC1BAE7BFDEF46310F18046DE9A49B292E6308F41E750
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00C54310
                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00C5431A
                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00C54327
                        Similarity
                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                        • String ID:
                        • API String ID: 3906539128-0
                        • Opcode ID: fbc729e8c5b7cc15fadebf9a46b46e64c773b9dc0186c81e1d38247559a7df51
                        • Instruction ID: 2e35797d51b805442d163d16d57497dd5ca0ec500a4de202f00d5c2b5705e844
                        • Opcode Fuzzy Hash: fbc729e8c5b7cc15fadebf9a46b46e64c773b9dc0186c81e1d38247559a7df51
                        • Instruction Fuzzy Hash: 3331C2749112289BCB25DF68DD89BDCBBB8BF18314F5041EAE81CA7260E7709F859F44
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetProcessHeap.KERNEL32(?,00000014,00BAC12B,00000000,00BB7DC0,?,00000004,00BB0A13,?,?,?,?,?,?,?,?), ref: 00BAE1B2
                        • __Init_thread_footer.LIBCMT ref: 00BAE1D9
                          • Part of subcall function 00C330BE: EnterCriticalSection.KERNEL32(00CE061C,00CE1AE0,00000014,?,00BAE1A8,00CE1AE0,?,00000014,00BAC12B,00000000,00BB7DC0,?,00000004,00BB0A13), ref: 00C330C9
                          • Part of subcall function 00C330BE: LeaveCriticalSection.KERNEL32(00CE061C,?,00BAE1A8,00CE1AE0,?,00000014,00BAC12B,00000000,00BB7DC0,?,00000004,00BB0A13,?,?,?,?), ref: 00C33106
                        • __Init_thread_footer.LIBCMT ref: 00BAE23B
                        Similarity
                        • API ID: CriticalInit_thread_footerSection$EnterHeapLeaveProcess
                        • String ID:
                        • API String ID: 3363689876-0
                        • Opcode ID: b7afb96c9cea259a3dcbed3f401e9c8f501053debdd97cde9a13661ba2b7fb6e
                        • Instruction ID: a085fe8d5e5ad92ddd3e580bf7415d8117ab9b8c7317da6cd5bd0807674d60b7
                        • Opcode Fuzzy Hash: b7afb96c9cea259a3dcbed3f401e9c8f501053debdd97cde9a13661ba2b7fb6e
                        • Instruction Fuzzy Hash: 181104B25062C0CFC710DB54FC89BAD37E0E341322F1C016EE8208E6A0D7B469D1EB15
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LoadResource.KERNEL32(00000000,00000000,00000001,00000000,?,00BAE285,?,?,00000000,00000000,00000000,?,?,?,00BAE370,?), ref: 00BAE2B0
                        • LockResource.KERNEL32(00000000,?,00000000,00000000,00000000,?,?,?,00BAE370,?,00BCC0BC,?), ref: 00BAE2BB
                        • SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,00BAE370,?,00BCC0BC,?), ref: 00BAE2C9
                        Similarity
                        • API ID: Resource$LoadLockSizeof
                        • String ID:
                        • API String ID: 2853612939-0
                        • Opcode ID: 9662fa96d2e7bd55a18022b9bc3ee4a9bde5dc92f4fa4400292e390ab83e33af
                        • Instruction ID: b1b8c7be3b893061324bc1af70a5965691bdd1dbce0e82d33e49980ca8a54c4e
                        • Opcode Fuzzy Hash: 9662fa96d2e7bd55a18022b9bc3ee4a9bde5dc92f4fa4400292e390ab83e33af
                        • Instruction Fuzzy Hash: 34F0BB72908731879B355B69DC88B6FA6DCFB93702300486BF8A2D7114EA70DC55C290
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetCurrentProcess.KERNEL32(?,?,00C5A270,?,?,?,?), ref: 00C5A293
                        • TerminateProcess.KERNEL32(00000000,?,00C5A270,?,?,?,?), ref: 00C5A29A
                        • ExitProcess.KERNEL32 ref: 00C5A2AC
                        Similarity
                        • API ID: Process$CurrentExitTerminate
                        • String ID:
                        • API String ID: 1703294689-0
                        • Opcode ID: 888992a4208b230175ce6d73e77d068aa645fb4743bca26239dcbf343f546b99
                        • Instruction ID: a3bfbc7c031b4c8ba5f2f982133d09ea9d4c7a8500a943473d65b3773664a1f4
                        • Opcode Fuzzy Hash: 888992a4208b230175ce6d73e77d068aa645fb4743bca26239dcbf343f546b99
                        • Instruction Fuzzy Hash: F3E04631004108AFCB252F95CD4EF0C3B69EB40342F014012FD1986131CB36EE82DA96
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetLocaleInfoEx.KERNEL32(?,?,00C4A533,?,00000022,00000000,00000002,?,?,00C4831F,00000000,?,00000004,00C46FB1,?,00000004), ref: 00C4A393
                        • GetLocaleInfoW.KERNEL32(00000000,00000004,?,00C34619,?,?,00C4A533,?,00000022,00000000,00000002,?,?,00C4831F,00000000,?), ref: 00C4A39E
                        Similarity
                        • API ID: InfoLocale
                        • String ID:
                        • API String ID: 2299586839-0
                        • Opcode ID: 84bfc182172bc180fe2a937d42cc24b469b9c2356f6a6953819f021c92d5e369
                        • Instruction ID: 14cb8ab79b75d6a5e980f349f7603f3e387e55c71a74644ce4faed6891f76ea6
                        • Opcode Fuzzy Hash: 84bfc182172bc180fe2a937d42cc24b469b9c2356f6a6953819f021c92d5e369
                        • Instruction Fuzzy Hash: B9E08C36440268AB8F162F90EC08FAE7F29FF04B207040005F9040A130DB32D820ABE2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Similarity
                        • API ID:
                        • String ID: .\crypto\bn\bn_exp.c
                        • API String ID: 0-2073881893
                        • Opcode ID: 54a19065ef79305aaaa7a66ae59b5ae1e486182ee6eacdc5d755eb33c5bda5b8
                        • Instruction ID: 31e81b5e9fd060e4ebe00c441ae8c342492a7885a64065942f23c878db034c02
                        • Opcode Fuzzy Hash: 54a19065ef79305aaaa7a66ae59b5ae1e486182ee6eacdc5d755eb33c5bda5b8
                        • Instruction Fuzzy Hash: 74225C71E0020EABDF10DF98D881ABEB7F5FF58304F154165EA14E7252EB31AA59CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C68061,?,?,00000008,?,?,00C7356F,00000000), ref: 00C68293
                        Similarity
                        • API ID: ExceptionRaise
                        • String ID:
                        • API String ID: 3997070919-0
                        • Opcode ID: 148a466c1436d13ab4d47ce178deb714bfb2c3f4a7cca4fe3eb01a57fb7f00f4
                        • Instruction ID: 344ebfc5c76f51d4d4d97f42ebe51d546ee61a5edc6a33b58bfcbb86895e0fa8
                        • Opcode Fuzzy Hash: 148a466c1436d13ab4d47ce178deb714bfb2c3f4a7cca4fe3eb01a57fb7f00f4
                        • Instruction Fuzzy Hash: 02B14E31610609CFDB24CF28C4C6B697BE1FF45364F258658E8A9CF2A1C735EA86CB40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Similarity
                        • API ID:
                        • String ID: 0
                        • API String ID: 0-4108050209
                        • Opcode ID: 66fa2b07186db980a1b1e38087cf6fc38c768b6f087d93c78d6822ba58a053af
                        • Instruction ID: 04a8aa4a377c0dbf7df197c95ba0120805c332f4dc5c609c2e0e0109cdaec035
                        • Opcode Fuzzy Hash: 66fa2b07186db980a1b1e38087cf6fc38c768b6f087d93c78d6822ba58a053af
                        • Instruction Fuzzy Hash: 7651497C6006485BDB388A2984A67BE67D5DB43343F54002DFCA2D7282EE119FCD975D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Similarity
                        • API ID:
                        • String ID: 0
                        • API String ID: 0-4108050209
                        • Opcode ID: da76cfea936bba24a605a917524be7deecc1ba864916a74525a8c3516ab60cf3
                        • Instruction ID: eeea02a1a8584831402d4f2e53a184b0520d314cf89add5bb3a1a3fb6dd59620
                        • Opcode Fuzzy Hash: da76cfea936bba24a605a917524be7deecc1ba864916a74525a8c3516ab60cf3
                        • Instruction Fuzzy Hash: 88518C7E60064897DB388AA888957BE67DA9B1B387F14001EDC62E73C2C5119FCDD35D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0143fbb01e4cb802368a0b9f9344aaf815a2c6f2a28245d16c8935a4c8e93d81
                        • Instruction ID: 05d082330c416e67c06a532964af8df8e1104b9eb0c871c855bdc4d54a32604c
                        • Opcode Fuzzy Hash: 0143fbb01e4cb802368a0b9f9344aaf815a2c6f2a28245d16c8935a4c8e93d81
                        • Instruction Fuzzy Hash: CDF1B571344B058FC758DE5DDDA1B16F7E5AB88318F19C728919ACBB64E378F8068B80
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Similarity
                        • API ID: ErrorLastProcess_free$CurrentFeatureInfoLocalePresentProcessorTerminate
                        • String ID:
                        • API String ID: 4283097504-0
                        • Opcode ID: d7cf522bdf3a6bba98a69bae685a2f839deaec70321446edbf9d960fc3d0648f
                        • Instruction ID: a9be03d4cfe4685c5593b98e16a8c839eb2e7ca230e214d95b5a32e5271fbc4a
                        • Opcode Fuzzy Hash: d7cf522bdf3a6bba98a69bae685a2f839deaec70321446edbf9d960fc3d0648f
                        • Instruction Fuzzy Hash: 18B11775A007419BDB389F25CCD2BBBB3B8EF44308F14452DE953C6690EA74EA86DB11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2cc9c29ce088cc12921893793ff6fa94f77fee162caad1ee4fbd6955ad4ffa4c
                        • Instruction ID: a3be76511fecf5a05d47d083725a02240de9fed3b49f7a662eb2db6f7a38baf8
                        • Opcode Fuzzy Hash: 2cc9c29ce088cc12921893793ff6fa94f77fee162caad1ee4fbd6955ad4ffa4c
                        • Instruction Fuzzy Hash: 16619E766186068FD708CF18C8916AEB7E1FBC9304F445A2DF986CB350DB35EA05CB81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                        • Instruction ID: 38fa97fd828d770fa0c3b4ec70335ac147990abe777d90194cc1fff4b1c718bd
                        • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                        • Instruction Fuzzy Hash: 121108B724308143D6D48A2ED6F86B6A395FAC532072CA27AD1A14B778D522EA45A500
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 62%
                        			E00C48353(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                        				signed int _t65;
                        				signed char _t66;
                        				void* _t69;
                        				void* _t71;
                        				void* _t72;
                        				intOrPtr _t73;
                        				intOrPtr* _t74;
                        				void* _t80;
                        				void* _t82;
                        				void* _t83;
                        				void* _t85;
                        				void* _t86;
                        				void* _t88;
                        				void* _t89;
                        				intOrPtr* _t91;
                        				intOrPtr* _t94;
                        				void* _t106;
                        				intOrPtr* _t108;
                        				intOrPtr _t110;
                        				void* _t111;
                        				signed int _t117;
                        				void* _t118;
                        				signed int _t151;
                        				intOrPtr _t153;
                        				void* _t155;
                        				void* _t156;
                        				intOrPtr* _t157;
                        				void* _t158;
                        				void* _t159;
                        				void* _t160;
                        				void* _t161;
                        				void* _t162;
                        				intOrPtr* _t163;
                        				intOrPtr* _t164;
                        				void* _t165;
                        				intOrPtr _t166;
                        				intOrPtr* _t167;
                        				void* _t168;
                        				void* _t169;
                        				void* _t177;
                        				void* _t178;
                        				void* _t179;
                        				void* _t196;
                        
                        				L00C89968(0xc92630, __ebx, __edi, __esi, 8);
                        				_push(0);
                        				_push(0);
                        				_t65 = E00C4708F(__ebx, __edx, __edi, __esi);
                        				_t117 =  *(_t168 + 0x14);
                        				_t153 =  *((intOrPtr*)(_t168 + 0x10));
                        				_t151 = 1 << _t65 >> 1;
                        				if(( *(_t168 + 0xc) & 1) != 0) {
                        					_t110 = E00BAD456(0xce09b0);
                        					_t181 = _t117;
                        					if(_t117 != 0) {
                        						_push(_t117);
                        						_t166 = _t110;
                        						_t111 = L00C46AE0(_t117, _t151, _t153, _t166, __eflags);
                        						_push(_t166);
                        						_push(_t111);
                        						_push(_t153);
                        						L00C36F41(_t117, _t151, _t153, _t166);
                        						_t169 = _t169 + 0x10;
                        					} else {
                        						 *((intOrPtr*)(_t168 - 0x10)) = _t110;
                        						_t167 = E00C333E5(_t181, 0x10);
                        						 *((intOrPtr*)(_t168 - 0x14)) = _t167;
                        						_t182 = _t167;
                        						if(_t167 == 0) {
                        							_t167 = 0;
                        							__eflags = 0;
                        						} else {
                        							 *(_t167 + 4) =  *(_t167 + 4) & _t117;
                        							 *_t167 = 0xcb894c;
                        							 *((intOrPtr*)(_t167 + 8)) = E00C4A462(_t117, _t151, _t182, _t196);
                        							 *(_t167 + 0xc) = _t151;
                        						}
                        						_push( *((intOrPtr*)(_t168 - 0x10)));
                        						_push(_t167);
                        						_push(_t153);
                        						L00C36F41(_t117, _t151, _t153, _t167);
                        						_t169 = _t169 + 0xc;
                        					}
                        				}
                        				_t66 =  *(_t168 + 0xc);
                        				if((_t66 & 0x00000020) != 0) {
                        					_t165 = E00BAD456(0xce09b4);
                        					_t184 = _t117;
                        					if(_t117 != 0) {
                        						_push(_t117);
                        						_t106 = L00C46B75(_t117, _t153, _t165, __eflags);
                        						_push(_t165);
                        						_push(_t106);
                        						_push(_t153);
                        						L00C36F41(_t117, _t151, _t153, _t165);
                        						_t169 = _t169 + 0x10;
                        					} else {
                        						_t108 = E00C333E5(_t184, 8);
                        						 *((intOrPtr*)(_t168 - 0x14)) = _t108;
                        						if(_t108 == 0) {
                        							_t108 = 0;
                        							__eflags = 0;
                        						} else {
                        							 *(_t108 + 4) =  *(_t108 + 4) & _t117;
                        							 *_t108 = 0xcb8968;
                        						}
                        						_push(_t165);
                        						_push(_t108);
                        						_push(_t153);
                        						L00C36F41(_t117, _t151, _t153, _t165);
                        						_t169 = _t169 + 0xc;
                        					}
                        					_t66 =  *(_t168 + 0xc);
                        				}
                        				if((_t66 & 0x00000004) != 0) {
                        					_t158 = E00BAD456(0xce09b8);
                        					_t187 = _t117;
                        					if(_t117 != 0) {
                        						_push(_t117);
                        						_t80 = L00C46C0A(_t117, _t153, _t158, __eflags);
                        						_push(_t158);
                        						_push(_t80);
                        						_push(_t153);
                        						L00C36F41(_t117, _t151, _t153, _t158);
                        						_t82 = E00BAD456(0xce09bc);
                        						_push(_t117);
                        						_t159 = _t82;
                        						_t83 = L00C46C9F(_t117, _t153, _t159, __eflags);
                        						_push(_t159);
                        						_push(_t83);
                        						_push(_t153);
                        						L00C36F41(_t117, _t151, _t153, _t159);
                        						_t85 = E00BAD456(0xce09c0);
                        						_push(_t117);
                        						_t160 = _t85;
                        						_t86 = L00C46DC9(_t117, _t153, _t160, __eflags);
                        						_push(_t160);
                        						_push(_t86);
                        						_push(_t153);
                        						L00C36F41(_t117, _t151, _t153, _t160);
                        						_t88 = E00BAD456(0xce09c4);
                        						_push(_t117);
                        						_t161 = _t88;
                        						_t89 = L00C46D34(_t117, _t153, _t161, __eflags);
                        						_push(_t161);
                        						_push(_t89);
                        						_push(_t153);
                        						L00C36F41(_t117, _t151, _t153, _t161);
                        						_t169 = _t169 + 0x40;
                        					} else {
                        						_t91 = E00C333E5(_t187, 8);
                        						 *((intOrPtr*)(_t168 - 0x14)) = _t91;
                        						_t188 = _t91;
                        						if(_t91 == 0) {
                        							_t91 = 0;
                        							__eflags = 0;
                        						} else {
                        							 *(_t91 + 4) =  *(_t91 + 4) & _t117;
                        							 *_t91 = 0xcb8984;
                        						}
                        						_push(_t158);
                        						_push(_t91);
                        						_push(_t153);
                        						L00C36F41(_t117, _t151, _t153, _t158);
                        						_t177 = _t169 + 0xc;
                        						_t162 = E00BAD456(0xce09bc);
                        						_t94 = E00C333E5(_t188, 8);
                        						 *((intOrPtr*)(_t168 - 0x14)) = _t94;
                        						_t189 = _t94;
                        						if(_t94 == 0) {
                        							_t94 = 0;
                        							__eflags = 0;
                        						} else {
                        							 *(_t94 + 4) =  *(_t94 + 4) & 0x00000000;
                        							 *_t94 = 0xcb899c;
                        						}
                        						_push(_t162);
                        						_push(_t94);
                        						_push(_t153);
                        						L00C36F41(_t117, _t151, _t153, _t162);
                        						_t178 = _t177 + 0xc;
                        						 *((intOrPtr*)(_t168 - 0x10)) = E00BAD456(0xce09c0);
                        						_t163 = E00C333E5(_t189, 0x58);
                        						 *((intOrPtr*)(_t168 - 0x14)) = _t163;
                        						 *(_t168 - 4) = 7;
                        						_t190 = _t163;
                        						if(_t163 == 0) {
                        							_t163 = 0;
                        							__eflags = 0;
                        						} else {
                        							 *((intOrPtr*)(_t163 + 4)) = 0;
                        							_push(0);
                        							_push( *((intOrPtr*)(_t168 + 8)));
                        							 *(_t168 - 4) = 8;
                        							 *_t163 = 0xcb89b4;
                        							 *((char*)(_t163 + 0x28)) = 0;
                        							E00C48227(_t117, _t163, _t151, _t153, _t163, _t190);
                        							 *_t163 = 0xcb89e8;
                        						}
                        						_push( *((intOrPtr*)(_t168 - 0x10)));
                        						 *(_t168 - 4) =  *(_t168 - 4) | 0xffffffff;
                        						_push(_t163);
                        						_push(_t153);
                        						L00C36F41(_t117, _t151, _t153, _t163);
                        						_t179 = _t178 + 0xc;
                        						 *((intOrPtr*)(_t168 - 0x10)) = E00BAD456(0xce09c4);
                        						_t164 = E00C333E5(_t190, 0x58);
                        						 *((intOrPtr*)(_t168 - 0x14)) = _t164;
                        						 *(_t168 - 4) = 0xd;
                        						_t191 = _t164;
                        						if(_t164 == 0) {
                        							_t164 = 0;
                        							__eflags = 0;
                        						} else {
                        							 *(_t164 + 4) =  *(_t164 + 4) & 0x00000000;
                        							_push(0);
                        							_push( *((intOrPtr*)(_t168 + 8)));
                        							 *(_t168 - 4) = 0xe;
                        							 *_t164 = 0xcb89b4;
                        							 *((char*)(_t164 + 0x28)) = 1;
                        							E00C48227(_t117, _t164, _t151, _t153, _t164, _t191);
                        							 *_t164 = 0xcb8a1c;
                        						}
                        						_push( *((intOrPtr*)(_t168 - 0x10)));
                        						 *(_t168 - 4) =  *(_t168 - 4) | 0xffffffff;
                        						_push(_t164);
                        						_push(_t153);
                        						L00C36F41(_t117, _t151, _t153, _t164);
                        						_t169 = _t179 + 0xc;
                        					}
                        					_t66 =  *(_t168 + 0xc);
                        				}
                        				if((_t66 & 0x00000010) != 0) {
                        					_t155 = E00BAD456(0xce09c8);
                        					_t193 = _t117;
                        					if(_t117 != 0) {
                        						_push(_t117);
                        						_t69 = L00C46E5E(_t117, _t153, _t155, __eflags);
                        						_push(_t155);
                        						_push(_t69);
                        						_push(_t153);
                        						L00C36F41(_t117, _t151, _t153, _t155);
                        						_t71 = E00BAD456(0xce09cc);
                        						_push(_t117);
                        						_t156 = _t71;
                        						_t72 = L00C46EF3(_t117, _t153, _t156, __eflags);
                        						_push(_t156);
                        						_push(_t72);
                        						_push(_t153);
                        						_t66 = L00C36F41(_t117, _t151, _t153, _t156);
                        					} else {
                        						_t73 = E00C333E5(_t193, 0x44);
                        						 *((intOrPtr*)(_t168 - 0x14)) = _t73;
                        						 *(_t168 - 4) = 0x12;
                        						_t194 = _t73;
                        						if(_t73 == 0) {
                        							_t74 = 0;
                        							__eflags = 0;
                        						} else {
                        							_push(_t117);
                        							_push( *((intOrPtr*)(_t168 + 8)));
                        							_t74 = L00C46F88(_t73, _t155);
                        						}
                        						 *(_t168 - 4) =  *(_t168 - 4) | 0xffffffff;
                        						_push(_t155);
                        						_push(_t74);
                        						_push(_t153);
                        						L00C36F41(_t117, _t151, _t153, _t155);
                        						_t118 = E00BAD456(0xce09cc);
                        						_t157 = E00C333E5(_t194, 0xc);
                        						 *((intOrPtr*)(_t168 - 0x14)) = _t157;
                        						_t195 = _t157;
                        						if(_t157 == 0) {
                        							_t157 = 0;
                        							__eflags = 0;
                        						} else {
                        							 *(_t157 + 4) =  *(_t157 + 4) & 0x00000000;
                        							 *_t157 = 0xcb8a7c;
                        							 *(_t157 + 8) =  *(_t157 + 8) & 0x00000000;
                        							E00C4832A(_t118, _t153, _t195,  *((intOrPtr*)(_t168 + 8)));
                        						}
                        						_push(_t118);
                        						_push(_t157);
                        						_push(_t153);
                        						_t66 = L00C36F41(_t118, _t151, _t153, _t157);
                        					}
                        				}
                        				return L00C89931(_t66);
                        			}

                        APIs
                        • collate.LIBCPMT ref: 00C48363
                          • Part of subcall function 00C4708F: __EH_prolog3_GS.LIBCMT ref: 00C47096
                          • Part of subcall function 00C4708F: __Getcoll.LIBCPMT ref: 00C470FA
                          • Part of subcall function 00C4708F: std::_Locinfo::~_Locinfo.LIBCPMT ref: 00C47116
                        • __Getcoll.LIBCPMT ref: 00C483A9
                        • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00C483BD
                        • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00C483D2
                        • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00C48423
                        • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00C48558
                        • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00C4856B
                        • int.LIBCPMT ref: 00C48578
                        • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00C48588
                        • int.LIBCPMT ref: 00C48595
                        • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00C485A5
                        • int.LIBCPMT ref: 00C485B2
                        • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00C485C2
                        • int.LIBCPMT ref: 00C48383
                          • Part of subcall function 00BAD456: std::_Lockit::_Lockit.LIBCPMT ref: 00BAD467
                          • Part of subcall function 00BAD456: std::_Lockit::~_Lockit.LIBCPMT ref: 00BAD481
                        • int.LIBCPMT ref: 00C483E6
                        • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00C48410
                        • int.LIBCPMT ref: 00C4843B
                        • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00C48469
                        • int.LIBCPMT ref: 00C48476
                        • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00C4849D
                        • int.LIBCPMT ref: 00C484AA
                        • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00C484FA
                        • int.LIBCPMT ref: 00C48507
                        • int.LIBCPMT ref: 00C485DA
                        • numpunct.LIBCPMT ref: 00C48601
                        • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00C48611
                        • int.LIBCPMT ref: 00C4861E
                        • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00C48655
                        • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00C48668
                        • int.LIBCPMT ref: 00C48675
                        • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00C48685
                        Similarity
                        • API ID: AddfacLocimp::_Locimp_std::locale::_$std::_$GetcollLockit$H_prolog3_LocinfoLocinfo::~_Lockit::_Lockit::~_collatenumpunct
                        • String ID:
                        • API String ID: 2624756498-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 84%
                        			E00BAA7EB(void* __ebx, struct HINSTANCE__* __ecx, void* __edx, void* __edi, void* __esi, void* __ebp, void* __eflags, intOrPtr _a8, struct HINSTANCE__* _a20, WCHAR* _a40, struct tagMSG _a48, short _a76, char _a84, signed int _a8272, signed int _a8276, struct HWND__** _a8292, intOrPtr _a8296, intOrPtr _a8300, intOrPtr _a8304) {
                        				struct _WNDCLASSEXW _v0;
                        				signed int _t22;
                        				void* _t25;
                        				WCHAR* _t26;
                        				struct HWND__** _t61;
                        				void* _t82;
                        				struct HINSTANCE__* _t85;
                        				struct HWND__* _t87;
                        				WCHAR* _t92;
                        				signed int _t94;
                        				void* _t96;
                        
                        				_t96 = __eflags;
                        				E00C33550();
                        				_t22 =  *0xcdaf54; // 0x8a028f78
                        				_a8276 = _t22 ^ _t94;
                        				_t61 = _a8292;
                        				_t85 = __ecx;
                        				 *0xce9ba0 = 0xce13f0;
                        				_t82 = __edx;
                        				_t25 = E00BA9179(_t96, E00BA91D6(0xcc5af0), __edi);
                        				__imp__OleInitialize(0, __esi, __ebp, __ebx);
                        				if(_t25 != 0) {
                        					_t26 = E00BA91D6(L"CPPMP");
                        					__eflags = MessageBoxW(0, E00BA91D6(0xcc5b30), _t26, 0) | 0xffffffff;
                        				} else {
                        					_push(0x30);
                        					L00C4BBB0(_t82,  &_v0, _t25, 0);
                        					_t94 = _t94 + 0xc;
                        					_v0.cbSize = 0;
                        					_a20 = _t85;
                        					_t92 = L"Notification";
                        					_a8 = E00BA9666;
                        					_a40 = _t92;
                        					RegisterClassExW( &_v0);
                        					_t87 = CreateWindowExW(0, _t92, E00BA91D6(0xcc5b10), 0x86080080, 0, 0, 0, 0, 0, 0, _t85, 0);
                        					if(_t87 != 0) {
                        						SetWindowLongW(_t87, 0xffffffec, GetWindowLongW(_t87, 0xfffffff0));
                        						SetWindowPos(_t87, 0xffffffff,  &(_a8292[5]), _a8296 + 0x14, _a8300 - _a8292, _a8304 - _a8296, 0x80);
                        						L00C4AF80(_t82, 0x3f);
                        						_t75 =  !=  ? L"$esgb;" : L"=esgb;";
                        						wsprintfW( &_a76, L"%ws%ws%ws", _t82, E00BA91D6( !=  ? L"$esgb;" : L"=esgb;"),  *0xce9ba0);
                        						_t94 = _t94 + 0x14;
                        						E00BA9456(_t87,  &_a84);
                        						UpdateWindow(_t87);
                        						 *_t61 = _t87;
                        					}
                        					if(GetMessageW( &_a48, 0, 0, 0) == 1) {
                        						TranslateMessage( &_a48);
                        						DispatchMessageW( &_a48);
                        					}
                        					__imp__OleUninitialize();
                        				}
                        				return L00C32D6C(_a8272 ^ _t94);
                        			}

                        APIs
                        • OleInitialize.OLE32(00000000), ref: 00BAA830
                        • RegisterClassExW.USER32 ref: 00BAA86E
                        • CreateWindowExW.USER32 ref: 00BAA892
                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00BAA8A5
                        • SetWindowLongW.USER32 ref: 00BAA8AF
                        • SetWindowPos.USER32(00000000,000000FF,00000008,00000008,?,?,00000080,?,00000000), ref: 00BAA8E7
                        • wsprintfW.USER32 ref: 00BAA91D
                          • Part of subcall function 00BA9456: GetWindowLongW.USER32(?,000000EB), ref: 00BA9462
                          • Part of subcall function 00BA9456: VariantInit.OLEAUT32(?), ref: 00BA9480
                          • Part of subcall function 00BA9456: SysAllocString.OLEAUT32 ref: 00BA948E
                        • UpdateWindow.USER32(00000000), ref: 00BAA932
                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BAA942
                        • TranslateMessage.USER32(?), ref: 00BAA952
                        • DispatchMessageW.USER32 ref: 00BAA95D
                        • OleUninitialize.OLE32(?,00000000), ref: 00BAA963
                        • MessageBoxW.USER32(00000000,00000000,00000000,00000000), ref: 00BAA985
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: Window$Message$Long$AllocClassCreateDispatchInitInitializeRegisterStringTranslateUninitializeUpdateVariantwsprintf
                        • String ID: $esgb;$%ws%ws%ws$20D83542-CB48-FFC7-AA5E-D037A04953D7$=esgb;$CPPMP$Notification
                        • API String ID: 2690704239-3043426325
                        • Opcode ID: 9eb0e61b3aa2e647a7bb494ec68332536c1b44dac11d8eca567dfd910cd66a11
                        • Instruction ID: cd32769551988fdbf7f154b9e0872db988b6d8e66d761c8b821448385d002a82
                        • Opcode Fuzzy Hash: 9eb0e61b3aa2e647a7bb494ec68332536c1b44dac11d8eca567dfd910cd66a11
                        • Instruction Fuzzy Hash: 0141A071508605AFCB28AF65DC4DF6F7BECFF85750F40061AF906D2151DA30A805CB62
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 85%
                        			E00BCF4CF(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                        				short* _t156;
                        				intOrPtr* _t157;
                        				intOrPtr _t164;
                        				signed short** _t180;
                        				signed int _t181;
                        				signed short** _t185;
                        				signed int _t186;
                        				void* _t188;
                        				void* _t190;
                        				signed int _t194;
                        				intOrPtr _t203;
                        				struct HWND__* _t210;
                        				intOrPtr _t214;
                        				signed int _t221;
                        				signed int _t226;
                        				signed int _t234;
                        				intOrPtr* _t237;
                        				intOrPtr* _t238;
                        				void* _t255;
                        				signed short* _t257;
                        				void* _t260;
                        				signed short* _t262;
                        				void* _t312;
                        				intOrPtr _t313;
                        				signed int* _t314;
                        				signed int* _t315;
                        				short* _t317;
                        				int _t318;
                        				int _t320;
                        				intOrPtr _t322;
                        				int _t323;
                        				void* _t325;
                        				void* _t327;
                        				intOrPtr _t328;
                        				int _t329;
                        				int _t330;
                        				int _t331;
                        				int _t332;
                        				int _t333;
                        				int _t334;
                        				void* _t335;
                        				void* _t336;
                        				int _t337;
                        				void* _t338;
                        				void* _t339;
                        				void* _t342;
                        				int _t357;
                        
                        				_t342 = __eflags;
                        				_t312 = __edx;
                        				_t238 = __ecx;
                        				L00C8999C(0xc90710, __ebx, __edi, __esi, 0x48);
                        				_t237 = _t238;
                        				 *((intOrPtr*)(_t335 - 0x44)) = _t237;
                        				 *((intOrPtr*)(_t335 - 0x40)) = _t237;
                        				_t322 =  *0xce19b8; // 0xb90000
                        				L00BCF9F2(_t237 + 4);
                        				L00BCF9F2(_t237 + 0x92c);
                        				 *((short*)(_t237 + 0x1284)) = 0;
                        				L00C4BBB0(__edi, _t237 + 0x1286, 0, 0x1fe);
                        				_t337 = _t336 + 0xc;
                        				E00BD55F9(_t312, _t342);
                        				 *((intOrPtr*)(_t237 + 0x1490)) = 0x2710;
                        				_t317 = _t237 + 0x14a0;
                        				 *((intOrPtr*)(_t237 + 0x1494)) = 0xdbba0;
                        				 *((intOrPtr*)(_t237 + 0x1498)) = 0;
                        				 *((intOrPtr*)(_t237 + 0x149c)) = 0;
                        				_t313 = 7;
                        				 *((intOrPtr*)(_t317 + 0x10)) = 0;
                        				 *((intOrPtr*)(_t317 + 0x14)) = _t313;
                        				 *_t317 = 0;
                        				_t156 = _t237 + 0x14b8;
                        				 *((intOrPtr*)(_t335 - 4)) = 0;
                        				 *((intOrPtr*)(_t156 + 0x10)) = 0;
                        				 *((intOrPtr*)(_t156 + 0x14)) = _t313;
                        				 *_t156 = 0;
                        				 *((char*)(_t335 - 4)) = 1;
                        				_t157 = E00BD55F9(_t313, _t342);
                        				 *0xce19bc =  *0xce19bc | 0xffffffff;
                        				_push(L"Qr_prKclsCvncpgclacFmqr,cvc");
                        				 *(_t237 + 0x1278) =  *(_t237 + 0x1278) & 0x00000000;
                        				 *(_t237 + 0x14d8) =  *(_t237 + 0x14d8) | 0xffffffff;
                        				 *((intOrPtr*)(_t237 + 0x1254)) = _t322;
                        				_t323 = 0;
                        				 *((intOrPtr*)(_t237 + 0x1498)) =  *_t157;
                        				 *((intOrPtr*)(_t237 + 0x149c)) =  *((intOrPtr*)(_t157 + 4));
                        				 *((intOrPtr*)(_t237 + 0x1260)) = 0;
                        				 *((intOrPtr*)(_t237 + 0x1258)) = 0;
                        				 *((intOrPtr*)(_t237 + 0x125c)) = 0;
                        				 *_t237 = 0;
                        				E00BCC079(_t237, _t335 - 0x44, _t313, _t317, 0);
                        				_push(L"QfcjjCvncpgclacFmqr,cvc");
                        				 *((char*)(_t335 - 4)) = 2;
                        				E00BCC079(_t237, _t335 - 0x54, _t313, _t317, 0);
                        				_push(L"cvnjmpcp,cvc");
                        				 *((char*)(_t335 - 4)) = 3;
                        				E00BCC079(_t237, _t335 - 0x50, _t313, _t317, 0);
                        				_push(L"Qc_paf?nn,cvc");
                        				 *((char*)(_t335 - 4)) = 4;
                        				E00BCC079(_t237, _t335 - 0x4c, _t313, _t317, 0);
                        				_push(L"Qc_pafSG,cvc");
                        				_t249 = _t335 - 0x48;
                        				 *((char*)(_t335 - 4)) = 5;
                        				E00BCC079(_t237, _t335 - 0x48, _t313, _t317, 0);
                        				 *((char*)(_t335 - 4)) = 6;
                        				_t164 =  *0xce13e4; // 0x3
                        				if(_t164 != 3) {
                        					__eflags = _t164;
                        					if(_t164 != 0) {
                        						goto L9;
                        					}
                        					_t330 = _t337;
                        					 *(_t335 - 0x30) = _t330;
                        					_t214 = L00BADF62( *((intOrPtr*)(_t335 - 0x50)) - 0x10, _t317, _t249) + 0x10;
                        					__eflags = _t214;
                        					 *_t330 = _t214;
                        					_push(L00BBEA69(_t237, _t335 - 0x30, _t317, _t330));
                        					 *((char*)(_t335 - 4)) = 0xb;
                        					 *(_t237 + 0x14d8) = L00BD4F08(_t237, _t313, _t317, _t330);
                        					goto L7;
                        				} else {
                        					_t331 = _t337;
                        					 *(_t335 - 0x30) = _t331;
                        					 *_t331 = L00BADF62( *((intOrPtr*)(_t335 - 0x44)) - 0x10, _t317, _t249) + 0x10;
                        					_push(L00BBEA69(_t237, _t335 - 0x30, _t317, _t331));
                        					 *((char*)(_t335 - 4)) = 7;
                        					_t221 = L00BD4F08(_t237, _t313, _t317, _t331);
                        					 *((char*)(_t335 - 4)) = 6;
                        					_t296 =  *(_t335 - 0x30) + 0xfffffff0;
                        					 *(_t237 + 0x14d8) = _t221;
                        					E00BAE6AB(_t221,  *(_t335 - 0x30) + 0xfffffff0);
                        					if( *(_t237 + 0x14d8) == 0xffffffff) {
                        						_t334 = _t337;
                        						 *(_t335 - 0x30) = _t334;
                        						 *_t334 = L00BADF62( *((intOrPtr*)(_t335 - 0x54)) - 0x10, _t317, _t296) + 0x10;
                        						_push(L00BBEA69(_t237, _t335 - 0x30, _t317, _t334));
                        						 *((char*)(_t335 - 4)) = 8;
                        						_t234 = L00BD4F08(_t237, _t313, _t317, _t334);
                        						 *((char*)(_t335 - 4)) = 6;
                        						_t296 =  *(_t335 - 0x30) + 0xfffffff0;
                        						 *(_t237 + 0x14d8) = _t234;
                        						E00BAE6AB(_t234,  *(_t335 - 0x30) + 0xfffffff0);
                        					}
                        					_t332 = _t337;
                        					 *(_t335 - 0x30) = _t332;
                        					 *_t332 = L00BADF62( *((intOrPtr*)(_t335 - 0x4c)) - 0x10, _t317, _t296) + 0x10;
                        					_push(L00BBEA69(_t237, _t335 - 0x30, _t317, _t332));
                        					 *((char*)(_t335 - 4)) = 9;
                        					_t226 = L00BD4F08(_t237, _t313, _t317, _t332);
                        					 *((char*)(_t335 - 4)) = 6;
                        					_t302 =  *(_t335 - 0x30) + 0xfffffff0;
                        					 *0xce19bc = _t226;
                        					E00BAE6AB(_t226,  *(_t335 - 0x30) + 0xfffffff0);
                        					if( *0xce19bc != 0xffffffff) {
                        						L8:
                        						_t323 = 0;
                        						L9:
                        						E00BAC468(L"frrn8--na_nn,qrmpc-_nnqrmpc+kcls-");
                        						E00BAC468(L"frrnq8--na_nn,qrmpc-qc_paf+kcls-");
                        						L00BD1CCF(_t237, _t237, _t317, _t323, 0);
                        						 *((intOrPtr*)(_t237 + 0x1260)) = E00BD046E(_t237, _t317, _t335);
                        						 *((intOrPtr*)(_t237 + 0x1270)) = 0x1010101;
                        						_push(_t335 - 0x3c);
                        						 *((char*)(_t237 + 0x1274)) = 1;
                        						 *(_t237 + 0x14d0) = _t323;
                        						 *(_t237 + 0x14d4) = _t323;
                        						L00BD1B6E(_t237, _t237, _t317, _t323, 0);
                        						if( *_t237 == _t323) {
                        							__imp__CoInitialize(_t323);
                        							__imp__CoCreateInstance(0xcb6bb4, _t323, 1, 0xcb6ba4, _t237);
                        						}
                        						_t318 = GetSystemMetrics(1);
                        						 *(_t335 - 0x1c) = _t323;
                        						 *(_t335 - 0x18) = 7;
                        						 *(_t335 - 0x2c) = 0;
                        						E00BAC468(0xcc99fc);
                        						 *((char*)(_t335 - 4)) = 0xc;
                        						SetRect(_t237 + 0x908, 0x64, _t323, 0x258, _t318);
                        						SetRect(_t237 + 0x918, 0x64, 0, 0x2bc, _t318);
                        						_t338 = _t337 - 0x18;
                        						_t255 = _t338;
                        						 *((intOrPtr*)(_t255 + 0x10)) = 0;
                        						 *((intOrPtr*)(_t255 + 0x14)) = 0;
                        						E00BAC48D(_t335 - 0x2c, _t255, _t335 - 0x2c);
                        						_t180 = L00BBEA0A(_t237, _t335 - 0x30, 0, SetRect);
                        						_t339 = _t338 + 0x18;
                        						_t314 = _t237 + 4;
                        						_t257 =  *_t180;
                        						_t325 = 2;
                        						do {
                        							_t181 =  *_t257 & 0x0000ffff;
                        							_t257 = _t257 + SetRect;
                        							 *_t314 = _t181;
                        							_t314 = _t314 + SetRect;
                        						} while (_t181 != 0);
                        						E00BAE6AB(_t181,  *(_t335 - 0x30) - 0x10);
                        						_t260 = _t339 - 0x18;
                        						 *((intOrPtr*)(_t260 + 0x10)) = 0;
                        						 *((intOrPtr*)(_t260 + 0x14)) = 0;
                        						E00BAC48D(_t237 + 0x14a0, _t260, _t237 + 0x14a0);
                        						_t185 = L00BBEA0A(_t237, _t335 - 0x30, 0, _t325);
                        						_t315 = _t237 + 0x104;
                        						_t262 =  *_t185;
                        						do {
                        							_t186 =  *_t262 & 0x0000ffff;
                        							_t262 = _t262 + SetRect;
                        							 *_t315 = _t186;
                        							_t315 = _t315 + SetRect;
                        						} while (_t186 != 0);
                        						_t264 =  *(_t335 - 0x30) + 0xfffffff0;
                        						E00BAE6AB(_t186,  *(_t335 - 0x30) + 0xfffffff0);
                        						_t188 = _t237 + 4;
                        						_t320 = _t335 - 0x3c;
                        						asm("movsd");
                        						asm("movsd");
                        						asm("movsd");
                        						asm("movsd");
                        						if( *(_t335 - 0x3c) >= 0) {
                        							_t328 =  *((intOrPtr*)(_t335 - 0x34));
                        							if(_t328 >= 0) {
                        								_t320 =  *(_t335 - 0x30);
                        								if(_t320 >= 0) {
                        									_t355 =  *(_t335 - 0x38);
                        									if( *(_t335 - 0x38) >= 0) {
                        										_t264 = _t237;
                        										L00BD3E4B(_t237, _t355, _t188);
                        										_t210 =  *(_t237 + 0x904);
                        										if(_t210 != 0) {
                        											_t320 = _t320 -  *(_t335 - 0x38);
                        											_t329 = _t328 -  *(_t335 - 0x3c);
                        											_t357 = _t329;
                        											SetWindowPos(_t210, 0,  *(_t335 - 0x3c),  *(_t335 - 0x38), _t329, _t320, 0x80);
                        											_t264 = _t237 + 4;
                        											E00BD025B(_t237 + 4);
                        										}
                        									}
                        								}
                        							}
                        						}
                        						_t327 = L00BD0A47(_t237, _t264);
                        						_t190 = E00BBEC2D(_t237, _t315, _t320, _t327, _t357);
                        						_t358 = _t190;
                        						if(_t190 == 0) {
                        							 *((intOrPtr*)(_t237 + 0x1494)) = 0xea60;
                        						} else {
                        							_push( *((intOrPtr*)(_t237 + 0x910)) -  *(_t237 + 0x908));
                        							_push(_t327);
                        							L00BD29A4(_t237, _t237, _t315, _t320, _t327, _t358);
                        						}
                        						L00BD2964(_t237);
                        						ShowWindow( *(_t237 + 0x904), 5);
                        						UpdateWindow( *(_t237 + 0x904));
                        						_t194 =  *(_t335 - 0x18);
                        						if(_t194 >= 8) {
                        							_t277 =  *(_t335 - 0x2c);
                        							_t203 = 2 + _t194 * 2;
                        							 *((intOrPtr*)(_t335 - 0x40)) = _t203;
                        							 *(_t335 - 0x30) =  *(_t335 - 0x2c);
                        							if(_t203 >= 0x1000) {
                        								E00BAE6CD(_t237, _t320, _t335, _t335 - 0x30, _t335 - 0x40);
                        								_t203 =  *((intOrPtr*)(_t335 - 0x40));
                        								_t277 =  *(_t335 - 0x30);
                        							}
                        							_push(_t203);
                        							L00C32F7D(_t277);
                        						}
                        						 *(_t335 - 0x1c) =  *(_t335 - 0x1c) & 0x00000000;
                        						 *(_t335 - 0x18) = 7;
                        						 *(_t335 - 0x2c) = 0;
                        						E00BAE6AB(E00BAE6AB(E00BAE6AB(E00BAE6AB(E00BAE6AB(0,  *((intOrPtr*)(_t335 - 0x48)) - 0x10),  *((intOrPtr*)(_t335 - 0x4c)) - 0x10),  *((intOrPtr*)(_t335 - 0x50)) - 0x10),  *((intOrPtr*)(_t335 - 0x54)) + 0xfffffff0),  *((intOrPtr*)(_t335 - 0x44)) + 0xfffffff0);
                        						return L00C89946(_t237, _t237, _t320, _t327);
                        					} else {
                        						_t333 = _t337;
                        						 *(_t335 - 0x30) = _t333;
                        						 *_t333 = L00BADF62( *((intOrPtr*)(_t335 - 0x48)) - 0x10, _t317, _t302) + 0x10;
                        						_push(L00BBEA69(_t237, _t335 - 0x30, _t317, _t333));
                        						 *((char*)(_t335 - 4)) = 0xa;
                        						 *0xce19bc = L00BD4F08(_t237, _t313, _t317, _t333);
                        						L7:
                        						 *((char*)(_t335 - 4)) = 6;
                        						E00BAE6AB(_t216,  *(_t335 - 0x30) - 0x10);
                        						goto L8;
                        					}
                        				}
                        			}

                        APIs
                        • __EH_prolog3_GS.LIBCMT ref: 00BCF4D6
                          • Part of subcall function 00BD55F9: __alldvrm.LIBCMT ref: 00BD5615
                          • Part of subcall function 00BD55F9: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BD5633
                        • CoInitialize.OLE32(00000000), ref: 00BCF7B8
                        • CoCreateInstance.OLE32(00CB6BB4,00000000,00000001,00CB6BA4), ref: 00BCF7CC
                        • GetSystemMetrics.USER32 ref: 00BCF7D4
                        • SetRect.USER32 ref: 00BCF813
                        • SetRect.USER32 ref: 00BCF827
                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000080,0000000C), ref: 00BCF900
                          • Part of subcall function 00BD29A4: __EH_prolog3_GS.LIBCMT ref: 00BD29AE
                          • Part of subcall function 00BD2964: MoveWindow.USER32(?,FFFFB1E0,FFFFB1E0,?,?,00000001,00000000,00BCF949), ref: 00BD2990
                          • Part of subcall function 00BD2964: UpdateWindow.USER32(?), ref: 00BD299C
                        • ShowWindow.USER32(?,00000005), ref: 00BCF951
                        • UpdateWindow.USER32(?), ref: 00BCF95D
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: Window$H_prolog3_RectUpdate$CreateInitializeInstanceMetricsMoveShowSystemUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
                        • String ID: Qc_paf?nn,cvc$Qc_pafSG,cvc$QfcjjCvncpgclacFmqr,cvc$Qr_prKclsCvncpgclacFmqr,cvc$`$cvnjmpcp,cvc$frrn8--na_nn,qrmpc-_nnqrmpc+kcls-$frrnq8--na_nn,qrmpc-qc_paf+kcls-
                        • API String ID: 2603940401-2944111864
                        • Opcode ID: 5bac0018493214bf4fae4718f49b61387fa1766af0595bb1617b2c5155a7eff7
                        • Instruction ID: 90ac96d4c3184311a24e8d80d2a1624fab781b1abec13b1e93a55feb137b2251
                        • Opcode Fuzzy Hash: 5bac0018493214bf4fae4718f49b61387fa1766af0595bb1617b2c5155a7eff7
                        • Instruction Fuzzy Hash: 2BF18A70910245DFCF04EFA8D895BEDBBB5BF55304F1405AEF819AB292EB709905CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 86%
                        			E00BC5202(void* __ebx, signed int __ecx, char __edx, void* __edi, void* __esi, void* __eflags) {
                        				char _v4;
                        				signed int _v24;
                        				signed int _v40;
                        				char _v60;
                        				char _v64;
                        				intOrPtr _v80;
                        				signed int _v84;
                        				char _v92;
                        				char _v96;
                        				char _v100;
                        				intOrPtr _v104;
                        				intOrPtr _v108;
                        				char _v112;
                        				intOrPtr _v116;
                        				signed int _v120;
                        				char _v124;
                        				char _v136;
                        				char _v164;
                        				char _v176;
                        				char _v188;
                        				char _v192;
                        				char _v196;
                        				intOrPtr _v204;
                        				void* _v212;
                        				char _v216;
                        				char _v220;
                        				char _v224;
                        				char _v228;
                        				char _v232;
                        				intOrPtr _v236;
                        				short _v536;
                        				signed int _v540;
                        				int _v544;
                        				char _v548;
                        				short _v560;
                        				signed int _v564;
                        				int _v568;
                        				char _v584;
                        				signed int _v588;
                        				int _v592;
                        				char _v608;
                        				signed int _v612;
                        				int _v616;
                        				signed int _v632;
                        				signed int _v636;
                        				CHAR* _v640;
                        				char _v644;
                        				signed int _v648;
                        				signed int _v652;
                        				void* _v656;
                        				char _v660;
                        				char _v664;
                        				short** _t227;
                        				long _t228;
                        				void* _t229;
                        				signed int _t232;
                        				signed int _t234;
                        				CHAR* _t236;
                        				CHAR* _t240;
                        				intOrPtr* _t268;
                        				void* _t271;
                        				signed int _t279;
                        				signed int _t282;
                        				signed int _t284;
                        				signed int _t289;
                        				char _t295;
                        				char* _t296;
                        				intOrPtr* _t301;
                        				void* _t302;
                        				signed int _t310;
                        				signed int _t323;
                        				signed int _t342;
                        				char _t346;
                        				void* _t356;
                        				signed int _t359;
                        				void* _t364;
                        				void* _t384;
                        				void* _t391;
                        				void* _t396;
                        				void* _t401;
                        				short* _t416;
                        				void* _t418;
                        				char* _t429;
                        				signed int _t468;
                        				int _t469;
                        				signed int _t475;
                        				signed int _t476;
                        				signed int _t477;
                        				intOrPtr _t478;
                        				void* _t482;
                        				signed int _t483;
                        				void* _t485;
                        				void* _t486;
                        				signed int _t487;
                        				void* _t492;
                        				signed int _t494;
                        				void* _t495;
                        				signed int _t496;
                        				void* _t514;
                        
                        				_t459 = __edx;
                        				_t359 = __ecx;
                        				L00C8999C(0xc8f2b8, __ebx, __edi, __esi, 0x28c);
                        				_t355 = __edx;
                        				_t468 = _t359;
                        				_v612 = 7;
                        				_v632 = 0;
                        				_v616 = 0;
                        				E00BAC468(L"Qmdru_pcZZNA?nnQrmpc");
                        				_v4 = 0;
                        				_v592 = 0;
                        				_v588 = 7;
                        				_v608 = 0;
                        				E00BAC468(L"_srm]qr_pr]ml");
                        				_push(L"npmbsar");
                        				_v4 = 1;
                        				E00BCC079(_t355,  &_v664, _t459, _t468, 0);
                        				_push(L"qcrrgleq]_nnjw");
                        				_v4 = 2;
                        				E00BCC079(_t355,  &_v660, _t459, _t468, 0);
                        				_v4 = 3;
                        				_t486 = _t485 - 0x18;
                        				_t364 = _t486;
                        				 *((intOrPtr*)(_t364 + 0x10)) = 0;
                        				 *((intOrPtr*)(_t364 + 0x14)) = 0;
                        				E00BAC48D( &_v632, _t364,  &_v632);
                        				_t227 = L00BBEA0A(_t355,  &_v640, _t468, 0);
                        				_t487 = _t486 + 0x18;
                        				_v4 = 4;
                        				_t228 = RegOpenKeyExW(0x80000001,  *_t227, 0, 0xf003f,  &_v656);
                        				_v4 = 3;
                        				_t474 = _t228;
                        				_t229 = E00BAE6AB(_t228,  &(_v640[0xfffffffffffffff0]));
                        				if(_t228 != 0) {
                        					L8:
                        					_t504 = _t355;
                        					if(_t355 == 0) {
                        						_t469 = 0;
                        						__eflags = 0;
                        					} else {
                        						E00BAC123( &_v644, _t474);
                        						_v4 = 8;
                        						E00BC4059(_t355,  &_v644, _t468, _t468, _t474);
                        						_t475 = _t487;
                        						_v652 = _t487;
                        						_v636 = _t475;
                        						_t355 = _v644;
                        						_t384 = _v644 - 0x10;
                        						 *_t475 = L00BADF62(_t384, _t468,  &_v644) + 0x10;
                        						_v4 = 9;
                        						_t470 = _t487;
                        						_v636 = _t487;
                        						_t476 = _t487;
                        						_v648 = _t476;
                        						 *_t476 = L00BADF62(_v660 - 0x10, _t487, _t384) + 0x10;
                        						L00BBEA69(_v644, _t487, _t487, _t476);
                        						_v4 = 0xa;
                        						_t477 = _t487;
                        						_v648 = _t477;
                        						 *_t477 = L00BADF62(_v664 - 0x10, _t487, _t470) + 0x10;
                        						L00BBEA69(_v644, _t487, _t487, _t477);
                        						_t391 = _t384;
                        						_v4 = 8;
                        						L00BC7C63(_v644, _t391, _t468, _t487, _t477, _t504);
                        						_t469 = 0;
                        						GetModuleFileNameW(0,  &_v536, 0x104);
                        						_v568 = 0;
                        						_v564 = 7;
                        						_v584 = 0;
                        						E00BAC468(L"-glgr");
                        						E00BAC123( &_v636, _t477);
                        						_v4 = 0xc;
                        						_v544 = 0;
                        						_v540 = 7;
                        						_v560 = 0;
                        						E00BAC468(0xcc5734);
                        						_v4 = 0xd;
                        						E00BC37F1(_v644,  &_v560, 0, _t477, _t504);
                        						_t265 =  >=  ? _v560 :  &_v560;
                        						_push( >=  ? _v560 :  &_v560);
                        						_t396 = _t487 + 0xc - 0x18;
                        						 *((intOrPtr*)(_t396 + 0x10)) = 0;
                        						 *((intOrPtr*)(_t396 + 0x14)) = 0;
                        						E00BAC48D( &_v584, _t396,  &_v584);
                        						_t268 = L00BBEA0A(_t355,  &_v652, 0, _t477);
                        						_v4 = 0xe;
                        						_push( *_t268);
                        						_t271 = L00BAC838( &_v636, L"\"%ws\" %ws %ws",  &_v536);
                        						_v4 = 0xd;
                        						E00BAE6AB(_t271, _v652 - 0x10);
                        						_t474 = _v636;
                        						_push(_v636);
                        						E00BBF204(_t355,  &_v640, _t468, 0, _v636);
                        						_t401 = 2;
                        						_v4 = 0xf;
                        						L00BC3A1A(_t355, _t401, 0, _v636, _v540 - 8);
                        						Shell_NotifyIconW(2, 0xce15f8);
                        						WinExec(_v640, 9);
                        						E00BAE6AB(TerminateProcess( *0xce19b4, 0), _v640 - 0x10);
                        						_t279 = _v540;
                        						if(_t279 >= 8) {
                        							_t411 = _v560;
                        							_t289 = 2 + _t279 * 2;
                        							_v636 = _t289;
                        							_v644 = _v560;
                        							if(_t289 >= 0x1000) {
                        								E00BAE6CD(_t355, 0, _t482,  &_v644,  &_v636);
                        								_t289 = _v636;
                        								_t411 = _v644;
                        							}
                        							_push(_t289);
                        							L00C32F7D(_t411);
                        						}
                        						_v544 = _t469;
                        						_v540 = 7;
                        						_v560 = 0;
                        						E00BAE6AB(0, _t474 - 0x10);
                        						_t282 = _v564;
                        						if(_t282 >= 8) {
                        							_t406 = _v584;
                        							_t284 = 2 + _t282 * 2;
                        							_v636 = _t284;
                        							_v644 = _v584;
                        							if(_t284 >= 0x1000) {
                        								E00BAE6CD(_t355, _t469, _t482,  &_v644,  &_v636);
                        								_t284 = _v636;
                        								_t406 = _v644;
                        							}
                        							_push(_t284);
                        							L00C32F7D(_t406);
                        						}
                        						_v568 = _t469;
                        						_v564 = 7;
                        						_v584 = 0;
                        						_t229 = E00BAE6AB(0, _t355 - 0x10);
                        					}
                        					E00BAE6AB(E00BAE6AB(_t229, _v660 - 0x10), _v664 - 0x10);
                        					_t232 = _v588;
                        					if(_t232 >= 8) {
                        						_t377 = _v608;
                        						_t240 = 2 + _t232 * 2;
                        						_v640 = _t240;
                        						_v636 = _v608;
                        						if(_t240 >= 0x1000) {
                        							E00BAE6CD(_t355, _t469, _t482,  &_v636,  &_v640);
                        							_t240 = _v640;
                        							_t377 = _v636;
                        						}
                        						_push(_t240);
                        						L00C32F7D(_t377);
                        					}
                        					_v592 = _t469;
                        					_v608 = 0;
                        					_t234 = _v612;
                        					_v588 = 7;
                        					if(_t234 >= 8) {
                        						_t372 = _v632;
                        						_t236 = 2 + _t234 * 2;
                        						_v640 = _t236;
                        						_v636 = _v632;
                        						if(_t236 >= 0x1000) {
                        							E00BAE6CD(_t355, _t469, _t482,  &_v636,  &_v640);
                        							_t236 = _v640;
                        							_t372 = _v636;
                        						}
                        						_push(_t236);
                        						_t234 = L00C32F7D(_t372);
                        					}
                        					return L00C89946(_t234, _t355, _t469, _t474);
                        				} else {
                        					_t295 =  *((intOrPtr*)( *_t468));
                        					_v644 = _t295;
                        					while( *((char*)(_t295 + 0xd)) == 0) {
                        						__eflags =  *((intOrPtr*)(_t295 + 0x24)) - 8;
                        						_t416 = _t295 + 0x10;
                        						if( *((intOrPtr*)(_t295 + 0x24)) >= 8) {
                        							_t416 =  *(_t295 + 0x10);
                        						}
                        						_t296 = _t295 + 0x28;
                        						__eflags = _t296;
                        						RegSetValueExW(_v656, _t416, 0, 4, _t296, 4);
                        						L00BB092F( &_v644);
                        						_t295 = _v644;
                        					}
                        					_t492 = _t487 - 0x18;
                        					_t418 = _t492;
                        					 *(_t418 + 0x10) =  *(_t418 + 0x10) & 0x00000000;
                        					 *(_t418 + 0x14) =  *(_t418 + 0x14) & 0x00000000;
                        					E00BAC48D( &_v608, _t418,  &_v608);
                        					_t301 = L00BBEA0A(_t355,  &_v640, _t468, _t474);
                        					_t487 = _t492 + 0x18;
                        					_v4 = 5;
                        					_t302 = E00BAC01A( &_v584,  *_t301);
                        					_v4 = 7;
                        					E00BAE6AB(_t302, _v640 - 0x10);
                        					_t423 = _t468;
                        					E00BC96C3(_t468,  &_v548,  &_v584);
                        					_t474 = _v540;
                        					if(L00BC9712(_t474,  &_v584) == 0) {
                        						_push("invalid map<K, T> key");
                        						E00C341D4();
                        						asm("int3");
                        						_push(_t482);
                        						_t483 = _t487;
                        						_t494 = (_t487 & 0xfffffff8) - 0xc8;
                        						_t310 =  *0xcdaf54; // 0x8a028f78
                        						_v24 = _t310 ^ _t494;
                        						_push(_t355);
                        						_push(_t474);
                        						E00BAC01A( &_v96, _t423);
                        						__eflags = _v80 - 8;
                        						_t426 =  >=  ? _v100 :  &_v100;
                        						_t478 = 0xf;
                        						_push(_v220);
                        						_v104 = _t478;
                        						_t428 =  >=  ? _v100 :  &_v100;
                        						_t356 = 0;
                        						_push(( >=  ? _v100 :  &_v100) + _v84 * 2);
                        						_push( >=  ? _v100 :  &_v100);
                        						_t429 =  &_v124;
                        						_v108 = 0;
                        						_v124 = 0;
                        						E00BBF783(0, _t429, _t468, _t478);
                        						_t495 = _t494 - 0x28;
                        						_push(_t429);
                        						_push(_t429);
                        						 *((intOrPtr*)(_t495 + 0x24)) = 0;
                        						E00BC95E1(0,  &_v196,  &_v136, _t468, _t478, __eflags, _t514);
                        						_t496 = _t495 + 0x30;
                        						L00BC8BC5();
                        						E00BBB3AA( &_v196,  &_v212);
                        						while(1) {
                        							_push(E00BBB507( &_v192,  &_v176));
                        							_t323 = E00BBB42A(_t356,  &_v212, _t468, _t478);
                        							__eflags = _t323;
                        							if(_t323 == 0) {
                        								break;
                        							}
                        							L00BCBE1B(_t356, L00BB8EED(_t356,  &_v212, _t468, _t478),  &_v232, _t468, _t478);
                        							__eflags =  *_v212 - 1;
                        							if(__eflags != 0) {
                        								L00BADBE0( &_v60, "cannot use key() for non-object iterators");
                        								_t438 =  &_v164;
                        								E00BBB545(_t356,  &_v164, 0xcf, _t468, _t478, __eflags);
                        								 *_t496 = 0xcd7aa8;
                        								L00C4CA25( &_v164,  &_v64);
                        								asm("int3");
                        								_push(_t478);
                        								L00BCAA2D( &_v164, _t438,  *((intOrPtr*)( *_t438 + 4)));
                        								_push(0x2c);
                        								return L00C32F7D( *_t438);
                        							} else {
                        								_push(E00BAE7A9(_t356,  &_v84, _v204 + 0x10, _t468, _t478, __eflags));
                        								_push( &_v224);
                        								 *((intOrPtr*)( *((intOrPtr*)(E00BC9736(_t356,  &_v216, _v204 + 0x10, _t468, _t478, __eflags))) + 0x28)) = _v236;
                        								E00BAE71B( &_v92);
                        								E00BBB3F0( &_v216);
                        								continue;
                        							}
                        							goto L42;
                        						}
                        						__eflags = _v120 - _t356;
                        						if(_v120 != _t356) {
                        							_t356 = 1;
                        							__eflags = 1;
                        							E00BC5202(1,  &_v220, 1, _t468, _t478, 1);
                        						}
                        						L41();
                        						E00BBE30A( &_v188, _v196);
                        						_t342 = _v120;
                        						__eflags = _t342 - 0x10;
                        						if(_t342 >= 0x10) {
                        							_t451 = _v136;
                        							_t346 = _t342 + 1;
                        							_v228 = _t346;
                        							_v232 = _v136;
                        							__eflags = _t346 - 0x1000;
                        							if(_t346 >= 0x1000) {
                        								E00BAE6CD(_t356, _t468, _t483,  &_v232,  &_v228);
                        								_t346 = _v228;
                        								_t451 = _v232;
                        							}
                        							_push(_t346);
                        							L00C32F7D(_t451);
                        						}
                        						_v120 = _v120 & 0x00000000;
                        						_v116 = _t478;
                        						_v136 = 0;
                        						E00BAE71B( &_v112);
                        						__eflags = _v40 ^ _t496;
                        						return L00C32D6C(_v40 ^ _t496);
                        					} else {
                        						L00BC3BE6(_t355, _t423 & 0xffffff00 |  *((intOrPtr*)(_t474 + 0x28)) != 0x00000000, _t468, _t474,  *((intOrPtr*)(_t474 + 0x28)) != 0);
                        						RegCloseKey(_v656);
                        						_v4 = 3;
                        						_t229 = E00BAE71B( &_v584);
                        						goto L8;
                        					}
                        				}
                        				L42:
                        			}

                        APIs
                        • __EH_prolog3_GS.LIBCMT ref: 00BC520C
                        • RegOpenKeyExW.ADVAPI32(80000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BC52D5
                        • RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 00BC5320
                        • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 00BC53C9
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00BC5499
                        • Shell_NotifyIconW.SHELL32(00000002,00CE15F8), ref: 00BC55A1
                        • WinExec.KERNEL32 ref: 00BC55AF
                        • TerminateProcess.KERNEL32(00000000), ref: 00BC55BC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: CloseExecFileH_prolog3_IconModuleNameNotifyOpenProcessShell_TerminateValue
                        • String ID: "%ws" %ws %ws$-glgr$Qmdru_pcZZNA?nnQrmpc$_srm]qr_pr]ml$invalid map<K, T> key$npmbsar$qcrrgleq]_nnjw
                        • API String ID: 1747926810-4117314579
                        • Opcode ID: 79336be561e3ea984e76b3bb6114dbc3961097f417c20e3e46801b61ea5a1e0d
                        • Instruction ID: 0962c2896350d264fa239a8c8be6906c4654cbd4900ea67471d89a79372a4c3a
                        • Opcode Fuzzy Hash: 79336be561e3ea984e76b3bb6114dbc3961097f417c20e3e46801b61ea5a1e0d
                        • Instruction Fuzzy Hash: A6126771819258DFDB28EB64C889BEDB7F4EF58304F5044DEE059A7291DB30AA88CF51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 86%
                        			E00C6B69C(signed int __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                        				signed int _v0;
                        				signed int _v5;
                        				signed int _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				signed int _v24;
                        				signed int _v48;
                        				signed int _v100;
                        				signed int _v136;
                        				signed int _t116;
                        				signed int _t119;
                        				signed int _t121;
                        				signed int _t124;
                        				signed int _t125;
                        				signed int _t128;
                        				signed int _t129;
                        				signed int _t133;
                        				signed int _t135;
                        				signed int _t138;
                        				signed int _t139;
                        				signed int _t142;
                        				signed int _t143;
                        				signed int _t146;
                        				void* _t147;
                        				signed int _t152;
                        				signed int* _t154;
                        				signed int* _t160;
                        				signed int _t166;
                        				signed int _t169;
                        				void* _t170;
                        				signed int _t175;
                        				signed int _t177;
                        				signed int _t178;
                        				signed int _t182;
                        				intOrPtr* _t191;
                        				signed int _t196;
                        				signed int _t203;
                        				intOrPtr* _t210;
                        				signed int _t221;
                        				signed int _t222;
                        				signed int _t223;
                        				signed int _t225;
                        				signed int _t226;
                        				void* _t233;
                        				intOrPtr* _t237;
                        				signed int _t238;
                        				void* _t239;
                        				void* _t241;
                        				void* _t252;
                        				signed int _t253;
                        				signed int _t254;
                        				void* _t260;
                        				void* _t262;
                        				signed int _t263;
                        				signed int _t267;
                        				signed int _t270;
                        				signed int _t272;
                        				signed int _t274;
                        				signed int _t281;
                        				signed int _t282;
                        				void* _t283;
                        				signed int _t284;
                        				signed int _t286;
                        				signed int _t288;
                        				signed int _t290;
                        				signed int _t291;
                        				signed int _t295;
                        				signed int _t298;
                        				signed int _t300;
                        				signed int _t301;
                        				WCHAR* _t302;
                        				signed int _t303;
                        				signed int _t304;
                        				void* _t308;
                        				void* _t310;
                        				void* _t312;
                        				void* _t316;
                        				void* _t317;
                        				void* _t319;
                        				void* _t320;
                        				void* _t322;
                        				void* _t324;
                        
                        				_t222 = __ebx;
                        				_t308 = _t316;
                        				_t317 = _t316 - 0x10;
                        				_t295 = _a4;
                        				_t326 = _t295;
                        				if(_t295 != 0) {
                        					_push(__ebx);
                        					_t286 = _t295;
                        					_t116 = E00C4C290(_t295, 0x3d);
                        					_v20 = _t116;
                        					_pop(_t233);
                        					__eflags = _t116;
                        					if(__eflags == 0) {
                        						L38:
                        						 *((intOrPtr*)(E00C5449E(__eflags))) = 0x16;
                        						goto L39;
                        					} else {
                        						__eflags = _t116 - _t295;
                        						if(__eflags == 0) {
                        							goto L38;
                        						} else {
                        							_v5 =  *((intOrPtr*)(_t116 + 1));
                        							L120();
                        							_t222 = 0;
                        							__eflags =  *0xce0cf4 - _t222; // 0x121f708
                        							if(__eflags != 0) {
                        								L14:
                        								_t121 =  *0xce0cf4; // 0x121f708
                        								_v12 = _t121;
                        								__eflags = _t121;
                        								if(_t121 == 0) {
                        									goto L39;
                        								} else {
                        									_t124 = L00C6BCCF(_t295, _v20 - _t295);
                        									_v16 = _t124;
                        									_t237 = _v12;
                        									__eflags = _t124;
                        									if(_t124 < 0) {
                        										L24:
                        										__eflags = _v5 - _t222;
                        										if(_v5 == _t222) {
                        											goto L40;
                        										} else {
                        											_t125 =  ~_t124;
                        											_v16 = _t125;
                        											_t30 = _t125 + 2; // 0x2
                        											_t282 = _t30;
                        											__eflags = _t282 - _t125;
                        											if(_t282 < _t125) {
                        												goto L39;
                        											} else {
                        												__eflags = _t282 - 0x3fffffff;
                        												if(_t282 >= 0x3fffffff) {
                        													goto L39;
                        												} else {
                        													_v12 = L00C5A819(_t237, _t282, 4);
                        													L00C63981(_t222);
                        													_t128 = _v12;
                        													_t317 = _t317 + 0x10;
                        													__eflags = _t128;
                        													if(_t128 == 0) {
                        														goto L39;
                        													} else {
                        														_t238 = _v16;
                        														_t286 = _t222;
                        														 *(_t128 + _t238 * 4) = _t295;
                        														 *(_t128 + 4 + _t238 * 4) = _t222;
                        														goto L29;
                        													}
                        												}
                        											}
                        										}
                        									} else {
                        										__eflags =  *_t237 - _t222;
                        										if( *_t237 == _t222) {
                        											goto L24;
                        										} else {
                        											L00C63981( *((intOrPtr*)(_t237 + _t124 * 4)));
                        											_t281 = _v16;
                        											__eflags = _v5 - _t222;
                        											if(_v5 != _t222) {
                        												_t286 = _t222;
                        												 *(_v12 + _t281 * 4) = _t295;
                        											} else {
                        												_t282 = _v12;
                        												while(1) {
                        													__eflags =  *((intOrPtr*)(_t282 + _t281 * 4)) - _t222;
                        													if( *((intOrPtr*)(_t282 + _t281 * 4)) == _t222) {
                        														break;
                        													}
                        													 *((intOrPtr*)(_t282 + _t281 * 4)) =  *((intOrPtr*)(_t282 + 4 + _t281 * 4));
                        													_t281 = _t281 + 1;
                        													__eflags = _t281;
                        												}
                        												_v16 = L00C5A819(_t282, _t281, 4);
                        												L00C63981(_t222);
                        												_t128 = _v16;
                        												_t317 = _t317 + 0x10;
                        												__eflags = _t128;
                        												if(_t128 != 0) {
                        													L29:
                        													 *0xce0cf4 = _t128;
                        												}
                        											}
                        											__eflags = _a8 - _t222;
                        											if(_a8 == _t222) {
                        												goto L40;
                        											} else {
                        												_t239 = _t295 + 1;
                        												do {
                        													_t129 =  *_t295;
                        													_t295 = _t295 + 1;
                        													__eflags = _t129;
                        												} while (_t129 != 0);
                        												_v16 = _t295 - _t239 + 2;
                        												_t298 = E00C63924(_t239, _t295 - _t239 + 2, 1);
                        												_pop(_t241);
                        												__eflags = _t298;
                        												if(_t298 == 0) {
                        													L37:
                        													L00C63981(_t298);
                        													goto L40;
                        												} else {
                        													_t133 = L00C63890(_t298, _v16, _a4);
                        													_t319 = _t317 + 0xc;
                        													__eflags = _t133;
                        													if(__eflags != 0) {
                        														_push(_t222);
                        														_push(_t222);
                        														_push(_t222);
                        														_push(_t222);
                        														_push(_t222);
                        														E00C543F1();
                        														asm("int3");
                        														_push(_t308);
                        														_t310 = _t319;
                        														_t320 = _t319 - 0x10;
                        														_push(_t222);
                        														_t225 = _v48;
                        														__eflags = _t225;
                        														if(__eflags != 0) {
                        															_push(_t298);
                        															_push(_t286);
                        															_push(0x3d);
                        															_push(_t225);
                        															_t288 = _t225;
                        															_t135 = L00C8AC22(_t241);
                        															_v20 = _t135;
                        															__eflags = _t135;
                        															if(__eflags == 0) {
                        																L81:
                        																 *((intOrPtr*)(E00C5449E(__eflags))) = 0x16;
                        																goto L82;
                        															} else {
                        																__eflags = _t135 - _t225;
                        																if(__eflags == 0) {
                        																	goto L81;
                        																} else {
                        																	_t246 =  *(_t135 + 2) & 0x0000ffff;
                        																	_t139 =  *(_t135 + 2) & 0x0000ffff;
                        																	_v24 = _t139;
                        																	_v16 = _t139;
                        																	L00C6BCB5();
                        																	_t300 =  *0xce0cf8; // 0x12255c0
                        																	_t226 = 0;
                        																	__eflags = _t300;
                        																	if(_t300 != 0) {
                        																		L59:
                        																		_v20 = _v20 - _t288 >> 1;
                        																		_t142 = L00C6BD24(_t288, _v20 - _t288 >> 1);
                        																		_v12 = _t142;
                        																		__eflags = _t142;
                        																		if(_t142 < 0) {
                        																			L67:
                        																			__eflags = _v16 - _t226;
                        																			if(_v16 == _t226) {
                        																				goto L83;
                        																			} else {
                        																				_t143 =  ~_t142;
                        																				_v12 = _t143;
                        																				_t75 = _t143 + 2; // 0x2
                        																				_t252 = _t75;
                        																				__eflags = _t252 - _t143;
                        																				if(_t252 < _t143) {
                        																					goto L82;
                        																				} else {
                        																					__eflags = _t252 - 0x3fffffff;
                        																					if(_t252 >= 0x3fffffff) {
                        																						goto L82;
                        																					} else {
                        																						_t301 = L00C5A819(_t300, _t252, 4);
                        																						L00C63981(_t226);
                        																						_t320 = _t320 + 0x10;
                        																						__eflags = _t301;
                        																						if(_t301 == 0) {
                        																							goto L82;
                        																						} else {
                        																							_t253 = _v12;
                        																							_t288 = _t226;
                        																							_t146 = _v0;
                        																							 *(_t301 + _t253 * 4) = _t146;
                        																							 *(_t301 + 4 + _t253 * 4) = _t226;
                        																							goto L72;
                        																						}
                        																					}
                        																				}
                        																			}
                        																		} else {
                        																			__eflags =  *_t300 - _t226;
                        																			if( *_t300 == _t226) {
                        																				goto L67;
                        																			} else {
                        																				L00C63981( *((intOrPtr*)(_t300 + _t142 * 4)));
                        																				_t274 = _v12;
                        																				__eflags = _v16 - _t226;
                        																				if(_v16 == _t226) {
                        																					while(1) {
                        																						__eflags =  *(_t300 + _t274 * 4) - _t226;
                        																						if( *(_t300 + _t274 * 4) == _t226) {
                        																							break;
                        																						}
                        																						 *(_t300 + _t274 * 4) =  *(_t300 + 4 + _t274 * 4);
                        																						_t274 = _t274 + 1;
                        																						__eflags = _t274;
                        																					}
                        																					_t301 = L00C5A819(_t300, _t274, 4);
                        																					L00C63981(_t226);
                        																					_t320 = _t320 + 0x10;
                        																					_t146 = _t288;
                        																					__eflags = _t301;
                        																					if(_t301 != 0) {
                        																						L72:
                        																						 *0xce0cf8 = _t301;
                        																					}
                        																				} else {
                        																					_t146 = _v0;
                        																					_t288 = _t226;
                        																					 *(_t300 + _t274 * 4) = _t146;
                        																				}
                        																				__eflags = _a4 - _t226;
                        																				if(_a4 == _t226) {
                        																					goto L83;
                        																				} else {
                        																					_t254 = _t146;
                        																					_t84 = _t254 + 2; // 0x2
                        																					_t283 = _t84;
                        																					do {
                        																						_t147 =  *_t254;
                        																						_t254 = _t254 + 2;
                        																						__eflags = _t147 - _t226;
                        																					} while (_t147 != _t226);
                        																					_t85 = (_t254 - _t283 >> 1) + 2; // 0x0
                        																					_v16 = _t85;
                        																					_t302 = E00C63924(_t254 - _t283 >> 1, _t85, 2);
                        																					_pop(_t258);
                        																					__eflags = _t302;
                        																					if(_t302 == 0) {
                        																						L80:
                        																						L00C63981(_t302);
                        																						goto L83;
                        																					} else {
                        																						_t152 = L00C6382C(_t302, _v16, _v0);
                        																						_t322 = _t320 + 0xc;
                        																						__eflags = _t152;
                        																						if(_t152 != 0) {
                        																							_push(_t226);
                        																							_push(_t226);
                        																							_push(_t226);
                        																							_push(_t226);
                        																							_push(_t226);
                        																							E00C543F1();
                        																							asm("int3");
                        																							_push(_t310);
                        																							_t312 = _t322;
                        																							_push(_t288);
                        																							_t290 = _v100;
                        																							__eflags = _t290;
                        																							if(_t290 != 0) {
                        																								_t260 = 0;
                        																								_t154 = _t290;
                        																								__eflags =  *_t290;
                        																								if( *_t290 != 0) {
                        																									do {
                        																										_t154 =  &(_t154[1]);
                        																										_t260 = _t260 + 1;
                        																										__eflags =  *_t154;
                        																									} while ( *_t154 != 0);
                        																								}
                        																								_t303 = E00C63924(_t260, _t260 + 1, 4);
                        																								_t262 = _t302;
                        																								__eflags = _t303;
                        																								if(_t303 == 0) {
                        																									L101:
                        																									L00C61889(_t226, _t262, _t283, _t290, _t303);
                        																									goto L102;
                        																								} else {
                        																									_t270 =  *_t290;
                        																									__eflags = _t270;
                        																									if(_t270 == 0) {
                        																										L100:
                        																										L00C63981(0);
                        																										_t177 = _t303;
                        																										goto L88;
                        																									} else {
                        																										_push(_t226);
                        																										_t226 = _t303 - _t290;
                        																										__eflags = _t226;
                        																										do {
                        																											_t283 = _t270 + 1;
                        																											do {
                        																												_t178 =  *_t270;
                        																												_t270 = _t270 + 1;
                        																												__eflags = _t178;
                        																											} while (_t178 != 0);
                        																											_t262 = _t270 - _t283;
                        																											_v16 = _t262 + 1;
                        																											 *(_t226 + _t290) = E00C63924(_t262, _t262 + 1, 1);
                        																											L00C63981(0);
                        																											_t322 = _t322 + 0xc;
                        																											__eflags =  *(_t226 + _t290);
                        																											if( *(_t226 + _t290) == 0) {
                        																												goto L101;
                        																											} else {
                        																												_t182 = L00C63890( *(_t226 + _t290), _v16,  *_t290);
                        																												_t322 = _t322 + 0xc;
                        																												__eflags = _t182;
                        																												if(_t182 != 0) {
                        																													L102:
                        																													_push(0);
                        																													_push(0);
                        																													_push(0);
                        																													_push(0);
                        																													_push(0);
                        																													E00C543F1();
                        																													asm("int3");
                        																													_push(_t312);
                        																													_push(_t262);
                        																													_push(_t262);
                        																													_push(_t290);
                        																													_t291 = _v136;
                        																													__eflags = _t291;
                        																													if(_t291 != 0) {
                        																														_t284 = 0;
                        																														_t160 = _t291;
                        																														_t263 = 0;
                        																														_v20 = 0;
                        																														__eflags =  *_t291;
                        																														if( *_t291 != 0) {
                        																															do {
                        																																_t160 =  &(_t160[1]);
                        																																_t263 = _t263 + 1;
                        																																__eflags =  *_t160;
                        																															} while ( *_t160 != 0);
                        																														}
                        																														_t304 = E00C63924(_t263, _t263 + 1, 4);
                        																														_t265 = _t303;
                        																														__eflags = _t304;
                        																														if(_t304 == 0) {
                        																															L118:
                        																															L00C61889(_t226, _t265, _t284, _t291, _t304);
                        																															goto L119;
                        																														} else {
                        																															_t267 =  *_t291;
                        																															__eflags = _t267;
                        																															if(_t267 == 0) {
                        																																L117:
                        																																L00C63981(0);
                        																																_t169 = _t304;
                        																																goto L105;
                        																															} else {
                        																																_push(_t226);
                        																																_t226 = _t304 - _t291;
                        																																__eflags = _t226;
                        																																do {
                        																																	_t284 = _t267 + 2;
                        																																	do {
                        																																		_t170 =  *_t267;
                        																																		_t267 = _t267 + 2;
                        																																		__eflags = _t170 - _v20;
                        																																	} while (_t170 != _v20);
                        																																	_t265 = _t267 - _t284 >> 1;
                        																																	_v24 = (_t267 - _t284 >> 1) + 1;
                        																																	 *(_t226 + _t291) = E00C63924(_t267 - _t284 >> 1, (_t267 - _t284 >> 1) + 1, 2);
                        																																	L00C63981(0);
                        																																	_t324 = _t322 + 0xc;
                        																																	__eflags =  *(_t226 + _t291);
                        																																	if( *(_t226 + _t291) == 0) {
                        																																		goto L118;
                        																																	} else {
                        																																		_t175 = L00C6382C( *(_t226 + _t291), _v24,  *_t291);
                        																																		_t322 = _t324 + 0xc;
                        																																		__eflags = _t175;
                        																																		if(_t175 != 0) {
                        																																			L119:
                        																																			_push(0);
                        																																			_push(0);
                        																																			_push(0);
                        																																			_push(0);
                        																																			_push(0);
                        																																			E00C543F1();
                        																																			asm("int3");
                        																																			_t166 =  *0xce0cf4;
                        																																			__eflags = _t166 -  *0xce0d00;
                        																																			if(_t166 ==  *0xce0d00) {
                        																																				_push(_t166);
                        																																				L86();
                        																																				 *0xce0cf4 = _t166;
                        																																				return _t166;
                        																																			}
                        																																			return _t166;
                        																																		} else {
                        																																			goto L115;
                        																																		}
                        																																	}
                        																																	goto L123;
                        																																	L115:
                        																																	_t291 = _t291 + 4;
                        																																	_t267 =  *_t291;
                        																																	__eflags = _t267;
                        																																} while (_t267 != 0);
                        																																goto L117;
                        																															}
                        																														}
                        																													} else {
                        																														_t169 = 0;
                        																														__eflags = 0;
                        																														L105:
                        																														return _t169;
                        																													}
                        																												} else {
                        																													goto L98;
                        																												}
                        																											}
                        																											goto L123;
                        																											L98:
                        																											_t290 = _t290 + 4;
                        																											_t270 =  *_t290;
                        																											__eflags = _t270;
                        																										} while (_t270 != 0);
                        																										goto L100;
                        																									}
                        																								}
                        																							} else {
                        																								_t177 = 0;
                        																								__eflags = 0;
                        																								L88:
                        																								return _t177;
                        																							}
                        																						} else {
                        																							_t272 =  &(_t302[_v20 + 1]);
                        																							 *((short*)(_t272 - 2)) = 0;
                        																							asm("sbb eax, eax");
                        																							__eflags = SetEnvironmentVariableW(_t302,  ~(_v24 & 0x0000ffff) & _t272);
                        																							if(__eflags == 0) {
                        																								_t191 = E00C5449E(__eflags);
                        																								_t226 = _t226 | 0xffffffff;
                        																								__eflags = _t226;
                        																								 *_t191 = 0x2a;
                        																							}
                        																							goto L80;
                        																						}
                        																					}
                        																				}
                        																			}
                        																		}
                        																	} else {
                        																		_t196 =  *0xce0cf4; // 0x121f708
                        																		__eflags = _a4;
                        																		if(_a4 == 0) {
                        																			L52:
                        																			__eflags = _v16 - _t226;
                        																			if(_v16 != _t226) {
                        																				__eflags = _t196;
                        																				if(_t196 != 0) {
                        																					L57:
                        																					 *0xce0cf8 = E00C63924(_t246, 1, 4);
                        																					L00C63981(_t226);
                        																					_t320 = _t320 + 0xc;
                        																					goto L58;
                        																				} else {
                        																					 *0xce0cf4 = E00C63924(_t246, 1, 4);
                        																					L00C63981(_t226);
                        																					_t320 = _t320 + 0xc;
                        																					__eflags =  *0xce0cf4 - _t226; // 0x121f708
                        																					if(__eflags == 0) {
                        																						goto L82;
                        																					} else {
                        																						_t300 =  *0xce0cf8; // 0x12255c0
                        																						__eflags = _t300;
                        																						if(_t300 != 0) {
                        																							goto L59;
                        																						} else {
                        																							goto L57;
                        																						}
                        																					}
                        																				}
                        																			} else {
                        																				_t226 = 0;
                        																				goto L83;
                        																			}
                        																		} else {
                        																			__eflags = _t196;
                        																			if(_t196 == 0) {
                        																				goto L52;
                        																			} else {
                        																				__eflags = L00C5ED33(0);
                        																				if(__eflags == 0) {
                        																					goto L81;
                        																				} else {
                        																					L00C6BCB5();
                        																					L58:
                        																					_t300 =  *0xce0cf8; // 0x12255c0
                        																					__eflags = _t300;
                        																					if(_t300 == 0) {
                        																						L82:
                        																						_t226 = _t225 | 0xffffffff;
                        																						__eflags = _t226;
                        																						L83:
                        																						L00C63981(_t288);
                        																						_t138 = _t226;
                        																						goto L84;
                        																					} else {
                        																						goto L59;
                        																					}
                        																				}
                        																			}
                        																		}
                        																	}
                        																}
                        															}
                        														} else {
                        															_t203 = E00C5449E(__eflags);
                        															 *_t203 = 0x16;
                        															_t138 = _t203 | 0xffffffff;
                        															L84:
                        															return _t138;
                        														}
                        													} else {
                        														asm("sbb eax, eax");
                        														 *(_v20 + 1 + _t298 - _a4 - 1) = _t222;
                        														__eflags = L00C72FCF(_v20 + 1 + _t298 - _a4, _t282, __eflags, _t298,  ~_v5 & _v20 + 0x00000001 + _t298 - _a4);
                        														if(__eflags == 0) {
                        															_t210 = E00C5449E(__eflags);
                        															_t223 = _t222 | 0xffffffff;
                        															__eflags = _t223;
                        															 *_t210 = 0x2a;
                        														}
                        														goto L37;
                        													}
                        												}
                        											}
                        										}
                        									}
                        								}
                        							} else {
                        								__eflags = _a8;
                        								if(_a8 == 0) {
                        									L9:
                        									__eflags = _v5 - _t222;
                        									if(_v5 != _t222) {
                        										 *0xce0cf4 = E00C63924(_t233, 1, 4);
                        										L00C63981(_t222);
                        										_t317 = _t317 + 0xc;
                        										__eflags =  *0xce0cf4 - _t222; // 0x121f708
                        										if(__eflags == 0) {
                        											L39:
                        											_t223 = _t222 | 0xffffffff;
                        											__eflags = _t223;
                        											goto L40;
                        										} else {
                        											__eflags =  *0xce0cf8 - _t222; // 0x12255c0
                        											if(__eflags != 0) {
                        												goto L14;
                        											} else {
                        												 *0xce0cf8 = E00C63924(_t233, 1, 4);
                        												L00C63981(_t222);
                        												_t317 = _t317 + 0xc;
                        												__eflags =  *0xce0cf8 - _t222; // 0x12255c0
                        												if(__eflags == 0) {
                        													goto L39;
                        												} else {
                        													goto L14;
                        												}
                        											}
                        										}
                        									} else {
                        										_t223 = 0;
                        										L40:
                        										L00C63981(_t286);
                        										_t119 = _t223;
                        										goto L41;
                        									}
                        								} else {
                        									__eflags =  *0xce0cf8 - _t222; // 0x12255c0
                        									if(__eflags == 0) {
                        										goto L9;
                        									} else {
                        										__eflags = L00C5ED2E(0);
                        										if(__eflags == 0) {
                        											goto L38;
                        										} else {
                        											L120();
                        											goto L14;
                        										}
                        									}
                        								}
                        							}
                        						}
                        					}
                        				} else {
                        					_t221 = E00C5449E(_t326);
                        					 *_t221 = 0x16;
                        					_t119 = _t221 | 0xffffffff;
                        					L41:
                        					return _t119;
                        				}
                        				L123:
                        			}

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: _free$___from_strstr_to_strchr
                        • String ID:
                        • API String ID: 3409252457-0
                        • Opcode ID: d7f80267562e445649c6082d9a70ef643d7d6e5efe30033eb2fdeadb5acdff98
                        • Instruction ID: e74076d7c05a444390077a23a4c02588dbf1804b009452b8d412ae095b7914aa
                        • Opcode Fuzzy Hash: d7f80267562e445649c6082d9a70ef643d7d6e5efe30033eb2fdeadb5acdff98
                        • Instruction Fuzzy Hash: DDD11571904241AFDB34AFB888C2B6D77E8EF05314F24456DE921DB282EB709EC1DB95
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 92%
                        			E00BD1710(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                        				struct HWND__* _t70;
                        				signed int _t77;
                        				struct HWND__* _t80;
                        				intOrPtr* _t100;
                        				intOrPtr _t105;
                        				void* _t107;
                        				int _t108;
                        				void* _t111;
                        				void* _t114;
                        				void* _t123;
                        				intOrPtr* _t125;
                        				struct HWND__* _t129;
                        				intOrPtr _t130;
                        				intOrPtr _t131;
                        				int _t133;
                        				void* _t135;
                        				void* _t137;
                        				void* _t138;
                        				struct tagPOINT _t139;
                        				struct HWND__* _t140;
                        				void* _t142;
                        				void* _t143;
                        
                        				_t111 = __ecx;
                        				L00C8999C(0xc9096a, __ebx, __edi, __esi, 0x85c);
                        				_t135 = _t111;
                        				 *(_t142 - 0x828) = 7;
                        				_t133 = 0;
                        				 *(_t142 - 0x83c) = 0;
                        				 *((intOrPtr*)(_t142 - 0x82c)) = 0;
                        				E00BAC468(L"BT0AmlrpmjFmqr");
                        				 *((intOrPtr*)(_t142 - 4)) = 0;
                        				 *(_t142 - 0x860) = E00BD046E(__ebx, 0, _t142);
                        				SystemParametersInfoW(0x30, 0, _t142 - 0x824, 0);
                        				E00BD16A8(_t135, _t142 - 0x84c);
                        				_t129 =  *(_t142 - 0x860);
                        				_t105 =  *((intOrPtr*)(_t142 - 0x820));
                        				 *(_t142 - 0x864) =  *(_t142 - 0x84c);
                        				 *((intOrPtr*)(_t142 - 0x868)) =  *((intOrPtr*)(_t142 - 0x848));
                        				if( *((char*)(_t135 + 0x1283)) == 0) {
                        					_t114 =  *((intOrPtr*)(_t142 - 0x81c)) - 1;
                        					_t137 =  *(_t142 - 0x824) + 1;
                        					__eflags = _t129 - 2;
                        				} else {
                        					_t114 =  *(_t142 - 0x824) + 1;
                        					_t137 =  *((intOrPtr*)(_t142 - 0x81c)) - 1;
                        				}
                        				_t138 =  ==  ? _t114 : _t137;
                        				_t107 =  ==  ?  *((intOrPtr*)(_t142 - 0x818)) - 1 : _t105 + 1;
                        				if( *0xce13e4 == 0 && (_t129 == 0 || _t129 == 2 || _t129 == 1)) {
                        					GetWindowRect( *0xce19cc, _t142 - 0x85c);
                        					_t107 =  *((intOrPtr*)(_t142 - 0x820)) + 1 +  *((intOrPtr*)(_t142 - 0x850));
                        				}
                        				_t108 = _t107 +  *((intOrPtr*)(_t142 - 0x868));
                        				_t139 = _t138 +  *(_t142 - 0x864);
                        				_push(_t108);
                        				 *(_t142 - 0x864) = _t139;
                        				_t70 = WindowFromPoint(_t139);
                        				_t156 =  *0xce13e4;
                        				_t140 = _t70;
                        				if( *0xce13e4 != 0) {
                        					L00C4BBB0(_t133, _t142 - 0x614, _t133, 0x200);
                        					_t108 = 0x100;
                        					GetClassNameW(_t140, _t142 - 0x814, 0x100);
                        					GetWindowTextW(_t140, _t142 - 0x614, 0x100);
                        				} else {
                        					 *(_t142 - 0x860) = GetParent(_t140);
                        					L00C4BBB0(_t133, _t142 - 0x214, _t133, 0x200);
                        					GetClassNameW( *(_t142 - 0x860), _t142 - 0x414, 0x100);
                        					GetWindowTextW( *(_t142 - 0x860), _t142 - 0x214, 0x100);
                        					E00BA9179(_t156, L"GET HWND -> Class name: %ws \n", _t142 - 0x414);
                        					E00BA9179(_t156, L"GET HWND -> name: %ws \n", _t142 - 0x214);
                        					_push(_t108);
                        					E00BA9179(_t156, L"POINT-> X: %d, Y: %d\n",  *(_t142 - 0x864));
                        					_t123 = _t143 + 0xc;
                        					 *((intOrPtr*)(_t123 + 0x10)) = _t133;
                        					 *((intOrPtr*)(_t123 + 0x14)) = _t133;
                        					E00BAC48D(_t142 - 0x83c, _t123, _t142 - 0x83c);
                        					_t125 =  *((intOrPtr*)(L00BBEA0A(_t108, _t142 - 0x868, _t133, _t140)));
                        					_t100 = _t142 - 0x414;
                        					while(1) {
                        						_t130 =  *_t100;
                        						if(_t130 !=  *_t125) {
                        							break;
                        						}
                        						if(_t130 != 0) {
                        							_t131 =  *((intOrPtr*)(_t100 + 2));
                        							if(_t131 !=  *((intOrPtr*)(_t125 + 2))) {
                        								break;
                        							} else {
                        								_t100 = _t100 + 4;
                        								_t125 = _t125 + 4;
                        								if(_t131 != 0) {
                        									continue;
                        								} else {
                        								}
                        							}
                        						}
                        						L16:
                        						E00BAE6AB(_t100,  *((intOrPtr*)(_t142 - 0x868)) - 0x10);
                        						_t140 =  ==  ?  *(_t142 - 0x860) : _t140;
                        						goto L18;
                        					}
                        					asm("sbb edi, edi");
                        					__eflags = _t133;
                        					goto L16;
                        				}
                        				L18:
                        				_t77 =  *(_t142 - 0x828);
                        				if(_t77 >= 8) {
                        					_t117 =  *(_t142 - 0x83c);
                        					_t80 = 2 + _t77 * 2;
                        					 *(_t142 - 0x860) = _t80;
                        					 *(_t142 - 0x864) =  *(_t142 - 0x83c);
                        					if(_t80 >= 0x1000) {
                        						E00BAE6CD(_t108, _t133, _t142, _t142 - 0x864, _t142 - 0x860);
                        						_t80 =  *(_t142 - 0x860);
                        						_t117 =  *(_t142 - 0x864);
                        					}
                        					_push(_t80);
                        					L00C32F7D(_t117);
                        				}
                        				return L00C89946(_t140, _t108, _t133, _t140);
                        			}

                        APIs
                        • __EH_prolog3_GS.LIBCMT ref: 00BD171A
                          • Part of subcall function 00BD046E: SystemParametersInfoW.USER32 ref: 00BD048D
                          • Part of subcall function 00BD046E: GetSystemMetrics.USER32 ref: 00BD0494
                          • Part of subcall function 00BD046E: GetSystemMetrics.USER32 ref: 00BD049E
                        • SystemParametersInfoW.USER32 ref: 00BD1765
                          • Part of subcall function 00BD16A8: GetPhysicalCursorPos.USER32(?), ref: 00BD16C0
                          • Part of subcall function 00BD16A8: MonitorFromPoint.USER32(?,?,00000002), ref: 00BD16CE
                          • Part of subcall function 00BD16A8: GetMonitorInfoA.USER32 ref: 00BD16E4
                          • Part of subcall function 00BD16A8: SetRect.USER32 ref: 00BD16FB
                        • GetWindowRect.USER32 ref: 00BD17FC
                        • WindowFromPoint.USER32(?,?), ref: 00BD1823
                        • GetParent.USER32(00000000), ref: 00BD1839
                        • GetClassNameW.USER32 ref: 00BD186C
                        • GetWindowTextW.USER32 ref: 00BD1884
                        • GetClassNameW.USER32 ref: 00BD194D
                        • GetWindowTextW.USER32 ref: 00BD195C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: SystemWindow$Info$ClassFromMetricsMonitorNameParametersPointRectText$CursorH_prolog3_ParentPhysical
                        • String ID: BT0AmlrpmjFmqr$GET HWND -> Class name: %ws $GET HWND -> name: %ws $POINT-> X: %d, Y: %d
                        • API String ID: 7407559-4187287570
                        • Opcode ID: 117b699c11609996e22064f91e4c817e19ea6437cfff824aaed5d1d9420bc4b1
                        • Instruction ID: 90425cb155a0ceef8e888d892b8b47a6c6fb4fa81f1a3e19f994a38191160207
                        • Opcode Fuzzy Hash: 117b699c11609996e22064f91e4c817e19ea6437cfff824aaed5d1d9420bc4b1
                        • Instruction Fuzzy Hash: 30716D7190022DABDB24EB54DD85BEDB3F9FB58300F0480DAE549A2251EF325E81CFA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 97%
                        			E00BCC23C(void* __ebx, short** __ecx, void* __edx, void* __edi, void* __esi, void* __ebp, signed short* _a4) {
                        				signed int _v4;
                        				short _v244;
                        				short _v252;
                        				short _v500;
                        				short _v516;
                        				void* _v520;
                        				int _v524;
                        				int _v528;
                        				void* _v532;
                        				signed short* _v544;
                        				void* _v552;
                        				signed int _t27;
                        				void* _t79;
                        				int _t82;
                        				void* _t86;
                        				signed int _t87;
                        
                        				_t87 =  &_v552;
                        				_t27 =  *0xcdaf54; // 0x8a028f78
                        				_v4 = _t27 ^ _t87;
                        				_t65 = _a4;
                        				_v552 = __ecx;
                        				_t86 = __edx;
                        				_v544 = _a4;
                        				_t82 = GetFileVersionInfoSizeW( *__ecx,  &_v532);
                        				if(_t82 != 0) {
                        					_t79 = GlobalAlloc(0x40, _t82);
                        					if(_t79 != 0) {
                        						GetFileVersionInfoW( *_v552, 0, _t82, _t79);
                        						_t66 = VerQueryValueW;
                        						VerQueryValueW(_t79, "\\",  &_v524,  &_v528);
                        						if(VerQueryValueW(_t79, L"\\VarFileInfo\\Translation",  &_v552,  &_v520) != 0) {
                        							wsprintfW( &_v516, L"\\StringFileInfo\\%04x%04x\\FileDescription",  *_v552 & 0x0000ffff,  *(_v552 + 2) & 0x0000ffff);
                        							wsprintfW( &_v252, L"\\StringFileInfo\\%04x%04x\\ProductVersion",  *_v544 & 0x0000ffff, _v544[1] & 0x0000ffff);
                        							_t87 = _t87 + 0x20;
                        							if(VerQueryValueW(_t79,  &_v500,  &_v532,  &_v524) != 0) {
                        								E00BCC03F(VerQueryValueW, _v528, _v532);
                        							}
                        							if(VerQueryValueW(_t79,  &_v244,  &_v520,  &_v524) != 0) {
                        								E00BCC03F(_t66, _t86, _v520);
                        							}
                        						}
                        						GlobalFree(_t79);
                        					}
                        				} else {
                        					E00BCC03F(_t65, _t86, 0xcc5734);
                        					E00BCC03F(_t65, _t65, 0xcc5734);
                        				}
                        				return L00C32D6C(_v4 ^ _t87);
                        			}

                        APIs
                        • GetFileVersionInfoSizeW.VERSION(?,?,00000000,?,?), ref: 00BCC26D
                        • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,?), ref: 00BCC299
                        • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00BCC2B3
                        • VerQueryValueW.VERSION(00000000,00CC7A70,?,?,?,?), ref: 00BCC2CF
                        • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,?,?), ref: 00BCC2E1
                        • wsprintfW.USER32 ref: 00BCC308
                        • wsprintfW.USER32 ref: 00BCC324
                        • VerQueryValueW.VERSION(00000000,?,?,?), ref: 00BCC339
                        • VerQueryValueW.VERSION(00000000,?,?,?), ref: 00BCC35F
                        • GlobalFree.KERNEL32 ref: 00BCC371
                        Strings
                        • \StringFileInfo\%04x%04x\FileDescription, xrefs: 00BCC302
                        • \VarFileInfo\Translation, xrefs: 00BCC2DB
                        • \StringFileInfo\%04x%04x\ProductVersion, xrefs: 00BCC31E
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: QueryValue$FileGlobalInfoVersionwsprintf$AllocFreeSize
                        • String ID: \StringFileInfo\%04x%04x\FileDescription$\StringFileInfo\%04x%04x\ProductVersion$\VarFileInfo\Translation
                        • API String ID: 3118491668-227869778
                        • Opcode ID: 2e5859c2c6249284f1fc5bfe297ce88137b8a1233c0aa0a001f0d72c87fad612
                        • Instruction ID: e72381b4a02295db49e2fb33a1d6f33aeb997dd9938b06773f3cc1486f11ceed
                        • Opcode Fuzzy Hash: 2e5859c2c6249284f1fc5bfe297ce88137b8a1233c0aa0a001f0d72c87fad612
                        • Instruction Fuzzy Hash: E6312972104345ABC715DBA4DC85FBFBBECEB99700F00056EF98992250EA35E9058B66
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 72%
                        			E00C7959E(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a8) {
                        				char _v4;
                        				intOrPtr* _v16;
                        				char _v36;
                        				intOrPtr _v52;
                        				intOrPtr* _t88;
                        				signed int _t99;
                        				signed int _t101;
                        				intOrPtr _t103;
                        				void* _t104;
                        				signed short _t105;
                        				void* _t112;
                        				intOrPtr _t115;
                        				intOrPtr* _t122;
                        				void* _t136;
                        				intOrPtr* _t137;
                        				void* _t138;
                        				intOrPtr* _t140;
                        				void* _t147;
                        				intOrPtr* _t148;
                        				void* _t153;
                        				void* _t154;
                        
                        				_t154 = __eflags;
                        				_t138 = __edx;
                        				_t122 = __ecx;
                        				L00C89968(0xc92b95, __ebx, __edi, __esi, 0x14);
                        				_t140 = _t122;
                        				_v16 = _t140;
                        				_t120 = _a8;
                        				 *_t140 = 0xcc435c;
                        				_v4 = 0;
                        				L00C7FF67(_t140 + 4, _a8);
                        				 *((intOrPtr*)(_t140 + 0x30)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x34)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x38)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x3c)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x40)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x44)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x48)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x4c)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x50)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x54)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x58)) = 0;
                        				_v4 = 5;
                        				E00C793D9(_t140 + 0x60, 0, 0x100, 0x40);
                        				 *((intOrPtr*)(_t140 + 0xb4)) = 0;
                        				 *(_t140 + 0xb8) =  *(_t140 + 0xb8) & 0x00000000;
                        				_v4 = 6;
                        				E00C741EA(_t140 + 0xbc);
                        				E00C793D9(_t140 + 0xc8, 0, 0x100, 0x7fffffff);
                        				_v4 = 7;
                        				E00C741D5(_t140 + 0x118);
                        				_v4 = 8;
                        				 *((intOrPtr*)(_t140 + 0x130)) = 0;
                        				E00C741EA(_t140 + 0x134);
                        				_t88 = _t140 + 0x13c;
                        				 *_t88 = 0;
                        				 *((intOrPtr*)(_t88 + 4)) = _t88;
                        				 *((intOrPtr*)(_t88 + 8)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x148)) = 0xffffffff;
                        				 *((intOrPtr*)(_t140 + 0x14c)) = 0xffffffff;
                        				 *((intOrPtr*)(_t140 + 0x150)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x154)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x158)) = 0;
                        				E00C7939B(_t140 + 0x15c, _t140, _t154, 0x1001);
                        				_v4 = 9;
                        				E00C7939B(_t140 + 0x168, _t140, _t154, 0x1001);
                        				 *(_t140 + 0x174) =  *(_t140 + 0x174) | 0xffffffff;
                        				 *((intOrPtr*)(_t140 + 0x178)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x180)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x184)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x188)) = 1;
                        				 *((intOrPtr*)(_t140 + 0x18c)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x190)) = 0;
                        				_v4 = 0xa;
                        				 *((intOrPtr*)(_t140 + 0x194)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x198)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x1a0)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x1a4)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x1a8)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x1b0)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x1b8)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x1bc)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x1c0)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x1c4)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x1c8)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x1d0)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x1d4)) = 0;
                        				 *((intOrPtr*)(_t140 + 0x1e4)) = 0;
                        				__imp__InitializeSListHead(_t140 + 0x1e8);
                        				__imp__InitializeSListHead(_t140 + 0x1f0);
                        				__imp__InitializeSListHead(_t140 + 0x1f8);
                        				__imp__InitializeSListHead(_t140 + 0x200);
                        				 *((intOrPtr*)(_t140 + 0x84)) = _t140;
                        				 *((intOrPtr*)(_t140 + 8)) = E00C80004(_a8, 0);
                        				 *((short*)(_t140 + 0x10)) = E00C80004(_t120, 4);
                        				 *((intOrPtr*)(_t140 + 0xc)) = E00C80004(_t120, 7);
                        				_t147 = E00C80004(_t120, 1);
                        				_t99 = L00C7741D(_t120, _t140, _t147);
                        				_t155 = _t99 << 2 - _t147;
                        				if(_t99 << 2 <= _t147) {
                        					_t101 = E00C80004(_t120, 1);
                        				} else {
                        					_t101 = L00C7741D(_t120, _t140, _t147) << 2;
                        				}
                        				 *(_t140 + 0x1cc) = _t101;
                        				 *((intOrPtr*)(_t140 + 0x18)) = L00C74EAF();
                        				_push(0);
                        				_t103 = L00C74AD3(_t155);
                        				_pop(_t136);
                        				 *((intOrPtr*)(_t140 + 0x1d8)) = _t103;
                        				_t104 = _t140 + 0x1dc;
                        				__imp__RegisterWaitForSingleObject(_t104, _t103, 0xc7cb14, _t140, 0xffffffff, 0);
                        				if(_t104 == 0) {
                        					_t105 = GetLastError();
                        					__eflags = _t105;
                        					if(_t105 > 0) {
                        						goto L12;
                        					}
                        					goto L13;
                        				} else {
                        					_t112 = L00C77418(0, _t140, _t147);
                        					_t157 = _t112 - 3;
                        					if(_t112 < 3) {
                        						_t115 = L00C74B3E(_t140 + 0x1e0, _t140 + 0x1e0, 0, 0xc7cb05, _t140, 0x7fffffff, 0x7fffffff, 0);
                        						_t153 = _t153 + 0x1c;
                        					} else {
                        						_t115 = E00C75146(_t136, _t138, _t140, _t157, 0x7fffffff, 0xc7caf6, _t140, 1);
                        						_t153 = _t153 + 0x10;
                        						 *((intOrPtr*)(_t140 + 0x1e0)) = _t115;
                        					}
                        					if(_t115 != 0) {
                        						return L00C89931(_t140);
                        					} else {
                        						_t105 = GetLastError();
                        						if(_t105 > 0) {
                        							L12:
                        							_t105 = _t105 & 0x0000ffff | 0x80070000;
                        						}
                        						L13:
                        						_t137 =  &_v36;
                        						E00C753D3(_t137, _t105);
                        						L00C4CA25( &_v36, 0xcd63a8);
                        						asm("int3");
                        						_push(_t147);
                        						_t148 = _t137;
                        						L00BADEFF(_t137, _v52);
                        						 *_t148 = 0xcc4208;
                        						return _t148;
                        					}
                        				}
                        			}

























                        APIs
                        • ListArray.LIBCONCRT ref: 00C795F8
                          • Part of subcall function 00C793D9: InitializeSListHead.KERNEL32(?,00000000,?,00C74322), ref: 00C794A5
                          • Part of subcall function 00C793D9: InitializeSListHead.KERNEL32(?), ref: 00C794AF
                        • ListArray.LIBCONCRT ref: 00C7962C
                        • Hash.LIBCMT ref: 00C79695
                        • Hash.LIBCMT ref: 00C796A5
                        • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 00C7973A
                        • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 00C79747
                        • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 00C79754
                        • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 00C79761
                          • Part of subcall function 00C80004: std::bad_exception::bad_exception.LIBCMT ref: 00C80026
                        • RegisterWaitForSingleObject.KERNEL32(?,00000000,00C7CB14,?,000000FF,00000000), ref: 00C797E9
                        • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00C7980B
                        • GetLastError.KERNEL32(?,?,00000000,?,00C74322), ref: 00C7981D
                        • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 00C7983A
                          • Part of subcall function 00C74B3E: CreateTimerQueueTimer.KERNEL32(?,00C74322,?,00000000,?,?,00000000,?,00C7983F,?,00000000,00C7CB05,?,7FFFFFFF,7FFFFFFF,00000000), ref: 00C74B56
                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00C79864
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: List$HeadInitialize$Timer$ArrayCreateHashQueueRegister$AsyncConcurrency::details::Concurrency::details::platform::__Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastLibraryLoadObjectSingleWaitstd::bad_exception::bad_exception
                        • String ID:
                        • API String ID: 2750799244-0
                        • Opcode ID: 5673f674bcf246e33c0fa84ea7fc3dc10d536d74b2a7fae322eebb13c260987f
                        • Instruction ID: 331c705e0611800df189644f5b947e270eb70af78fec2a104756b22bbde31f72
                        • Opcode Fuzzy Hash: 5673f674bcf246e33c0fa84ea7fc3dc10d536d74b2a7fae322eebb13c260987f
                        • Instruction Fuzzy Hash: 1C816FB0A10A16ABC708EF74C845BD9FBA8FF09714F10421BF52C97291DBB0A624DBD1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 87%
                        			E00BC10C1(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                        				intOrPtr* _t126;
                        				intOrPtr* _t129;
                        				intOrPtr* _t132;
                        				intOrPtr* _t135;
                        				void* _t140;
                        				signed int _t144;
                        				signed int _t146;
                        				signed int _t148;
                        				signed int _t150;
                        				intOrPtr _t154;
                        				intOrPtr _t159;
                        				intOrPtr _t164;
                        				intOrPtr _t169;
                        				void* _t177;
                        				void* _t185;
                        				void* _t187;
                        				void* _t189;
                        				void* _t191;
                        				void* _t228;
                        				intOrPtr _t231;
                        				void* _t232;
                        				void* _t233;
                        				void* _t234;
                        				void* _t236;
                        				void* _t238;
                        				void* _t243;
                        
                        				_t243 = __eflags;
                        				_t230 = __esi;
                        				_t177 = __ecx;
                        				L00C8999C(0xc8e76c, __ebx, __edi, __esi, 0x7c);
                        				_t228 = _t177;
                        				E00BAC123(_t232 - 0x74, __esi);
                        				 *((intOrPtr*)(_t232 - 4)) = 0;
                        				E00BA9179(_t243, L"last id: %l \n", _t228);
                        				 *((intOrPtr*)(_t232 - 0x60)) = 0;
                        				 *(_t232 - 0x5c) = 7;
                        				 *((short*)(_t232 - 0x70)) = 0;
                        				E00BAC468(L"frrnq8--na_nn,qrmpc-lmrgdw]qfmu]t0,nfn=$mgb;");
                        				 *((char*)(_t232 - 4)) = 1;
                        				 *((intOrPtr*)(_t232 - 0x48)) = 0;
                        				 *(_t232 - 0x44) = 7;
                        				 *((short*)(_t232 - 0x58)) = 0;
                        				E00BAC468(L"$esgb;");
                        				 *((char*)(_t232 - 4)) = 2;
                        				 *((intOrPtr*)(_t232 - 0x30)) = 0;
                        				 *(_t232 - 0x2c) = 7;
                        				 *((short*)(_t232 - 0x40)) = 0;
                        				E00BAC468(L"$lma_afc;");
                        				 *((char*)(_t232 - 4)) = 3;
                        				 *((intOrPtr*)(_t232 - 0x18)) = 0;
                        				 *(_t232 - 0x14) = 7;
                        				 *((short*)(_t232 - 0x28)) = 0;
                        				E00BAC468(L"$clb]t;");
                        				 *((char*)(_t232 - 4)) = 4;
                        				_push(GetTickCount());
                        				_t234 = _t233 - 0x18;
                        				_t185 = _t234;
                        				 *((intOrPtr*)(_t185 + 0x10)) = 0;
                        				 *((intOrPtr*)(_t185 + 0x14)) = 0;
                        				E00BAC48D(_t232 - 0x40, _t185, _t232 - 0x40);
                        				_t126 = L00BBEA0A(0, _t232 - 0x88, _t228, __esi);
                        				 *((char*)(_t232 - 4)) = 5;
                        				_push( *_t126);
                        				_push( *0xce1a00);
                        				_t236 = _t234 + 0x18 - 0x18;
                        				_t187 = _t236;
                        				 *((intOrPtr*)(_t187 + 0x10)) = 0;
                        				 *((intOrPtr*)(_t187 + 0x14)) = 0;
                        				E00BAC48D(_t232 - 0x28, _t187, _t232 - 0x28);
                        				_t129 = L00BBEA0A(0, _t232 - 0x84, _t228, _t230);
                        				 *((char*)(_t232 - 4)) = 6;
                        				_push( *_t129);
                        				_push("20D83542-CB48-FFC7-AA5E-D037A04953D7");
                        				_t238 = _t236 + 0x18 - 0x18;
                        				_t189 = _t238;
                        				 *((intOrPtr*)(_t189 + 0x10)) = 0;
                        				 *((intOrPtr*)(_t189 + 0x14)) = 0;
                        				E00BAC48D(_t232 - 0x58, _t189, _t232 - 0x58);
                        				_t132 = L00BBEA0A(0, _t232 - 0x80, _t228, _t230);
                        				 *((char*)(_t232 - 4)) = 7;
                        				_push( *_t132);
                        				_push(_t228);
                        				_t191 = _t238 + 0x18 - 0x18;
                        				 *((intOrPtr*)(_t191 + 0x10)) = 0;
                        				 *((intOrPtr*)(_t191 + 0x14)) = 0;
                        				E00BAC48D(_t232 - 0x70, _t191, _t232 - 0x70);
                        				_t135 = L00BBEA0A(0, _t232 - 0x78, _t228, _t230);
                        				 *((char*)(_t232 - 4)) = 8;
                        				_t140 = E00BAE6AB(E00BAE6AB(E00BAE6AB(L00BAC838(_t232 - 0x74, L"%ws%d%ws%ws%ws%s%ws%d",  *_t135),  *((intOrPtr*)(_t232 - 0x78)) - 0x10),  *((intOrPtr*)(_t232 - 0x80)) - 0x10),  *((intOrPtr*)(_t232 - 0x84)) - 0x10);
                        				 *((char*)(_t232 - 4)) = 4;
                        				E00BAE6AB(_t140,  *((intOrPtr*)(_t232 - 0x88)) - 0x10);
                        				_t231 =  *((intOrPtr*)(_t232 - 0x74));
                        				E00BA9179(_t243, L"%ws", _t231);
                        				if( *((intOrPtr*)(_t231 - 4)) > 1) {
                        					_push( *((intOrPtr*)(_t231 - 0xc)));
                        					E00BAE42C(0, _t232 - 0x74);
                        					_t231 =  *((intOrPtr*)(_t232 - 0x74));
                        				}
                        				if(L00BBFBDB(_t228) != 0) {
                        					Sleep(0x1388);
                        				}
                        				_t144 =  *(_t232 - 0x14);
                        				if(_t144 >= 8) {
                        					_t220 =  *((intOrPtr*)(_t232 - 0x28));
                        					_t169 = 2 + _t144 * 2;
                        					 *((intOrPtr*)(_t232 - 0x74)) = _t169;
                        					 *((intOrPtr*)(_t232 - 0x78)) =  *((intOrPtr*)(_t232 - 0x28));
                        					if(_t169 >= 0x1000) {
                        						E00BAE6CD(0, 0x1000, _t232, _t232 - 0x78, _t232 - 0x74);
                        						_t169 =  *((intOrPtr*)(_t232 - 0x74));
                        						_t220 =  *((intOrPtr*)(_t232 - 0x78));
                        					}
                        					_push(_t169);
                        					L00C32F7D(_t220);
                        				}
                        				 *((intOrPtr*)(_t232 - 0x18)) = 0;
                        				 *((short*)(_t232 - 0x28)) = 0;
                        				_t146 =  *(_t232 - 0x2c);
                        				 *(_t232 - 0x14) = 7;
                        				if(_t146 >= 8) {
                        					_t215 =  *((intOrPtr*)(_t232 - 0x40));
                        					_t164 = 2 + _t146 * 2;
                        					 *((intOrPtr*)(_t232 - 0x78)) = _t164;
                        					 *((intOrPtr*)(_t232 - 0x74)) =  *((intOrPtr*)(_t232 - 0x40));
                        					if(_t164 >= 0x1000) {
                        						E00BAE6CD(0, 0x1000, _t232, _t232 - 0x74, _t232 - 0x78);
                        						_t164 =  *((intOrPtr*)(_t232 - 0x78));
                        						_t215 =  *((intOrPtr*)(_t232 - 0x74));
                        					}
                        					_push(_t164);
                        					L00C32F7D(_t215);
                        				}
                        				 *((intOrPtr*)(_t232 - 0x30)) = 0;
                        				 *((short*)(_t232 - 0x40)) = 0;
                        				_t148 =  *(_t232 - 0x44);
                        				 *(_t232 - 0x2c) = 7;
                        				if(_t148 >= 8) {
                        					_t210 =  *((intOrPtr*)(_t232 - 0x58));
                        					_t159 = 2 + _t148 * 2;
                        					 *((intOrPtr*)(_t232 - 0x78)) = _t159;
                        					 *((intOrPtr*)(_t232 - 0x74)) =  *((intOrPtr*)(_t232 - 0x58));
                        					if(_t159 >= 0x1000) {
                        						E00BAE6CD(0, 0x1000, _t232, _t232 - 0x74, _t232 - 0x78);
                        						_t159 =  *((intOrPtr*)(_t232 - 0x78));
                        						_t210 =  *((intOrPtr*)(_t232 - 0x74));
                        					}
                        					_push(_t159);
                        					L00C32F7D(_t210);
                        				}
                        				 *((intOrPtr*)(_t232 - 0x48)) = 0;
                        				 *((short*)(_t232 - 0x58)) = 0;
                        				_t150 =  *(_t232 - 0x5c);
                        				 *(_t232 - 0x44) = 7;
                        				if(_t150 >= 8) {
                        					_t205 =  *((intOrPtr*)(_t232 - 0x70));
                        					_t154 = 2 + _t150 * 2;
                        					 *((intOrPtr*)(_t232 - 0x78)) = _t154;
                        					 *((intOrPtr*)(_t232 - 0x74)) =  *((intOrPtr*)(_t232 - 0x70));
                        					if(_t154 >= 0x1000) {
                        						E00BAE6CD(0, 0x1000, _t232, _t232 - 0x74, _t232 - 0x78);
                        						_t154 =  *((intOrPtr*)(_t232 - 0x78));
                        						_t205 =  *((intOrPtr*)(_t232 - 0x74));
                        					}
                        					_push(_t154);
                        					L00C32F7D(_t205);
                        				}
                        				 *((intOrPtr*)(_t232 - 0x60)) = 0;
                        				 *(_t232 - 0x5c) = 7;
                        				 *((short*)(_t232 - 0x70)) = 0;
                        				return L00C89946(E00BAE6AB(0, _t231 - 0x10), 0, 0x1000, _t231);
                        			}


                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: CountH_prolog3_SleepTick
                        • String ID: $clb]t;$$esgb;$$lma_afc;$%ws$%ws%d%ws%ws%ws%s%ws%d$20D83542-CB48-FFC7-AA5E-D037A04953D7$frrnq8--na_nn,qrmpc-lmrgdw]qfmu]t0,nfn=$mgb;$last id: %l
                        • API String ID: 950497751-4259123438
                        • Opcode ID: 9dfca5de9b159566a7d72fe2b298a6c3d9aae9dd6b56b48702029830d2806259
                        • Instruction ID: 2ebf28b79b3a5f8e2ade4431e2482441a14dea75551a64f240f3ec1c06f41688
                        • Opcode Fuzzy Hash: 9dfca5de9b159566a7d72fe2b298a6c3d9aae9dd6b56b48702029830d2806259
                        • Instruction Fuzzy Hash: 14A13971D08248DFDF14EFA8C985ADDBBB5BF49304F6004AEE005A7292EB35AA45CF54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 95%
                        			E00BC62F7(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                        				void* _t235;
                        				void* _t236;
                        				void* _t238;
                        				void* _t242;
                        				void* _t243;
                        				void* _t245;
                        				void* _t249;
                        				void* _t250;
                        				void* _t252;
                        				void* _t256;
                        				void* _t257;
                        				void* _t259;
                        				void* _t263;
                        				void* _t264;
                        				void* _t266;
                        				void* _t270;
                        				void* _t271;
                        				void* _t273;
                        				void* _t277;
                        				void* _t278;
                        				intOrPtr* _t279;
                        				void* _t280;
                        				signed int _t283;
                        				signed int _t285;
                        				signed int _t287;
                        				signed int _t289;
                        				signed int _t291;
                        				signed int _t293;
                        				signed int _t295;
                        				intOrPtr _t299;
                        				intOrPtr _t304;
                        				intOrPtr _t309;
                        				intOrPtr _t314;
                        				intOrPtr _t319;
                        				intOrPtr _t324;
                        				intOrPtr _t329;
                        				signed int _t335;
                        				void* _t345;
                        				void* _t352;
                        				void* _t359;
                        				void* _t366;
                        				void* _t373;
                        				void* _t380;
                        				void* _t387;
                        				void* _t444;
                        				void* _t445;
                        				void* _t446;
                        				void* _t448;
                        				void* _t450;
                        				void* _t452;
                        				void* _t454;
                        				void* _t456;
                        				void* _t460;
                        
                        				_t460 = __eflags;
                        				_t441 = __esi;
                        				L00C8999C(0xc8f528, __ebx, __edi, __esi, 0xd4);
                        				L00BC8BC5();
                        				 *(_t444 - 4) = 0;
                        				E00BC4135(__ebx, _t444 - 0xe0, 0, __esi, _t460);
                        				_t335 = 7;
                        				 *((intOrPtr*)(_t444 - 0xc0)) = 0;
                        				 *(_t444 - 0xbc) = _t335;
                        				 *((short*)(_t444 - 0xd0)) = 0;
                        				E00BAC468(L"_srm]qr_pr]ml");
                        				 *(_t444 - 4) = 1;
                        				 *((intOrPtr*)(_t444 - 0xa8)) = 0;
                        				 *(_t444 - 0xa4) = _t335;
                        				 *((short*)(_t444 - 0xb8)) = 0;
                        				E00BAC468(L"f_pbu_pc]amjjcargle");
                        				 *(_t444 - 4) = 2;
                        				 *((intOrPtr*)(_t444 - 0x90)) = 0;
                        				 *(_t444 - 0x8c) = _t335;
                        				 *((short*)(_t444 - 0xa0)) = 0;
                        				E00BAC468(L"qmdru_pc]amjjcargle");
                        				 *(_t444 - 4) = 3;
                        				 *((intOrPtr*)(_t444 - 0x78)) = 0;
                        				 *(_t444 - 0x74) = _t335;
                        				 *((short*)(_t444 - 0x88)) = 0;
                        				E00BAC468(L"`pmuqcp]qc_paf");
                        				 *(_t444 - 4) = 4;
                        				 *((intOrPtr*)(_t444 - 0x60)) = 0;
                        				 *(_t444 - 0x5c) = _t335;
                        				 *((short*)(_t444 - 0x70)) = 0;
                        				E00BAC468(L"ncpgmbga_j]mddcpq");
                        				 *(_t444 - 4) = 5;
                        				 *((intOrPtr*)(_t444 - 0x48)) = 0;
                        				 *(_t444 - 0x44) = _t335;
                        				 *((short*)(_t444 - 0x58)) = 0;
                        				E00BAC468(L"amlrcvrs_j]mddcpq");
                        				 *(_t444 - 4) = 6;
                        				 *((intOrPtr*)(_t444 - 0x30)) = 0;
                        				 *(_t444 - 0x2c) = _t335;
                        				 *((short*)(_t444 - 0x40)) = 0;
                        				E00BAC468(L"qc_paf]kcls");
                        				_t446 = _t445 - 0x18;
                        				 *(_t444 - 4) = _t335;
                        				_t345 = _t446;
                        				 *((intOrPtr*)(_t345 + 0x10)) = 0;
                        				 *((intOrPtr*)(_t345 + 0x14)) = 0;
                        				E00BAC48D(_t444 - 0xd0, _t345, _t444 - 0xd0);
                        				_t235 = L00BBEA0A(_t335, _t444 - 0xd4, 0, __esi);
                        				 *(_t444 - 4) = 8;
                        				_t236 = L00BAE74E(_t335, _t444 - 0x28, _t235, 0, _t441);
                        				 *(_t444 - 4) = 9;
                        				L00BC8B1D(_t335, _t444 - 0xe0, 0, _t460, _t236);
                        				_t238 = E00BAE71B(_t444 - 0x28);
                        				 *(_t444 - 4) = _t335;
                        				E00BAE6AB(_t238,  *((intOrPtr*)(_t444 - 0xd4)) - 0x10);
                        				_t448 = _t446 + 0x18 - 0x18;
                        				_t352 = _t448;
                        				 *((intOrPtr*)(_t352 + 0x10)) = 0;
                        				 *((intOrPtr*)(_t352 + 0x14)) = 0;
                        				E00BAC48D(_t444 - 0xb8, _t352, _t444 - 0xb8);
                        				_t242 = L00BBEA0A(_t335, _t444 - 0xd4, 0, _t441);
                        				 *(_t444 - 4) = 0xa;
                        				_t243 = L00BAE74E(_t335, _t444 - 0x28, _t242, 0, _t441);
                        				 *(_t444 - 4) = 0xb;
                        				 *0xcdbb82 =  *((intOrPtr*)(L00BC8B1D(_t335, _t444 - 0xe0, 0, _t460, _t243))) != 0;
                        				_t245 = E00BAE71B(_t444 - 0x28);
                        				 *(_t444 - 4) = _t335;
                        				E00BAE6AB(_t245,  *((intOrPtr*)(_t444 - 0xd4)) - 0x10);
                        				_t450 = _t448 + 0x18 - 0x18;
                        				_t359 = _t450;
                        				 *((intOrPtr*)(_t359 + 0x10)) = 0;
                        				 *((intOrPtr*)(_t359 + 0x14)) = 0;
                        				E00BAC48D(_t444 - 0xa0, _t359, _t444 - 0xa0);
                        				_t249 = L00BBEA0A(_t335, _t444 - 0xd4, 0, _t441);
                        				 *(_t444 - 4) = 0xc;
                        				_t250 = L00BAE74E(_t335, _t444 - 0x28, _t249, 0, _t441);
                        				 *(_t444 - 4) = 0xd;
                        				 *0xcdbb81 =  *((intOrPtr*)(L00BC8B1D(_t335, _t444 - 0xe0, 0,  *((intOrPtr*)(L00BC8B1D(_t335, _t444 - 0xe0, 0, _t460, _t243))), _t250))) != 0;
                        				_t252 = E00BAE71B(_t444 - 0x28);
                        				 *(_t444 - 4) = _t335;
                        				E00BAE6AB(_t252,  *((intOrPtr*)(_t444 - 0xd4)) - 0x10);
                        				_t452 = _t450 + 0x18 - 0x18;
                        				_t366 = _t452;
                        				 *((intOrPtr*)(_t366 + 0x10)) = 0;
                        				 *((intOrPtr*)(_t366 + 0x14)) = 0;
                        				E00BAC48D(_t444 - 0x88, _t366, _t444 - 0x88);
                        				_t256 = L00BBEA0A(_t335, _t444 - 0xd4, 0, _t441);
                        				 *(_t444 - 4) = 0xe;
                        				_t257 = L00BAE74E(_t335, _t444 - 0x28, _t256, 0, _t441);
                        				 *(_t444 - 4) = 0xf;
                        				 *0xcdbb80 =  *((intOrPtr*)(L00BC8B1D(_t335, _t444 - 0xe0, 0,  *((intOrPtr*)(L00BC8B1D(_t335, _t444 - 0xe0, 0,  *((intOrPtr*)(L00BC8B1D(_t335, _t444 - 0xe0, 0, _t460, _t243))), _t250))), _t257))) != 0;
                        				_t259 = E00BAE71B(_t444 - 0x28);
                        				 *(_t444 - 4) = _t335;
                        				E00BAE6AB(_t259,  *((intOrPtr*)(_t444 - 0xd4)) - 0x10);
                        				_t454 = _t452 + 0x18 - 0x18;
                        				_t373 = _t454;
                        				 *((intOrPtr*)(_t373 + 0x10)) = 0;
                        				 *((intOrPtr*)(_t373 + 0x14)) = 0;
                        				E00BAC48D(_t444 - 0x70, _t373, _t444 - 0x70);
                        				_t263 = L00BBEA0A(_t335, _t444 - 0xd4, 0, _t441);
                        				 *(_t444 - 4) = 0x10;
                        				_t264 = L00BAE74E(_t335, _t444 - 0x28, _t263, 0, _t441);
                        				 *(_t444 - 4) = 0x11;
                        				 *0xcdba93 =  *((intOrPtr*)(L00BC8B1D(_t335, _t444 - 0xe0, 0,  *((intOrPtr*)(L00BC8B1D(_t335, _t444 - 0xe0, 0,  *((intOrPtr*)(L00BC8B1D(_t335, _t444 - 0xe0, 0,  *((intOrPtr*)(L00BC8B1D(_t335, _t444 - 0xe0, 0, _t460, _t243))), _t250))), _t257))), _t264))) == 0;
                        				_t266 = E00BAE71B(_t444 - 0x28);
                        				 *(_t444 - 4) = _t335;
                        				E00BAE6AB(_t266,  *((intOrPtr*)(_t444 - 0xd4)) - 0x10);
                        				_t456 = _t454 + 0x18 - 0x18;
                        				_t380 = _t456;
                        				 *((intOrPtr*)(_t380 + 0x10)) = 0;
                        				 *((intOrPtr*)(_t380 + 0x14)) = 0;
                        				E00BAC48D(_t444 - 0x58, _t380, _t444 - 0x58);
                        				_t270 = L00BBEA0A(_t335, _t444 - 0xd4, 0, _t441);
                        				 *(_t444 - 4) = 0x12;
                        				_t271 = L00BAE74E(_t335, _t444 - 0x28, _t270, 0, _t441);
                        				 *(_t444 - 4) = 0x13;
                        				 *0xcdba91 =  *((intOrPtr*)(L00BC8B1D(_t335, _t444 - 0xe0, 0,  *((intOrPtr*)(L00BC8B1D(_t335, _t444 - 0xe0, 0,  *((intOrPtr*)(L00BC8B1D(_t335, _t444 - 0xe0, 0,  *((intOrPtr*)(L00BC8B1D(_t335, _t444 - 0xe0, 0,  *((intOrPtr*)(L00BC8B1D(_t335, _t444 - 0xe0, 0, _t460, _t243))), _t250))), _t257))), _t264))), _t271))) != 0;
                        				_t273 = E00BAE71B(_t444 - 0x28);
                        				 *(_t444 - 4) = _t335;
                        				E00BAE6AB(_t273,  *((intOrPtr*)(_t444 - 0xd4)) - 0x10);
                        				_t387 = _t456 + 0x18 - 0x18;
                        				 *((intOrPtr*)(_t387 + 0x10)) = 0;
                        				 *((intOrPtr*)(_t387 + 0x14)) = 0;
                        				E00BAC48D(_t444 - 0x40, _t387, _t444 - 0x40);
                        				_t277 = L00BBEA0A(_t335, _t444 - 0xd4, 0, _t441);
                        				 *(_t444 - 4) = 0x14;
                        				_t278 = L00BAE74E(_t335, _t444 - 0x28, _t277, 0, _t441);
                        				 *(_t444 - 4) = 0x15;
                        				_t279 = L00BC8B1D(_t335, _t444 - 0xe0, 0,  *((intOrPtr*)(L00BC8B1D(_t335, _t444 - 0xe0, 0,  *((intOrPtr*)(L00BC8B1D(_t335, _t444 - 0xe0, 0,  *((intOrPtr*)(L00BC8B1D(_t335, _t444 - 0xe0, 0,  *((intOrPtr*)(L00BC8B1D(_t335, _t444 - 0xe0, 0,  *((intOrPtr*)(L00BC8B1D(_t335, _t444 - 0xe0, 0, _t460, _t243))), _t250))), _t257))), _t264))), _t271))), _t278);
                        				_t280 = E00BAE71B(_t444 - 0x28);
                        				 *(_t444 - 4) = _t335;
                        				E00BAE6AB(_t280,  *((intOrPtr*)(_t444 - 0xd4)) - 0x10);
                        				 *0xcdba92 =  *_t279 != 2;
                        				L00BC3A1A(_t335, 1, 0,  *_t279,  *_t279 - 2);
                        				_t283 =  *(_t444 - 0x2c);
                        				if(_t283 >= 8) {
                        					_t427 =  *((intOrPtr*)(_t444 - 0x40));
                        					_t329 = 2 + _t283 * 2;
                        					 *((intOrPtr*)(_t444 - 0xd8)) = _t329;
                        					 *((intOrPtr*)(_t444 - 0xd4)) =  *((intOrPtr*)(_t444 - 0x40));
                        					if(_t329 >= 0x1000) {
                        						E00BAE6CD(_t335, 0, _t444, _t444 - 0xd4, _t444 - 0xd8);
                        						_t329 =  *((intOrPtr*)(_t444 - 0xd8));
                        						_t427 =  *((intOrPtr*)(_t444 - 0xd4));
                        					}
                        					_push(_t329);
                        					L00C32F7D(_t427);
                        				}
                        				 *((intOrPtr*)(_t444 - 0x30)) = 0;
                        				 *((short*)(_t444 - 0x40)) = 0;
                        				_t285 =  *(_t444 - 0x44);
                        				 *(_t444 - 0x2c) = _t335;
                        				if(_t285 >= 8) {
                        					_t422 =  *((intOrPtr*)(_t444 - 0x58));
                        					_t324 = 2 + _t285 * 2;
                        					 *((intOrPtr*)(_t444 - 0xd4)) = _t324;
                        					 *((intOrPtr*)(_t444 - 0xd8)) =  *((intOrPtr*)(_t444 - 0x58));
                        					if(_t324 >= 0x1000) {
                        						E00BAE6CD(_t335, 0, _t444, _t444 - 0xd8, _t444 - 0xd4);
                        						_t324 =  *((intOrPtr*)(_t444 - 0xd4));
                        						_t422 =  *((intOrPtr*)(_t444 - 0xd8));
                        					}
                        					_push(_t324);
                        					L00C32F7D(_t422);
                        				}
                        				 *((intOrPtr*)(_t444 - 0x48)) = 0;
                        				 *((short*)(_t444 - 0x58)) = 0;
                        				_t287 =  *(_t444 - 0x5c);
                        				 *(_t444 - 0x44) = _t335;
                        				if(_t287 >= 8) {
                        					_t417 =  *((intOrPtr*)(_t444 - 0x70));
                        					_t319 = 2 + _t287 * 2;
                        					 *((intOrPtr*)(_t444 - 0xd4)) = _t319;
                        					 *((intOrPtr*)(_t444 - 0xd8)) =  *((intOrPtr*)(_t444 - 0x70));
                        					if(_t319 >= 0x1000) {
                        						E00BAE6CD(_t335, 0, _t444, _t444 - 0xd8, _t444 - 0xd4);
                        						_t319 =  *((intOrPtr*)(_t444 - 0xd4));
                        						_t417 =  *((intOrPtr*)(_t444 - 0xd8));
                        					}
                        					_push(_t319);
                        					L00C32F7D(_t417);
                        				}
                        				 *((intOrPtr*)(_t444 - 0x60)) = 0;
                        				 *((short*)(_t444 - 0x70)) = 0;
                        				_t289 =  *(_t444 - 0x74);
                        				 *(_t444 - 0x5c) = _t335;
                        				if(_t289 >= 8) {
                        					_t412 =  *((intOrPtr*)(_t444 - 0x88));
                        					_t314 = 2 + _t289 * 2;
                        					 *((intOrPtr*)(_t444 - 0xd4)) = _t314;
                        					 *((intOrPtr*)(_t444 - 0xd8)) =  *((intOrPtr*)(_t444 - 0x88));
                        					if(_t314 >= 0x1000) {
                        						E00BAE6CD(_t335, 0, _t444, _t444 - 0xd8, _t444 - 0xd4);
                        						_t314 =  *((intOrPtr*)(_t444 - 0xd4));
                        						_t412 =  *((intOrPtr*)(_t444 - 0xd8));
                        					}
                        					_push(_t314);
                        					L00C32F7D(_t412);
                        				}
                        				 *((intOrPtr*)(_t444 - 0x78)) = 0;
                        				 *((short*)(_t444 - 0x88)) = 0;
                        				_t291 =  *(_t444 - 0x8c);
                        				 *(_t444 - 0x74) = _t335;
                        				if(_t291 >= 8) {
                        					_t407 =  *((intOrPtr*)(_t444 - 0xa0));
                        					_t309 = 2 + _t291 * 2;
                        					 *((intOrPtr*)(_t444 - 0xd4)) = _t309;
                        					 *((intOrPtr*)(_t444 - 0xd8)) =  *((intOrPtr*)(_t444 - 0xa0));
                        					if(_t309 >= 0x1000) {
                        						E00BAE6CD(_t335, 0, _t444, _t444 - 0xd8, _t444 - 0xd4);
                        						_t309 =  *((intOrPtr*)(_t444 - 0xd4));
                        						_t407 =  *((intOrPtr*)(_t444 - 0xd8));
                        					}
                        					_push(_t309);
                        					L00C32F7D(_t407);
                        				}
                        				 *((intOrPtr*)(_t444 - 0x90)) = 0;
                        				 *((short*)(_t444 - 0xa0)) = 0;
                        				_t293 =  *(_t444 - 0xa4);
                        				 *(_t444 - 0x8c) = _t335;
                        				if(_t293 >= 8) {
                        					_t402 =  *((intOrPtr*)(_t444 - 0xb8));
                        					_t304 = 2 + _t293 * 2;
                        					 *((intOrPtr*)(_t444 - 0xd4)) = _t304;
                        					 *((intOrPtr*)(_t444 - 0xd8)) =  *((intOrPtr*)(_t444 - 0xb8));
                        					if(_t304 >= 0x1000) {
                        						E00BAE6CD(_t335, 0, _t444, _t444 - 0xd8, _t444 - 0xd4);
                        						_t304 =  *((intOrPtr*)(_t444 - 0xd4));
                        						_t402 =  *((intOrPtr*)(_t444 - 0xd8));
                        					}
                        					_push(_t304);
                        					L00C32F7D(_t402);
                        				}
                        				 *((intOrPtr*)(_t444 - 0xa8)) = 0;
                        				 *((short*)(_t444 - 0xb8)) = 0;
                        				_t295 =  *(_t444 - 0xbc);
                        				 *(_t444 - 0xa4) = _t335;
                        				if(_t295 >= 8) {
                        					_t397 =  *((intOrPtr*)(_t444 - 0xd0));
                        					_t299 = 2 + _t295 * 2;
                        					 *((intOrPtr*)(_t444 - 0xd4)) = _t299;
                        					 *((intOrPtr*)(_t444 - 0xd8)) =  *((intOrPtr*)(_t444 - 0xd0));
                        					if(_t299 >= 0x1000) {
                        						E00BAE6CD(_t335, 0, _t444, _t444 - 0xd8, _t444 - 0xd4);
                        						_t299 =  *((intOrPtr*)(_t444 - 0xd4));
                        						_t397 =  *((intOrPtr*)(_t444 - 0xd8));
                        					}
                        					_push(_t299);
                        					L00C32F7D(_t397);
                        				}
                        				 *((intOrPtr*)(_t444 - 0xc0)) = 0;
                        				 *(_t444 - 0xbc) = _t335;
                        				 *((short*)(_t444 - 0xd0)) = 0;
                        				return L00C89946(L00BC8BF1(_t444 - 0xe0), _t335, 0, 0x1000);
                        			}

























































                        APIs
                        • __EH_prolog3_GS.LIBCMT ref: 00BC6301
                          • Part of subcall function 00BC4135: __EH_prolog3_GS.LIBCMT ref: 00BC413F
                          • Part of subcall function 00BAE71B: _Deallocate.LIBCONCRT ref: 00BAE730
                          • Part of subcall function 00BC3A1A: __EH_prolog3_GS.LIBCMT ref: 00BC3A24
                          • Part of subcall function 00BC3A1A: GetModuleFileNameW.KERNEL32(00000000,?,00000104,NA?nnQrmpc,Qmdru_pcZZNA?nnQrmpc,0000024C,00BC559A,?), ref: 00BC3A8E
                          • Part of subcall function 00BC3A1A: RegOpenKeyExW.ADVAPI32(80000001,00000000), ref: 00BC3AD1
                          • Part of subcall function 00BC3A1A: RegSetValueExW.ADVAPI32(?,status,00000000,00000004,?,00000004), ref: 00BC3B0C
                          • Part of subcall function 00BC3A1A: RegCloseKey.ADVAPI32(?), ref: 00BC3B18
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: H_prolog3_$CloseDeallocateFileModuleNameOpenValue
                        • String ID: _srm]qr_pr]ml$`pmuqcp]qc_paf$amlrcvrs_j]mddcpq$f_pbu_pc]amjjcargle$ncpgmbga_j]mddcpq$qc_paf]kcls$qmdru_pc]amjjcargle
                        • API String ID: 1514101343-1276383317
                        • Opcode ID: 3541026827b6a191444d4989d267b9e657c20b04215fcd49cada6d1e7c281b27
                        • Instruction ID: fac2c718ad2f065041e731847f562b1399213104a9ab1e7f816200e31ffb9c79
                        • Opcode Fuzzy Hash: 3541026827b6a191444d4989d267b9e657c20b04215fcd49cada6d1e7c281b27
                        • Instruction Fuzzy Hash: 7212D471D042589FCB14EFA8C991BDDBBF5AF59300F9044DEE009A7252EB309A89CF65
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 89%
                        			E00BD109B(void* __ebx, struct HWND__* __ecx, signed int __edi, void* __esi, void* __eflags) {
                        				struct HWND__* _t61;
                        				intOrPtr* _t67;
                        				signed int _t69;
                        				intOrPtr _t72;
                        				intOrPtr* _t82;
                        				struct HWND__* _t83;
                        				intOrPtr* _t84;
                        				struct HWND__* _t85;
                        				intOrPtr* _t86;
                        				struct HWND__* _t96;
                        				signed int _t105;
                        				struct HWND__* _t106;
                        				void* _t107;
                        				intOrPtr* _t109;
                        				intOrPtr _t122;
                        				intOrPtr _t125;
                        				signed int _t126;
                        				signed int _t127;
                        				struct HWND__* _t129;
                        				void* _t130;
                        				void* _t131;
                        				void* _t146;
                        
                        				_t126 = __edi;
                        				_t106 = __ecx;
                        				L00C8999C(0xc908f6, __ebx, __edi, __esi, 0x44c);
                        				 *(_t130 - 0x454) = _t106;
                        				_t129 = E00BD1710(__ebx, _t106, __edi, __esi, __eflags);
                        				 *(_t130 - 0x414) = 7;
                        				 *((intOrPtr*)(_t130 - 0x418)) = 0;
                        				 *(_t130 - 0x428) = 0;
                        				 *((intOrPtr*)(_t130 - 4)) = 0;
                        				_t61 =  *0xce13e4; // 0x3
                        				if(_t61 != 3) {
                        					__eflags = _t61;
                        					if(_t61 == 0) {
                        						_push(L"BT0AmlrpmjFmqr");
                        						goto L4;
                        					}
                        				} else {
                        					_push(L"Uglbmuq,SG,Ampc,AmpcUglbmu");
                        					L4:
                        					E00BAC468();
                        				}
                        				GetClassNameW(_t129, _t130 - 0x210, 0x100);
                        				_t107 = _t131 - 0x18;
                        				 *((intOrPtr*)(_t107 + 0x10)) = 0;
                        				 *((intOrPtr*)(_t107 + 0x14)) = 0;
                        				E00BAC48D(_t130 - 0x428, _t107, _t130 - 0x428);
                        				_t109 =  *((intOrPtr*)(L00BBEA0A(0, _t130 - 0x44c, _t126, _t129)));
                        				_t67 = _t130 - 0x210;
                        				while(1) {
                        					_t122 =  *_t67;
                        					_t105 = 1;
                        					if(_t122 !=  *_t109) {
                        						break;
                        					}
                        					if(_t122 == 0) {
                        						L10:
                        						_t127 = 0;
                        					} else {
                        						_t125 =  *((intOrPtr*)(_t67 + 2));
                        						if(_t125 !=  *((intOrPtr*)(_t109 + 2))) {
                        							break;
                        						} else {
                        							_t67 = _t67 + 4;
                        							_t109 = _t109 + 4;
                        							if(_t125 != 0) {
                        								continue;
                        							} else {
                        								goto L10;
                        							}
                        						}
                        					}
                        					L12:
                        					E00BAE6AB(_t67,  *((intOrPtr*)(_t130 - 0x44c)) - 0x10);
                        					if(_t127 != 0) {
                        						L27:
                        						_t105 = 0;
                        						__eflags = 0;
                        					} else {
                        						GetWindowTextW(_t129, _t130 - 0x410, 0x100);
                        						 *(_t130 - 0x450) =  *(_t130 - 0x450) & _t127;
                        						GetWindowThreadProcessId(_t129, _t130 - 0x450);
                        						_t127 =  *(_t130 - 0x454);
                        						if( *(_t130 - 0x450) !=  *((intOrPtr*)(_t127 + 0x14d8))) {
                        							L22:
                        							_t82 =  *_t127;
                        							_t83 =  *((intOrPtr*)( *_t82 + 0x18))(_t82, _t129, _t130 - 0x44c);
                        							__eflags = _t83;
                        							if(_t83 == 0) {
                        								_t84 =  *((intOrPtr*)(_t130 - 0x44c));
                        								_t85 =  *((intOrPtr*)( *_t84 + 0x40))(_t84, 0x2719, _t130 - 0x454);
                        								__eflags = _t85;
                        								if(_t85 != 0) {
                        									L26:
                        									_t86 =  *((intOrPtr*)(_t130 - 0x44c));
                        									 *((intOrPtr*)( *_t86 + 8))(_t86);
                        								} else {
                        									_t129 =  *(_t130 - 0x454);
                        									__eflags = _t129;
                        									if(_t129 != 0) {
                        										 *((intOrPtr*)(_t129->i + 0x2c))(_t129, _t130 - 0x458);
                        										 *((intOrPtr*)(_t129->i + 8))(_t129);
                        										goto L26;
                        									}
                        								}
                        							}
                        							goto L27;
                        						} else {
                        							GetWindowRect(_t129, _t130 - 0x438);
                        							SystemParametersInfoW(0x30, 0, _t130 - 0x448, 0);
                        							_t96 =  *0xce13e4; // 0x3
                        							if(_t96 != 3) {
                        								__eflags = _t96;
                        								goto L20;
                        							} else {
                        								if( *(_t130 - 0x438) !=  *(_t130 - 0x448) ||  *((intOrPtr*)(_t130 - 0x430)) !=  *((intOrPtr*)(_t130 - 0x440)) ||  *((intOrPtr*)(_t130 - 0x434)) !=  *((intOrPtr*)(_t130 - 0x444))) {
                        									goto L22;
                        								} else {
                        									_t146 =  *((intOrPtr*)(_t130 - 0x42c)) -  *((intOrPtr*)(_t130 - 0x43c));
                        									L20:
                        									if(_t146 != 0) {
                        										goto L22;
                        									} else {
                        										 *(_t127 + 0x1278) = _t129;
                        									}
                        								}
                        							}
                        						}
                        					}
                        					_t69 =  *(_t130 - 0x414);
                        					if(_t69 >= 8) {
                        						_t112 =  *(_t130 - 0x428);
                        						_t72 = 2 + _t69 * 2;
                        						 *((intOrPtr*)(_t130 - 0x44c)) = _t72;
                        						 *(_t130 - 0x450) =  *(_t130 - 0x428);
                        						if(_t72 >= 0x1000) {
                        							E00BAE6CD(_t105, _t127, _t130, _t130 - 0x450, _t130 - 0x44c);
                        							_t72 =  *((intOrPtr*)(_t130 - 0x44c));
                        							_t112 =  *(_t130 - 0x450);
                        						}
                        						_push(_t72);
                        						L00C32F7D(_t112);
                        					}
                        					return L00C89946(_t105, _t105, _t127, _t129);
                        				}
                        				asm("sbb edi, edi");
                        				_t127 = _t126 | _t105;
                        				__eflags = _t127;
                        				goto L12;
                        			}


























                        APIs
                        • __EH_prolog3_GS.LIBCMT ref: 00BD10A5
                          • Part of subcall function 00BD1710: __EH_prolog3_GS.LIBCMT ref: 00BD171A
                          • Part of subcall function 00BD1710: SystemParametersInfoW.USER32 ref: 00BD1765
                          • Part of subcall function 00BD1710: GetWindowRect.USER32 ref: 00BD17FC
                          • Part of subcall function 00BD1710: WindowFromPoint.USER32(?,?), ref: 00BD1823
                          • Part of subcall function 00BD1710: GetParent.USER32(00000000), ref: 00BD1839
                          • Part of subcall function 00BD1710: GetClassNameW.USER32 ref: 00BD186C
                          • Part of subcall function 00BD1710: GetWindowTextW.USER32 ref: 00BD1884
                        • GetClassNameW.USER32 ref: 00BD1109
                        • GetWindowTextW.USER32 ref: 00BD118C
                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 00BD11A0
                        • GetWindowRect.USER32 ref: 00BD11C2
                        • SystemParametersInfoW.USER32 ref: 00BD11D5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: Window$ClassH_prolog3_InfoNameParametersRectSystemText$FromParentPointProcessThread
                        • String ID: BT0AmlrpmjFmqr$Uglbmuq,SG,Ampc,AmpcUglbmu
                        • API String ID: 1493542921-2564481283
                        • Opcode ID: e755521728d9081744e55762a68cd26df8a04c5b7c2dacace481d671bc1696e0
                        • Instruction ID: 3714b09c58e217d7a7b140f3b3d11fd9c6efec4d27317962c4fec5bd73993818
                        • Opcode Fuzzy Hash: e755521728d9081744e55762a68cd26df8a04c5b7c2dacace481d671bc1696e0
                        • Instruction Fuzzy Hash: 27612AB1900128ABDB64DF58DC84BEDB3B9EF58304F5004DAE609E7251EB31AE85CF59
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 86%
                        			E00BD12E1(void* __ebx, signed int __ecx, void* __edi, signed int __esi, void* __eflags) {
                        				intOrPtr* _t72;
                        				signed int _t74;
                        				intOrPtr _t77;
                        				signed int _t87;
                        				intOrPtr* _t88;
                        				intOrPtr* _t90;
                        				intOrPtr* _t92;
                        				long _t108;
                        				signed int _t109;
                        				void* _t111;
                        				intOrPtr* _t113;
                        				intOrPtr _t125;
                        				intOrPtr _t128;
                        				struct HWND__* _t130;
                        				signed int _t131;
                        				signed int _t132;
                        				void* _t133;
                        				void* _t134;
                        				void* _t144;
                        
                        				_t131 = __esi;
                        				_t109 = __ecx;
                        				L00C8999C(0xc90930, __ebx, __edi, __esi, 0x454);
                        				 *(_t133 - 0x458) = _t109;
                        				_t130 = L00BD19BF(__ebx, __edi, __esi, _t133, __eflags);
                        				GetClassNameW(_t130, _t133 - 0x214, 0x100);
                        				_t108 = 0;
                        				 *(_t133 - 0x438) = 7;
                        				 *((char*)(_t133 - 0x44e)) = 0;
                        				 *((char*)(_t133 - 0x44d)) = 0;
                        				 *((intOrPtr*)(_t133 - 0x43c)) = 0;
                        				 *(_t133 - 0x44c) = 0;
                        				E00BAC468(L"Uglbmuq,SG,Ampc,AmpcUglbmu");
                        				 *((intOrPtr*)(_t133 - 4)) = 0;
                        				_t111 = _t134 - 0x18;
                        				 *((intOrPtr*)(_t111 + 0x10)) = 0;
                        				 *((intOrPtr*)(_t111 + 0x14)) = 0;
                        				E00BAC48D(_t133 - 0x44c, _t111, _t133 - 0x44c);
                        				_t113 =  *((intOrPtr*)(L00BBEA0A(0, _t133 - 0x454, _t130, __esi)));
                        				_t72 = _t133 - 0x214;
                        				while(1) {
                        					_t125 =  *_t72;
                        					if(_t125 !=  *_t113) {
                        						break;
                        					}
                        					if(_t125 == 0) {
                        						L5:
                        						_t132 = _t108;
                        						L7:
                        						E00BAE6AB(_t72,  *((intOrPtr*)(_t133 - 0x454)) - 0x10);
                        						if(_t132 != 0) {
                        							L22:
                        							_t74 =  *(_t133 - 0x438);
                        							if(_t74 >= 8) {
                        								_t116 =  *(_t133 - 0x44c);
                        								_t77 = 2 + _t74 * 2;
                        								 *((intOrPtr*)(_t133 - 0x454)) = _t77;
                        								 *(_t133 - 0x45c) =  *(_t133 - 0x44c);
                        								if(_t77 >= 0x1000) {
                        									E00BAE6CD(_t108, _t130, _t133, _t133 - 0x45c, _t133 - 0x454);
                        									_t77 =  *((intOrPtr*)(_t133 - 0x454));
                        									_t116 =  *(_t133 - 0x45c);
                        								}
                        								_push(_t77);
                        								L00C32F7D(_t116);
                        							}
                        							return L00C89946(_t108, _t108, _t130, _t132);
                        						}
                        						GetWindowTextW(_t130, _t133 - 0x414, 0x100);
                        						 *(_t133 - 0x45c) = _t108;
                        						GetWindowThreadProcessId(_t130, _t133 - 0x45c);
                        						_t144 =  *(_t133 - 0x45c) -  *0xce19bc; // 0x0
                        						if(_t144 != 0) {
                        							L14:
                        							_t87 =  *(_t133 - 0x458);
                        							L15:
                        							_t88 =  *_t87;
                        							_push(_t133 - 0x454);
                        							_push(_t130);
                        							_push(_t88);
                        							if( *((intOrPtr*)( *_t88 + 0x18))() != 0) {
                        								goto L22;
                        							}
                        							_t90 =  *((intOrPtr*)(_t133 - 0x454));
                        							_push(_t133 - 0x458);
                        							_push(0x2719);
                        							_push(_t90);
                        							if( *((intOrPtr*)( *_t90 + 0x40))() != 0) {
                        								L19:
                        								_t92 =  *((intOrPtr*)(_t133 - 0x454));
                        								 *((intOrPtr*)( *_t92 + 8))(_t92);
                        								if( *((char*)(_t133 - 0x44d)) != 0 &&  *((char*)(_t133 - 0x44e)) != 0) {
                        									_t108 = 1;
                        								}
                        								goto L22;
                        							}
                        							_t132 =  *(_t133 - 0x458);
                        							if(_t132 == 0) {
                        								goto L22;
                        							}
                        							 *((intOrPtr*)( *_t132 + 0x2c))(_t132, _t133 - 0x460);
                        							 *((char*)(_t133 - 0x44d)) =  *((intOrPtr*)(_t133 - 0x460)) != 0;
                        							 *((intOrPtr*)( *_t132 + 8))(_t132);
                        							goto L19;
                        						}
                        						_t132 = GetWindowRect;
                        						GetWindowRect(_t130, _t133 - 0x424);
                        						GetWindowRect(GetDesktopWindow(), _t133 - 0x434);
                        						if( *(_t133 - 0x424) !=  *(_t133 - 0x434) ||  *((intOrPtr*)(_t133 - 0x41c)) !=  *((intOrPtr*)(_t133 - 0x42c)) ||  *((intOrPtr*)(_t133 - 0x420)) !=  *((intOrPtr*)(_t133 - 0x430)) ||  *((intOrPtr*)(_t133 - 0x418)) !=  *((intOrPtr*)(_t133 - 0x428))) {
                        							_t87 =  *(_t133 - 0x458);
                        							 *((char*)(_t133 - 0x44e)) = 1;
                        							 *(_t87 + 0x127c) = _t130;
                        							goto L15;
                        						} else {
                        							goto L14;
                        						}
                        					}
                        					_t128 =  *((intOrPtr*)(_t72 + 2));
                        					if(_t128 !=  *((intOrPtr*)(_t113 + 2))) {
                        						break;
                        					}
                        					_t72 = _t72 + 4;
                        					_t113 = _t113 + 4;
                        					if(_t128 != 0) {
                        						continue;
                        					}
                        					goto L5;
                        				}
                        				asm("sbb esi, esi");
                        				_t132 = _t131 | 0x00000001;
                        				__eflags = _t132;
                        				goto L7;
                        			}

                        APIs
                        • __EH_prolog3_GS.LIBCMT ref: 00BD12EB
                          • Part of subcall function 00BD19BF: GetWindowRect.USER32 ref: 00BD19E5
                          • Part of subcall function 00BD19BF: WindowFromPoint.USER32(?,?), ref: 00BD1A78
                        • GetClassNameW.USER32 ref: 00BD130A
                        • GetWindowTextW.USER32 ref: 00BD13C5
                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 00BD13D9
                        • GetWindowRect.USER32 ref: 00BD13FB
                        • GetDesktopWindow.USER32 ref: 00BD1404
                        • GetWindowRect.USER32 ref: 00BD140B
                        Strings
                        • Uglbmuq,SG,Ampc,AmpcUglbmu, xrefs: 00BD1324
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: Window$Rect$ClassDesktopFromH_prolog3_NamePointProcessTextThread
                        • String ID: Uglbmuq,SG,Ampc,AmpcUglbmu
                        • API String ID: 3187983461-3698825280
                        • Opcode ID: b57be88da090632a343b80bca9a67ee9f73a00c1ecea51bb1f64625480b8c717
                        • Instruction ID: 595ce202664ae1c2bf6d789605480120a841bafee7e28c9a6a9b842075555fbf
                        • Opcode Fuzzy Hash: b57be88da090632a343b80bca9a67ee9f73a00c1ecea51bb1f64625480b8c717
                        • Instruction Fuzzy Hash: 3C614EB19001289FDB20DF58CC84BEDB7B8EF55305F5444DAE609AB252EB30AE85CF59
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 79%
                        			E00C406A1(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                        				void* _t32;
                        				intOrPtr _t37;
                        				intOrPtr _t42;
                        				intOrPtr _t50;
                        				intOrPtr _t51;
                        				signed int _t52;
                        				signed int _t57;
                        				void* _t68;
                        				void* _t69;
                        				void* _t70;
                        				void* _t71;
                        				void* _t72;
                        				void* _t73;
                        
                        				_t77 = __eflags;
                        				_t60 = __edx;
                        				_t51 = __ecx;
                        				L00C8999C(0xc9211e, __ebx, __edi, __esi, 0x64);
                        				_t50 = _t51;
                        				 *((intOrPtr*)(_t70 - 0x6c)) = L00C55CA4(__edx);
                        				_t32 = L00C348FC(__edx, __eflags, _t70 - 0x68);
                        				_t52 = 0xb;
                        				_t68 = _t32;
                        				 *((intOrPtr*)(_t70 - 0x70)) = _t50;
                        				memcpy(_t70 - 0x3c, _t68, _t52 << 2);
                        				_t72 = _t71 + 0xc;
                        				_t64 = _t68 + _t52 + _t52;
                        				_t69 = 0;
                        				 *((intOrPtr*)(_t50 + 8)) = 0;
                        				 *((intOrPtr*)(_t50 + 0x10)) = 0;
                        				 *((intOrPtr*)(_t50 + 0x14)) = 0;
                        				 *((intOrPtr*)(_t70 - 4)) = 0;
                        				L00C348FC(_t60, _t77, _t70 - 0x68);
                        				if( *((char*)(_t70 + 0xc)) == 0) {
                        					_t37 =  *((intOrPtr*)( *((intOrPtr*)(_t70 - 0x6c)) + 8));
                        				} else {
                        					_t37 = 0xcc5ebe;
                        				}
                        				_push(_t70 - 0x68);
                        				_push(_t69);
                        				 *((intOrPtr*)(_t50 + 8)) = E00BB807C(_t37);
                        				 *((intOrPtr*)(_t50 + 0x10)) = L00C39E09(_t50, _t64, _t69, "false", _t69, _t70 - 0x3c);
                        				_t42 = L00C39E09(_t50, _t64, _t69, "true", _t69, _t70 - 0x3c);
                        				_t73 = _t72 + 0x24;
                        				 *((intOrPtr*)(_t50 + 0x14)) = _t42;
                        				if( *((char*)(_t70 + 0xc)) == 0) {
                        					_t69 = _t70 - 0x3c;
                        					_t57 = 0xb;
                        					_push( *((intOrPtr*)(_t70 - 0x6c)));
                        					memcpy(_t73 - 0x2c, _t69, _t57 << 2);
                        					_t64 = _t69 + _t57 + _t57;
                        					_push(0);
                        					_t44 = L00C39C39(_t50, _t50, _t69 + _t57 + _t57, _t69, __eflags);
                        				} else {
                        					 *((short*)(_t50 + 0xc)) = L00C39DD8(0x2e, _t69, _t70 - 0x3c);
                        					 *((short*)(_t50 + 0xe)) = L00C39DD8(0x2c, _t69, _t70 - 0x3c);
                        				}
                        				return L00C89946(_t44, _t50, _t64, _t69);
                        			}

                        APIs
                        • __EH_prolog3_GS.LIBCMT ref: 00C406A8
                        • _Maklocstr.LIBCPMT ref: 00C40711
                        • _Maklocstr.LIBCPMT ref: 00C40723
                        • _Maklocchr.LIBCPMT ref: 00C4073B
                        • _Maklocchr.LIBCPMT ref: 00C4074B
                        • _Getvals.LIBCPMT ref: 00C4076D
                          • Part of subcall function 00C39C39: _Maklocchr.LIBCPMT ref: 00C39C68
                          • Part of subcall function 00C39C39: _Maklocchr.LIBCPMT ref: 00C39C7E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
                        • String ID: false$true
                        • API String ID: 3549167292-2658103896
                        • Opcode ID: 432a0812d065b3d8e96172e8a513ce09081267a842624f4f31d5aca13be191a1
                        • Instruction ID: 2619da1a38c2d82519b56e3e6fead6f343f134a4775515ab4ce9c74dcc2c91e6
                        • Opcode Fuzzy Hash: 432a0812d065b3d8e96172e8a513ce09081267a842624f4f31d5aca13be191a1
                        • Instruction Fuzzy Hash: 692195B1D40308AADF15EFE5D886ADF7BA8EF04710F10805AF9149F152DAB09644DBA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 79%
                        			E00C6C2B0(void* __edx, void* __fp0, char _a4) {
                        				void* _v8;
                        				signed int _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				char _v24;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				void _t52;
                        				intOrPtr _t53;
                        				intOrPtr _t54;
                        				intOrPtr _t55;
                        				intOrPtr _t56;
                        				signed int _t59;
                        				signed int _t68;
                        				char _t81;
                        				intOrPtr* _t82;
                        				void* _t93;
                        				void* _t94;
                        				signed int _t97;
                        				void* _t100;
                        				char _t108;
                        				char _t109;
                        				void* _t114;
                        				char* _t115;
                        				signed int _t121;
                        				signed int* _t122;
                        				char _t124;
                        				intOrPtr* _t126;
                        				signed int _t127;
                        				signed int _t128;
                        				signed int _t129;
                        				signed int _t130;
                        				char* _t131;
                        
                        				_t114 = __edx;
                        				_t124 = _a4;
                        				_v24 = _t124;
                        				_v20 = 0;
                        				if( *((intOrPtr*)(_t124 + 0xb0)) != 0 ||  *((intOrPtr*)(_t124 + 0xac)) != 0) {
                        					_v16 = 1;
                        					_t93 = E00C63924(_t94, 1, 0x50);
                        					if(_t93 != 0) {
                        						_t97 = 0x14;
                        						memcpy(_t93,  *(_t124 + 0x88), _t97 << 2);
                        						_t126 = E00C64CDB(0, 4);
                        						_t121 = 0;
                        						_v8 = _t126;
                        						L00C63981(0);
                        						_pop(_t100);
                        						if(_t126 != 0) {
                        							 *_t126 = 0;
                        							_t124 = _a4;
                        							if( *((intOrPtr*)(_t124 + 0xb0)) == 0) {
                        								_t52 =  *0xcdb100; // 0xcdb154
                        								 *_t93 = _t52;
                        								_t53 =  *0xcdb104; // 0xce0aa8
                        								 *((intOrPtr*)(_t93 + 4)) = _t53;
                        								_t54 =  *0xcdb108; // 0xce0aa8
                        								 *((intOrPtr*)(_t93 + 8)) = _t54;
                        								_t55 =  *0xcdb130; // 0xcdb158
                        								 *((intOrPtr*)(_t93 + 0x30)) = _t55;
                        								_t56 =  *0xcdb134; // 0xce0aac
                        								 *((intOrPtr*)(_t93 + 0x34)) = _t56;
                        								L19:
                        								 *_v8 = 1;
                        								if(_t121 != 0) {
                        									 *_t121 = 1;
                        								}
                        								goto L21;
                        							}
                        							_t122 = E00C64CDB(_t100, 4);
                        							_v12 = _t122;
                        							L00C63981(0);
                        							_push(_t93);
                        							if(_t122 != 0) {
                        								 *_t122 =  *_t122 & 0x00000000;
                        								_t123 =  *((intOrPtr*)(_t124 + 0xb0));
                        								_push(0xe);
                        								_push( *((intOrPtr*)(_t124 + 0xb0)));
                        								_push(1);
                        								_push( &_v24);
                        								_t68 = L00C6EB85(_t93, _t114,  *((intOrPtr*)(_t124 + 0xb0)), _t124);
                        								_t16 = _t93 + 4; // 0x4
                        								_t127 = _t68;
                        								_t128 = _t127 | L00C6EB85(_t93, _t114,  *((intOrPtr*)(_t124 + 0xb0)), _t127,  &_v24, 1, _t123, 0xf, _t16);
                        								_t18 = _t93 + 8; // 0x8
                        								_t129 = _t128 | L00C6EB85(_t93, _t114, _t123, _t128,  &_v24, 1, _t123, 0x10, _t18);
                        								_t130 = _t129 | L00C6EB85(_t93, _t114, _t123, _t129,  &_v24, 2, _t123, 0xe, _t93 + 0x30);
                        								_t22 = _t93 + 0x34; // 0x34
                        								if((L00C6EB85(_t93, _t114, _t123, _t130,  &_v24, 2, _t123, 0xf, _t22) | _t130) == 0) {
                        									_t115 =  *((intOrPtr*)(_t93 + 8));
                        									while(1) {
                        										_t81 =  *_t115;
                        										if(_t81 == 0) {
                        											break;
                        										}
                        										_t30 = _t81 - 0x30; // -48
                        										_t108 = _t30;
                        										if(_t108 > 9) {
                        											if(_t81 != 0x3b) {
                        												L16:
                        												_t115 = _t115 + 1;
                        												continue;
                        											}
                        											_t131 = _t115;
                        											do {
                        												_t82 = _t131 + 1;
                        												_t109 =  *_t82;
                        												 *_t131 = _t109;
                        												_t131 = _t82;
                        											} while (_t109 != 0);
                        											continue;
                        										}
                        										 *_t115 = _t108;
                        										goto L16;
                        									}
                        									_t121 = _v12;
                        									_t124 = _a4;
                        									goto L19;
                        								}
                        								E00C6C247(_t93);
                        								L00C63981(_t93);
                        								L00C63981(_v12);
                        								_v16 = _v16 | 0xffffffff;
                        								L12:
                        								L00C63981(_v8);
                        								return _v16;
                        							}
                        							L00C63981();
                        							goto L12;
                        						}
                        						L00C63981(_t93);
                        						return 1;
                        					}
                        					return 1;
                        				} else {
                        					_t121 = 0;
                        					_v8 = 0;
                        					_t93 = 0xcdb100;
                        					L21:
                        					_t59 =  *(_t124 + 0x80);
                        					if(_t59 != 0) {
                        						asm("lock dec dword [eax]");
                        					}
                        					if( *((intOrPtr*)(_t124 + 0x7c)) != 0) {
                        						asm("lock xadd [ecx], eax");
                        						if((_t59 | 0xffffffff) == 0) {
                        							L00C63981( *((intOrPtr*)(_t124 + 0x7c)));
                        							L00C63981( *(_t124 + 0x88));
                        						}
                        					}
                        					 *((intOrPtr*)(_t124 + 0x7c)) = _v8;
                        					 *(_t124 + 0x80) = _t121;
                        					 *(_t124 + 0x88) = _t93;
                        					return 0;
                        				}
                        			}

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: _free
                        • String ID:
                        • API String ID: 269201875-0
                        • Opcode ID: fe5b5c90be014ce480c6db1bf2847fd4af329d2b3781902f0baf9551cd37ef60
                        • Instruction ID: d1fece2fb9a5aaad4207a46189eb67f75f99f0accf9de84d3d302c6ad0f49f77
                        • Opcode Fuzzy Hash: fe5b5c90be014ce480c6db1bf2847fd4af329d2b3781902f0baf9551cd37ef60
                        • Instruction Fuzzy Hash: BD61D6719003059FDB30DF65C8D1BBAB7F8AF59710F10456AE9A6EB281EB709E01DB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 60%
                        			E00C386D3(void* __ebx, void* __edx, void* __edi, void* __esi, signed int* _a4, signed int _a8) {
                        				signed int _v8;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				char _v24;
                        				signed int _v28;
                        				signed int _t49;
                        				signed int _t53;
                        				long _t54;
                        				signed int _t55;
                        				signed int _t61;
                        				signed int _t64;
                        				signed int _t65;
                        				void* _t68;
                        				signed int _t74;
                        				long _t78;
                        				signed int* _t88;
                        				void* _t89;
                        				signed int _t90;
                        				intOrPtr _t97;
                        				signed int* _t101;
                        				void* _t106;
                        				signed int _t109;
                        				signed int _t114;
                        
                        				_t106 = __edx;
                        				_t49 =  *0xcdaf54; // 0x8a028f78
                        				_v8 = _t49 ^ _t114;
                        				_t88 = _a4;
                        				_t109 = _a8;
                        				_v28 = _t109;
                        				if(( *_t88 & 0xfffffeff) != 1) {
                        					__eflags = _t109;
                        					if(_t109 != 0) {
                        						__eflags =  *(_t109 + 4);
                        						_t53 =  *_t109;
                        						if(__eflags < 0) {
                        							L29:
                        							_t54 = GetCurrentThreadId();
                        							__eflags = _t88[0xa] - _t54;
                        							if(_t88[0xa] == _t54) {
                        								goto L8;
                        							} else {
                        								 *0xc943b8();
                        								_t64 =  *((intOrPtr*)( *((intOrPtr*)(_t88[1] + 4))))();
                        								_t109 = _v28;
                        								__eflags = _t64;
                        								if(_t64 == 0) {
                        									goto L11;
                        								} else {
                        									goto L8;
                        								}
                        							}
                        						} else {
                        							if(__eflags > 0) {
                        								L17:
                        								_t65 = _t53 |  *(_t109 + 4);
                        								__eflags = _t65;
                        								if(_t65 != 0) {
                        									L19:
                        									L00C33FEB(_t89, _t106,  &_v24, 1);
                        									while(1) {
                        										_t68 =  *_t109;
                        										_t97 = _v20;
                        										__eflags = _t97 -  *(_t109 + 4);
                        										if(__eflags < 0) {
                        											goto L26;
                        										}
                        										if(__eflags > 0) {
                        											L23:
                        											__eflags = _v24 - _t68;
                        											if(_v24 != _t68) {
                        												goto L11;
                        											} else {
                        												__eflags = _t97 -  *(_t109 + 4);
                        												if(_t97 !=  *(_t109 + 4)) {
                        													goto L11;
                        												} else {
                        													__eflags = _v16 -  *((intOrPtr*)(_t109 + 8));
                        													if(_v16 >=  *((intOrPtr*)(_t109 + 8))) {
                        														goto L11;
                        													} else {
                        														goto L26;
                        													}
                        												}
                        											}
                        										} else {
                        											__eflags = _v24 - _t68;
                        											if(_v24 < _t68) {
                        												goto L26;
                        											} else {
                        												goto L23;
                        											}
                        										}
                        										goto L36;
                        										L26:
                        										__eflags = _t88[0xa] - GetCurrentThreadId();
                        										if(__eflags == 0) {
                        											goto L8;
                        										} else {
                        											 *0xc943b8(L00C33F84(__eflags, _v28,  &_v24));
                        											_t39 =  &(_t88[1]); // 0x18
                        											_t101 = _t39;
                        											_t74 =  *((intOrPtr*)( *((intOrPtr*)(_t88[1] + 8))))();
                        											__eflags = _t74;
                        											if(_t74 != 0) {
                        												goto L7;
                        											} else {
                        												L00C33FEB(_t101, _t106,  &_v24, 1);
                        												_t109 = _v28;
                        												continue;
                        											}
                        										}
                        										goto L36;
                        									}
                        								} else {
                        									__eflags =  *((intOrPtr*)(_t109 + 8)) - _t65;
                        									if( *((intOrPtr*)(_t109 + 8)) <= _t65) {
                        										goto L29;
                        									} else {
                        										goto L19;
                        									}
                        								}
                        							} else {
                        								__eflags = _t53;
                        								if(_t53 < 0) {
                        									goto L29;
                        								} else {
                        									goto L17;
                        								}
                        							}
                        						}
                        					} else {
                        						_t78 = GetCurrentThreadId();
                        						__eflags = _t88[0xa] - _t78;
                        						if(_t88[0xa] != _t78) {
                        							 *0xc943b8();
                        							 *((intOrPtr*)( *(_t88[1])))();
                        							L7:
                        							_t109 = _v28;
                        						}
                        						L8:
                        						_t90 = _t88[0xb];
                        						_t55 = _t90 + 1;
                        						_t88[0xb] = _t55;
                        						__eflags = _t55 - 1;
                        						if(_t55 <= 1) {
                        							_t88[0xa] = GetCurrentThreadId();
                        							goto L35;
                        						} else {
                        							__eflags =  *_t88 & 0x00000100;
                        							if(( *_t88 & 0x00000100) != 0) {
                        								goto L35;
                        							} else {
                        								_t88[0xb] = _t90;
                        								__eflags = _t109;
                        								if(_t109 == 0) {
                        									L32:
                        									_push(3);
                        								} else {
                        									L11:
                        									_t61 =  *_t109 |  *(_t109 + 4);
                        									__eflags = _t61;
                        									if(_t61 != 0) {
                        										L13:
                        										_push(2);
                        									} else {
                        										__eflags =  *((intOrPtr*)(_t109 + 8)) - _t61;
                        										if( *((intOrPtr*)(_t109 + 8)) == _t61) {
                        											goto L32;
                        										} else {
                        											goto L13;
                        										}
                        									}
                        								}
                        							}
                        						}
                        					}
                        				} else {
                        					if(_t88[0xa] != GetCurrentThreadId()) {
                        						 *0xc943b8();
                        						 *((intOrPtr*)( *(_t88[1])))();
                        						_t88[0xa] = GetCurrentThreadId();
                        					}
                        					_t88[0xb] = _t88[0xb] + 1;
                        					L35:
                        				}
                        				L36:
                        				return L00C32D6C(_v8 ^ _t114);
                        			}

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: CurrentThread$_xtime_get$Xtime_diff_to_millis2
                        • String ID:
                        • API String ID: 3943753294-0
                        • Opcode ID: e3575bf2395f179cebf25c908aeb6142b3173ff2c4efdea2cc23856349849e67
                        • Instruction ID: d7c219132708134b41f8f011e2c519be5e4e262d30231ce7bc469290eac8b1b1
                        • Opcode Fuzzy Hash: e3575bf2395f179cebf25c908aeb6142b3173ff2c4efdea2cc23856349849e67
                        • Instruction Fuzzy Hash: 59517830910705CFCF24DF64C985AA9BBB6FF09710F25449AF816AB295CB30EE49CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 94%
                        			E00BC37F1(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                        				short** _t69;
                        				long _t70;
                        				signed int _t72;
                        				signed int _t74;
                        				int _t77;
                        				intOrPtr _t82;
                        				short** _t92;
                        				long _t93;
                        				char _t101;
                        				void* _t102;
                        				void* _t105;
                        				void* _t119;
                        				signed int _t127;
                        				void* _t131;
                        				void* _t132;
                        				void* _t133;
                        				void* _t134;
                        
                        				_t102 = __ecx;
                        				L00C8999C(0xc8ee7f, __ebx, __edi, __esi, 0x444);
                        				_t125 = _t102;
                        				_t127 = 7;
                        				 *(_t131 - 0x430) = _t127;
                        				 *((short*)(_t131 - 0x444)) = 0;
                        				 *((intOrPtr*)(_t131 - 0x434)) = 0;
                        				E00BAC468(L"Qmdru_pcZZNA?nnQrmpc");
                        				 *((intOrPtr*)(_t131 - 4)) = 0;
                        				 *(_t131 - 0x41c) = 0;
                        				 *(_t131 - 0x418) = _t127;
                        				 *(_t131 - 0x42c) = 0;
                        				E00BAC468(L"?nnN_p_k");
                        				_t101 = 1;
                        				 *((char*)(_t131 - 4)) = 1;
                        				_t133 = _t132 - 0x18;
                        				_t105 = _t133;
                        				 *((intOrPtr*)(_t105 + 0x10)) = 0;
                        				 *((intOrPtr*)(_t105 + 0x14)) = 0;
                        				E00BAC48D(_t131 - 0x444, _t105, _t131 - 0x444);
                        				_t69 = L00BBEA0A(1, _t131 - 0x448, _t102, _t127);
                        				_t134 = _t133 + 0x18;
                        				 *((char*)(_t131 - 4)) = 2;
                        				_t70 = RegOpenKeyExW(0x80000001,  *_t69, 0, 0xf003f, _t131 - 0x450);
                        				 *((char*)(_t131 - 4)) = 1;
                        				_t128 = _t70;
                        				E00BAE6AB(_t70,  *(_t131 - 0x448) - 0x10);
                        				if(_t70 != 0) {
                        					L3:
                        					_t101 = 0;
                        				} else {
                        					 *(_t131 - 0x448) = 0x200;
                        					_t119 = _t134 - 0x18;
                        					 *((intOrPtr*)(_t119 + 0x10)) = 0;
                        					 *((intOrPtr*)(_t119 + 0x14)) = 0;
                        					E00BAC48D(_t131 - 0x42c, _t119, _t131 - 0x42c);
                        					_t92 = L00BBEA0A(1, _t131 - 0x44c, _t125, _t128);
                        					 *((char*)(_t131 - 4)) = 3;
                        					_t93 = RegQueryValueExW( *(_t131 - 0x450),  *_t92, 0, 0, _t131 - 0x414, _t131 - 0x448);
                        					 *((char*)(_t131 - 4)) = 1;
                        					E00BAE6AB(_t93,  *((intOrPtr*)(_t131 - 0x44c)) - 0x10);
                        					if(_t93 == 0) {
                        						E00BAC468(_t131 - 0x414);
                        						RegCloseKey( *(_t131 - 0x450));
                        					} else {
                        						RegCloseKey( *(_t131 - 0x450));
                        						goto L3;
                        					}
                        				}
                        				_t72 =  *(_t131 - 0x418);
                        				if(_t72 >= 8) {
                        					_t114 =  *(_t131 - 0x42c);
                        					_t82 = 2 + _t72 * 2;
                        					 *((intOrPtr*)(_t131 - 0x44c)) = _t82;
                        					 *(_t131 - 0x448) =  *(_t131 - 0x42c);
                        					if(_t82 >= 0x1000) {
                        						E00BAE6CD(_t101, _t125, _t131, _t131 - 0x448, _t131 - 0x44c);
                        						_t82 =  *((intOrPtr*)(_t131 - 0x44c));
                        						_t114 =  *(_t131 - 0x448);
                        					}
                        					_push(_t82);
                        					L00C32F7D(_t114);
                        				}
                        				 *(_t131 - 0x41c) =  *(_t131 - 0x41c) & 0x00000000;
                        				 *(_t131 - 0x42c) = 0;
                        				_t74 =  *(_t131 - 0x430);
                        				 *(_t131 - 0x418) = 7;
                        				if(_t74 >= 8) {
                        					_t109 =  *((intOrPtr*)(_t131 - 0x444));
                        					_t77 = 2 + _t74 * 2;
                        					 *(_t131 - 0x448) = _t77;
                        					 *((intOrPtr*)(_t131 - 0x44c)) =  *((intOrPtr*)(_t131 - 0x444));
                        					if(_t77 >= 0x1000) {
                        						E00BAE6CD(_t101, _t125, _t131, _t131 - 0x44c, _t131 - 0x448);
                        						_t77 =  *(_t131 - 0x448);
                        						_t109 =  *((intOrPtr*)(_t131 - 0x44c));
                        					}
                        					_push(_t77);
                        					L00C32F7D(_t109);
                        				}
                        				return L00C89946(_t101, _t101, _t125, 0x1000);
                        			}

                        APIs
                        • __EH_prolog3_GS.LIBCMT ref: 00BC37FB
                        • RegOpenKeyExW.ADVAPI32(80000001,00000000,?,?,?,?,?,?,?,?,?,?,?,-glgr), ref: 00BC3897
                        • RegQueryValueExW.ADVAPI32(?,00000000), ref: 00BC3901
                        • RegCloseKey.ADVAPI32(?), ref: 00BC3928
                        • RegCloseKey.ADVAPI32(?,?), ref: 00BC3A0F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: Close$H_prolog3_OpenQueryValue
                        • String ID: ?nnN_p_k$Qmdru_pcZZNA?nnQrmpc
                        • API String ID: 1995036563-1345596279
                        • Opcode ID: 871003083ca8add5553ac23e2d3101251c15a52404665252118d5e920dccdf66
                        • Instruction ID: 44d6032000b68500f8baa1b0d6152e1d2cc49fd9f80ac9f0f515ad644631ac9a
                        • Opcode Fuzzy Hash: 871003083ca8add5553ac23e2d3101251c15a52404665252118d5e920dccdf66
                        • Instruction Fuzzy Hash: 895126B19052289BCF64DB64CC85BDDB7F8AB48304F5044EEE20DA7252DA709F84CF69
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 58%
                        			E00BD27E0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                        				int _t46;
                        				struct HWND__* _t67;
                        				void* _t69;
                        				void* _t70;
                        				int _t73;
                        				intOrPtr* _t74;
                        				void* _t81;
                        				intOrPtr* _t96;
                        				intOrPtr* _t97;
                        				void* _t98;
                        				intOrPtr* _t99;
                        				void* _t101;
                        
                        				_t95 = __esi;
                        				_t90 = __edi;
                        				_t70 = __ecx;
                        				L00C89968(0xc90b21, __ebx, __edi, __esi, 0x14);
                        				_t69 = _t70;
                        				_push(L"kcls]qrmpc");
                        				E00BCC079(_t69, _t98 - 0x14, __edx, __edi, __esi);
                        				 *(_t98 - 4) =  *(_t98 - 4) & 0x00000000;
                        				_push(L"qfmu");
                        				E00BCC079(_t69, _t98 - 0x10, __edx, __edi, __esi);
                        				 *(_t98 - 4) = 1;
                        				ShowWindow( *(_t69 + 0x904), 5);
                        				_t102 =  *0xce13e4 - 3;
                        				if( *0xce13e4 != 3) {
                        					_t73 =  *(_t69 + 0x90c);
                        					_t89 =  *(_t69 + 0x908);
                        					_t46 =  *((intOrPtr*)(_t69 + 0x910)) - _t89;
                        					__eflags = _t46;
                        					SetWindowPos( *(_t69 + 0x904), 0xffffffff, _t89, _t73, _t46,  *((intOrPtr*)(_t69 + 0x914)) - _t73, 0x40);
                        					_push(2);
                        					_push(0xff);
                        					_push(0);
                        					_push( *(_t69 + 0x904));
                        				} else {
                        					_t101 = _t99 - 0x928;
                        					_t95 = _t69 + 4;
                        					memcpy(_t101, _t95, 0x24a << 2);
                        					_t99 = _t101 + 0xc;
                        					_t90 = _t95 + 0x494;
                        					E00BD02AF(_t98, _t102);
                        					_t73 =  *(_t69 + 0x90c);
                        					_t89 =  *(_t69 + 0x908);
                        					SetWindowPos( *(_t69 + 0x904), 0xffffffff,  *(_t69 + 0x908), _t73,  *((intOrPtr*)(_t69 + 0x910)) -  *(_t69 + 0x908),  *((intOrPtr*)(_t69 + 0x914)) - _t73, 0x40);
                        					_t67 =  *(_t69 + 0x904);
                        					_push(2);
                        					if( *((char*)(_t69 + 0x1281)) == 0) {
                        						_push(0xff);
                        					} else {
                        						_push(0xf5);
                        					}
                        					_push(0);
                        					_push(_t67);
                        				}
                        				__imp__SetLayeredWindowAttributes();
                        				UpdateWindow( *(_t69 + 0x904));
                        				_push(_t73);
                        				_t74 = _t99;
                        				 *((intOrPtr*)(_t98 - 0x18)) = _t99;
                        				_push(0xce9bc0);
                        				E00BCC079(_t69, _t74, _t89, _t90, _t95);
                        				 *(_t98 - 4) = 2;
                        				_t91 = _t99;
                        				 *((intOrPtr*)(_t98 - 0x1c)) = _t99;
                        				_t96 = _t99;
                        				 *((intOrPtr*)(_t98 - 0x20)) = _t96;
                        				 *_t96 = L00BADF62( *((intOrPtr*)(_t98 - 0x10)) - 0x10, _t99, _t74) + 0x10;
                        				L00BBEA69(_t69, _t91, _t91, _t96);
                        				 *(_t98 - 4) = 3;
                        				_t92 = _t99;
                        				_t97 = _t99;
                        				 *((intOrPtr*)(_t98 - 0x20)) = _t97;
                        				 *_t97 = L00BADF62( *((intOrPtr*)(_t98 - 0x14)) - 0x10, _t99, _t91) + 0x10;
                        				L00BBEA69(_t69, _t99, _t99, _t97);
                        				_t81 = _t74;
                        				 *(_t98 - 4) = 1;
                        				return L00C89931(E00BAE6AB(E00BAE6AB(L00BC7C63(_t69, _t81, _t89, _t92, _t97, L00BADF62( *((intOrPtr*)(_t98 - 0x14)) - 0x10, _t99, _t91) + 0x10),  *((intOrPtr*)(_t98 - 0x10)) - 0x10),  *((intOrPtr*)(_t98 - 0x14)) - 0x10));
                        			}

                        APIs
                        • ShowWindow.USER32(?,00000005,qfmu,kcls]qrmpc,00000014,00BD34C6), ref: 00BD2818
                        • SetWindowPos.USER32(?,000000FF,?,?,?,?,00000040), ref: 00BD2868
                        • SetWindowPos.USER32(?,000000FF,?,?,?,?,00000040), ref: 00BD28BA
                        • SetLayeredWindowAttributes.USER32(?,00000000,000000FF,00000002), ref: 00BD28CF
                        • UpdateWindow.USER32(?), ref: 00BD28DB
                          • Part of subcall function 00BD02AF: SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000002,?,?), ref: 00BD0305
                          • Part of subcall function 00BD02AF: SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00BD03E2
                          • Part of subcall function 00BD02AF: UpdateWindow.USER32(?), ref: 00BD03E9
                          • Part of subcall function 00BD02AF: Sleep.KERNEL32(00000001), ref: 00BD043C
                          • Part of subcall function 00BD02AF: SetLayeredWindowAttributes.USER32(?,00000000,000000FF,00000002), ref: 00BD045F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: Window$AttributesLayered$Update$ShowSleep
                        • String ID: kcls]qrmpc$qfmu
                        • API String ID: 2397216392-2056166972
                        • Opcode ID: 725b6830f84902e04e5bf3744fb809c9c0dae88567cacf7ae39dc1b6c02c5c71
                        • Instruction ID: bc31d3626092582212fcb2beee1c828c71f04a45d7fbe37f092012b4f6ada036
                        • Opcode Fuzzy Hash: 725b6830f84902e04e5bf3744fb809c9c0dae88567cacf7ae39dc1b6c02c5c71
                        • Instruction Fuzzy Hash: A4416DB0A00245AFEB08DF68CD8AFBD77A5FB94700F1401A8F905AB2D6CA716D009B61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 29%
                        			E00C7C463(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8) {
                        				intOrPtr* _v8;
                        				signed int _v12;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				signed int _v24;
                        				char _v28;
                        				char _v32;
                        				intOrPtr _t32;
                        				void* _t36;
                        				intOrPtr* _t37;
                        				signed int _t41;
                        				signed int _t43;
                        				signed int _t52;
                        				intOrPtr* _t54;
                        				intOrPtr _t55;
                        
                        				_t55 = __ecx;
                        				_t32 = _a4;
                        				_v16 = __ecx;
                        				if(_t32 == 0) {
                        					_push("ppVirtualProcessorRoots");
                        					goto L16;
                        				} else {
                        					if(_a8 >= 1) {
                        						_t52 = 0;
                        						__eflags = 0;
                        						_v12 = 0;
                        						do {
                        							_t37 =  *((intOrPtr*)(_t32 + _t52 * 4));
                        							_v8 = _t37;
                        							 *0xc943b8();
                        							_t41 = E00C837B4( *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x20)) +  *((intOrPtr*)( *((intOrPtr*)( *_t37))))() * 4)), _v8);
                        							__eflags = _t41;
                        							if(_t41 == 0) {
                        								_t54 = _v8;
                        								do {
                        									_t14 =  &_v24;
                        									 *_t14 = _v24 & 0x00000000;
                        									__eflags =  *_t14;
                        									_v20 = 0xc752d3;
                        									do {
                        										_t43 = E00C74682( &_v32);
                        										__eflags = _t43;
                        									} while (_t43 != 0);
                        									SwitchToThread();
                        									 *0xc943b8();
                        									_t41 = E00C837B4( *((intOrPtr*)( *((intOrPtr*)(_v16 + 0x20)) +  *((intOrPtr*)( *((intOrPtr*)( *_t54))))() * 4)), _t54);
                        									__eflags = _t41;
                        								} while (_t41 == 0);
                        								_t52 = _v12;
                        							}
                        							__eflags =  *((char*)(_t41 + 0xac));
                        							if(__eflags == 0) {
                        								L12:
                        								L00C82D8B(_t41, __eflags);
                        							} else {
                        								__eflags = _t41;
                        								if(__eflags != 0) {
                        									goto L12;
                        								}
                        							}
                        							_t32 = _a4;
                        							_t52 = _t52 + 1;
                        							_t55 = _v16;
                        							_v12 = _t52;
                        							__eflags = _t52 - _a8;
                        						} while (_t52 < _a8);
                        						return _t32;
                        					} else {
                        						_push("count");
                        						L16:
                        						_t56 =  &_v28;
                        						E00C3409C( &_v28);
                        						L00C4CA25( &_v28, 0xcd48c8);
                        						asm("int3");
                        						_push(_t49);
                        						_push(_t79);
                        						_push(_t73);
                        						_t36 = E00C7C6FD(_t56 + 0x194, 0x80000000);
                        						asm("lock cmpxchg [ebx], edx");
                        						while(_t36 != _t36) {
                        							asm("lock cmpxchg [ebx], ecx");
                        						}
                        						asm("lock inc dword [edi+0x188]");
                        						return _t36;
                        					}
                        				}
                        			}

                        APIs
                        • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 00C7C4AF
                        • SwitchToThread.KERNEL32(?), ref: 00C7C4D2
                        • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 00C7C4F1
                        • Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 00C7C50D
                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00C7C53F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: Concurrency::details::$FindMatchingNode::ProcessorSchedulingVirtual$Base::ContextInternalOversubscribedProcResetSwitchThreadstd::invalid_argument::invalid_argument
                        • String ID: count$ppVirtualProcessorRoots
                        • API String ID: 1244378731-3650809737
                        • Opcode ID: 2a51ed013c949e2adff60e750a6aec067f776a82d29f7bc47ae7acc26c164f5b
                        • Instruction ID: 51a27e73e0e434e2bf972db9d3815762b765c845421b4b7082d8b6eee24a621a
                        • Opcode Fuzzy Hash: 2a51ed013c949e2adff60e750a6aec067f776a82d29f7bc47ae7acc26c164f5b
                        • Instruction Fuzzy Hash: 79214D74A00209AFCB08EFA5C9D5ABEBBB4FF45354F1081A9E919A7251CB30AE05DB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E00C766E4(void* __ecx, void* __eflags, void* __fp0) {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				signed int _v24;
                        				signed int _v28;
                        				signed int _t111;
                        				intOrPtr _t121;
                        				intOrPtr _t122;
                        				signed int _t125;
                        				void* _t131;
                        				intOrPtr _t138;
                        				signed int _t144;
                        				intOrPtr _t145;
                        				void* _t146;
                        				intOrPtr _t147;
                        				signed int _t152;
                        				signed int _t162;
                        				intOrPtr* _t166;
                        				intOrPtr _t167;
                        				signed int _t168;
                        				signed int _t169;
                        				signed int _t170;
                        				void* _t172;
                        				intOrPtr _t175;
                        				void* _t176;
                        				intOrPtr _t178;
                        				intOrPtr _t179;
                        				void* _t180;
                        				intOrPtr _t181;
                        				intOrPtr _t182;
                        				signed int _t183;
                        				void* _t184;
                        				intOrPtr _t186;
                        
                        				_t218 = __fp0;
                        				_t176 = __ecx;
                        				L00C77DCA(__ecx, __eflags, __fp0);
                        				L00C77EE6(__ecx);
                        				_v16 = _v16 & 0x00000000;
                        				_t168 = 0;
                        				_t144 = 0;
                        				_v24 = 0;
                        				if( *((intOrPtr*)(__ecx + 8)) <= 0) {
                        					L8:
                        					_t145 = 0;
                        					_t169 = 0;
                        					 *(_t176 + 0x20) =  *(_t176 + 0x20) & 0;
                        					_v8 = 0;
                        					_v20 = 0;
                        					if( *((intOrPtr*)(_t176 + 0x18)) <= 0) {
                        						L19:
                        						 *(_t176 + 0x24) =  *(_t176 + 0x24) & 0x00000000;
                        						_t178 = _v16 + _t145;
                        						_v12 = _t178;
                        						_t111 = 0;
                        						while(_t178 != 0 ||  *(_t176 + 0x20) > _t178) {
                        							if(_t111 >= 2) {
                        								break;
                        							}
                        							if(_t111 == 1) {
                        								E00C776B8(_t176);
                        							}
                        							_t152 = 0;
                        							_t146 = 0;
                        							_t170 = 0;
                        							_v20 = 0;
                        							if( *((intOrPtr*)(_t176 + 8)) <= 0) {
                        								L40:
                        								 *(_t176 + 0x24) =  *(_t176 + 0x24) + 1;
                        								_t111 =  *(_t176 + 0x24);
                        								continue;
                        							} else {
                        								do {
                        									_t179 =  *((intOrPtr*)( *((intOrPtr*)(_t176 + 0x54)) + _t170 * 4));
                        									if( *((intOrPtr*)( *((intOrPtr*)(_t179 + 0x10)) + 0xa0)) <  *((intOrPtr*)(_t179 + 0x24))) {
                        										 *((intOrPtr*)( *((intOrPtr*)(_t176 + 0x5c)) + _t152 * 4)) = _t179;
                        										_v20 = _t152 + 1;
                        										_t146 = _t146 +  *((intOrPtr*)(_t179 + 0x24)) -  *((intOrPtr*)( *((intOrPtr*)(_t179 + 0x10)) + 0xa0));
                        										_t152 = _v20;
                        									}
                        									_t170 = _t170 + 1;
                        								} while (_t170 <  *((intOrPtr*)(_t176 + 8)));
                        								_t178 = _v12;
                        								if(_t152 != 0) {
                        									if(_t178 != 0) {
                        										_t181 = E00C757B1(_t176, _t218, _t178, _t146, _t152);
                        										_v28 = L00C77FE3(_t176, _v20);
                        										_t162 = 0;
                        										_t121 = _v8;
                        										if(_t121 >= _t181) {
                        											_t171 = _t181;
                        											_t122 = _t121 - _t181;
                        											__eflags = _t122;
                        											_v8 = _t122;
                        										} else {
                        											_t171 = _t121;
                        											_t162 = _t181 - _t121;
                        											_v8 = 0;
                        											_t125 = _v16;
                        											if(_t162 >= _t125) {
                        												_t162 = _t125;
                        											}
                        											_v16 = _t125 - _t162;
                        										}
                        										E00C76414(_t176, _t171, _t181, _t171, _t162, _v28, _v24);
                        										_v12 = _v12 - _t181;
                        										_t146 = _t146 - _t181;
                        										_t152 = _v20;
                        										_t178 = _v12;
                        									}
                        									if(_t146 != 0 &&  *(_t176 + 0x20) > 0) {
                        										_t180 = E00C757B1(_t176, _t218,  *(_t176 + 0x20), _t146, _t152);
                        										E00C76551(_t176, _t180, L00C77FE3(_t176, _v20));
                        										 *(_t176 + 0x20) =  *(_t176 + 0x20) - _t180;
                        										_t178 = _v12;
                        									}
                        								}
                        								goto L40;
                        							}
                        						}
                        						return L00C78BA9(_t176);
                        					}
                        					_t182 = 0;
                        					_v12 = 0;
                        					do {
                        						_v28 = _v28 & 0x00000000;
                        						_t131 =  *((intOrPtr*)(_t176 + 0x48)) + _t182;
                        						if( *((intOrPtr*)(_t131 + 4)) <= 0) {
                        							goto L18;
                        						}
                        						_t183 = _v28;
                        						_t172 = 0;
                        						do {
                        							_t147 = _v8;
                        							_t166 =  *((intOrPtr*)(_t131 + 0x20)) + _t172;
                        							if( *((intOrPtr*)(_t166 + 0x10)) != 0) {
                        								__eflags =  *((intOrPtr*)(_t166 + 0x10)) -  *((intOrPtr*)(_t166 + 0x1c));
                        								_t145 = _v8;
                        								if( *((intOrPtr*)(_t166 + 0x10)) ==  *((intOrPtr*)(_t166 + 0x1c))) {
                        									 *_t166 = 6;
                        									 *((intOrPtr*)(_t131 + 0x1c)) =  *((intOrPtr*)(_t131 + 0x1c)) + 1;
                        									_t56 = _t176 + 0x20;
                        									 *_t56 =  *(_t176 + 0x20) + 1;
                        									__eflags =  *_t56;
                        								}
                        							} else {
                        								 *_t166 = 2;
                        								 *((intOrPtr*)(_t131 + 8)) =  *((intOrPtr*)(_t131 + 8)) + 1;
                        								_t145 = _t147 + 1;
                        								_v8 = _t145;
                        							}
                        							_t183 = _t183 + 1;
                        							_t172 = _t172 + 0x24;
                        						} while (_t183 <  *((intOrPtr*)(_t131 + 4)));
                        						_t169 = _v20;
                        						_t182 = _v12;
                        						L18:
                        						_t169 = _t169 + 1;
                        						_t182 = _t182 + 0x28;
                        						_v20 = _t169;
                        						_v12 = _t182;
                        					} while (_t169 <  *((intOrPtr*)(_t176 + 0x18)));
                        					goto L19;
                        				} else {
                        					goto L1;
                        				}
                        				do {
                        					L1:
                        					_t167 =  *((intOrPtr*)( *((intOrPtr*)(_t176 + 0x54)) + _t144 * 4));
                        					if( *((intOrPtr*)( *((intOrPtr*)(_t167 + 0x10)) + 0xa0)) >  *((intOrPtr*)(_t167 + 0x24))) {
                        						 *((intOrPtr*)(_t167 + 0x28)) = _t175;
                        						_t138 =  *((intOrPtr*)(_t184 + 0xa0)) -  *((intOrPtr*)(_t167 + 0x24)) - _t175;
                        						_t186 =  *((intOrPtr*)(_t184 + 0xa8)) -  *((intOrPtr*)(_t167 + 0x18));
                        						if(_t186 >= _t138) {
                        							_t186 = _t138;
                        						}
                        						 *((intOrPtr*)(_t167 + 0x2c)) = _t186;
                        						_t168 = _v24;
                        						 *((intOrPtr*)(_t167 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 0x10)) + 0xa0)) -  *((intOrPtr*)(_t167 + 0x24)) - _t186 - _t175;
                        					}
                        					_t144 = _t144 + 1;
                        				} while (_t144 <  *((intOrPtr*)(_t176 + 8)));
                        				goto L8;
                        			}

                        APIs
                          • Part of subcall function 00C77DCA: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00C77DDD
                          • Part of subcall function 00C77DCA: Concurrency::details::ResourceManager::PopulateCommonAllocationData.LIBCONCRT ref: 00C77E10
                          • Part of subcall function 00C77DCA: Concurrency::details::HillClimbing::Update.LIBCONCRT ref: 00C77E64
                          • Part of subcall function 00C77DCA: Concurrency::details::SchedulerProxy::AdjustAllocationIncrease.LIBCMT ref: 00C77E77
                        • Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 00C76824
                        • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 00C76884
                        • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 00C76890
                        • Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 00C768CE
                        • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 00C768EF
                        • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 00C768FB
                        • Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 00C76904
                        • Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 00C7691C
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: Concurrency::details::$Manager::Resource$Allocation$Adjust$CoreCoresDataDistributeDynamicIncreasePrepareReceiversSchedulerTransfer$AllocationsBuffersClimbing::CommonExclusiveFullyGlobalHillIdleInitializeLoadedPopulateProxy::ResetUpdate
                        • String ID:
                        • API String ID: 1715847140-0
                        • Opcode ID: cbb15fa978125a8ea21641e035fb4142c7d621169541360eb8b363f850fc5fa4
                        • Instruction ID: 7122359585e9f407c0ed81e71d02777da6802d22896632601894548438c86aea
                        • Opcode Fuzzy Hash: cbb15fa978125a8ea21641e035fb4142c7d621169541360eb8b363f850fc5fa4
                        • Instruction Fuzzy Hash: 90816A71E00A15AFCB18CF69C580A6DB7F2FF88308F25C6ADD459AB641D730AD52CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 43%
                        			E00C4C5F0(void* __ecx, void* __eflags, signed int _a4, signed int _a8, signed int _a12) {
                        				char _v5;
                        				signed int _v12;
                        				char _v16;
                        				signed int _v20;
                        				signed int _v24;
                        				signed int _v28;
                        				signed int _v32;
                        				signed int _v36;
                        				signed int _v40;
                        				signed int __ebx;
                        				signed int __edi;
                        				signed int __esi;
                        				signed int _t83;
                        				signed int _t85;
                        				unsigned int _t86;
                        				unsigned int _t90;
                        				signed int _t93;
                        				intOrPtr* _t97;
                        				signed int _t98;
                        				signed int _t103;
                        				signed int _t112;
                        				signed int _t117;
                        				signed int _t119;
                        				intOrPtr _t121;
                        				signed int _t131;
                        				signed int _t134;
                        
                        				_t97 = _a4;
                        				_v5 = 0;
                        				_v16 = 1;
                        				 *_t97 = L00C8B857(__ecx,  *_t97);
                        				_t98 = _a8;
                        				_t6 = _t98 + 0x10; // 0x11
                        				_t131 = _t6;
                        				_push(_t131);
                        				_v20 = _t131;
                        				_v12 =  *(_t98 + 8) ^  *0xcdaf54;
                        				E00C4C5B0( *(_t98 + 8) ^  *0xcdaf54);
                        				L00C4E87C(_a12);
                        				_t121 =  *((intOrPtr*)(_t98 + 0xc));
                        				if(( *(_a4 + 4) & 0x00000066) != 0) {
                        					__eflags = _t121 - 0xfffffffe;
                        					if(_t121 != 0xfffffffe) {
                        						L00C4EA2C(_t98, 0xfffffffe, _t131, 0xcdaf54);
                        						goto L38;
                        					}
                        					goto L39;
                        				} else {
                        					_v32 = __eax;
                        					__eax = _a12;
                        					_v28 = _a12;
                        					__eax =  &_v32;
                        					 *((intOrPtr*)(__ebx - 4)) =  &_v32;
                        					__eflags = __edi - 0xfffffffe;
                        					if(__edi == 0xfffffffe) {
                        						L39:
                        						return _v16;
                        					} else {
                        						do {
                        							__ecx = _v12;
                        							__eax = __edi + 2;
                        							__eax = __edi + (__edi + 2) * 2;
                        							__ebx =  *(__ecx + __eax * 4);
                        							__eax = __ecx + __eax * 4;
                        							__ecx =  *(__eax + 4);
                        							_v24 = __eax;
                        							__eflags = __ecx;
                        							if(__ecx == 0) {
                        								__cl = _v5;
                        								goto L32;
                        							} else {
                        								__edx = __esi;
                        								__eax = L00C4E9DC(__ecx, __esi);
                        								__cl = 1;
                        								_v5 = 1;
                        								__eflags = __eax;
                        								if(__eflags < 0) {
                        									_v16 = 0;
                        									L38:
                        									_push(_t131);
                        									E00C4C5B0(_v12);
                        									goto L39;
                        								} else {
                        									if(__eflags > 0) {
                        										__eax = _a4;
                        										__eflags =  *__eax - 0xe06d7363;
                        										if( *__eax == 0xe06d7363) {
                        											__eflags =  *0xcbabfc;
                        											if(__eflags != 0) {
                        												__eax = L00C89AF0(__eflags, 0xcbabfc);
                        												__eflags = __eax;
                        												if(__eax != 0) {
                        													__esi =  *0xcbabfc; // 0xc4b3cb
                        													__ecx = __esi;
                        													_push(1);
                        													_push(_a4);
                        													 *0xc943b8() =  *__esi();
                        													__esi = _v20;
                        													__esp = __esp + 8;
                        												}
                        												__eax = _a4;
                        											}
                        										}
                        										__ecx = _a8;
                        										__edx = __eax;
                        										__eax = L00C4EA10(__eax, _a8, __eax);
                        										__eax = _a8;
                        										__eflags =  *(__eax + 0xc) - __edi;
                        										if( *(__eax + 0xc) != __edi) {
                        											__edx = __edi;
                        											__ecx = __eax;
                        											__eax = L00C4EA2C(__eax, __edi, __esi, 0xcdaf54);
                        											__eax = _a8;
                        										}
                        										_push(__esi);
                        										 *(__eax + 0xc) = __ebx;
                        										__eax = E00C4C5B0(_v12);
                        										__ecx = _v24;
                        										__edx = __esi;
                        										__ecx =  *(_v24 + 8);
                        										L00C4E9F4();
                        										asm("int3");
                        										asm("int3");
                        										asm("int3");
                        										__ecx = _v36;
                        										__eax = _v40;
                        										_push(__edi);
                        										_push(__ebx);
                        										_push(__esi);
                        										__eflags =  *0xce0674 - 1;
                        										if(__eflags < 0) {
                        											__dl =  *__ecx;
                        											__edi = __eax;
                        											__eflags = __dl;
                        											if(__dl == 0) {
                        												__eax = __edi;
                        												_pop(__esi);
                        												_pop(__ebx);
                        												_pop(__edi);
                        												return __edi;
                        											} else {
                        												__dh =  *(__ecx + 1);
                        												__eflags = __dh;
                        												if(__dh == 0) {
                        													__eax = 0;
                        													_pop(__esi);
                        													_pop(__ebx);
                        													_pop(__edi);
                        													__al = __dl;
                        													_push(_t98);
                        													_t119 = _v40;
                        													if((_t119 & 0x00000003) == 0) {
                        														L5:
                        														_push(_t121);
                        														_push(_t131);
                        														_t103 = 0xbadbad;
                        														while(1) {
                        															L6:
                        															_t112 =  *_t119;
                        															_t83 = _t112;
                        															_t134 = 0x7efefeff + _t83;
                        															_t85 = _t83 ^ 0xffffffff81010100;
                        															_t119 = _t119 + 4;
                        															if(((_t112 ^ _t103 ^ 0xffffffff ^ 0x7efefeff + (_t112 ^ _t103)) & 0x81010100) == 0) {
                        																break;
                        															}
                        															_t86 =  *(_t119 - 4);
                        															__eflags = _t86 - _t103;
                        															if(_t86 == _t103) {
                        																return _t119 - 4;
                        															} else {
                        																__eflags = _t86;
                        																if(_t86 == 0) {
                        																	L10:
                        																	goto L11;
                        																} else {
                        																	__eflags = _t86 - _t103;
                        																	if(_t86 == _t103) {
                        																		return _t119 - 3;
                        																	} else {
                        																		__eflags = _t86;
                        																		if(_t86 == 0) {
                        																			goto L10;
                        																		} else {
                        																			_t90 = _t86 >> 0x10;
                        																			__eflags = _t90 - _t103;
                        																			if(_t90 == _t103) {
                        																				return _t119 - 2;
                        																			} else {
                        																				__eflags = _t90;
                        																				if(_t90 == 0) {
                        																					goto L10;
                        																				} else {
                        																					__eflags = _t90 - _t103;
                        																					if(_t90 == _t103) {
                        																						return _t119 - 1;
                        																					} else {
                        																						__eflags = _t90;
                        																						if(_t90 == 0) {
                        																							goto L10;
                        																						} else {
                        																							continue;
                        																						}
                        																					}
                        																				}
                        																			}
                        																		}
                        																	}
                        																}
                        															}
                        															goto L117;
                        														}
                        														_t93 = _t85 & 0x81010100;
                        														if(_t93 == 0 || (_t93 & 0x01010100) == 0 && (_t134 & 0x80000000) != 0) {
                        															goto L6;
                        														} else {
                        															goto L10;
                        														}
                        													} else {
                        														while(1) {
                        															_t117 =  *_t119;
                        															_t119 = _t119 + 1;
                        															if(_t117 == 0) {
                        																return _t119 - 1;
                        															}
                        															if(_t117 == 0) {
                        																L11:
                        																return 0;
                        															} else {
                        																if((_t119 & 0x00000003) != 0) {
                        																	continue;
                        																} else {
                        																	goto L5;
                        																}
                        															}
                        															goto L117;
                        														}
                        													}
                        												} else {
                        													while(1) {
                        														L101:
                        														__esi = __edi;
                        														__ecx = _v36;
                        														__al =  *__edi;
                        														__esi = __edi + 1;
                        														__eflags = __al - __dl;
                        														if(__al == __dl) {
                        															goto L107;
                        														}
                        														L102:
                        														__eflags = __al;
                        														if(__al == 0) {
                        															L106:
                        															_pop(__esi);
                        															_pop(__ebx);
                        															_pop(__edi);
                        															__eax = 0;
                        															__eflags = 0;
                        															return 0;
                        														} else {
                        															L103:
                        															__al =  *__esi;
                        															__esi = __esi + 1;
                        															__eflags = __esi;
                        															L104:
                        															__eflags = __al - __dl;
                        															if(__al == __dl) {
                        																goto L107;
                        															} else {
                        																__eflags = __al;
                        																if(__al != 0) {
                        																	goto L103;
                        																} else {
                        																	goto L106;
                        																}
                        															}
                        														}
                        														goto L117;
                        														L107:
                        														__al =  *__esi;
                        														__esi = __esi + 1;
                        														__eflags = __al - __dh;
                        														if(__al != __dh) {
                        															goto L104;
                        														} else {
                        															__edi = __esi - 1;
                        															while(1) {
                        																__ah =  *(__ecx + 2);
                        																__eflags = __ah;
                        																if(__ah == 0) {
                        																	break;
                        																}
                        																__al =  *__esi;
                        																__esi = __esi + 2;
                        																__eflags = __al - __ah;
                        																if(__al != __ah) {
                        																	goto L101;
                        																} else {
                        																	__al =  *((intOrPtr*)(__ecx + 3));
                        																	__eflags = __al;
                        																	if(__al == 0) {
                        																		break;
                        																	} else {
                        																		__ah =  *(__esi - 1);
                        																		__ecx = __ecx + 2;
                        																		__eflags = __al -  *(__esi - 1);
                        																		if(__al ==  *(__esi - 1)) {
                        																			continue;
                        																		} else {
                        																			while(1) {
                        																				L101:
                        																				__esi = __edi;
                        																				__ecx = _v36;
                        																				__al =  *__edi;
                        																				__esi = __edi + 1;
                        																				__eflags = __al - __dl;
                        																				if(__al == __dl) {
                        																					goto L107;
                        																				}
                        																				goto L102;
                        																			}
                        																		}
                        																	}
                        																}
                        																goto L117;
                        															}
                        															_t71 = __edi - 1; // -1
                        															__eax = _t71;
                        															_pop(__esi);
                        															_pop(__ebx);
                        															_pop(__edi);
                        															return _t71;
                        														}
                        														goto L117;
                        													}
                        												}
                        											}
                        										} else {
                        											if(__eflags > 0) {
                        												__eflags =  *__ecx;
                        												if( *__ecx != 0) {
                        													__edi = __ecx;
                        													0xfff = 0x00000fff & __ecx;
                        													__eflags = (0x00000fff & __ecx) - 0xff0;
                        													if((0x00000fff & __ecx) > 0xff0) {
                        														__ebx = 0xf;
                        														while(1) {
                        															L77:
                        															__esi =  *__ecx & 0x000000ff;
                        															__ecx = __ecx + 1;
                        															__eflags = __ecx;
                        															while(1) {
                        																asm("pinsrb xmm0, esi, 0xf");
                        																asm("psrldq xmm0, 0x1");
                        																__ebx = __ebx - 1;
                        																__eflags = __ebx;
                        																if(__ebx == 0) {
                        																	goto L82;
                        																}
                        																__eflags = __esi;
                        																if(__esi == 0) {
                        																	continue;
                        																} else {
                        																	goto L77;
                        																}
                        																goto L83;
                        															}
                        															goto L82;
                        														}
                        													} else {
                        														asm("movdqu xmm0, [ecx]");
                        														while(1) {
                        															L82:
                        															asm("movd edx, xmm0");
                        															while(1) {
                        																L83:
                        																0xfff = 0x00000fff & __eax;
                        																__eflags = (0x00000fff & __eax) - 0xff0;
                        																if((0x00000fff & __eax) <= 0xff0) {
                        																	break;
                        																}
                        																__ebx =  *__eax & 0x000000ff;
                        																__eflags =  *__eax & 0x000000ff;
                        																if(( *__eax & 0x000000ff) == 0) {
                        																	goto L71;
                        																} else {
                        																	__eflags = __dl - __bl;
                        																	if(__dl == __bl) {
                        																		L90:
                        																		__edx = __edi;
                        																		__esi = __eax;
                        																		while(1) {
                        																			0xfff = 0x00000fff & __esi;
                        																			__eflags = (0x00000fff & __esi) - 0xff0;
                        																			if((0x00000fff & __esi) > 0xff0) {
                        																				goto L96;
                        																			}
                        																			L92:
                        																			0xfff = 0x00000fff & __edx;
                        																			__eflags = (0x00000fff & __edx) - 0xff0;
                        																			if((0x00000fff & __edx) > 0xff0) {
                        																				goto L96;
                        																			} else {
                        																				asm("movdqu xmm1, [edx]");
                        																				__esi = __esi + 0x10;
                        																				__edx = __edx + 0x10;
                        																				__eflags = __edx;
                        																				asm("pcmpistri xmm1, [esi-0x10], 0xc");
                        																				if(__eflags >= 0) {
                        																					L81:
                        																					__eax = __eax + 1;
                        																					__eflags = __eax;
                        																					goto L82;
                        																				} else {
                        																					if(__eflags >= 0) {
                        																						while(1) {
                        																							0xfff = 0x00000fff & __esi;
                        																							__eflags = (0x00000fff & __esi) - 0xff0;
                        																							if((0x00000fff & __esi) > 0xff0) {
                        																								goto L96;
                        																							}
                        																							goto L92;
                        																						}
                        																						goto L96;
                        																					} else {
                        																					}
                        																				}
                        																			}
                        																			goto L72;
                        																			L96:
                        																			__ebx =  *__edx & 0x000000ff;
                        																			__eflags =  *__edx & 0x000000ff;
                        																			if(( *__edx & 0x000000ff) != 0) {
                        																				__eflags = __bl -  *__esi;
                        																				if(__bl !=  *__esi) {
                        																					goto L81;
                        																				} else {
                        																					__esi = __esi + 1;
                        																					__edx = __edx + 1;
                        																					continue;
                        																				}
                        																			}
                        																			goto L72;
                        																		}
                        																	} else {
                        																		__eax = __eax + 1;
                        																		continue;
                        																	}
                        																}
                        																goto L72;
                        															}
                        															__eax = __eax + 0x10;
                        															__eflags = __eax;
                        															asm("pcmpistri xmm0, [eax-0x10], 0xc");
                        															if(__eflags > 0) {
                        																goto L83;
                        															} else {
                        																if(__eflags >= 0) {
                        																	goto L71;
                        																} else {
                        																	__eax = __eax - 0x10;
                        																	__eax = __eax + __ecx;
                        																	__eflags = __eax;
                        																	goto L90;
                        																}
                        															}
                        															goto L72;
                        														}
                        													}
                        													goto L82;
                        												}
                        												goto L72;
                        											} else {
                        												__edx =  *__ecx & 0x000000ff;
                        												__ebx = __edx;
                        												__edx = __edx << 8;
                        												__edx = __edx | __ebx;
                        												__eflags = __edx;
                        												if(__edx == 0) {
                        													L72:
                        													_pop(__esi);
                        													_pop(__ebx);
                        													_pop(__edi);
                        													return __eax;
                        												} else {
                        													asm("movd xmm3, edx");
                        													asm("pshuflw xmm3, xmm3, 0x0");
                        													asm("movlhps xmm3, xmm3");
                        													asm("pxor xmm0, xmm0");
                        													__esi = __ecx;
                        													__edi = __edi | 0xffffffff;
                        													__eflags = __edi;
                        													while(1) {
                        														__ebx =  *__ecx & 0x000000ff;
                        														__ecx = __ecx + 1;
                        														__eflags = __ebx;
                        														if(__ebx == 0) {
                        															goto L55;
                        														}
                        														__eflags = __ecx & 0x0000000f;
                        														if((__ecx & 0x0000000f) != 0) {
                        															continue;
                        														} else {
                        															asm("movdqa xmm2, [ecx]");
                        															asm("pcmpeqb xmm2, xmm0");
                        															asm("pmovmskb ebx, xmm2");
                        															__eflags = __ebx;
                        															if(__ebx == 0) {
                        																__edi = 0xf;
                        															}
                        															while(1) {
                        																L55:
                        																asm("movd edx, xmm3");
                        																goto L56;
                        																do {
                        																	while(1) {
                        																		L56:
                        																		__ebx = 0xfff;
                        																		__ebx = 0x00000fff & __eax;
                        																		__eflags = 0xfff - 0xff0;
                        																		if(0xfff > 0xff0) {
                        																			break;
                        																		}
                        																		asm("movdqu xmm1, [eax]");
                        																		asm("pxor xmm2, xmm2");
                        																		asm("pcmpeqb xmm2, xmm1");
                        																		asm("pcmpeqb xmm1, xmm3");
                        																		asm("por xmm1, xmm2");
                        																		asm("pmovmskb ebx, xmm1");
                        																		__eax = __eax + 0x10;
                        																		__eflags = 0xfff;
                        																		if(0xfff == 0) {
                        																			continue;
                        																		} else {
                        																			asm("bsf ebx, ebx");
                        																			__eax = __eax - 0x10;
                        																			__eax = __eax + __ebx;
                        																			__eflags = __eax;
                        																		}
                        																		break;
                        																	}
                        																	__ebx =  *__eax & 0x000000ff;
                        																	__eflags =  *__eax & 0x000000ff;
                        																	if(( *__eax & 0x000000ff) == 0) {
                        																		L71:
                        																		__eax = 0;
                        																		__eflags = 0;
                        																		goto L72;
                        																	} else {
                        																		goto L60;
                        																	}
                        																	goto L117;
                        																	L60:
                        																	__eax = __eax + 1;
                        																	__eflags = __dl - __bl;
                        																} while (__dl != __bl);
                        																__edx = __eax;
                        																__ecx = __esi + 1;
                        																while(1) {
                        																	__ebx = 0xfff;
                        																	__eflags = __edi & __ecx;
                        																	if((__edi & __ecx) != 0) {
                        																		goto L67;
                        																	}
                        																	L63:
                        																	__ebx = 0x00000fff & __edx;
                        																	__eflags = 0xfff - 0xff0;
                        																	if(0xfff <= 0xff0) {
                        																		asm("movdqu xmm1, [edx]");
                        																		asm("movdqa xmm2, [ecx]");
                        																		asm("pcmpeqb xmm1, xmm2");
                        																		asm("pcmpeqb xmm2, xmm0");
                        																		asm("pcmpeqb xmm1, xmm0");
                        																		asm("por xmm2, xmm1");
                        																		asm("pmovmskb ebx, xmm2");
                        																		__eflags = 0xfff;
                        																		if(0xfff != 0) {
                        																			asm("bsf ebx, ebx");
                        																			__edx = __edx + 0xfff;
                        																			__ecx = __ecx + __ebx;
                        																			__eflags = __ecx;
                        																		} else {
                        																			__edx = __edx + 0x10;
                        																			__ecx = __ecx + 0x10;
                        																			while(1) {
                        																				__ebx = 0xfff;
                        																				__eflags = __edi & __ecx;
                        																				if((__edi & __ecx) != 0) {
                        																					goto L67;
                        																				}
                        																				goto L63;
                        																			}
                        																		}
                        																	}
                        																	L67:
                        																	__ebx =  *__ecx & 0x000000ff;
                        																	__eflags =  *__ecx & 0x000000ff;
                        																	if(( *__ecx & 0x000000ff) == 0) {
                        																		__eax = __eax - 1;
                        																		__eflags = __eax;
                        																		_pop(__esi);
                        																		_pop(__ebx);
                        																		_pop(__edi);
                        																		return __eax;
                        																	} else {
                        																		__eflags = __bl -  *__edx;
                        																		if(__bl !=  *__edx) {
                        																			goto L55;
                        																		} else {
                        																			__edx = __edx + 1;
                        																			__ecx = __ecx + 1;
                        																			continue;
                        																		}
                        																	}
                        																	goto L117;
                        																}
                        															}
                        														}
                        														goto L55;
                        													}
                        													goto L55;
                        												}
                        											}
                        										}
                        									} else {
                        										goto L32;
                        									}
                        								}
                        							}
                        							goto L117;
                        							L32:
                        							__edi = __ebx;
                        							__eflags = __ebx - 0xfffffffe;
                        						} while (__ebx != 0xfffffffe);
                        						__eflags = __cl;
                        						if(__cl != 0) {
                        							goto L38;
                        						}
                        						goto L39;
                        					}
                        				}
                        				L117:
                        			}





























                        0x00c4c810
                        0x00c4c810
                        0x00c4c812
                        0x00c4c818
                        0x00c4c81a
                        0x00c4c81e
                        0x00c4c822
                        0x00c4c826
                        0x00c4c82a
                        0x00c4c82e
                        0x00c4c832
                        0x00c4c836
                        0x00c4c838
                        0x00c4c842
                        0x00c4c845
                        0x00c4c847
                        0x00c4c847
                        0x00c4c83a
                        0x00c4c83a
                        0x00c4c83d
                        0x00c4c807
                        0x00c4c807
                        0x00c4c80c
                        0x00c4c80e
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00c4c80e
                        0x00c4c807
                        0x00c4c838
                        0x00c4c849
                        0x00c4c849
                        0x00c4c84c
                        0x00c4c84e
                        0x00c4c860
                        0x00c4c860
                        0x00c4c861
                        0x00c4c862
                        0x00c4c863
                        0x00c4c864
                        0x00c4c850
                        0x00c4c850
                        0x00c4c852
                        0x00000000
                        0x00c4c858
                        0x00c4c858
                        0x00c4c85b
                        0x00000000
                        0x00c4c85b
                        0x00c4c852
                        0x00000000
                        0x00c4c84e
                        0x00c4c807
                        0x00c4c7ba
                        0x00000000
                        0x00c4c7a3
                        0x00000000
                        0x00c4c793
                        0x00c4c778
                        0x00c4c768
                        0x00c4c682
                        0x00000000
                        0x00c4c682
                        0x00c4c680
                        0x00c4c67e
                        0x00000000
                        0x00c4c687
                        0x00c4c687
                        0x00c4c689
                        0x00c4c689
                        0x00c4c68e
                        0x00c4c690
                        0x00000000
                        0x00c4c692
                        0x00000000
                        0x00c4c690
                        0x00c4c655
                        0x00000000

                        APIs
                        • _ValidateLocalCookies.LIBCMT ref: 00C4C627
                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00C4C62F
                        • _ValidateLocalCookies.LIBCMT ref: 00C4C6B8
                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00C4C6E3
                        • _ValidateLocalCookies.LIBCMT ref: 00C4C738
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                        • String ID: csm
                        • API String ID: 1170836740-1018135373
                        • Opcode ID: 6c902233b6352129a8624c3de51bdae5ac149fa20c134890a63da8bfd1221b23
                        • Instruction ID: 4efe3b9c02d0f7c34e34a90da73454f7cec658525feb736afc7360c3de682d23
                        • Opcode Fuzzy Hash: 6c902233b6352129a8624c3de51bdae5ac149fa20c134890a63da8bfd1221b23
                        • Instruction Fuzzy Hash: ADB16C35A063554BDBA08F79C8C03B9BBA1FFA5314F1C827AED645B3A2D7328A459740
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • __EH_prolog3_GS.LIBCMT ref: 00BC06DE
                          • Part of subcall function 00BAE71B: _Deallocate.LIBCONCRT ref: 00BAE730
                        • URLDownloadToFileW.URLMON(00000000,00000000,?,00000000,00000000), ref: 00BC08B2
                        • DeleteFileW.KERNEL32(?), ref: 00BC090B
                        Strings
                        • qgel,qf_034, xrefs: 00BC080B
                        • frrnq8--tcpwd_qr,q1,_k_xml_uq,amk-bmuljm_b-d_-, xrefs: 00BC06F4
                        • -Qcrsn,cvc,qf_034, xrefs: 00BC071F
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: File$DeallocateDeleteDownloadH_prolog3_
                        • String ID: -Qcrsn,cvc,qf_034$frrnq8--tcpwd_qr,q1,_k_xml_uq,amk-bmuljm_b-d_-$qgel,qf_034
                        • API String ID: 258939385-834601050
                        • Opcode ID: e58c302e4916fddbf2316886bb53d1566d5fa3a98f14f74d020e643ce7b24582
                        • Instruction ID: 113c8a3dd5e2a275b7ae02ab7bbc5e5b400e2acc81374ca0808367e0a3736460
                        • Opcode Fuzzy Hash: e58c302e4916fddbf2316886bb53d1566d5fa3a98f14f74d020e643ce7b24582
                        • Instruction Fuzzy Hash: E9916630D14218DEDF18EBA8C896BEDB7B5AF16304F5040D9E059A7292DB74AF48CF52
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • __EH_prolog3_GS.LIBCMT ref: 00BC6167
                        • RegOpenKeyExW.ADVAPI32(80000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00CC9470), ref: 00BC61E8
                        • RegQueryValueExW.ADVAPI32(?,00000000), ref: 00BC6237
                        • RegCloseKey.ADVAPI32(?), ref: 00BC6259
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: CloseH_prolog3_OpenQueryValue
                        • String ID: Qmdru_pcZZNA?nnQrmpc$qr_rsq
                        • API String ID: 3753948038-1501354543
                        • Opcode ID: 885037f3098003c2fbdf5f3a49906667bd3acfb51d89bd72be56f987c6bb6f18
                        • Instruction ID: 20bc5ddec5ba7081208951f81804431acbf7b073f403347e43a222e47dd14d6d
                        • Opcode Fuzzy Hash: 885037f3098003c2fbdf5f3a49906667bd3acfb51d89bd72be56f987c6bb6f18
                        • Instruction Fuzzy Hash: 2D515A71D042089FCF04EFE8D881AEDBBF9EF48314F60446EE515AB282DB35AA45CB54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00C785DA
                        • Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 00C78613
                        • SetEvent.KERNEL32(?), ref: 00C7866B
                        • Concurrency::details::ResourceManager::~ResourceManager.LIBCONCRT ref: 00C7867F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: Resource$AcquireConcurrency::details::Concurrency::details::_EventLock::_ManagerManager::~Reentrantstd::invalid_argument::invalid_argument
                        • String ID: pScheduler$version
                        • API String ID: 2984619831-3154422776
                        • Opcode ID: 9922f629e846c832c4c910c4aa705ef0f7c981f1a43d8e90349c68ca95cde279
                        • Instruction ID: 021990e81c3cb3166d0d5e8b0eb32e4abbdc709028cee3983502f602b485ede2
                        • Opcode Fuzzy Hash: 9922f629e846c832c4c910c4aa705ef0f7c981f1a43d8e90349c68ca95cde279
                        • Instruction Fuzzy Hash: 1821A470944648ABCF1CAFB4D84AA9CB760FF04720F14C32EF629565E1CF746A55EB84
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetConsoleCP.KERNEL32(?,00000000,00000000), ref: 00C6608B
                        • __fassign.LIBCMT ref: 00C6626A
                        • __fassign.LIBCMT ref: 00C66287
                        • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C662CF
                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00C6630F
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C663BB
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: FileWrite__fassign$ConsoleErrorLast
                        • String ID:
                        • API String ID: 4031098158-0
                        • Opcode ID: 0b5039937caf86675f91531010adf5d9836c62586d92036d714f8f7a1be3d11d
                        • Instruction ID: d3ec9326051ed106c56782f20c0990a4c9c7c9e48936942799359d0f285274ee
                        • Opcode Fuzzy Hash: 0b5039937caf86675f91531010adf5d9836c62586d92036d714f8f7a1be3d11d
                        • Instruction Fuzzy Hash: 83D16A75D002589FCF25CFE8C9C0AEDBBB5BF49314F28016AE855BB352D631AA46CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • K32EnumProcesses.KERNEL32(00000000,00001000,?,0000004C,00BCC617,00000024,00BBFC20), ref: 00BCC3C3
                        • K32EnumProcesses.KERNEL32(00000000,00001000,?), ref: 00BCC437
                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00BCC46D
                        • QueryFullProcessImageNameW.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 00BCC4A5
                        • PathFindFileNameW.SHLWAPI(?,000000FF), ref: 00BCC4C0
                          • Part of subcall function 00BCC23C: GetFileVersionInfoSizeW.VERSION(?,?,00000000,?,?), ref: 00BCC26D
                          • Part of subcall function 00BBEAC6: __EH_prolog3_GS.LIBCMT ref: 00BBEAD0
                        • CloseHandle.KERNEL32(?,?,00000000,?,?,?,?,?,?), ref: 00BCC58C
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: EnumFileNameProcessProcesses$CloseFindFullH_prolog3_HandleImageInfoOpenPathQuerySizeVersion
                        • String ID:
                        • API String ID: 2792025382-0
                        • Opcode ID: 9aae582d7ccd39b10cdd23099421838a4b482c6dea678d96625ff8f5e3a9a065
                        • Instruction ID: 5900abcb48763587e844ee7fb793803384fc581ae955baecd0bd742e6874a409
                        • Opcode Fuzzy Hash: 9aae582d7ccd39b10cdd23099421838a4b482c6dea678d96625ff8f5e3a9a065
                        • Instruction Fuzzy Hash: E8719271D042499FCB19EBA8D896FFEBBB8EF14310F14419DE116A7281DB34AA05CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GlobalAlloc.KERNEL32(00000000,00000018), ref: 00BA94EB
                        • CoGetClassObject.OLE32(00CB6B84,00000003,00000000,00CB6B24,?), ref: 00BA9537
                        • SetWindowLongW.USER32 ref: 00BA957E
                        • GetClientRect.USER32 ref: 00BA95AD
                        • OleSetContainedObject.OLE32(00000001,00000001), ref: 00BA95B9
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: Object$AllocClassClientContainedGlobalLongRectWindow
                        • String ID:
                        • API String ID: 2332255021-0
                        • Opcode ID: f6635d535a7083046c9bf58c0bd92d2f421f2761c7387ceebe702b20300a3070
                        • Instruction ID: 2606f977820ae24633848580e726ccf249528c58c32295aaa29bd4af4c3898ec
                        • Opcode Fuzzy Hash: f6635d535a7083046c9bf58c0bd92d2f421f2761c7387ceebe702b20300a3070
                        • Instruction Fuzzy Hash: C7512F71208201AFC714DF69CC88E2BBBE8FF9A715B10495DF556CB2A0DB71D806DB52
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • QueryDepthSList.KERNEL32 ref: 00C7C200
                        • InterlockedPushEntrySList.KERNEL32(?,?), ref: 00C7C219
                        • QueryDepthSList.KERNEL32(?), ref: 00C7C220
                        • InterlockedFlushSList.KERNEL32(?), ref: 00C7C253
                        • Concurrency::details::SafePointInvocation::InvokeAtNextSafePoint.LIBCONCRT ref: 00C7C268
                        • InterlockedPushEntrySList.KERNEL32(?,?), ref: 00C7C270
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: List$Interlocked$DepthEntryPointPushQuerySafe$Concurrency::details::FlushInvocation::InvokeNext
                        • String ID:
                        • API String ID: 80210428-0
                        • Opcode ID: af1f688145a0b07b9330985a492a1cb9bcafaca25d7acda28cf5d351338e3e82
                        • Instruction ID: 263a38badb742bbd7d1836d50c38619abeec469d97021e9ed90cb63b1bbbcd51
                        • Opcode Fuzzy Hash: af1f688145a0b07b9330985a492a1cb9bcafaca25d7acda28cf5d351338e3e82
                        • Instruction Fuzzy Hash: C231BE35100612DFCB25CF69C9C4AAAB7F1FF8A311B10C51DE52A97651DB30FA42CB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • QueryDepthSList.KERNEL32(?,?,?,-00000001,?,?,?,00C7C451,-00000004,?,00000001,?,00C7B8AC,?,?,00C84996), ref: 00C7C2F9
                        • InterlockedPushEntrySList.KERNEL32(00000000,-00000038,?,00C7C451,-00000004,?,00000001,?,00C7B8AC,?,?,00C84996,00000000,00000000,?,00C86313), ref: 00C7C312
                        • QueryDepthSList.KERNEL32(00000000,?,00C7C451,-00000004,?,00000001,?,00C7B8AC,?,?,00C84996,00000000,00000000,?,00C86313,?), ref: 00C7C319
                        • InterlockedFlushSList.KERNEL32(00000000,?,00C7C451,-00000004,?,00000001,?,00C7B8AC,?,?,00C84996,00000000,00000000,?,00C86313,?), ref: 00C7C34C
                        • Concurrency::details::SafePointInvocation::InvokeAtNextSafePoint.LIBCONCRT ref: 00C7C361
                        • InterlockedPushEntrySList.KERNEL32(?,-00000038,?,00C7C451,-00000004,?,00000001,?,00C7B8AC,?,?,00C84996,00000000,00000000,?,00C86313), ref: 00C7C369
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: List$Interlocked$DepthEntryPointPushQuerySafe$Concurrency::details::FlushInvocation::InvokeNext
                        • String ID:
                        • API String ID: 80210428-0
                        • Opcode ID: 0e9b7a5770f6469e2433e3209e83563c7756e86d72ef8d21f7965607d932a489
                        • Instruction ID: e697962fc66d18a12b55404cb944532882c15e0af7fb20d5202137dd7c15a8a7
                        • Opcode Fuzzy Hash: 0e9b7a5770f6469e2433e3209e83563c7756e86d72ef8d21f7965607d932a489
                        • Instruction Fuzzy Hash: D3316B35100A12AFC729CF29C9C4AAAB7F5BF89725B10C51DE45AD7660CB34FA42DB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • QueryDepthSList.KERNEL32(?,?,?,00000000,?,?,?,00C864C2,00000000,00000000,00000000,00000000,?,?,00C86296,00000000), ref: 00C863A1
                        • InterlockedPushEntrySList.KERNEL32(?,?,?,00C864C2,00000000,00000000,00000000,00000000,?,?,00C86296,00000000), ref: 00C863BA
                        • QueryDepthSList.KERNEL32(?,?,00C864C2,00000000,00000000,00000000,00000000,?,?,00C86296,00000000), ref: 00C863C1
                        • InterlockedFlushSList.KERNEL32(?,?,00C864C2,00000000,00000000,00000000,00000000,?,?,00C86296,00000000), ref: 00C863EC
                        • Concurrency::details::SafePointInvocation::InvokeAtNextSafePoint.LIBCONCRT ref: 00C86401
                        • InterlockedPushEntrySList.KERNEL32(?,?,?,00C864C2,00000000,00000000,00000000,00000000,?,?,00C86296,00000000), ref: 00C86409
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: List$Interlocked$DepthEntryPointPushQuerySafe$Concurrency::details::FlushInvocation::InvokeNext
                        • String ID:
                        • API String ID: 80210428-0
                        • Opcode ID: 0826deba1a9a403aab8f958018712175acef46c82314b1e3ddf7f852f8abcd38
                        • Instruction ID: 617c41748d353293a3a0961daa2f36aa93c59ec9cf1211838800cad547f1f370
                        • Opcode Fuzzy Hash: 0826deba1a9a403aab8f958018712175acef46c82314b1e3ddf7f852f8abcd38
                        • Instruction Fuzzy Hash: 6331C131100610EFC729EF19C9849AEB7F5FF89329710852DE95683650CB30FE42DB95
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • __EH_prolog3_GS.LIBCMT ref: 00BC018A
                          • Part of subcall function 00BBF083: __EH_prolog3_GS.LIBCMT ref: 00BBF08A
                          • Part of subcall function 00BAE71B: _Deallocate.LIBCONCRT ref: 00BAE730
                        • URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 00BC0319
                          • Part of subcall function 00BBF664: __EH_prolog3_catch.LIBCMT ref: 00BBF66B
                        Strings
                        • J_qrTcpqgml, xrefs: 00BC0247
                        • frrnq8--tcpwd_qr,q1,_k_xml_uq,amk-bmuljm_b-d_-d_,tcpqgml=lma_afc;, xrefs: 00BC01B0
                        • .txt, xrefs: 00BC02D3
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp Download File
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp Download File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: H_prolog3_$DeallocateDownloadFileH_prolog3_catch
                        • String ID: .txt$J_qrTcpqgml$frrnq8--tcpwd_qr,q1,_k_xml_uq,amk-bmuljm_b-d_-d_,tcpqgml=lma_afc;
                        • API String ID: 3074297094-1191257844
                        • Opcode ID: 674a9b552982dac458be45d8138705637d23cce855e757fd4f6d5e7c9d5abedd
                        • Instruction ID: e6ecb113e85ed98744c603e859bba8584569bdc6a6a524648dd24406befebe36
                        • Opcode Fuzzy Hash: 674a9b552982dac458be45d8138705637d23cce855e757fd4f6d5e7c9d5abedd
                        • Instruction Fuzzy Hash: E5D15970D14259CFDF28EBA8C891BECB7B5AF69304F1044EDE059A7291EB709A85DF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • InterlockedFlushSList.KERNEL32(?,?,?,?,00C852C7,00000000,00C7A3AD,?,?,?,00C79A78,8A028F78,?,?,?,00C8C1E7), ref: 00C8521B
                        • _InternalDeleteHelper.LIBCONCRT ref: 00C8522E
                        • InterlockedFlushSList.KERNEL32(?,?,?,?,00C852C7,00000000,00C7A3AD,?,?,?,00C79A78,8A028F78,?,?,?,00C8C1E7), ref: 00C8523C
                        • _InternalDeleteHelper.LIBCONCRT ref: 00C8524F
                        • _InternalDeleteHelper.LIBCONCRT ref: 00C85267
                        • _InternalDeleteHelper.LIBCONCRT ref: 00C85284
                        Similarity
                        • API ID: DeleteHelperInternal$FlushInterlockedList
                        • String ID:
                        • API String ID: 3190206687-0
                        • Opcode ID: 89b73d07d04f4930cbccbdab046bdd0be19fe2fc56a1bd11b7f33d60fb2f3402
                        • Instruction ID: 5fbaa8266aa4ff70df4028e0e0d4283ebf4631e1a463e2be1978e311f7fa7593
                        • Opcode Fuzzy Hash: 89b73d07d04f4930cbccbdab046bdd0be19fe2fc56a1bd11b7f33d60fb2f3402
                        • Instruction Fuzzy Hash: 18112732900E32AFCB35BB60D445A56B3A4BF0876871206A9FC806B612DF60FC11DBD4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • InterlockedFlushSList.KERNEL32(?,?,00000000,?,00C834E2,?,00000000,00C7A381,?,?,?,00C79A78,8A028F78), ref: 00C83439
                        • _InternalDeleteHelper.LIBCONCRT ref: 00C8344C
                        • InterlockedFlushSList.KERNEL32(?,?,00000000,?,00C834E2,?,00000000,00C7A381,?,?,?,00C79A78,8A028F78), ref: 00C8345A
                        • _InternalDeleteHelper.LIBCONCRT ref: 00C8346D
                        • _InternalDeleteHelper.LIBCONCRT ref: 00C83485
                        • _InternalDeleteHelper.LIBCONCRT ref: 00C834A2
                        Similarity
                        • API ID: DeleteHelperInternal$FlushInterlockedList
                        • String ID:
                        • API String ID: 3190206687-0
                        • Opcode ID: 4bcbb3c2b96cfcd286922d9f41a61cb15524beb5558103c2ad6e03a5f16c5e95
                        • Instruction ID: 974b566473df69613deb38b1d3d4d02f3abd5365789a7208121eb12c37e7bd70
                        • Opcode Fuzzy Hash: 4bcbb3c2b96cfcd286922d9f41a61cb15524beb5558103c2ad6e03a5f16c5e95
                        • Instruction Fuzzy Hash: 64115732900672EBCB32BF50D445E1ABB64BF48B68702146AFC4067222D730EE01DBE8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 00C3A2A0
                        • int.LIBCPMT ref: 00C3A2B7
                          • Part of subcall function 00BAD456: std::_Lockit::_Lockit.LIBCPMT ref: 00BAD467
                          • Part of subcall function 00BAD456: std::_Lockit::~_Lockit.LIBCPMT ref: 00BAD481
                        • codecvt.LIBCPMT ref: 00C3A2DA
                        • std::_Facet_Register.LIBCPMT ref: 00C3A2F1
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00C3A311
                        • Concurrency::cancel_current_task.LIBCPMT ref: 00C3A31E
                        Similarity
                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registercodecvt
                        • String ID:
                        • API String ID: 3595785899-0
                        • Opcode ID: 7a670dfb3eb4670303dd01f073f7d1603a56e628db9e3346a57bef4f1d634528
                        • Instruction ID: 73e75455bf2672a402a682fe96544ecc269d526f5a4fa59e5514ff7fbb4bc829
                        • Opcode Fuzzy Hash: 7a670dfb3eb4670303dd01f073f7d1603a56e628db9e3346a57bef4f1d634528
                        • Instruction Fuzzy Hash: 7B01D271D102599BCB09FF64C8167BE77B5AF44710F290449E425AB3D2DF70AE01DB82
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 00C3539A
                        • int.LIBCPMT ref: 00C353B1
                          • Part of subcall function 00BAD456: std::_Lockit::_Lockit.LIBCPMT ref: 00BAD467
                          • Part of subcall function 00BAD456: std::_Lockit::~_Lockit.LIBCPMT ref: 00BAD481
                        • numpunct.LIBCPMT ref: 00C353D4
                        • std::_Facet_Register.LIBCPMT ref: 00C353EB
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00C3540B
                        • Concurrency::cancel_current_task.LIBCPMT ref: 00C35418
                        Similarity
                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registernumpunct
                        • String ID:
                        • API String ID: 1910018792-0
                        • Opcode ID: 81691850097c33a7a9c313d37e61542f5deaa4bdfc5ab844bc3d017b5ce7e3da
                        • Instruction ID: 6c6a914cb3da8df0f94a70a585cd0df7fd088b5cd1f805d3549d5f8d29a39cef
                        • Opcode Fuzzy Hash: 81691850097c33a7a9c313d37e61542f5deaa4bdfc5ab844bc3d017b5ce7e3da
                        • Instruction Fuzzy Hash: 880122319106199BCF08EB60C8057BDB7B1AF40320F290409F424AB2D1DF70AE41DBD0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 00C3A3CA
                        • int.LIBCPMT ref: 00C3A3E1
                          • Part of subcall function 00BAD456: std::_Lockit::_Lockit.LIBCPMT ref: 00BAD467
                          • Part of subcall function 00BAD456: std::_Lockit::~_Lockit.LIBCPMT ref: 00BAD481
                        • collate.LIBCPMT ref: 00C3A404
                        • std::_Facet_Register.LIBCPMT ref: 00C3A41B
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00C3A43B
                        • Concurrency::cancel_current_task.LIBCPMT ref: 00C3A448
                        Similarity
                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registercollate
                        • String ID:
                        • API String ID: 3223962878-0
                        • Opcode ID: 088dc0780d05acc77893ed7f3f6d65de313af735a8388258a7602c76aad781e3
                        • Instruction ID: e2471b1184b14a78638c5705a75dae03c3784a0440c9d3b2c48e314be2ff277c
                        • Opcode Fuzzy Hash: 088dc0780d05acc77893ed7f3f6d65de313af735a8388258a7602c76aad781e3
                        • Instruction Fuzzy Hash: C90145719101599BCF09EF64C8097BDB7B0AF44310F290409F421AB3D2DF74AE01DB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 00C3A335
                        • int.LIBCPMT ref: 00C3A34C
                          • Part of subcall function 00BAD456: std::_Lockit::_Lockit.LIBCPMT ref: 00BAD467
                          • Part of subcall function 00BAD456: std::_Lockit::~_Lockit.LIBCPMT ref: 00BAD481
                        • codecvt.LIBCPMT ref: 00C3A36F
                        • std::_Facet_Register.LIBCPMT ref: 00C3A386
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00C3A3A6
                        • Concurrency::cancel_current_task.LIBCPMT ref: 00C3A3B3
                        Similarity
                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registercodecvt
                        • String ID:
                        • API String ID: 3595785899-0
                        • Opcode ID: 68ff178c84a72b59b6b2d0f9e6ed7cb46aeb61fda4e645c23e7953bbef8afe84
                        • Instruction ID: 3bb457627a8b7aa615a8ec6d0428a35ef4b932c541bcdf17074d35b390209d49
                        • Opcode Fuzzy Hash: 68ff178c84a72b59b6b2d0f9e6ed7cb46aeb61fda4e645c23e7953bbef8afe84
                        • Instruction Fuzzy Hash: D80122319102199BCB08EF60C8457BD77B1EF44320F290408E420AB3E1CF74AE41DB82
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 00C3A4F4
                        • int.LIBCPMT ref: 00C3A50B
                          • Part of subcall function 00BAD456: std::_Lockit::_Lockit.LIBCPMT ref: 00BAD467
                          • Part of subcall function 00BAD456: std::_Lockit::~_Lockit.LIBCPMT ref: 00BAD481
                        • ctype.LIBCPMT ref: 00C3A52E
                        • std::_Facet_Register.LIBCPMT ref: 00C3A545
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00C3A565
                        • Concurrency::cancel_current_task.LIBCPMT ref: 00C3A572
                        Similarity
                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registerctype
                        • String ID:
                        • API String ID: 3097546199-0
                        • Opcode ID: 6f72f0303564626903d6dd98ea2a08a3b611132a5cb604f219daff0a27e32601
                        • Instruction ID: 2f3ca4ebd5aae09b0261fb55a98a9f6be7791ad77a94d2d988795242dfa719a6
                        • Opcode Fuzzy Hash: 6f72f0303564626903d6dd98ea2a08a3b611132a5cb604f219daff0a27e32601
                        • Instruction Fuzzy Hash: F9012271D102199BCB08EF60C815BBD77B5AF84320F290409E421AB2E2CF70AE01DB81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 00C3A45F
                        • int.LIBCPMT ref: 00C3A476
                          • Part of subcall function 00BAD456: std::_Lockit::_Lockit.LIBCPMT ref: 00BAD467
                          • Part of subcall function 00BAD456: std::_Lockit::~_Lockit.LIBCPMT ref: 00BAD481
                        • collate.LIBCPMT ref: 00C3A499
                        • std::_Facet_Register.LIBCPMT ref: 00C3A4B0
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00C3A4D0
                        • Concurrency::cancel_current_task.LIBCPMT ref: 00C3A4DD
                        Similarity
                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registercollate
                        • String ID:
                        • API String ID: 3223962878-0
                        • Opcode ID: 5255f3aa8e32b667e9e6c5f30bdb756525225a58cea9f752ea61ca5bd893bd3a
                        • Instruction ID: f2a3acd99c1c491d7f97ccbf8f74f991f7c4d459bfb7c4b79dae48869fc579d1
                        • Opcode Fuzzy Hash: 5255f3aa8e32b667e9e6c5f30bdb756525225a58cea9f752ea61ca5bd893bd3a
                        • Instruction Fuzzy Hash: 36012231910259ABCB09EF60D819BBD77B0AF44310F290548E429AB2D2DFB0AE019B91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 00C3A589
                        • int.LIBCPMT ref: 00C3A5A0
                          • Part of subcall function 00BAD456: std::_Lockit::_Lockit.LIBCPMT ref: 00BAD467
                          • Part of subcall function 00BAD456: std::_Lockit::~_Lockit.LIBCPMT ref: 00BAD481
                        • messages.LIBCPMT ref: 00C3A5C3
                        • std::_Facet_Register.LIBCPMT ref: 00C3A5DA
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00C3A5FA
                        • Concurrency::cancel_current_task.LIBCPMT ref: 00C3A607
                        Similarity
                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermessages
                        • String ID:
                        • API String ID: 4267825564-0
                        • Opcode ID: e8f81ef157a5f89bb37ad0cda4505cacbed4da47b96481b11612dc04a29b33e8
                        • Instruction ID: 117e795f25c05a27a67c4b7ef4d88b40a2579e6a6afce919a0b653a8c38e771b
                        • Opcode Fuzzy Hash: e8f81ef157a5f89bb37ad0cda4505cacbed4da47b96481b11612dc04a29b33e8
                        • Instruction Fuzzy Hash: FC0122719106199BCB08EFA0C8067BD77B4AF84314F290008F424AB3D2CF74AE41DB81
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 00C3A61E
                        • int.LIBCPMT ref: 00C3A635
                          • Part of subcall function 00BAD456: std::_Lockit::_Lockit.LIBCPMT ref: 00BAD467
                          • Part of subcall function 00BAD456: std::_Lockit::~_Lockit.LIBCPMT ref: 00BAD481
                        • messages.LIBCPMT ref: 00C3A658
                        • std::_Facet_Register.LIBCPMT ref: 00C3A66F
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00C3A68F
                        • Concurrency::cancel_current_task.LIBCPMT ref: 00C3A69C
                        Similarity
                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermessages
                        • String ID:
                        • API String ID: 4267825564-0
                        • Opcode ID: 18b3427378082ed11f69074b7c5758b1c76cef2f7fbe7d899f8f045e4bf17b78
                        • Instruction ID: 57b2bc129ea718f212add8dd82700fa3d12ab7f0401c429fec7589a0023c1c85
                        • Opcode Fuzzy Hash: 18b3427378082ed11f69074b7c5758b1c76cef2f7fbe7d899f8f045e4bf17b78
                        • Instruction Fuzzy Hash: 980122B19101599BCB09EF60C81A7BD77B4AF80310F290409F824AB2D2CF70AE01DB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • Concurrency::details::SchedulerProxy::AddVirtualProcessorRoots.LIBCONCRT ref: 00C81837
                        • Concurrency::details::SchedulerProxy::RemoveCore.LIBCONCRT ref: 00C8185E
                        • Concurrency::details::SchedulerProxy::CreateExternalThreadResource.LIBCMT ref: 00C81885
                        Strings
                        Similarity
                        • API ID: Concurrency::details::Proxy::Scheduler$CoreCreateExternalProcessorRemoveResourceRootsThreadVirtual
                        • String ID: 4$4
                        • API String ID: 584893117-209682765
                        • Opcode ID: e6874261aac88d89e79909d30420a66eab32c93c997c0c42448c0dc1bc6d9c5c
                        • Instruction ID: b17fde486b65b37b6db091ffd8e60d15dd571ff18b6aa4b132383ce5ece347c9
                        • Opcode Fuzzy Hash: e6874261aac88d89e79909d30420a66eab32c93c997c0c42448c0dc1bc6d9c5c
                        • Instruction Fuzzy Hash: 2FB14D74E042599FCF18DFA4C4906ADBBF9BF45318F18816ED865A7241D7309E42CB98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Similarity
                        • API ID: ClassH_prolog3_NameTextWindow
                        • String ID: BT0AmlrpmjFmqr$Uglbmuq,SG,Ampc,AmpcUglbmu
                        • API String ID: 2261779721-2564481283
                        • Opcode ID: 7df8589234cd36717ecb0736d577a046d1e2a0bb5936a3fd366f23922824cde4
                        • Instruction ID: 13e6d28ac0247dd8156f1abbbf75f38853e950c74a694e15216842c97a81c736
                        • Opcode Fuzzy Hash: 7df8589234cd36717ecb0736d577a046d1e2a0bb5936a3fd366f23922824cde4
                        • Instruction Fuzzy Hash: 2EB129B19102189FDB64EB24CC85BADB7F9EF94304F5004D9E60D9B252EB31AE84CF59
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetPhysicalCursorPos.USER32(?), ref: 00BD16C0
                        • MonitorFromPoint.USER32(?,?,00000002), ref: 00BD16CE
                        • GetMonitorInfoA.USER32 ref: 00BD16E4
                        • SetRect.USER32 ref: 00BD16FB
                        Strings
                        Similarity
                        • API ID: Monitor$CursorFromInfoPhysicalPointRect
                        • String ID: (
                        • API String ID: 2989421265-3887548279
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00C5A2A8,?,?,00C5A270,?,?,?), ref: 00C5A2C8
                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C5A2DB
                        • FreeLibrary.KERNEL32(00000000,?,?,00C5A2A8,?,?,00C5A270,?,?,?), ref: 00C5A2FE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: AddressFreeHandleLibraryModuleProc
                        • String ID: CorExitProcess$mscoree.dll
                        • API String ID: 4061214504-1276376045
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetCPInfo.KERNEL32(?,?,?,?,?), ref: 00C4A7E2
                        • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00C4A870
                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C4A8E2
                        • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00C4A8FC
                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C4A95F
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: ByteCharMultiWide$Info
                        • String ID:
                        • API String ID: 1775632426-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00BD046E: SystemParametersInfoW.USER32 ref: 00BD048D
                          • Part of subcall function 00BD046E: GetSystemMetrics.USER32 ref: 00BD0494
                          • Part of subcall function 00BD046E: GetSystemMetrics.USER32 ref: 00BD049E
                        • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000002,?,?), ref: 00BD0305
                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00BD03E2
                        • UpdateWindow.USER32(?), ref: 00BD03E9
                        • Sleep.KERNEL32(00000001), ref: 00BD043C
                        • SetLayeredWindowAttributes.USER32(?,00000000,000000FF,00000002), ref: 00BD045F
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: Window$AttributesLayeredSystem$Metrics$InfoParametersSleepUpdate
                        • String ID:
                        • API String ID: 1609260537-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • __EH_prolog3_catch.LIBCMT ref: 00C8005F
                        • Concurrency::SchedulerPolicy::_ValidPolicyValue.LIBCONCRT ref: 00C800AB
                        • std::bad_exception::bad_exception.LIBCMT ref: 00C800CA
                        • Concurrency::SchedulerPolicy::_ResolvePolicyValues.LIBCMT ref: 00C80103
                        • std::bad_exception::bad_exception.LIBCMT ref: 00C8012D
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: Concurrency::PolicyPolicy::_Schedulerstd::bad_exception::bad_exception$H_prolog3_catchResolveValidValueValues
                        • String ID:
                        • API String ID: 921398678-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • PostMessageW.USER32(00000010,00000000,00000000), ref: 00BA96A6
                        • GetWindowLongW.USER32(?,000000EB), ref: 00BA96D2
                        • KillTimer.USER32(?,00008FFF), ref: 00BA9726
                        • PostQuitMessage.USER32(00000000), ref: 00BA972E
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: MessagePost$KillLongQuitTimerWindow
                        • String ID:
                        • API String ID: 1027558246-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 00C804A2
                          • Part of subcall function 00C818E3: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 00C8192A
                        • GetCurrentThread.KERNEL32 ref: 00C8043A
                        • Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 00C80446
                          • Part of subcall function 00C75440: Concurrency::details::platform::__GetThreadGroupAffinity.LIBCONCRT ref: 00C75452
                          • Part of subcall function 00C758F6: Concurrency::details::platform::__SetThreadGroupAffinity.LIBCONCRT ref: 00C758FD
                        • Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCONCRT ref: 00C80489
                          • Part of subcall function 00C81895: SetEvent.KERNEL32(?,?,00C8048E,00C811AD,00000000,?,00000000,00C811AD,00000004,00C8188A,00000000,?,?,?,00000000), ref: 00C818D9
                        • Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 00C80492
                          • Part of subcall function 00C80E92: List.LIBCONCRT ref: 00C80EC8
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: Concurrency::details::$AffinityProxy::SchedulerThread$Concurrency::details::platform::__CurrentExecutionGroupHardware$Affinity::BorrowedCoreEventIncrementListResourceResource::StateSubscriptionToggle
                        • String ID:
                        • API String ID: 1519980394-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 00BB71E8
                        • int.LIBCPMT ref: 00BB71FF
                          • Part of subcall function 00BAD456: std::_Lockit::_Lockit.LIBCPMT ref: 00BAD467
                          • Part of subcall function 00BAD456: std::_Lockit::~_Lockit.LIBCPMT ref: 00BAD481
                        • std::_Facet_Register.LIBCPMT ref: 00BB7239
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00BB724F
                        • Concurrency::cancel_current_task.LIBCPMT ref: 00BB725C
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                        • String ID:
                        • API String ID: 2081738530-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 00C35305
                        • int.LIBCPMT ref: 00C3531C
                          • Part of subcall function 00BAD456: std::_Lockit::_Lockit.LIBCPMT ref: 00BAD467
                          • Part of subcall function 00BAD456: std::_Lockit::~_Lockit.LIBCPMT ref: 00BAD481
                        • std::_Facet_Register.LIBCPMT ref: 00C35356
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00C35376
                        • Concurrency::cancel_current_task.LIBCPMT ref: 00C35383
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                        • String ID:
                        • API String ID: 2081738530-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 00C35270
                        • int.LIBCPMT ref: 00C35287
                          • Part of subcall function 00BAD456: std::_Lockit::_Lockit.LIBCPMT ref: 00BAD467
                          • Part of subcall function 00BAD456: std::_Lockit::~_Lockit.LIBCPMT ref: 00BAD481
                        • std::_Facet_Register.LIBCPMT ref: 00C352C1
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00C352E1
                        • Concurrency::cancel_current_task.LIBCPMT ref: 00C352EE
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                        • String ID:
                        • API String ID: 2081738530-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 00C3A6B3
                        • int.LIBCPMT ref: 00C3A6CA
                          • Part of subcall function 00BAD456: std::_Lockit::_Lockit.LIBCPMT ref: 00BAD467
                          • Part of subcall function 00BAD456: std::_Lockit::~_Lockit.LIBCPMT ref: 00BAD481
                        • std::_Facet_Register.LIBCPMT ref: 00C3A704
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00C3A724
                        • Concurrency::cancel_current_task.LIBCPMT ref: 00C3A731
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                        • String ID:
                        • API String ID: 2081738530-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 00C3A7DD
                        • int.LIBCPMT ref: 00C3A7F4
                          • Part of subcall function 00BAD456: std::_Lockit::_Lockit.LIBCPMT ref: 00BAD467
                          • Part of subcall function 00BAD456: std::_Lockit::~_Lockit.LIBCPMT ref: 00BAD481
                        • std::_Facet_Register.LIBCPMT ref: 00C3A82E
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00C3A84E
                        • Concurrency::cancel_current_task.LIBCPMT ref: 00C3A85B
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                        • String ID:
                        • API String ID: 2081738530-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 00BBC342
                        • int.LIBCPMT ref: 00BBC359
                          • Part of subcall function 00BAD456: std::_Lockit::_Lockit.LIBCPMT ref: 00BAD467
                          • Part of subcall function 00BAD456: std::_Lockit::~_Lockit.LIBCPMT ref: 00BAD481
                        • std::_Facet_Register.LIBCPMT ref: 00BBC393
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00BBC3A9
                        • Concurrency::cancel_current_task.LIBCPMT ref: 00BBC3B6
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                        • String ID:
                        • API String ID: 2081738530-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _free.LIBCMT ref: 00C6C25F
                          • Part of subcall function 00C63981: HeapFree.KERNEL32(00000000,00000000,?,00C6084E), ref: 00C63997
                          • Part of subcall function 00C63981: GetLastError.KERNEL32(?,?,00C6084E), ref: 00C639A9
                        • _free.LIBCMT ref: 00C6C271
                        • _free.LIBCMT ref: 00C6C283
                        • _free.LIBCMT ref: 00C6C295
                        • _free.LIBCMT ref: 00C6C2A7
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: d66185c9f4a5df26a3f68e92fbd141c7ead5230971d397f50a1c8065f1cfacca
                        • Instruction ID: 6325fc5f406caab61b6ba22a8806d12d1c828871c0b87b7919f0bbdde5b1d04f
                        • Opcode Fuzzy Hash: d66185c9f4a5df26a3f68e92fbd141c7ead5230971d397f50a1c8065f1cfacca
                        • Instruction Fuzzy Hash: 55F03632919254EBC630EBA5E4D6E2EB3E9AA517107650D0EFCA8D7501C770FD815A60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Similarity
                        • API ID:
                        • String ID: C:\Users\user\Desktop\PcAppStore.exe
                        • API String ID: 0-2837695400
                        • Opcode ID: e6fdcb3cd3a8ac1328285bd17f30a5b26816c98f2fbb524b1b3f4961c3f23c4d
                        • Instruction ID: d49c1655b5b5a1af6471691d164df94a5a30888195422712ce188243c9bb99a8
                        • Opcode Fuzzy Hash: e6fdcb3cd3a8ac1328285bd17f30a5b26816c98f2fbb524b1b3f4961c3f23c4d
                        • Instruction Fuzzy Hash: 2C31C675E00218AFCB29DF99CC85E9EBBB8EBA5341B140066FD14D7250EB708F84DB94
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00C4E124
                        • CatchIt.LIBVCRUNTIME ref: 00C4E20A
                        Strings
                        Similarity
                        • API ID: CatchEncodePointer
                        • String ID: MOC$RCC
                        • API String ID: 1435073870-2084237596
                        • Opcode ID: 0086393562cb032a90e02e60080cb6628fdce3a5d22a1c6bf0cba305a9f6494b
                        • Instruction ID: db7a5b084ce41fab0480f1c606013bbd8bf0f3ec5a5f32e4af406437990b0d0b
                        • Opcode Fuzzy Hash: 0086393562cb032a90e02e60080cb6628fdce3a5d22a1c6bf0cba305a9f6494b
                        • Instruction Fuzzy Hash: 5A417C72900209EFCF25DF98DC81AEEBBB5FF48304F198099F914A7252D375AA51DB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 00C774DC
                        • Concurrency::details::SchedulerProxy::RemoveCore.LIBCONCRT ref: 00C77537
                        Strings
                        Similarity
                        • API ID: Concurrency::details::Proxy::Scheduler$BorrowedCoreRemoveStateToggle
                        • String ID: $$4
                        • API String ID: 296243165-274276925
                        • Opcode ID: 15176b50a9094f3a132910be0829fa68a4a7390d82021d73f5bf7f5f047c846a
                        • Instruction ID: 01aeb69b2575892e843e7ae5c4e58a32212dcf29dc4640d29b1ccfbb4b2804b3
                        • Opcode Fuzzy Hash: 15176b50a9094f3a132910be0829fa68a4a7390d82021d73f5bf7f5f047c846a
                        • Instruction Fuzzy Hash: 73413971D0420AAFCB58DFA8C4809AEBBB5FF48314F148569D46AA7241D334EE91CB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Similarity
                        • API ID: Mpunct$Getvals
                        • String ID: $+xv
                        • API String ID: 455491934-1686923651
                        • Opcode ID: 64ecded910f7191281d0263c558a774d450901efd7c378443217147ce0a031cf
                        • Instruction ID: 6527c7a961c7072b8258ae307d93ce6c1feecd2a6c141c257b3df7b54353bbe7
                        • Opcode Fuzzy Hash: 64ecded910f7191281d0263c558a774d450901efd7c378443217147ce0a031cf
                        • Instruction Fuzzy Hash: 3621D1B0800B426EDB21DF75849067BBEE8BB0C300F14095EE999C7A41D730EA55DB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetModuleHandleA.KERNEL32(ntdll,RtlGetVersion,74B5F790), ref: 00BC8175
                        • GetProcAddress.KERNEL32(00000000), ref: 00BC817C
                        Strings
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: RtlGetVersion$ntdll
                        • API String ID: 1646373207-2582309562
                        • Opcode ID: 051e8fa3b25496936d111331bb82b818f03edc68d29a0498687bcfc002b016a7
                        • Instruction ID: 8691f52501039c162f2223c1e3fc4981605bcc5720adc781a6cc8ee5ec430fb4
                        • Opcode Fuzzy Hash: 051e8fa3b25496936d111331bb82b818f03edc68d29a0498687bcfc002b016a7
                        • Instruction Fuzzy Hash: 5A114871910348CADB34DFA4AC98FED7BE0EB1D319F18006FD501AA1A1EA744146CF01
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Similarity
                        • API ID: _strrchr
                        • String ID:
                        • API String ID: 3213747228-0
                        • Opcode ID: 98060c1c99bb40aac0737417966a95e141c0201f37ab6bf823e55b625779bb92
                        • Instruction ID: a6554122907387cd5cbac8dc3dbd4cab8df02bb4cea09311eaa5ace1916b3df4
                        • Opcode Fuzzy Hash: 98060c1c99bb40aac0737417966a95e141c0201f37ab6bf823e55b625779bb92
                        • Instruction Fuzzy Hash: E0B13532900A859FDB31CF68C8D17AEBBE5EF55340F38816AE851DB392D2749E41CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • __EH_prolog3_catch.LIBCMT ref: 00BCE79E
                        • Concurrency::cancel_current_task.LIBCPMT ref: 00BCE87D
                        • __EH_prolog3_catch.LIBCMT ref: 00BCE88F
                        Similarity
                        • API ID: H_prolog3_catch$Concurrency::cancel_current_task
                        • String ID:
                        • API String ID: 2852931406-0
                        • Opcode ID: 492b649bd6d4eb39048f022a2aba74867a1f57de829b88ea8ed1ff3e88e9a13d
                        • Instruction ID: f28e9f0b76254ff8a97a6113d90cc302bfa2affbce35acae1c9f442bae86284d
                        • Opcode Fuzzy Hash: 492b649bd6d4eb39048f022a2aba74867a1f57de829b88ea8ed1ff3e88e9a13d
                        • Instruction Fuzzy Hash: F0812E71A00209DFCB14EFA8C4959AEBBF1FF48310B2485AEF46AAB351D771DA41DB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • WideCharToMultiByte.KERNEL32(00001000,00000000,?,?,?,?,00000000,00000000,00001000,00000000,?,?,00BC0430,00000003,?,?), ref: 00BC9532
                        • GetLastError.KERNEL32(?,?,00BC0430,00000003,?,?,?,?,00000001), ref: 00BC953F
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00BC0430,00000003,?,?,?,?), ref: 00BC955B
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00BC0430,00000003,?,?,?,?), ref: 00BC957D
                        Similarity
                        • API ID: ByteCharMultiWide$ErrorLast
                        • String ID:
                        • API String ID: 1717984340-0
                        • Opcode ID: 2f46c7ecebcc90da059ee2b07789b145ec80005d9491d20a546c3ac7c51ae3de
                        • Instruction ID: 6f7d4c99283567b5c101ac085f47393aa50da1df5f4cb73d44338026be288663
                        • Opcode Fuzzy Hash: 2f46c7ecebcc90da059ee2b07789b145ec80005d9491d20a546c3ac7c51ae3de
                        • Instruction Fuzzy Hash: A731C5B2204216AFE7289F29DC85E7BB7DDFF95354714466EF806C3610DB21AC158BA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f6b8e3a9f35512ef3b0564d1d505068409e4e1896ba66efe4c67201509fea92d
                        • Instruction ID: a83423b484dc8b7eece77570ddea2e01d18d9b5281a6a16e36fd8cad75c5ab17
                        • Opcode Fuzzy Hash: f6b8e3a9f35512ef3b0564d1d505068409e4e1896ba66efe4c67201509fea92d
                        • Instruction Fuzzy Hash: A221C27A600609AFDB28AF618C80E3B776DAF8036A7104525FD25975C1E770DEC4A7A4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::locale::_Init.LIBCPMT ref: 00BB10EA
                          • Part of subcall function 00C3448A: std::_Lockit::_Lockit.LIBCPMT ref: 00C3449C
                          • Part of subcall function 00C3448A: std::locale::_Setgloballocale.LIBCPMT ref: 00C344B7
                          • Part of subcall function 00C3448A: std::_Lockit::~_Lockit.LIBCPMT ref: 00C3450D
                          • Part of subcall function 00BBC643: std::_Locinfo::~_Locinfo.LIBCPMT ref: 00BBC686
                        • std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 00BB1151
                          • Part of subcall function 00C345EF: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00C34614
                        • int.LIBCPMT ref: 00BB1161
                          • Part of subcall function 00BAD456: std::_Lockit::_Lockit.LIBCPMT ref: 00BAD467
                          • Part of subcall function 00BAD456: std::_Lockit::~_Lockit.LIBCPMT ref: 00BAD481
                        • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00BB1169
                          • Part of subcall function 00C36F41: std::_Lockit::_Lockit.LIBCPMT ref: 00C36F52
                          • Part of subcall function 00C36F41: std::_Lockit::~_Lockit.LIBCPMT ref: 00C36FF6
                        Similarity
                        • API ID: std::_$Lockit$std::locale::_$Locimp::_Lockit::_Lockit::~_$Locimp$AddfacInitLocimp_LocinfoLocinfo::~_New_Setgloballocale
                        • String ID:
                        • API String ID: 295153432-0
                        • Opcode ID: f030b3965fa2a7d9074536457f02b13827722a73f547fdb1084d0bc67489e287
                        • Instruction ID: 711fc980d63048ad0ce1d711fe72b8bf56a03f3892ddbed32b2ad945ed9a7d8b
                        • Opcode Fuzzy Hash: f030b3965fa2a7d9074536457f02b13827722a73f547fdb1084d0bc67489e287
                        • Instruction Fuzzy Hash: E621B3B0814740DFDB21EF65C04176EBBF4EF44314F10495DE18A97A81DBB5AA04DB55
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::locale::_Init.LIBCPMT ref: 00BB15BA
                          • Part of subcall function 00C3448A: std::_Lockit::_Lockit.LIBCPMT ref: 00C3449C
                          • Part of subcall function 00C3448A: std::locale::_Setgloballocale.LIBCPMT ref: 00C344B7
                          • Part of subcall function 00C3448A: std::_Lockit::~_Lockit.LIBCPMT ref: 00C3450D
                          • Part of subcall function 00BBC643: std::_Locinfo::~_Locinfo.LIBCPMT ref: 00BBC686
                        • std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 00BB1621
                          • Part of subcall function 00C345EF: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00C34614
                        • int.LIBCPMT ref: 00BB1631
                          • Part of subcall function 00BAD456: std::_Lockit::_Lockit.LIBCPMT ref: 00BAD467
                          • Part of subcall function 00BAD456: std::_Lockit::~_Lockit.LIBCPMT ref: 00BAD481
                        • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00BB1639
                          • Part of subcall function 00C36F41: std::_Lockit::_Lockit.LIBCPMT ref: 00C36F52
                          • Part of subcall function 00C36F41: std::_Lockit::~_Lockit.LIBCPMT ref: 00C36FF6
                        Similarity
                        • API ID: std::_$Lockit$std::locale::_$Locimp::_Lockit::_Lockit::~_$Locimp$AddfacInitLocimp_LocinfoLocinfo::~_New_Setgloballocale
                        • String ID:
                        • API String ID: 295153432-0
                        • Opcode ID: 2f22679778a17b5dd109b863cc1b07ebbcdd2c2365e4c8838a8bc4a39f2d85a5
                        • Instruction ID: f3cd5bf38f39e0468d881b794da901b7e182c5ef1ec2b6809e92c44d2f98770f
                        • Opcode Fuzzy Hash: 2f22679778a17b5dd109b863cc1b07ebbcdd2c2365e4c8838a8bc4a39f2d85a5
                        • Instruction Fuzzy Hash: 7821B0B0818740DFDB21EF65C442BAEBBF0EF44314F10495DE18A9B681DBB5AA08DB59
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetWindowLongW.USER32(?,000000EB), ref: 00BA9462
                        • VariantInit.OLEAUT32(?), ref: 00BA9480
                        • SysAllocString.OLEAUT32 ref: 00BA948E
                        • VariantClear.OLEAUT32(?), ref: 00BA94BA
                        Similarity
                        • API ID: Variant$AllocClearInitLongStringWindow
                        • String ID:
                        • API String ID: 2306920582-0
                        • Opcode ID: c8ece04b09ca017ae40a55a3d6c09df1d5107d83af7a03591897cfd070cd2bcb
                        • Instruction ID: 9bd6fc170963091588c4b6f2ffabdb893a073380334990b3edaff8f23c2e94d8
                        • Opcode Fuzzy Hash: c8ece04b09ca017ae40a55a3d6c09df1d5107d83af7a03591897cfd070cd2bcb
                        • Instruction Fuzzy Hash: 8C118231504116AFCB14DBA8DC4CEAF7FBCFF8A324B100656B515D71A0DA309901D7D0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00C74167
                          • Part of subcall function 00C74328: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 00C7A5C2
                        • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00C74188
                          • Part of subcall function 00C75146: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 00C75162
                        • Concurrency::details::GetSharedTimerQueue.LIBCONCRT ref: 00C741A4
                        • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 00C741AB
                        Similarity
                        • API ID: Concurrency::details::$Timer$Scheduler$Base::LibraryLoadQueue$AsyncConcurrency::details::platform::__ContextCreateCurrentDefaultReferenceRegisterShared
                        • String ID:
                        • API String ID: 1684785560-0
                        • Opcode ID: 1f99d372d25fcb882f88df1c3e4854457d7d6cf573b7b5901e9227cbc4a91f40
                        • Instruction ID: 4b1a44637bf27e5fa261f9200999abf20141e0970c496ead22b6355983482227
                        • Opcode Fuzzy Hash: 1f99d372d25fcb882f88df1c3e4854457d7d6cf573b7b5901e9227cbc4a91f40
                        • Instruction Fuzzy Hash: 4401D2B1500315ABC7247F69CC8299EBBACEF10354B50C93AF56DD21A1D7B09944E7A1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00BD55F9: __alldvrm.LIBCMT ref: 00BD5615
                          • Part of subcall function 00BD55F9: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BD5633
                        • GetDesktopWindow.USER32 ref: 00BD1612
                        • EnumChildWindows.USER32 ref: 00BD1619
                          • Part of subcall function 00BD1CCF: __EH_prolog3_GS.LIBCMT ref: 00BD1CD9
                          • Part of subcall function 00BBEC2D: __EH_prolog3_GS.LIBCMT ref: 00BBEC37
                          • Part of subcall function 00BBEC2D: GetTickCount.KERNEL32 ref: 00BBEDAB
                          • Part of subcall function 00BD29A4: __EH_prolog3_GS.LIBCMT ref: 00BD29AE
                          • Part of subcall function 00BD2964: MoveWindow.USER32(?,FFFFB1E0,FFFFB1E0,?,?,00000001,00000000,00BCF949), ref: 00BD2990
                          • Part of subcall function 00BD2964: UpdateWindow.USER32(?), ref: 00BD299C
                        • ShowWindow.USER32(?,00000005,00000000,?,?,?,00BD1C64), ref: 00BD1689
                        • UpdateWindow.USER32(?), ref: 00BD1695
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: Window$H_prolog3_$Update$ChildCountDesktopEnumMoveShowTickUnothrow_t@std@@@Windows__alldvrm__ehfuncinfo$??2@
                        • String ID:
                        • API String ID: 1520054041-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00C74EFA: TlsGetValue.KERNEL32(?,?,00C74344,00C75425,00000000,?,00C74322,?,?,?,00000000,?,00000000), ref: 00C74F00
                        • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 00C7A147
                          • Part of subcall function 00C846C2: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00C846E9
                          • Part of subcall function 00C846C2: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00C84702
                          • Part of subcall function 00C846C2: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00C84778
                          • Part of subcall function 00C846C2: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00C84780
                        • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00C7A155
                        • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00C7A15F
                        • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 00C7A169
                        Similarity
                        • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceValueVirtualWork
                        • String ID:
                        • API String ID: 2616382602-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,00BD3DC1), ref: 00BD3385
                        • ShowWindow.USER32(?,00000005), ref: 00BD3393
                        • SetLayeredWindowAttributes.USER32(?,00000000,000000FF,00000002), ref: 00BD33B9
                        • UpdateWindow.USER32(?), ref: 00BD33C5
                        Similarity
                        • API ID: Window$AttributesLayeredMoveShowUpdate
                        • String ID:
                        • API String ID: 4004266041-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • ReadConsoleInputW.KERNEL32(?,?,?), ref: 00C6A70B
                        • GetLastError.KERNEL32 ref: 00C6A717
                          • Part of subcall function 00C6A78E: CloseHandle.KERNEL32(FFFFFFFE,00C6A6BC), ref: 00C6A79E
                        • ___initconin.LIBCMT ref: 00C6A727
                          • Part of subcall function 00C6A672: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,00C6A6C1), ref: 00C6A685
                        • ReadConsoleInputW.KERNEL32(?,?,?), ref: 00C6A73B
                        Similarity
                        • API ID: ConsoleInputRead$CloseCreateErrorFileHandleLast___initconin
                        • String ID:
                        • API String ID: 838051604-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SleepConditionVariableCS.KERNELBASE(?,00C330E3,00000064), ref: 00C33169
                        • LeaveCriticalSection.KERNEL32(00CE061C,?,?,00C330E3,00000064,?,00BAE1A8,00CE1AE0,?,00000014,00BAC12B,00000000,00BB7DC0,?,00000004,00BB0A13), ref: 00C33173
                        • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00C330E3,00000064,?,00BAE1A8,00CE1AE0,?,00000014,00BAC12B,00000000,00BB7DC0,?,00000004,00BB0A13), ref: 00C33184
                        • EnterCriticalSection.KERNEL32(00CE061C,?,00C330E3,00000064,?,00BAE1A8,00CE1AE0,?,00000014,00BAC12B,00000000,00BB7DC0,?,00000004,00BB0A13), ref: 00C3318B
                        Similarity
                        • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                        • String ID:
                        • API String ID: 3269011525-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetConsoleMode.KERNEL32(?), ref: 00C6A6A0
                        • GetLastError.KERNEL32 ref: 00C6A6AC
                          • Part of subcall function 00C6A78E: CloseHandle.KERNEL32(FFFFFFFE,00C6A6BC), ref: 00C6A79E
                        • ___initconin.LIBCMT ref: 00C6A6BC
                          • Part of subcall function 00C6A672: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,00C6A6C1), ref: 00C6A685
                        • GetConsoleMode.KERNEL32(?), ref: 00C6A6CA
                        Similarity
                        • API ID: ConsoleMode$CloseCreateErrorFileHandleLast___initconin
                        • String ID:
                        • API String ID: 3067319862-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetConsoleMode.KERNEL32(?), ref: 00C6A757
                        • GetLastError.KERNEL32 ref: 00C6A763
                          • Part of subcall function 00C6A78E: CloseHandle.KERNEL32(FFFFFFFE,00C6A6BC), ref: 00C6A79E
                        • ___initconin.LIBCMT ref: 00C6A773
                          • Part of subcall function 00C6A672: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,00C6A6C1), ref: 00C6A685
                        • SetConsoleMode.KERNEL32(?), ref: 00C6A781
                        Similarity
                        • API ID: ConsoleMode$CloseCreateErrorFileHandleLast___initconin
                        • String ID:
                        • API String ID: 3067319862-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • __EH_prolog3_GS.LIBCMT ref: 00C3E41A
                          • Part of subcall function 00C3AD09: std::_Lockit::_Lockit.LIBCPMT ref: 00C3AD1A
                          • Part of subcall function 00C3AD09: int.LIBCPMT ref: 00C3AD31
                          • Part of subcall function 00C3AD09: std::_Lockit::~_Lockit.LIBCPMT ref: 00C3AD8B
                        • _Find_elem.LIBCPMT ref: 00C3E66A
                        Strings
                        • 0123456789ABCDEFabcdef-+Xx, xrefs: 00C3E491
                        Similarity
                        • API ID: Lockitstd::_$Find_elemH_prolog3_Lockit::_Lockit::~_
                        • String ID: 0123456789ABCDEFabcdef-+Xx
                        • API String ID: 2124549159-2799312399
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • __startOneArgErrorHandling.LIBCMT ref: 00C6172D
                        Strings
                        Similarity
                        • API ID: ErrorHandling__start
                        • String ID: pow
                        • API String ID: 3213639722-2276729525
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Similarity
                        • API ID: __aulldiv
                        • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                        • API String ID: 3732870572-1956417402
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Similarity
                        • API ID: Mpunct
                        • String ID: $+xv
                        • API String ID: 4240859931-1686923651
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00C39BA7: _Maklocstr.LIBCPMT ref: 00C39BC7
                          • Part of subcall function 00C39BA7: _Maklocstr.LIBCPMT ref: 00C39BE4
                          • Part of subcall function 00C39BA7: _Maklocstr.LIBCPMT ref: 00C39C01
                          • Part of subcall function 00C39BA7: _Maklocchr.LIBCPMT ref: 00C39C13
                          • Part of subcall function 00C39BA7: _Maklocchr.LIBCPMT ref: 00C39C26
                        • _Mpunct.LIBCPMT ref: 00C4059F
                        • _Mpunct.LIBCPMT ref: 00C405B9
                        Strings
                        Similarity
                        • API ID: Maklocstr$MaklocchrMpunct
                        • String ID: $+xv
                        • API String ID: 542472742-1686923651
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00BD38E1: __EH_prolog3_GS.LIBCMT ref: 00BD38EB
                          • Part of subcall function 00BD38E1: SetWindowsHookExW.USER32(0000000D,00BD0136,00000000,00000000), ref: 00BD3936
                          • Part of subcall function 00BD38E1: PeekMessageW.USER32 ref: 00BD3978
                          • Part of subcall function 00BD38E1: TranslateMessage.USER32(?), ref: 00BD3989
                          • Part of subcall function 00BD38E1: DispatchMessageW.USER32 ref: 00BD3996
                          • Part of subcall function 00BD38E1: GetAsyncKeyState.USER32(00000001), ref: 00BD399E
                          • Part of subcall function 00BD38E1: GetPhysicalCursorPos.USER32(?), ref: 00BD39B7
                          • Part of subcall function 00BD33CE: MoveWindow.USER32(00000000,FFFFB1E0,FFFFB1E0,?,?,00000001,?,00BD3A1D), ref: 00BD33FA
                          • Part of subcall function 00BD33CE: UpdateWindow.USER32(00000000), ref: 00BD3406
                        • UpdateWindow.USER32(00000000), ref: 00BD32D0
                          • Part of subcall function 00BC7C63: __EH_prolog3_align.LIBCMT ref: 00BC7C6C
                          • Part of subcall function 00BC7C63: __Mtx_unlock.LIBCPMT ref: 00BC7D5D
                        Strings
                        Similarity
                        • API ID: MessageWindow$Update$AsyncCursorDispatchH_prolog3_H_prolog3_alignHookMoveMtx_unlockPeekPhysicalStateTranslateWindows
                        • String ID: ajmqc$kcls]qc_paf
                        • API String ID: 787037456-65769981
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • __EH_prolog3_GS.LIBCMT ref: 00BBC7B8
                          • Part of subcall function 00BADC00: _Deallocate.LIBCONCRT ref: 00BADC0F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: DeallocateH_prolog3_
                        • String ID: at line $, column
                        • API String ID: 289593924-191570568
                        • Opcode ID: 7df261acdb9fdbb781fc0953138cf294b2932ec7962c9e0385f454b1de50c44b
                        • Instruction ID: 2c67a0226e7a40eb72bacb032075bff68da615e45b7264575407495ce0717bc8
                        • Opcode Fuzzy Hash: 7df261acdb9fdbb781fc0953138cf294b2932ec7962c9e0385f454b1de50c44b
                        • Instruction Fuzzy Hash: BE117070904108ABDB04EBB4C992AEDB7F4DF55304F6085ACE047A3282EEB45E04DB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 00BAD287
                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00BAD2C4
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.234612462.0000000000B91000.00000020.00020000.sdmp, Offset: 00B90000, based on PE: true
                        • Associated: 00000000.00000002.234607226.0000000000B90000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234720707.0000000000C94000.00000002.00020000.sdmp
                        • Associated: 00000000.00000002.234755737.0000000000CDA000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234761213.0000000000CDC000.00000008.00020000.sdmp
                        • Associated: 00000000.00000002.234766300.0000000000CDE000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234769443.0000000000CE0000.00000004.00020000.sdmp
                        • Associated: 00000000.00000002.234773648.0000000000CEB000.00000002.00020000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_b90000_PcAppStore.jbxd
                        Similarity
                        • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                        • String ID: bad locale name
                        • API String ID: 3988782225-1405518554
                        • Opcode ID: 8d1dca94150e858440660e64e8748410e0a1907f1320474541028cb461c751f7
                        • Instruction ID: 733f86d1e5c1125822c3975dc2b66a9c35b6055270b8cde79c5f90174bea2352
                        • Opcode Fuzzy Hash: 8d1dca94150e858440660e64e8748410e0a1907f1320474541028cb461c751f7
                        • Instruction Fuzzy Hash: 98018671905B80CEC731DF7A848014AFFE0BF29300B548A6FE08ED3A01D730A544DB59
                        Uniqueness

                        Uniqueness Score: -1.00%