Edit tour

Windows Analysis Report
hfs.exe

Overview

General Information

Sample Name:	hfs.exe
Analysis ID:	561838
MD5:	6e491a7fecb845974f8f6f65b419c7b1
SHA1:	e16eac79f4bea4fe848bc5248a59765d1939a76b
SHA256:	93019ff4c7f345b6b03ada2c60efc51f0f199f5356d8bf1b85cd9649420fa84f
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

PE file contains strange resources

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

Process Tree

System is w10x64

hfs.exe (PID: 6872 cmdline: "C:\Users\user\Desktop\hfs.exe" MD5: 6E491A7FECB845974F8F6F65B419C7B1)

cleanup

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.hfs.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: hfs.exe	Virustotal: Detection: 17%	Perma Link
Source: hfs.exe	Metadefender: Detection: 20%	Perma Link
Source: hfs.exe	ReversingLabs: Detection: 28%

Source: hfs.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_0040A8F8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	0_2_0040A8F8
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_00406950 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	0_2_00406950
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_0040ABF0 FindFirstFileA,GetLastError,	0_2_0040ABF0

Source: hfs.exe, 00000000.00000002.928624815.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://127.0.0.1:Port
Source: hfs.exe, 00000000.00000002.928176412.0000000000199000.00000004.00000010.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.928407961.0000000000778000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.168.2.4/
Source: hfs.exe, 00000000.00000002.928440545.00000000007C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.168.2.4/D
Source: hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://dynupdate.no-ip.com/dns?username=
Source: hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.cjb.net/cgi-bin/dynip.cgi?username=
Source: hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.dovedove.it/hfs/ip.php
Source: hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.melauto.it/public/rejetto/ip.php
Source: hfs.exe, hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.myip.dk/
Source: hfs.exe, hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.rejetto.com/forum/
Source: hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.rejetto.com/forum/U
Source: hfs.exe, hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.rejetto.com/hfs-donate
Source: hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.rejetto.com/hfs-donateU
Source: hfs.exe, hfs.exe, 00000000.00000002.928645068.00000000024FE000.00000004.00000800.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.928599441.0000000002494000.00000004.00000800.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, hfs.exe, 00000000.00000002.928676338.000000000252F000.00000004.00000800.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.928639803.00000000024F7000.00000004.00000800.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.rejetto.com/hfs/
Source: hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.rejetto.com/hfs/U
Source: hfs.exe, 00000000.00000002.928859890.0000000002561000.00000004.00000800.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.928543835.0000000002432000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.rejetto.com/hfs/download
Source: hfs.exe, hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.rejetto.com/hfs/guide/
Source: hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.rejetto.com/hfs/guide/U
Source: hfs.exe, hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.rejetto.com/hfs/guide/intro.html
Source: hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.rejetto.com/hfs/guide/intro.htmlU
Source: hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.rejetto.com/hfs/hfs.updateinfo.txt
Source: hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.rejetto.com/hfs/ipservices.php
Source: hfs.exe, hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.rejetto.com/sw/?faq=hfs
Source: hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.rejetto.com/sw/?faq=hfsU
Source: hfs.exe, hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.rejetto.com/sw/license.txt
Source: hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.rejetto.com/sw/license.txtU
Source: hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.whatismyip.org/
Source: hfs.exe, 00000000.00000002.929588216.00000000048CF000.00000004.00000800.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.928624815.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.929628030.00000000048E2000.00000004.00000800.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.928639803.00000000024F7000.00000004.00000800.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.928543835.0000000002432000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/rejetto/hfs2/releases/download/v2.4-rc06/hfs.exe
Source: hfs.exe, 00000000.00000002.928548761.0000000002439000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sourceforge.net/projects/hfs/files/HFS/2.3m/hfs.exe/download
Source: hfs.exe, 00000000.00000002.928645068.00000000024FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sourceforge.net/projects/hfs/files/HFS/2.3m/hfs.exe/downloadn

Source: unknown

DNS traffic detected: queries for: www.rejetto.com

Source: global traffic	HTTP traffic detected: GET /hfs/hfs.updateinfo.txt HTTP/1.0Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, /User-Agent: HFS/2.2fHost: www.rejetto.com
Source: global traffic	HTTP traffic detected: GET /hfs/download HTTP/1.0Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, /User-Agent: HFS/2.2fHost: www.rejetto.com

Source: hfs.exe, 00000000.00000002.928407961.0000000000778000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: hfs.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED

Source: hfs.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_00410890		0_2_00410890
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_004021FC		0_2_004021FC

Source: hfs.exe

Static PE information: Section: UPX1 ZLIB complexity 0.992750613625

Source: hfs.exe	Virustotal: Detection: 17%
Source: hfs.exe	Metadefender: Detection: 20%
Source: hfs.exe	ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\hfs.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\hfs.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\Desktop\hfs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\hfs.exe

Mutant created: \Sessions\1\BaseNamedObjects\HttpFileServer

Source: C:\Users\user\Desktop\hfs.exe

Code function: 0_2_0041C908 FindResourceA,

0_2_0041C908

Source: C:\Users\user\Desktop\hfs.exe

File created: C:\Users\user\Desktop\test.tmp

Jump to behavior

Source: hfs.exe	String found in binary or memory: log-server-start
Source: hfs.exe	String found in binary or memory: log-server-stop
Source: hfs.exe	String found in binary or memory: %item-added%
Source: hfs.exe	String found in binary or memory: copy-url-on-start
Source: hfs.exe	String found in binary or memory: copy-url-on-addition
Source: hfs.exe	String found in binary or memory: reload-on-startup
Source: hfs.exe	String found in binary or memory: find-external-on-startup
Source: hfs.exe	String found in binary or memory: do-not-log-address
Source: hfs.exe	String found in binary or memory: last-external-address
Source: hfs.exe	String found in binary or memory: log-server-start=
Source: hfs.exe	String found in binary or memory: log-server-stop=
Source: hfs.exe	String found in binary or memory: reload-on-startup=
Source: hfs.exe	String found in binary or memory: find-external-on-startup=
Source: hfs.exe	String found in binary or memory: last-external-address=
Source: hfs.exe	String found in binary or memory: do-not-log-address=
Source: hfs.exe	String found in binary or memory: copy-url-on-start=
Source: hfs.exe	String found in binary or memory: copy-url-on-addition=
Source: hfs.exe	String found in binary or memory: %number-addresses-downloading%
Source: hfs.exe	String found in binary or memory: %number-addresses-ever%
Source: hfs.exe	String found in binary or memory: %number-addresses%

Source: classification engine

Classification label: mal48.winEXE@1/0@3/1

Source: Yara match	File source: 0.2.hfs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\hfs.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\hfs.exe

Code function: 0_2_0040AEF0 GetDiskFreeSpaceA,

0_2_0040AEF0

Source: C:\Users\user\Desktop\hfs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\hfs.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Jump to behavior

Source: C:\Users\user\Desktop\hfs.exe

Window found: window name: TButton

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_0040883C push 0040887Eh; ret	0_2_00408876
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_004120DC push 00412108h; ret	0_2_00412100
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_004199B4 push 00419A01h; ret	0_2_004199F9
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_0042A214 push 0042A2BFh; ret	0_2_0042A2B7
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_00407484 push 004074DFh; ret	0_2_004074D7
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_0042BC88 push 0042BCC6h; ret	0_2_0042BCBE
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_00411708 push 00411893h; ret	0_2_0041188B
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_00418734 push 004187AAh; ret	0_2_004187A2

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\hfs.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\hfs.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_0040A8F8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	0_2_0040A8F8
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_00406950 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	0_2_00406950
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_0040ABF0 FindFirstFileA,GetLastError,	0_2_0040ABF0

Source: hfs.exe, 00000000.00000002.928458861.00000000007E4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\hfs.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	0_2_00406B14
Source: C:\Users\user\Desktop\hfs.exe	Code function: GetLocaleInfoA,	0_2_0040E3EC
Source: C:\Users\user\Desktop\hfs.exe	Code function: GetLocaleInfoA,	0_2_0040E448

Source: C:\Users\user\Desktop\hfs.exe

Code function: 0_2_0040F63C GetVersionExA,

0_2_0040F63C

Source: C:\Users\user\Desktop\hfs.exe

Code function: 0_2_0040CAF0 GetLocalTime,

0_2_0040CAF0

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	Path Interception	1 Masquerading	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Obfuscated Files or Information	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Software Packing	Security Account Manager	1 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
hfs.exe	18%	Virustotal		Browse
hfs.exe	21%	Metadefender		Browse
hfs.exe	29%	ReversingLabs	Win32.PUA.Presenoker

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.hfs.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

URLs

Source	Detection	Scanner	Label
http://192.168.2.4/	0%	Avira URL Cloud	safe
http://192.168.2.4/D	0%	Avira URL Cloud	safe
http://www.melauto.it/public/rejetto/ip.php	0%	Avira URL Cloud	safe
http://dynupdate.no-ip.com/dns?username=	0%	Avira URL Cloud	safe
http://www.dovedove.it/hfs/ip.php	0%	Avira URL Cloud	safe
http://127.0.0.1:Port	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sourceforge.net	204.68.111.105	true	false		high
www.rejetto.com	94.23.66.84	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.rejetto.com/hfs/download	false		high
http://www.rejetto.com/hfs/hfs.updateinfo.txt	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.rejetto.com/hfs/ipservices.php	hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://www.rejetto.com/hfs/guide/intro.html	hfs.exe, hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
https://sourceforge.net/projects/hfs/files/HFS/2.3m/hfs.exe/downloadn	hfs.exe, 00000000.00000002.928645068.00000000024FE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.168.2.4/	hfs.exe, 00000000.00000002.928176412.0000000000199000.00000004.00000010.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.928407961.0000000000778000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.168.2.4/D	hfs.exe, 00000000.00000002.928440545.00000000007C1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cjb.net/cgi-bin/dynip.cgi?username=	hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://www.rejetto.com/sw/?faq=hfsU	hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://www.rejetto.com/hfs/U	hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://www.whatismyip.org/	hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://www.rejetto.com/hfs/guide/U	hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://www.rejetto.com/hfs/guide/intro.htmlU	hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://www.melauto.it/public/rejetto/ip.php	hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rejetto.com/hfs-donateU	hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://www.rejetto.com/sw/license.txt	hfs.exe, hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://www.rejetto.com/hfs/	hfs.exe, hfs.exe, 00000000.00000002.928645068.00000000024FE000.00000004.00000800.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.928599441.0000000002494000.00000004.00000800.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, hfs.exe, 00000000.00000002.928676338.000000000252F000.00000004.00000800.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.928639803.00000000024F7000.00000004.00000800.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmp	false		high
http://www.rejetto.com/sw/license.txtU	hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://dynupdate.no-ip.com/dns?username=	hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dovedove.it/hfs/ip.php	hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:Port	hfs.exe, 00000000.00000002.928624815.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	low
http://www.rejetto.com/forum/	hfs.exe, hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
https://github.com/rejetto/hfs2/releases/download/v2.4-rc06/hfs.exe	hfs.exe, 00000000.00000002.929588216.00000000048CF000.00000004.00000800.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.928624815.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.929628030.00000000048E2000.00000004.00000800.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.928639803.00000000024F7000.00000004.00000800.00020000.00000000.sdmp, hfs.exe, 00000000.00000002.928543835.0000000002432000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.rejetto.com/hfs-donate	hfs.exe, hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://www.rejetto.com/hfs/guide/	hfs.exe, hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://www.rejetto.com/forum/U	hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://www.myip.dk/	hfs.exe, hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://www.rejetto.com/sw/?faq=hfs	hfs.exe, hfs.exe, 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
https://sourceforge.net/projects/hfs/files/HFS/2.3m/hfs.exe/download	hfs.exe, 00000000.00000002.928548761.0000000002439000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.23.66.84	www.rejetto.com	France		16276	OVHFR	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	561838
Start date:	27.01.2022
Start time:	22:17:42
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	hfs.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.winEXE@1/0@3/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 98.6%) Quality average: 85% Quality standard deviation: 22.2%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.854733448431134
TrID:	Win32 Executable (generic) a (10002005/4) 99.37% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	hfs.exe
File size:	572928
MD5:	6e491a7fecb845974f8f6f65b419c7b1
SHA1:	e16eac79f4bea4fe848bc5248a59765d1939a76b
SHA256:	93019ff4c7f345b6b03ada2c60efc51f0f199f5356d8bf1b85cd9649420fa84f
SHA512:	3c73a0cf881017bc22ba529e5a79b6f2466882656cd89d1e7e0d676654a3d80b5ef2b349e5f3b0ce37748dc49f78be4752bd3232b6b2d7c6aa54a1e9b6144357
SSDEEP:	12288:jWyRIHZ4IpOvxv/7zQlgGzEB9s5IMTyOIFlm2N72oelMc:KlOZ+LgXdF2FOc
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	78f8cab2b0e17b99

Static PE Info

General

Entrypoint:	0x5a5510
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c628ad0f4fe68a2b927a21735356a69f

Entrypoint Preview

Instruction
pushad
mov esi, 00523000h
lea edi, dword ptr [esi-00122000h]
mov dword ptr [edi+0013E7BCh], A4F49B1Bh
push edi
or ebp, FFFFFFFFh
jmp 00007F95C8CBBD40h
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F95C8CBBD39h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F95C8CBBD1Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F95C8CBBD39h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F95C8CBBD3Dh
jne 00007F95C8CBBD5Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F95C8CBBD51h
dec eax
add ebx, ebx
jne 00007F95C8CBBD39h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F95C8CBBD06h
add ebx, ebx
jne 00007F95C8CBBD39h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F95C8CBBD84h
xor ecx, ecx
sub eax, 03h
jc 00007F95C8CBBD43h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F95C8CBBDA7h
sar eax, 1
mov ebp, eax
jmp 00007F95C8CBBD3Dh
add ebx, ebx
jne 00007F95C8CBBD39h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F95C8CBBCFEh
inc ecx
add ebx, ebx
jne 00007F95C8CBBD39h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F95C8CBBCF0h
add ebx, ebx
jne 00007F95C8CBBD39h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F95C8CBBD21h
jne 00007F95C8CBBD3Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F95C8CBBD16h
add ecx, 02h
cmp ebp, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1aed54	0x2f8	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a6000	0x8d54	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x155018	0x27	UPX1
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1a56d4	0x18	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x122000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1	0x123000	0x83000	0x82800	False	0.992750613625	data	7.93162576009	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1a6000	0xa000	0x9200	False	0.491411601027	data	5.02716466486	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
TEXT	0x16947c	0x109	data	Italian	Italy
TEXT	0x169588	0x21ef	data	Italian	Italy
TEXT	0x16b778	0x236	data	Italian	Italy
TEXT	0x16b9b0	0x4f	data	Italian	Italy
TEXT	0x16ba00	0x1c9	data	Italian	Italy
TEXT	0x16bbcc	0xfed6	data	Italian	Italy
TEXT	0x17baa4	0xc1	data	Italian	Italy
TEXT	0x17bb68	0x10c	data	Italian	Italy
RT_CURSOR	0x17bc74	0x134	data	English	United States
RT_CURSOR	0x17bda8	0x134	data	English	United States
RT_CURSOR	0x17bedc	0x134	data	English	United States
RT_CURSOR	0x17c010	0x134	data	English	United States
RT_CURSOR	0x17c144	0x134	data	English	United States
RT_CURSOR	0x17c278	0x134	data	English	United States
RT_CURSOR	0x17c3ac	0x134	data	English	United States
RT_BITMAP	0x17c4e0	0x1d0	data	English	United States
RT_BITMAP	0x17c6b0	0x1e4	data	English	United States
RT_BITMAP	0x17c894	0x1d0	data	English	United States
RT_BITMAP	0x17ca64	0x1d0	data	English	United States
RT_BITMAP	0x17cc34	0x1d0	data	English	United States
RT_BITMAP	0x17ce04	0x1d0	data	English	United States
RT_BITMAP	0x17cfd4	0x1d0	data	English	United States
RT_BITMAP	0x17d1a4	0x1d0	data	English	United States
RT_BITMAP	0x17d374	0x1d0	data	English	United States
RT_BITMAP	0x17d544	0x1d0	data	English	United States
RT_BITMAP	0x17d714	0xc0	data	English	United States
RT_BITMAP	0x17d7d4	0xe0	data	English	United States
RT_BITMAP	0x17d8b4	0xe0	data	English	United States
RT_BITMAP	0x17d994	0xe0	data	English	United States
RT_BITMAP	0x17da74	0xc0	data	English	United States
RT_BITMAP	0x17db34	0xc0	data	English	United States
RT_BITMAP	0x17dbf4	0xe0	data	English	United States
RT_BITMAP	0x17dcd4	0xc0	data	English	United States
RT_BITMAP	0x17dd94	0xe0	data	English	United States
RT_BITMAP	0x17de74	0xe8	data	English	United States
RT_BITMAP	0x17df5c	0xc0	data	English	United States
RT_BITMAP	0x17e01c	0xe0	data	English	United States
RT_ICON	0x1a7480	0x25a8	dBase III DBT, version number 0, next free block index 40	Italian	Italy
RT_ICON	0x1a9a2c	0x4228	dBase III DBT, version number 0, next free block index 40	Italian	Italy
RT_ICON	0x1adc58	0x8a8	data	Italian	Italy
RT_ICON	0x1ae504	0x568	GLS_BINARY_LSB_FIRST	Italian	Italy
RT_DIALOG	0x1856dc	0x52	data
RT_DIALOG	0x185730	0x52	data
RT_STRING	0x185784	0x90	data
RT_STRING	0x185814	0x284	data
RT_STRING	0x185a98	0x438	data
RT_STRING	0x185ed0	0x44c	data
RT_STRING	0x18631c	0x310	data
RT_STRING	0x18662c	0x3d4	data
RT_STRING	0x186a00	0x2ac	data
RT_STRING	0x186cac	0xbc	data
RT_STRING	0x186d68	0x16c	data
RT_STRING	0x186ed4	0x204	data
RT_STRING	0x1870d8	0x3dc	PGP\011Secret Key -
RT_STRING	0x1874b4	0x390	data
RT_STRING	0x187844	0x3c0	data
RT_STRING	0x187c04	0x360	data
RT_STRING	0x187f64	0x460	data
RT_STRING	0x1883c4	0xd0	data
RT_STRING	0x188494	0xb8	data
RT_STRING	0x18854c	0x254	data
RT_STRING	0x1887a0	0x3a8	data
RT_STRING	0x188b48	0x38c	data
RT_STRING	0x188ed4	0x2b4	data
RT_RCDATA	0x189188	0x50	data
RT_RCDATA	0x1891d8	0x10	Non-ISO extended-ASCII text, with no line terminators
RT_RCDATA	0x1891e8	0x440	data
RT_RCDATA	0x189628	0x166	data
RT_RCDATA	0x189790	0xb50	data
RT_RCDATA	0x18a2e0	0xce2	data
RT_RCDATA	0x18afc4	0x370	data
RT_RCDATA	0x18b334	0x3d6	data
RT_RCDATA	0x18b70c	0x12526	data
RT_RCDATA	0x19dc34	0x42b	PGP\011Secret Sub-key -
RT_RCDATA	0x19e060	0x194f	data
RT_RCDATA	0x19f9b0	0x1a77	data
RT_GROUP_CURSOR	0x1a1428	0x14	data	English	United States
RT_GROUP_CURSOR	0x1a143c	0x14	data	English	United States
RT_GROUP_CURSOR	0x1a1450	0x14	data	English	United States
RT_GROUP_CURSOR	0x1a1464	0x14	data	English	United States
RT_GROUP_CURSOR	0x1a1478	0x14	data	English	United States
RT_GROUP_CURSOR	0x1a148c	0x14	data	English	United States
RT_GROUP_CURSOR	0x1a14a0	0x14	data	English	United States
RT_GROUP_ICON	0x1aea70	0x3e	data	Italian	Italy
RT_MANIFEST	0x1aeab4	0x29f	XML 1.0 document, ASCII text, with CRLF line terminators	Italian	Italy

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess
advapi32.dll	RegFlushKey
comctl32.dll	ImageList_Add
comdlg32.dll	ChooseFontA
gdi32.dll	SaveDC
msimg32.dll	GradientFill
ole32.dll	CoInitialize
oleaut32.dll	VariantCopy
shell32.dll
user32.dll	GetDC
version.dll	VerQueryValueA
winmm.dll	timeGetTime
winspool.drv	OpenPrinterA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Italian	Italy
English	United States

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2022 22:19:48.715641022 CET	49794	80	192.168.2.4	94.23.66.84
Jan 27, 2022 22:19:48.745749950 CET	80	49794	94.23.66.84	192.168.2.4
Jan 27, 2022 22:19:48.745910883 CET	49794	80	192.168.2.4	94.23.66.84
Jan 27, 2022 22:19:48.746411085 CET	49794	80	192.168.2.4	94.23.66.84
Jan 27, 2022 22:19:48.776153088 CET	80	49794	94.23.66.84	192.168.2.4
Jan 27, 2022 22:19:48.776192904 CET	80	49794	94.23.66.84	192.168.2.4
Jan 27, 2022 22:19:48.776660919 CET	49794	80	192.168.2.4	94.23.66.84
Jan 27, 2022 22:19:48.777753115 CET	49794	80	192.168.2.4	94.23.66.84
Jan 27, 2022 22:19:48.808176041 CET	80	49794	94.23.66.84	192.168.2.4
Jan 27, 2022 22:19:51.369972944 CET	49795	80	192.168.2.4	94.23.66.84
Jan 27, 2022 22:19:51.398603916 CET	80	49795	94.23.66.84	192.168.2.4
Jan 27, 2022 22:19:51.399435043 CET	49795	80	192.168.2.4	94.23.66.84
Jan 27, 2022 22:19:51.399816036 CET	49795	80	192.168.2.4	94.23.66.84
Jan 27, 2022 22:19:51.430329084 CET	80	49795	94.23.66.84	192.168.2.4
Jan 27, 2022 22:19:51.430378914 CET	80	49795	94.23.66.84	192.168.2.4
Jan 27, 2022 22:19:51.430457115 CET	49795	80	192.168.2.4	94.23.66.84
Jan 27, 2022 22:19:51.432272911 CET	49795	80	192.168.2.4	94.23.66.84
Jan 27, 2022 22:19:51.461033106 CET	80	49795	94.23.66.84	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2022 22:19:48.692218065 CET	56794	53	192.168.2.4	8.8.8.8
Jan 27, 2022 22:19:48.713362932 CET	53	56794	8.8.8.8	192.168.2.4
Jan 27, 2022 22:19:51.314939976 CET	56534	53	192.168.2.4	8.8.8.8
Jan 27, 2022 22:19:51.368402004 CET	53	56534	8.8.8.8	192.168.2.4
Jan 27, 2022 22:19:51.435800076 CET	56627	53	192.168.2.4	8.8.8.8
Jan 27, 2022 22:19:51.452701092 CET	53	56627	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 27, 2022 22:19:48.692218065 CET	192.168.2.4	8.8.8.8	0xece3	Standard query (0)	www.rejetto.com	A (IP address)	IN (0x0001)
Jan 27, 2022 22:19:51.314939976 CET	192.168.2.4	8.8.8.8	0xe719	Standard query (0)	www.rejetto.com	A (IP address)	IN (0x0001)
Jan 27, 2022 22:19:51.435800076 CET	192.168.2.4	8.8.8.8	0xc3e0	Standard query (0)	sourceforge.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 27, 2022 22:19:48.713362932 CET	8.8.8.8	192.168.2.4	0xece3	No error (0)	www.rejetto.com	94.23.66.84	A (IP address)	IN (0x0001)
Jan 27, 2022 22:19:51.368402004 CET	8.8.8.8	192.168.2.4	0xe719	No error (0)	www.rejetto.com	94.23.66.84	A (IP address)	IN (0x0001)
Jan 27, 2022 22:19:51.452701092 CET	8.8.8.8	192.168.2.4	0xc3e0	No error (0)	sourceforge.net	204.68.111.105	A (IP address)	IN (0x0001)

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49794	94.23.66.84	80	C:\Users\user\Desktop\hfs.exe

Timestamp	kBytes transferred	Direction	Data
Jan 27, 2022 22:19:48.746411085 CET	1894	OUT	GET /hfs/hfs.updateinfo.txt HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, / User-Agent: HFS/2.2f Host: www.rejetto.com
Jan 27, 2022 22:19:48.776153088 CET	1899	IN	HTTP/1.1 200 OK date: Thu, 27 Jan 2022 21:19:48 GMT content-type: text/plain content-length: 273 server: Apache last-modified: Sun, 15 Aug 2021 16:02:23 GMT accept-ranges: bytes vary: Accept-Encoding x-frame-options: SAMEORIGIN x-iplb-request-id: 54113410:C282_5E174254:0050_61F30C74_2349:21829 x-iplb-instance: 41930 connection: close Data Raw: 48 46 53 20 75 70 64 61 74 65 20 69 6e 66 6f 0d 0a 5b 6c 61 73 74 20 73 74 61 62 6c 65 5d 0d 0a 32 2e 33 6d 0d 0a 5b 6c 61 73 74 20 73 74 61 62 6c 65 20 62 75 69 6c 64 5d 0d 0a 33 30 30 0d 0a 5b 6c 61 73 74 20 73 74 61 62 6c 65 20 75 72 6c 5d 0d 0a 68 74 74 70 3a 2f 2f 77 77 77 2e 72 65 6a 65 74 74 6f 2e 63 6f 6d 2f 68 66 73 2f 64 6f 77 6e 6c 6f 61 64 0d 0a 5b 6c 61 73 74 20 75 6e 74 65 73 74 65 64 5d 0d 0a 32 2e 34 2e 30 20 52 43 36 0d 0a 5b 6c 61 73 74 20 75 6e 74 65 73 74 65 64 20 62 75 69 6c 64 5d 0d 0a 33 31 38 0d 0a 5b 6c 61 73 74 20 75 6e 74 65 73 74 65 64 20 75 72 6c 5d 0d 0a 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 72 65 6a 65 74 74 6f 2f 68 66 73 32 2f 72 65 6c 65 61 73 65 73 2f 64 6f 77 6e 6c 6f 61 64 2f 76 32 2e 34 2d 72 63 30 36 2f 68 66 73 2e 65 78 65 0d 0a 5b 45 4f 46 5d 0d 0a Data Ascii: HFS update info[last stable]2.3m[last stable build]300[last stable url]http://www.rejetto.com/hfs/download[last untested]2.4.0 RC6[last untested build]318[last untested url]https://github.com/rejetto/hfs2/releases/download/v2.4-rc06/hfs.exe[EOF]

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49795	94.23.66.84	80	C:\Users\user\Desktop\hfs.exe

Timestamp	kBytes transferred	Direction	Data
Jan 27, 2022 22:19:51.399816036 CET	9657	OUT	GET /hfs/download HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, / User-Agent: HFS/2.2f Host: www.rejetto.com
Jan 27, 2022 22:19:51.430329084 CET	9657	IN	HTTP/1.1 302 Found date: Thu, 27 Jan 2022 21:19:51 GMT content-type: text/html; charset=iso-8859-1 content-length: 252 server: Apache location: https://sourceforge.net/projects/hfs/files/HFS/2.3m/hfs.exe/download x-iplb-request-id: 54113410:C283_5E174254:0050_61F30C77_0C2A:2A56B x-iplb-instance: 41927 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 6f 75 72 63 65 66 6f 72 67 65 2e 6e 65 74 2f 70 72 6f 6a 65 63 74 73 2f 68 66 73 2f 66 69 6c 65 73 2f 48 46 53 2f 32 2e 33 6d 2f 68 66 73 2e 65 78 65 2f 64 6f 77 6e 6c 6f 61 64 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://sourceforge.net/projects/hfs/files/HFS/2.3m/hfs.exe/download">here</a>.</p></body></html>

Statistics

High Level Behavior Distribution

Click to dive into process behavior distribution

Disassembly

Reset < >

Analysis Process: hfs.exePID: 6872, Parent PID: 4792COMMON

Execution Graph

Execution Coverage:	7.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	77

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00406B14(intOrPtr __eax) {
				intOrPtr _v8;
				void* _v12;
				char _v15;
				char _v17;
				char _v18;
				char _v22;
				int _v28;
				char _v289;
				long _t44;
				long _t61;
				long _t63;
				CHAR* _t70;
				CHAR* _t72;
				struct HINSTANCE__* _t78;
				struct HINSTANCE__* _t84;
				char* _t94;
				void* _t95;
				intOrPtr _t99;
				struct HINSTANCE__* _t107;
				void* _t110;
				void* _t112;
				intOrPtr _t113;

				_t110 = _t112;
				_t113 = _t112 + 0xfffffee0;
				_v8 = __eax;
				GetModuleFileNameA(0,  &_v289, 0x105);
				_v22 = 0;
				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
				if(_t44 == 0) {
					L3:
					_push(_t110);
					_push(0x406c19);
					_push( *[fs:eax]);
					 *[fs:eax] = _t113;
					_v28 = 5;
					E00406950( &_v289, 0x105);
					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, 0x406d80, 0, 0,  &_v22,  &_v28) != 0) {
						_v22 = 0;
					}
					_v18 = 0;
					_pop(_t99);
					 *[fs:eax] = _t99;
					_push(0x406c20);
					return RegCloseKey(_v12);
				} else {
					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
					if(_t61 == 0) {
						goto L3;
					} else {
						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
						if(_t63 != 0) {
							_push(0x105);
							_push(_v8);
							_push( &_v289);
							L0040133C();
							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
							_t107 = 0;
							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
								_t70 =  &_v289;
								_push(_t70);
								L00401344();
								_t94 = _t70 +  &_v289;
								L12:
								if( *_t94 != 0x2e && _t94 !=  &_v289) {
									_t94 = _t94 - 1;
									goto L12;
								}
								_t72 =  &_v289;
								if(_t94 != _t72) {
									_t95 = _t94 + 1;
									if(_v22 != 0) {
										_push(0x105 - _t95 - _t72);
										_push( &_v22);
										_push(_t95);
										L0040133C();
										_t107 = LoadLibraryExA( &_v289, 0, 2);
									}
									if(_t107 == 0 && _v17 != 0) {
										_push(0x105 - _t95 -  &_v289);
										_push( &_v17);
										_push(_t95);
										L0040133C();
										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
										_t107 = _t78;
										if(_t107 == 0) {
											_v15 = 0;
											_push(0x105 - _t95 -  &_v289);
											_push( &_v17);
											_push(_t95);
											L0040133C();
											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
											_t107 = _t84;
										}
									}
								}
							}
							return _t107;
						} else {
							goto L3;
						}
					}
				}
			}

0x00406b15
0x00406b17
0x00406b1f
0x00406b30
0x00406b35
0x00406b4e
0x00406b55
0x00406b97
0x00406b99
0x00406b9a
0x00406b9f
0x00406ba2
0x00406ba5
0x00406bb7
0x00406bda
0x00406bfa
0x00406bfa
0x00406bfe
0x00406c04
0x00406c07
0x00406c0a
0x00406c18
0x00406b57
0x00406b6c
0x00406b73
0x00000000
0x00406b75
0x00406b8a
0x00406b91
0x00406c20
0x00406c28
0x00406c2f
0x00406c30
0x00406c43
0x00406c48
0x00406c51
0x00406c67
0x00406c6d
0x00406c6e
0x00406c7b
0x00406c80
0x00406c83
0x00406c7f
0x00000000
0x00406c7f
0x00406c8f
0x00406c97
0x00406c9d
0x00406ca2
0x00406caf
0x00406cb3
0x00406cb4
0x00406cb5
0x00406cca
0x00406cca
0x00406cce
0x00406ce7
0x00406ceb
0x00406cec
0x00406ced
0x00406cfd
0x00406d02
0x00406d06
0x00406d08
0x00406d1d
0x00406d21
0x00406d22
0x00406d23
0x00406d33
0x00406d38
0x00406d38
0x00406d06
0x00406cce
0x00406c97
0x00406d41
0x00000000
0x00000000
0x00000000
0x00406b91
0x00406b73

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00406B30
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406B4E
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406B6C
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406B8A
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00406C19,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406BD3
RegQueryValueExA.ADVAPI32(?,00406D80,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00406C19,?,80000001), ref: 00406BF1
RegCloseKey.ADVAPI32(?,00406C20,00000000,00000000,00000005,00000000,00406C19,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406C13
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406C30
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406C3D
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406C43
lstrlen.KERNEL32(00000000), ref: 00406C6E
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 00406CB5
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00406CC5
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 00406CED
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00406CFD
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00406D23
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00406D33

Strings

Software\Borland\Locales, xrefs: 00406B44, 00406B62
., xrefs: 00406C80
Software\Borland\Delphi\Locales, xrefs: 00406B80

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-3917250287
Opcode ID: 0322781acfe7ec647851ffb278adbcbf83bf983b549960131dd97ecb288a8be9
Instruction ID: 0efc30cac94d760dbbb8f5afe41ac39298795521c1508d2ba45e491299e27add
Opcode Fuzzy Hash: 0322781acfe7ec647851ffb278adbcbf83bf983b549960131dd97ecb288a8be9
Instruction Fuzzy Hash: FA516275A0021C7EFB21D6A48C46FEF7AAC9B04748F4500B7BA45F61C2DA7C9E548B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A8F8 Relevance: 6.0, APIs: 4, Instructions: 37
timefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040A8F8(intOrPtr __eax) {
				short _v6;
				short _v8;
				intOrPtr _v12;
				void* _v16;
				struct _FILETIME _v24;
				struct _WIN32_FIND_DATAA _v344;
				void* _t21;

				_v12 = __eax;
				_t21 = FindFirstFileA(E00405600(_v12),  &_v344); // executed
				_v16 = _t21;
				if(_v16 == 0xffffffff) {
					L3:
					_v8 = 0xffffffff;
				} else {
					FindClose(_v16);
					if((_v344.dwFileAttributes & 0x00000010) != 0) {
						goto L3;
					} else {
						FileTimeToLocalFileTime( &(_v344.ftLastWriteTime),  &_v24);
						if(FileTimeToDosDateTime( &_v24,  &_v6,  &_v8) == 0) {
							goto L3;
						}
					}
				}
				return _v8;
			}

0x0040a901
0x0040a914
0x0040a919
0x0040a920
0x0040a959
0x0040a959
0x0040a922
0x0040a926
0x0040a932
0x00000000
0x0040a934
0x0040a93f
0x0040a957
0x00000000
0x00000000
0x0040a957
0x0040a932
0x0040a966

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 0040A914
FindClose.KERNEL32(?,00000000,?), ref: 0040A926
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0040A93F
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040A950

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: FileTime$Find$CloseDateFirstLocal
String ID:
API String ID: 2659516521-0
Opcode ID: 473b02b013cc6da7207c9d6e6df9feb09d1305e7f93e60be154c4eba51bd1595
Instruction ID: cef2ea2e6fb3872c5577bce7081694a5a1ae716881f3c4c007ab0c5fa4b60107
Opcode Fuzzy Hash: 473b02b013cc6da7207c9d6e6df9feb09d1305e7f93e60be154c4eba51bd1595
Instruction Fuzzy Hash: 9F01BFB1D0420DAACB10EAE5CD45ADFB7BC9F04314F1046A6A564F72C1E638AB548F55

Uniqueness

Uniqueness Score: -1.00%

Function 0041C908 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E0041C908(intOrPtr __eax, void* __ebx, intOrPtr* __ecx, struct HINSTANCE__* __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				intOrPtr* _v16;
				char _v17;
				struct HRSRC__* _v24;
				intOrPtr _v28;
				void* __ebp;
				intOrPtr _t31;
				struct HINSTANCE__* _t35;
				void* _t36;
				intOrPtr _t46;
				void* _t47;
				void* _t48;
				void* _t50;
				void* _t52;
				intOrPtr _t53;

				_t48 = __esi;
				_t47 = __edi;
				_t36 = __ebx;
				_t50 = _t52;
				_t53 = _t52 + 0xffffffe8;
				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				if(_v12 == 0) {
					_t35 =  *0x5487f8; // 0x400000
					_v12 = _t35;
				}
				_v24 = FindResourceA(_v12, E00405600(_v8), 0xa);
				_v17 = _v24 != 0;
				_t57 = _v17;
				if(_v17 == 0) {
					return _v17;
				} else {
					_v28 = E00421CEC(_t36, _v12, 1, 0xa, _v8);
					_push(_t50);
					_push(0x41c998);
					_push( *[fs:eax]);
					 *[fs:eax] = _t53;
					_t31 = E004212F0(_v28, _t36,  *_v16, _t47, _t48, _t57); // executed
					 *_v16 = _t31;
					_pop(_t46);
					 *[fs:eax] = _t46;
					_push(0x41c99f);
					return E004041FC(_v28);
				}
			}

0x0041c908
0x0041c908
0x0041c908
0x0041c909
0x0041c90b
0x0041c90e
0x0041c911
0x0041c914
0x0041c91b
0x0041c91d
0x0041c922
0x0041c922
0x0041c939
0x0041c940
0x0041c944
0x0041c948
0x0041c9a9
0x0041c94a
0x0041c95f
0x0041c964
0x0041c965
0x0041c96a
0x0041c96d
0x0041c978
0x0041c980
0x0041c984
0x0041c987
0x0041c98a
0x0041c997
0x0041c997

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0041C934

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: FindResource
String ID:
API String ID: 1635176832-0
Opcode ID: f0a064dc321d52336a762147f923e1e75226b6e6343adbd1687d51d2cae46f4d
Instruction ID: 005daf0927d28557e7557d708162feab147a6a218482eb76b74b623d6e5c6414
Opcode Fuzzy Hash: f0a064dc321d52336a762147f923e1e75226b6e6343adbd1687d51d2cae46f4d
Instruction Fuzzy Hash: EB114274E14208EFDB01DFA5D881AEEFBB4EB49314F5080A6E504A7390D7355E81DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041032C Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 204
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E0041032C(void* __edx) {
				char _v8;
				char _v12;
				char _v16;
				int _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				void* _t122;
				void* _t129;
				void* _t151;
				intOrPtr _t201;
				intOrPtr _t210;
				intOrPtr _t211;

				_t210 = _t211;
				_t151 = 8;
				do {
					_push(0);
					_push(0);
					_t151 = _t151 - 1;
				} while (_t151 != 0);
				_push(_t151);
				_push(_t210);
				_push(0x410615);
				_push( *[fs:eax]);
				 *[fs:eax] = _t211; // executed
				E00410240(); // executed
				E0040E4C8();
				_t213 =  *0x5488d4;
				if( *0x5488d4 != 0) {
					E0040E6D4(_t213);
				}
				_v20 = GetThreadLocale();
				E0040E3EC(_v20, 0, 0x14,  &_v24);
				E00405190(0x548808, _v24);
				E0040E3EC(_v20, 0x410628, 0x1b,  &_v28);
				 *0x54880c = E0040A460(_v28, 0, _t213);
				E0040E3EC(_v20, 0x410628, 0x1c,  &_v32);
				 *0x54880d = E0040A460(_v32, 0, _t213);
				 *0x54880e = E0040E448(_v20, 0x2c, 0xf);
				 *0x54880f = E0040E448(_v20, 0x2e, 0xe);
				E0040E3EC(_v20, 0x410628, 0x19,  &_v36);
				 *0x548810 = E0040A460(_v36, 0, _t213);
				 *0x548811 = E0040E448(_v20, 0x2f, 0x1d);
				E0040E3EC(_v20, "m/d/yy", 0x1f,  &_v44);
				E0040E798(_v44,  &_v40, _t213);
				E00405190(0x548814, _v40);
				E0040E3EC(_v20, "mmmm d, yyyy", 0x20,  &_v52);
				E0040E798(_v52,  &_v48, _t213);
				E00405190(0x548818, _v48);
				 *0x54881c = E0040E448(_v20, 0x3a, 0x1e);
				E0040E3EC(_v20, 0x41065c, 0x28,  &_v56);
				E00405190(0x548820, _v56);
				E0040E3EC(_v20, 0x410668, 0x29,  &_v60);
				E00405190(0x548824, _v60);
				E0040513C( &_v12);
				E0040513C( &_v16);
				E0040E3EC(_v20, 0x410628, 0x25,  &_v64);
				_t122 = E0040A460(_v64, 0, _t213);
				_t214 = _t122;
				if(_t122 != 0) {
					E004051D4( &_v8, 0x410680);
				} else {
					E004051D4( &_v8, 0x410674);
				}
				E0040E3EC(_v20, 0x410628, 0x23,  &_v68);
				_t129 = E0040A460(_v68, 0, _t214);
				_t215 = _t129;
				if(_t129 == 0) {
					E0040E3EC(_v20, 0x410628, 0x1005,  &_v72);
					if(E0040A460(_v72, 0, _t215) != 0) {
						E004051D4( &_v12, 0x41069c);
					} else {
						E004051D4( &_v16, 0x41068c);
					}
				}
				_push(_v12);
				_push(_v8);
				_push(":mm");
				_push(_v16);
				E004054C0();
				_push(_v12);
				_push(_v8);
				_push(":mm:ss");
				_push(_v16);
				E004054C0();
				 *0x5488d6 = E0040E448(_v20, 0x2c, 0xc);
				_pop(_t201);
				 *[fs:eax] = _t201;
				_push(0x41061c);
				E00405160( &_v72, 0xd);
				return E00405160( &_v16, 3);
			}

0x0041032d
0x0041032f
0x00410334
0x00410334
0x00410336
0x00410338
0x00410338
0x0041033b
0x0041033e
0x0041033f
0x00410344
0x00410347
0x0041034a
0x0041034f
0x00410354
0x0041035b
0x0041035d
0x0041035d
0x00410367
0x00410378
0x00410385
0x0041039b
0x004103aa
0x004103c0
0x004103cf
0x004103e3
0x004103f7
0x0041040d
0x0041041c
0x00410430
0x00410446
0x00410451
0x0041045e
0x00410474
0x0041047f
0x0041048c
0x004104a0
0x004104b6
0x004104c3
0x004104d9
0x004104e6
0x004104ee
0x004104f6
0x0041050c
0x00410516
0x0041051b
0x0041051d
0x00410536
0x0041051f
0x00410527
0x00410527
0x0041054c
0x00410556
0x0041055b
0x0041055d
0x00410570
0x00410581
0x0041059a
0x00410583
0x0041058b
0x0041058b
0x00410581
0x0041059f
0x004105a2
0x004105a5
0x004105aa
0x004105b7
0x004105bc
0x004105bf
0x004105c2
0x004105c7
0x004105d4
0x004105e8
0x004105ef
0x004105f2
0x004105f5
0x00410602
0x00410614

APIs

GetThreadLocale.KERNEL32(00000000,00410615,?,00000007,00000000,00000000), ref: 00410362

Part of subcall function 0040E3EC: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040E412

Strings

mmmm d, yyyy, xrefs: 00410467
:mm:ss, xrefs: 004105C2
AMPM, xrefs: 00410586
AMPM , xrefs: 00410595
m/d/yy, xrefs: 00410439
:mm, xrefs: 004105A5

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 1bacc98fca8a702ced52612b21cd763a2aa783e5d6a7b13fcc628f343cd4916a
Instruction ID: 59b5c9ea0a2e6c621ec9f1b7fcbd97a7d84c5fd516a4d4220b9d7447275cfd60
Opcode Fuzzy Hash: 1bacc98fca8a702ced52612b21cd763a2aa783e5d6a7b13fcc628f343cd4916a
Instruction Fuzzy Hash: 38716534A001489FDB00E7A6D841BEFB7B6EF99308F508837B500BB3C5CA789D959B59

Uniqueness

Uniqueness Score: -1.00%

Function 0042A120 Relevance: 6.1, APIs: 4, Instructions: 59
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0042A120(intOrPtr _a4, short _a6, intOrPtr _a8) {
				struct HWND__* _v8;
				char _v9;
				struct _WNDCLASSA _v49;
				struct HINSTANCE__* _t12;
				CHAR* _t14;
				struct HINSTANCE__* _t15;
				int _t16;
				struct HINSTANCE__* _t19;
				struct HWND__* _t21;
				long _t23;
				struct HINSTANCE__* _t26;
				CHAR* _t27;
				CHAR* _t31;

				_t12 =  *0x5487f8; // 0x400000
				 *0x53fbf0 = _t12;
				_t14 =  *0x53fc04; // 0x42a110
				_t15 =  *0x5487f8; // 0x400000
				_t16 = GetClassInfoA(_t15, _t14,  &_v49);
				asm("sbb eax, eax");
				_v9 = _t16 + 1;
				if(_v9 == 0 || L0040807C != _v49.lpfnWndProc) {
					if(_v9 != 0) {
						_t26 =  *0x5487f8; // 0x400000
						_t27 =  *0x53fc04; // 0x42a110
						UnregisterClassA(_t27, _t26);
					}
					RegisterClassA(0x53fbe0);
				}
				_t19 =  *0x5487f8; // 0x400000
				_t31 =  *0x53fc04; // 0x42a110
				_t21 = E00408664(0x80, 0x42a1d8, _t31, 0, _t19, 0, 0, 0, 0, 0, 0, 0x80000000); // executed
				_v8 = _t21;
				if(_a6 != 0) {
					_t23 = E0042A00C(_a4, _a8); // executed
					SetWindowLongA(_v8, 0xfffffffc, _t23);
				}
				return _v8;
			}

0x0042a126
0x0042a12b
0x0042a134
0x0042a13a
0x0042a140
0x0042a148
0x0042a14b
0x0042a152
0x0042a162
0x0042a164
0x0042a16a
0x0042a170
0x0042a170
0x0042a17a
0x0042a17a
0x0042a190
0x0042a19d
0x0042a1a8
0x0042a1ad
0x0042a1b5
0x0042a1bd
0x0042a1c9
0x0042a1c9
0x0042a1d4

APIs

GetClassInfoA.USER32(00400000,0042A110,?), ref: 0042A140
UnregisterClassA.USER32(0042A110,00400000), ref: 0042A170
RegisterClassA.USER32(0053FBE0), ref: 0042A17A
SetWindowLongA.USER32(?,000000FC,00000000), ref: 0042A1C9

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 413542ac07b6b9087f815be767b9771d881f63b5fe481aa234609b339472cdf2
Instruction ID: 6d71c9ed00fab6253a19a5d5b0faac6bc4d31e232323400ffa472a7da07fc743
Opcode Fuzzy Hash: 413542ac07b6b9087f815be767b9771d881f63b5fe481aa234609b339472cdf2
Instruction Fuzzy Hash: 7811BF71A00108BBCB10EBA8DD41FAE37E8EB15314F10412AF940E73A1CA399964DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0042156C Relevance: 4.6, APIs: 3, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E0042156C(void* __ebx, intOrPtr __ecx, char __edx, signed short _a8) {
				intOrPtr _v8;
				char _v9;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				intOrPtr _t41;
				void* _t65;
				intOrPtr _t80;
				intOrPtr _t84;
				intOrPtr _t86;
				char _t87;
				intOrPtr _t91;
				void* _t101;
				void* _t102;
				intOrPtr _t103;

				_t87 = __edx;
				_t80 = __ecx;
				_t101 = _t102;
				_t103 = _t102 + 0xffffffd4;
				_v44 = 0;
				_v48 = 0;
				_v36 = 0;
				_v40 = 0;
				if(__edx != 0) {
					_t103 = _t103 + 0xfffffff0;
					_t41 = E00404560(_t41, _t101);
				}
				_v16 = _t80;
				_v9 = _t87;
				_v8 = _t41;
				_push(_t101);
				_push(0x4216c7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t103;
				if(_a8 != 0xffff) {
					E004213D8(E0040A7C4(_v16, _a8 & 0x0000ffff), 0);
					if( *((intOrPtr*)(_v8 + 4)) < 0) {
						E0040AEAC(_v16,  &_v44);
						_v32 = _v44;
						_v28 = 0xb;
						E0040E388(GetLastError(),  &_v48);
						_v24 = _v48;
						_v20 = 0xb;
						_t84 =  *0x544e5c; // 0x418814
						E0040EE00(0, _t84, 1, 1,  &_v32);
						E00404AB0();
					}
				} else {
					_t65 = CreateFileA(E00405600(_v16), 0xc0000000, 0, 0, 2, 0x80, 0); // executed
					E004213D8(_t65, 0);
					if( *((intOrPtr*)(_v8 + 4)) < 0) {
						E0040AEAC(_v16,  &_v36);
						_v32 = _v36;
						_v28 = 0xb;
						E0040E388(GetLastError(),  &_v40);
						_v24 = _v40;
						_v20 = 0xb;
						_t86 =  *0x545458; // 0x4187fc
						E0040EE00(0, _t86, 1, 1,  &_v32);
						E00404AB0();
					}
				}
				E00405190(_v8 + 8, _v16);
				_pop(_t91);
				 *[fs:eax] = _t91;
				_push(0x4216ce);
				return E00405160( &_v48, 4);
			}

0x0042156c
0x0042156c
0x0042156d
0x0042156f
0x00421575
0x00421578
0x0042157b
0x0042157e
0x00421583
0x00421585
0x00421588
0x00421588
0x0042158d
0x00421590
0x00421593
0x00421598
0x00421599
0x0042159e
0x004215a1
0x004215aa
0x00421647
0x00421653
0x0042165b
0x00421663
0x00421666
0x00421672
0x0042167a
0x0042167d
0x00421687
0x00421694
0x00421699
0x00421699
0x004215b0
0x004215cb
0x004215d7
0x004215e3
0x004215ef
0x004215f7
0x004215fa
0x00421606
0x0042160e
0x00421611
0x0042161b
0x00421628
0x0042162d
0x0042162d
0x004215e3
0x004216a7
0x004216ae
0x004216b1
0x004216b4
0x004216c6

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,004216C7), ref: 004215CB
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,004216C7), ref: 004215FE

Part of subcall function 0040A7C4: CreateFileA.KERNEL32(00000000,?,?,00000000,00000003,00000080,00000000), ref: 0040A824

Part of subcall function 0040AEAC: GetFullPathNameA.KERNEL32(00000000,00000104,?,?), ref: 0040AED4

GetLastError.KERNEL32(00000000,004216C7), ref: 0042166A

Part of subcall function 0040E388: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000), ref: 0040E3B2

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: f15d19a7f35697e7a0ca1fd2360126169f641f58b8a64ca022a09159ee109aca
Instruction ID: 53aa65a296cc912a2b81d0337fdb4f2c065db63d08ec8428dab7bf70fc3bf7f5
Opcode Fuzzy Hash: f15d19a7f35697e7a0ca1fd2360126169f641f58b8a64ca022a09159ee109aca
Instruction Fuzzy Hash: 93415330E042089FDB00DFA6D941BDDB7F1AF58308F94847AE514B7291D7796E048F59

Uniqueness

Uniqueness Score: -1.00%

Function 00410240 Relevance: 4.6, APIs: 3, Instructions: 55
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00410240() {
				signed short _v28;
				signed short _v30;
				signed int _t19;
				signed int _t20;
				void* _t35;

				 *0x5488c8 = 0x409;
				 *0x5488cc = 9;
				 *0x5488d0 = 1;
				_v28 = GetThreadLocale();
				if(_v28 != 0) {
					 *0x5488c8 = _v28;
				}
				_v30 = _v28;
				if(_v30 != 0) {
					 *0x5488cc = _v30 & 0x3ff;
					 *0x5488d0 = (_v30 & 0x0000ffff) >> 0xa;
				}
				memcpy(0x53f83c, 0x41030c, 8 << 2);
				if( *0x53f7f8 <= 4 ||  *0x53f7f4 != 2) {
					 *0x5488d5 = GetSystemMetrics(0x4a) & 0xffffff00 | _t17 != 0x00000000;
				} else {
					 *0x5488d5 = 1;
				}
				_t19 = GetSystemMetrics(0x2a); // executed
				_t20 = _t19 & 0xffffff00 | _t19 != 0x00000000;
				 *0x5488d4 = _t20;
				if( *0x5488d4 != 0) {
					return E004101C8(_t35);
				}
				return _t20;
			}

0x00410248
0x00410252
0x0041025c
0x0041026b
0x00410272
0x00410277
0x00410277
0x00410280
0x00410289
0x00410296
0x004102a2
0x004102a2
0x004102b6
0x004102bf
0x004102df
0x004102ca
0x004102ca
0x004102ca
0x004102e6
0x004102ed
0x004102f0
0x004102fc
0x00000000
0x00410304
0x0041030a

APIs

GetThreadLocale.KERNEL32 ref: 00410266
GetSystemMetrics.USER32(0000004A), ref: 004102D5
GetSystemMetrics.USER32(0000002A), ref: 004102E6

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: MetricsSystem$LocaleThread
String ID:
API String ID: 2159509485-0
Opcode ID: 4af353e81d10835f76d1946beccc96b116700289cd3d2542973eb5dd9f3c8596
Instruction ID: f4d8c5b0d61c5acda59fc868e78c2aa10e21cd1ea064b4df8f915399ee62e291
Opcode Fuzzy Hash: 4af353e81d10835f76d1946beccc96b116700289cd3d2542973eb5dd9f3c8596
Instruction Fuzzy Hash: 87119378D0424ACAD700AFA5E8097FF3BF4E722318F54006BD944962E1EAB848C9D75D

Uniqueness

Uniqueness Score: -1.00%

Function 0040367C Relevance: 3.1, APIs: 2, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040367C(void** __eax, void* __edx, intOrPtr _a4, void* _a8, signed int _a12, intOrPtr* _a16) {
				long _v8;
				void** _t47;
				signed int _t48;
				signed int _t58;

				_t58 = _t48;
				_t47 = __eax;
				if(_a12 != (__eax[1] & 0x0000ffff & _a12)) {
					E00402EC4(0x67);
					_v8 = 0;
				} else {
					if(WriteFile( *__eax, __edx, __eax[2] * _t58,  &_v8, 0) != 0) {
						_v8 = _v8 /  *(_t47 + 8);
						if(_a16 == 0) {
							if(_t58 != _v8) {
								E00402EC4(_a4);
								_v8 = 0;
							}
						} else {
							 *_a16 = _v8;
						}
					} else {
						E00402EC4(GetLastError());
						_v8 = 0;
					}
				}
				return _v8;
			}

0x00403683
0x00403687
0x00403694
0x004036f5
0x004036fc
0x00403696
0x004036ab
0x004036c8
0x004036d0
0x004036df
0x004036e4
0x004036eb
0x004036eb
0x004036d2
0x004036d8
0x004036d8
0x004036ad
0x004036b2
0x004036b9
0x004036b9
0x004036ab
0x00403707

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 004036A6
GetLastError.KERNEL32(?,?,?,00000000), ref: 004036AD

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: b4f23b1275daa853f3906a0d39ed3c0e08608640a3fa61e3738a48a3cd5a2207
Instruction ID: 46910bb7aa0d95e02ba3f280ae3863d1b63ca95fc6e224389530ecec13cc5a66
Opcode Fuzzy Hash: b4f23b1275daa853f3906a0d39ed3c0e08608640a3fa61e3738a48a3cd5a2207
Instruction Fuzzy Hash: 72113371A00108FFCB14DFA9D541A9ABBE9EF58311F204476B408EB380D675DE11DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040A8A4 Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040A8A4(void* __eax, long __edx, long _a4, long _a8) {
				long _v8;
				long _v12;
				void* _v16;
				long _v20;
				long _t23;

				_v20 = __edx;
				_v16 = __eax;
				_v12 = _a4;
				_v8 = _a8;
				_t23 = SetFilePointer(_v16, _v12,  &_v8, _v20); // executed
				_v12 = _t23;
				if(_v12 == 0xffffffff && GetLastError() != 0) {
					_v8 = 0xffffffff;
				}
				return _v12;
			}

0x0040a8aa
0x0040a8ad
0x0040a8b3
0x0040a8b9
0x0040a8cc
0x0040a8d1
0x0040a8d8
0x0040a8e3
0x0040a8e3
0x0040a8f3

APIs

SetFilePointer.KERNEL32(?,?,?,?), ref: 0040A8CC
GetLastError.KERNEL32(?,?,?,?), ref: 0040A8DA

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 608dce54ad6e87d31869a5252adedff75554b7211142dc1f9744cbb4be2f0ca9
Instruction ID: af29bc60c34d4974b729aa7902c5d2e6c650eed7a36b283042dc2ff0054558a3
Opcode Fuzzy Hash: 608dce54ad6e87d31869a5252adedff75554b7211142dc1f9744cbb4be2f0ca9
Instruction Fuzzy Hash: B3F09775D00209EFCB50DFE9C88099EBBF8AB08324F1082A6A964E7380D734AB519B55

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB00 Relevance: 3.0, APIs: 2, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040AB00(intOrPtr __eax, long __edx) {
				intOrPtr _v8;
				long _v12;
				long _v16;
				int _t13;

				_v12 = __edx;
				_v8 = __eax;
				_v16 = 0;
				_t13 = SetFileAttributesA(E00405600(_v8), _v12); // executed
				if(_t13 == 0) {
					_v16 = GetLastError();
				}
				return _v16;
			}

0x0040ab06
0x0040ab09
0x0040ab0e
0x0040ab1e
0x0040ab25
0x0040ab2c
0x0040ab2c
0x0040ab35

APIs

SetFileAttributesA.KERNEL32(00000000,?), ref: 0040AB1E
GetLastError.KERNEL32(00000000,?), ref: 0040AB27

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: bcd059d98e3fa46b432746cca36db2f5cd9948f796b353f9e8c76f7fb1c5cdb6
Instruction ID: 8528623b16b0c91e4aced9044fc199eadf44a025c2efd74beb98a7f3c5066ac5
Opcode Fuzzy Hash: bcd059d98e3fa46b432746cca36db2f5cd9948f796b353f9e8c76f7fb1c5cdb6
Instruction Fuzzy Hash: 4EE09A70D04248ABCB50DFAA884169EB7F89B08214F5085BAA818E3291E635AA108F59

Uniqueness

Uniqueness Score: -1.00%

Function 0040F6F8 Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 44%

			E0040F6F8(intOrPtr __eax) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				intOrPtr _t33;
				void* _t44;
				intOrPtr _t50;
				intOrPtr _t59;
				intOrPtr _t60;
				void* _t62;
				void* _t63;
				intOrPtr _t64;

				_t62 = _t63;
				_t64 = _t63 + 0xffffffe0;
				_v16 = 0;
				_v8 = __eax;
				_push(_t62);
				_push(0x40f7d6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t64;
				_v12 = 0xffffffff;
				E004051D4( &_v16, _v8);
				E00405650( &_v16);
				_push( &_v24);
				_t33 = E00405600(_v16);
				_push(_t33); // executed
				L00407CF4(); // executed
				_v20 = _t33;
				if(_v20 == 0) {
					_pop(_t59);
					 *[fs:eax] = _t59;
					_push(0x40f7dd);
					return E0040513C( &_v16);
				} else {
					_v28 = E00402D48(_v20);
					_push(_t62);
					_push(0x40f7b9);
					_push( *[fs:eax]);
					 *[fs:eax] = _t64;
					_push(_v28);
					_push(_v20);
					_push(_v24);
					_t44 = E00405600(_v16);
					_push(_t44); // executed
					L00407CEC(); // executed
					if(_t44 != 0) {
						_push( &_v36);
						_push( &_v32);
						_push(0x40f7e4);
						_t50 = _v28;
						_push(_t50);
						L00407CFC();
						if(_t50 != 0) {
							_v12 =  *((intOrPtr*)(_v32 + 8));
						}
					}
					_pop(_t60);
					 *[fs:eax] = _t60;
					_push(0x40f7c0);
					return E00402D64(_v28);
				}
			}

0x0040f6f9
0x0040f6fb
0x0040f700
0x0040f703
0x0040f708
0x0040f709
0x0040f70e
0x0040f711
0x0040f714
0x0040f721
0x0040f729
0x0040f731
0x0040f735
0x0040f73a
0x0040f73b
0x0040f740
0x0040f747
0x0040f7c2
0x0040f7c5
0x0040f7c8
0x0040f7d5
0x0040f749
0x0040f751
0x0040f756
0x0040f757
0x0040f75c
0x0040f75f
0x0040f765
0x0040f769
0x0040f76d
0x0040f771
0x0040f776
0x0040f777
0x0040f77e
0x0040f783
0x0040f787
0x0040f788
0x0040f78d
0x0040f790
0x0040f791
0x0040f798
0x0040f7a0
0x0040f7a0
0x0040f798
0x0040f7a5
0x0040f7a8
0x0040f7ab
0x0040f7b8
0x0040f7b8

APIs

73941500.VERSION(?,0040F7E4,?,?,00000000,?,00000000,?,00000000,0040F7B9,?,00000000,?,00000000,0040F7D6), ref: 0040F791

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: 73941500
String ID:
API String ID: 2547895297-0
Opcode ID: 3a2ac149fc5f3489987ec86dcb0beccec3a1d307f3dc81a3ff721cd00c103cc1
Instruction ID: d3e683fee891f5d08990ad178a079df522128d144b04fe21552956678c520ee8
Opcode Fuzzy Hash: 3a2ac149fc5f3489987ec86dcb0beccec3a1d307f3dc81a3ff721cd00c103cc1
Instruction Fuzzy Hash: AA213D75D04608AFDB10DFA5CC42AAFB7F8EB48714BA14577A510F36D0E738AA04CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004040F0 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E004040F0(void* __eax, void* __ebx, void* __edx, void* __esi, void* __eflags) {
				char _v8;
				char _v264;
				int _t17;
				char* _t19;
				int _t21;
				intOrPtr _t37;
				void* _t39;
				void* _t42;
				void* _t44;

				_t44 = __eflags;
				_v8 = 0;
				_t39 = __edx;
				_push(_t42);
				_push(0x404177);
				_push( *[fs:eax]);
				 *[fs:eax] = _t42 + 0xfffffefc;
				E004040DC(__eax,  &_v264);
				E004053A0( &_v8,  &_v264, _t44);
				_t17 = E004053FC(_t39);
				_t19 = E00405600(_t39);
				_t21 = E004053FC(_v8);
				CompareStringA(0x800, 1, E00405600(_v8), _t21, _t19, _t17); // executed
				_pop(_t37);
				 *[fs:eax] = _t37;
				_push(0x40417e);
				return E0040513C( &_v8);
			}

0x004040f0
0x004040fd
0x00404100
0x00404106
0x00404107
0x0040410c
0x0040410f
0x0040411a
0x00404128
0x0040412f
0x00404137
0x00404140
0x00404156
0x00404163
0x00404166
0x00404169
0x00404176

APIs

CompareStringA.KERNEL32(00000800,00000001,00000000,00000000,00000000,00000000,00000000,00404177), ref: 00404156

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: 89be2e2d0e71c15b96307a4ff542f88d08831f37d25b739b453025d9cf52b759
Instruction ID: 57609e5071b49dcbe23c79c0ae09416e48c2d61bd289a485730933c489f3df40
Opcode Fuzzy Hash: 89be2e2d0e71c15b96307a4ff542f88d08831f37d25b739b453025d9cf52b759
Instruction Fuzzy Hash: CE01A270608608AFD710FA698C43A9F72ACDB44704FA104BAB508F22D2DAB85F008A9D

Uniqueness

Uniqueness Score: -1.00%

Function 00408664 Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00408664(long __eax, CHAR* __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
				long _v8;
				CHAR* _v12;
				CHAR* _v16;
				struct HWND__* _v20;
				short _v22;
				struct HWND__* _t34;

				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_v22 = E00403304();
				_t34 = CreateWindowExA(_v8, _v12, _v16, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				_v20 = _t34;
				E004032F4(_v22);
				return _v20;
			}

0x0040866a
0x0040866d
0x00408670
0x00408678
0x004086ac
0x004086b1
0x004086b8
0x004086c3

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004086AC

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 56ffa545afe96f182dd22faa93a54eb6e5c183dd7f6f43041ae9ea3cf2cb87c0
Instruction ID: ef77c3e23e4889390f21dbdefa0ee62bd5fefc08f88c09e070102f2ae93be432
Opcode Fuzzy Hash: 56ffa545afe96f182dd22faa93a54eb6e5c183dd7f6f43041ae9ea3cf2cb87c0
Instruction Fuzzy Hash: 160100B6A00149AFCB80DFDDC981EDFB7FCAF1C214B004559BA18E7240D634EA509B65

Uniqueness

Uniqueness Score: -1.00%

Function 004086C8 Relevance: 1.5, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004086C8(CHAR* __eax, long __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
				CHAR* _v8;
				CHAR* _v12;
				long _v16;
				struct HWND__* _v20;
				short _v22;
				struct HWND__* _t32;

				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_v22 = E00403304();
				_t32 = CreateWindowExA(0, _v8, _v12, _v16, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				_v20 = _t32;
				E004032F4(_v22);
				return _v20;
			}

0x004086ce
0x004086d1
0x004086d4
0x004086dc
0x0040870e
0x00408713
0x0040871a
0x00408725

APIs

CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040870E

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 99d4607e28706265fd1ec8a73ce789dc8a61ad07482f4ccc90a38d36116305e0
Instruction ID: 01884f88156fd036ad9a9ecc185013141a2cb1c7a8cc1880eec624be7002e9a6
Opcode Fuzzy Hash: 99d4607e28706265fd1ec8a73ce789dc8a61ad07482f4ccc90a38d36116305e0
Instruction Fuzzy Hash: 4A010DB6A00249AFCB80DFDDC981EDFB7FCAF1C214F004559BA18E7241D634AA509B65

Uniqueness

Uniqueness Score: -1.00%

Function 004050C0 Relevance: 1.5, APIs: 1, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E004050C0(struct _SECURITY_ATTRIBUTES* __eax, long __edx, DWORD* _a4, long _a8, intOrPtr _a12) {
				long _v8;
				void* _t9;
				void* _t12;
				void _t14;
				void _t15;
				struct _SECURITY_ATTRIBUTES* _t20;
				intOrPtr _t21;

				_t14 = _t15;
				_v8 = __edx;
				_t20 = __eax;
				_t21 = _a12;
				if( *0x53f03c == 0) {
					_t9 = E00402D48(8);
					 *_t9 = _t14;
					 *((intOrPtr*)(_t9 + 4)) = _t21;
				} else {
					_t9 =  *0x53f03c();
				}
				 *0x54604d = 1;
				_t12 = CreateThread(_t20, _v8, E00405088, _t9, _a8, _a4); // executed
				return _t12;
			}

0x004050c7
0x004050c9
0x004050cc
0x004050ce
0x004050d8
0x004050eb
0x004050f0
0x004050f2
0x004050da
0x004050de
0x004050de
0x004050f5
0x00405110
0x0040511a

APIs

CreateThread.KERNEL32(?,?,Function_00005088,00000000,?,?), ref: 00405110

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 2ffaecdfe59f40da7a0fe3d6101bbbf9019642ff1fcaeea904017bb3baf72e68
Instruction ID: 6ddddc5b6ec4b1b9889bb0b5121400689712d88c89306a2261ae54eea39f5c64
Opcode Fuzzy Hash: 2ffaecdfe59f40da7a0fe3d6101bbbf9019642ff1fcaeea904017bb3baf72e68
Instruction Fuzzy Hash: 0BF04971604104AFD304CF8DAC48AABB7ECEB99354F10C03BF408E72A1C6799C059BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040A7C4 Relevance: 1.5, APIs: 1, Instructions: 36
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A7C4(intOrPtr __eax, signed int __edx) {
				intOrPtr _v8;
				signed int _v12;
				void* _v16;
				void* _t30;

				_v12 = __edx;
				_v8 = __eax;
				_v16 = 0xffffffff;
				if((_v12 & 0x00000003) <= 2 && (_v12 & 0x000000f0) <= 0x40) {
					_t30 = CreateFileA(E00405600(_v8),  *(0x53f870 + (_v12 & 0x00000003) * 4),  *(0x53f87c + ((_v12 & 0x000000f0) >> 4) * 4), 0, 3, 0x80, 0); // executed
					_v16 = _t30;
				}
				return _v16;
			}

0x0040a7ca
0x0040a7cd
0x0040a7d0
0x0040a7e0
0x0040a824
0x0040a829
0x0040a829
0x0040a832

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,00000003,00000080,00000000), ref: 0040A824

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c93093f9f743f92d3b2128978d1339554be34914d4aaa0f8c1171f20fe9f4f4e
Instruction ID: d840e695fdd279554aabb912d91766aec5fe3d9fd2850b8e6fcba039705dbb55
Opcode Fuzzy Hash: c93093f9f743f92d3b2128978d1339554be34914d4aaa0f8c1171f20fe9f4f4e
Instruction Fuzzy Hash: 9BF03171D0060CABEB20DF98DC42B5DB7B4E705314F104161F424FB3C0C274EA108B49

Uniqueness

Uniqueness Score: -1.00%

Function 004068B0 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004068B0(void* __eax) {
				char _v272;
				intOrPtr _t14;
				void* _t16;
				intOrPtr _t18;
				intOrPtr _t19;

				_t16 = __eax;
				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
					_t3 = _t16 + 4; // 0x400000
					GetModuleFileNameA( *_t3,  &_v272, 0x105);
					_t14 = E00406B14(_t19); // executed
					_t18 = _t14;
					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
					if(_t18 == 0) {
						_t5 = _t16 + 4; // 0x400000
						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
					}
				}
				_t7 = _t16 + 0x10; // 0x400000
				return  *_t7;
			}

0x004068b8
0x004068be
0x004068ca
0x004068ce
0x004068d7
0x004068dc
0x004068de
0x004068e3
0x004068e5
0x004068e8
0x004068e8
0x004068e3
0x004068eb
0x004068f6

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 004068CE

Part of subcall function 00406B14: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00406B30
Part of subcall function 00406B14: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406B4E
Part of subcall function 00406B14: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406B6C
Part of subcall function 00406B14: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406B8A
Part of subcall function 00406B14: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00406C19,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406BD3
Part of subcall function 00406B14: RegQueryValueExA.ADVAPI32(?,00406D80,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00406C19,?,80000001), ref: 00406BF1
Part of subcall function 00406B14: RegCloseKey.ADVAPI32(?,00406C20,00000000,00000000,00000005,00000000,00406C19,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406C13

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: bd73a884a51a76832caf19f36af562269bf6ab3cafd736ae95eed22693b14f30
Instruction ID: ff99e94fa7a1a8bbbb08af3283f269d2f9daf0731ebbd118f99a4f9862ca32b8
Opcode Fuzzy Hash: bd73a884a51a76832caf19f36af562269bf6ab3cafd736ae95eed22693b14f30
Instruction Fuzzy Hash: 19E06DB2A012109BCB10EE58C9C1A8733D8AB08754F014966ED55EF38AD374DD208BE4

Uniqueness

Uniqueness Score: -1.00%

Function 0040A86C Relevance: 1.5, APIs: 1, Instructions: 23
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A86C(void* __eax, long __ecx, void* __edx) {
				void* _v8;
				void* _v12;
				long _v16;
				long _v20;
				int _t15;

				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_t15 = WriteFile(_v8, _v12, _v16,  &_v20, 0); // executed
				if(_t15 == 0) {
					_v20 = 0xffffffff;
				}
				return _v20;
			}

0x0040a872
0x0040a875
0x0040a878
0x0040a88d
0x0040a894
0x0040a896
0x0040a896
0x0040a8a3

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040A88D

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 47105535e39db6e2a8c6652342e48387bde9aa520a5bb5a4c63971d60e747bad
Instruction ID: 70c13436aeffba1abede8ff934b0dd85d9ff5efe38f4a9ee565786793499c987
Opcode Fuzzy Hash: 47105535e39db6e2a8c6652342e48387bde9aa520a5bb5a4c63971d60e747bad
Instruction Fuzzy Hash: 8BE07DB5D0420DABDB50DFDDCC45AAEB7FCAB08314F1046A5B928E7381E7349A108B55

Uniqueness

Uniqueness Score: -1.00%

Function 0040A968 Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A968(intOrPtr __eax) {
				intOrPtr _v8;
				char _v9;
				signed char _v16;
				long _t13;
				char _t14;

				_v8 = __eax;
				_t13 = GetFileAttributesA(E00405600(_v8)); // executed
				_v16 = _t13;
				if(_v16 == 0xffffffff || (_v16 & 0x00000010) != 0) {
					_t14 = 0;
				} else {
					_t14 = 1;
				}
				_v9 = _t14;
				return _v9;
			}

0x0040a96e
0x0040a97a
0x0040a97f
0x0040a986
0x0040a98e
0x0040a992
0x0040a992
0x0040a992
0x0040a994
0x0040a99d

APIs

GetFileAttributesA.KERNEL32(00000000), ref: 0040A97A

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a180e3c767e94e32f35773393b4f07b43473f15eac1deb300c6a32d26a90f5bc
Instruction ID: b903c329bd2b0ae0e64c26863e51c103e7f5726abff07f71c98c7ff858168530
Opcode Fuzzy Hash: a180e3c767e94e32f35773393b4f07b43473f15eac1deb300c6a32d26a90f5bc
Instruction Fuzzy Hash: 30E09270D0438CA9CB11DAB948066DEB7B44A01324F148AF69C74722C1E2791A11DF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0042A1DC Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0042A1DC(struct HWND__* __eax) {
				struct HWND__* _v8;
				long _v12;
				void* _t11;

				_v8 = __eax;
				_v12 = GetWindowLongA(_v8, 0xfffffffc);
				_push(_v8); // executed
				L004080AC(); // executed
				_t11 = L0040807C;
				if(L0040807C != _v12) {
					_t11 = E0042A0EC(_v12);
				}
				return _t11;
			}

0x0042a1e2
0x0042a1f0
0x0042a1f6
0x0042a1f7
0x0042a1fc
0x0042a204
0x0042a209
0x0042a209
0x0042a211

APIs

GetWindowLongA.USER32(?,000000FC), ref: 0042A1EB

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: e88a2ff604e52a5a30ad69b8737e097b9b3432ac127d71ba74130d1000bca249
Instruction ID: f75d91e934eb1e3b0dd8b28a13395d354504b644220f7a1d9813e40bcab005f5
Opcode Fuzzy Hash: e88a2ff604e52a5a30ad69b8737e097b9b3432ac127d71ba74130d1000bca249
Instruction Fuzzy Hash: 83E04F31D04208EBDF10EBE8994284D77B89B00320F2002AAB424E72D1DA39AA40D71D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A9A0 Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A9A0(intOrPtr __eax) {
				intOrPtr _v8;
				char _v9;
				signed char _v16;
				long _t13;
				char _t14;

				_v8 = __eax;
				_t13 = GetFileAttributesA(E00405600(_v8)); // executed
				_v16 = _t13;
				if(_v16 == 0xffffffff || (_v16 & 0x00000010) == 0) {
					_t14 = 0;
				} else {
					_t14 = 1;
				}
				_v9 = _t14;
				return _v9;
			}

0x0040a9a6
0x0040a9b2
0x0040a9b7
0x0040a9be
0x0040a9c6
0x0040a9ca
0x0040a9ca
0x0040a9ca
0x0040a9cc
0x0040a9d5

APIs

GetFileAttributesA.KERNEL32(00000000), ref: 0040A9B2

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5ee650b5c3f53726f1428438c9939fd4aed90467a31f775f780152548ed4e7e7
Instruction ID: 43e1bbaa2902149119fad10930a7127993089deb4b109a41148ee46763e37e19
Opcode Fuzzy Hash: 5ee650b5c3f53726f1428438c9939fd4aed90467a31f775f780152548ed4e7e7
Instruction Fuzzy Hash: B9E0D8B0D0478CA9CF10DAF948052DEBBB44A01324F109AF6DC78733C1D27917119F5A

Uniqueness

Uniqueness Score: -1.00%

Function 004079EC Relevance: 1.5, APIs: 1, Instructions: 18
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004079EC(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, CHAR* _a12) {
				void* _v8;
				void* _t10;

				_t6 = _a12;
				asm("sbb eax, eax");
				_t10 = CreateMutexA(_a4,  &(_a12[1]) & 0x0000007f, _t6); // executed
				_v8 = _t10;
				return _v8;
			}

0x004079f0
0x004079f8
0x00407a03
0x00407a08
0x00407a10

APIs

CreateMutexA.KERNEL32(?,?,?), ref: 00407A03

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 485a42cfd74afe0bd6fd3a83a5c21534c4123a8668d01e8793639fac456bf432
Instruction ID: 03fc26dac7d8ef7234733420fb857a482efca44afefd75095d3ad33adfaa0b55
Opcode Fuzzy Hash: 485a42cfd74afe0bd6fd3a83a5c21534c4123a8668d01e8793639fac456bf432
Instruction Fuzzy Hash: 2AD09EB3954248FFCB04DFA9D846D9F77ECEB18215B10846AF518D7100D639EA50DB64

Uniqueness

Uniqueness Score: -1.00%

Function 004214EC Relevance: 1.5, APIs: 1, Instructions: 18
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004214EC(intOrPtr* __eax, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr* _v8;
				int _t13;

				_v8 = __eax;
				 *((intOrPtr*)( *_v8 + 0x18))(_a4, _a8);
				_t13 = SetEndOfFile( *(_v8 + 4)); // executed
				return E00410BA0(_t13);
			}

0x004214f0
0x00421500
0x0042150a
0x00421516

APIs

SetEndOfFile.KERNEL32(?), ref: 0042150A

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: e5fac8cf909703790000f96ab9b7707265ebb95977d3791ec6e04dc5629aa9c7
Instruction ID: e076de826161e5197c2a49b19a2ed35f3d80311b86e89b0d08d608a5b811d2e0
Opcode Fuzzy Hash: e5fac8cf909703790000f96ab9b7707265ebb95977d3791ec6e04dc5629aa9c7
Instruction Fuzzy Hash: 00E0EC75908208EF9B08EFA5D585C5DBBF9EF58314B108099F8089B211DA31EE50EB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACC4 Relevance: 1.5, APIs: 1, Instructions: 17
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040ACC4(intOrPtr __eax) {
				intOrPtr _v8;
				char _v9;
				int _t8;

				_v8 = __eax;
				_t8 = DeleteFileA(E00405600(_v8)); // executed
				asm("sbb eax, eax");
				_v9 = _t8 + 1;
				return _v9;
			}

0x0040acca
0x0040acd6
0x0040acde
0x0040ace1
0x0040acea

APIs

DeleteFileA.KERNEL32(00000000), ref: 0040ACD6

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 17574e2f7d159db6b040e2e0bbaa158a7a274f5e2ac1a2b0ee1066c2bbdb9284
Instruction ID: 882a68ad727863243aeb4988ae09fde99ccbf7fb5a359fab2679da9120ae5193
Opcode Fuzzy Hash: 17574e2f7d159db6b040e2e0bbaa158a7a274f5e2ac1a2b0ee1066c2bbdb9284
Instruction Fuzzy Hash: 74D05E32C1D2889ECB00AABC580799E77E88805124B6005BAE4A8E22C2E9336700975E

Uniqueness

Uniqueness Score: -1.00%

Function 00428158 Relevance: 1.3, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00428158(void* __ebx, char __ecx, char __edx) {
				intOrPtr _v8;
				char _v9;
				char _v10;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _t24;
				intOrPtr _t35;
				char _t48;
				intOrPtr _t52;
				char _t53;
				intOrPtr _t59;
				void* _t63;
				void* _t64;
				intOrPtr _t65;

				_t53 = __edx;
				_t48 = __ecx;
				_t63 = _t64;
				_t65 = _t64 + 0xffffffec;
				_v24 = 0;
				if(__edx != 0) {
					_t65 = _t65 + 0xfffffff0;
					_t24 = E00404560(_t24, _t63);
				}
				_v10 = _t48;
				_v9 = _t53;
				_v8 = _t24;
				_push(_t63);
				_push(0x42821c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t65;
				E004041CC(0);
				E00427EA8();
				 *((char*)(_v8 + 0xe)) = _v10;
				 *((char*)(_v8 + 0xc)) = _v10;
				_t35 = E004050C0(0, 0, _v8 + 8, 4, _v8); // executed
				 *((intOrPtr*)(_v8 + 4)) = _t35;
				if( *((intOrPtr*)(_v8 + 4)) == 0) {
					E0040E388(GetLastError(),  &_v24);
					_v20 = _v24;
					_v16 = 0xb;
					_t52 =  *0x5453b0; // 0x4188e4
					E0040EE00(0, _t52, 1, 0,  &_v20);
					E00404AB0();
				}
				_pop(_t59);
				 *[fs:eax] = _t59;
				_push(0x428223);
				return E0040513C( &_v24);
			}

0x00428158
0x00428158
0x00428159
0x0042815b
0x00428161
0x00428166
0x00428168
0x0042816b
0x0042816b
0x00428170
0x00428173
0x00428176
0x0042817b
0x0042817c
0x00428181
0x00428184
0x0042818c
0x00428191
0x0042819c
0x004281a5
0x004281be
0x004281c6
0x004281d0
0x004281da
0x004281e2
0x004281e5
0x004281ef
0x004281fc
0x00428201
0x00428201
0x00428208
0x0042820b
0x0042820e
0x0042821b

APIs

GetLastError.KERNEL32(00000000,0042821C), ref: 004281D2

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 45773ada0ceeee0fc961fca94713de567d6141beba42907ed40d5f08222f2c65
Instruction ID: 10eda3d495981d6819e536035786e5b9eae44bee2daf832d5a9eb768d69ec4ca
Opcode Fuzzy Hash: 45773ada0ceeee0fc961fca94713de567d6141beba42907ed40d5f08222f2c65
Instruction Fuzzy Hash: 2521F574A04248DFC700DFA5C982A9EBBF5EF45304F9484B9E400B7382D7385E04CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0042A00C Relevance: 1.3, APIs: 1, Instructions: 64
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042A00C(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* _v12;
				char* _v16;
				intOrPtr _t34;
				intOrPtr _t35;
				intOrPtr _t38;
				void* _t40;
				void _t41;
				intOrPtr _t54;

				if( *0x549308 == 0) {
					_t40 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
					_v12 = _t40;
					_t41 =  *0x549304; // 0x25a0000
					 *_v12 = _t41;
					E00402FE8(0x53fbdc, 2, _v12 + 4);
					 *((intOrPtr*)(_v12 + 6)) = E00429FE8(_v12 + 5, E00429FC8);
					_v16 = _v12 + 0xa;
					do {
						 *_v16 = 0xe8;
						 *((intOrPtr*)(_v16 + 1)) = E00429FE8(_v16, _v12 + 4);
						_t54 =  *0x549308; // 0x25a0adb
						 *((intOrPtr*)(_v16 + 5)) = _t54;
						 *0x549308 = _v16;
						_v16 = _v16 + 0xd;
					} while (_v16 - _v12 < 0xffc);
					 *0x549304 = _v12;
				}
				_t34 =  *0x549308; // 0x25a0adb
				_v8 = _t34;
				_t35 =  *0x549308; // 0x25a0adb
				_v16 = _t35;
				 *0x549308 =  *((intOrPtr*)(_v16 + 5));
				_t38 = _v16;
				 *((intOrPtr*)(_t38 + 5)) = _a4;
				 *((intOrPtr*)(_t38 + 9)) = _a8;
				return _v8;
			}

0x0042a019
0x0042a02d
0x0042a032
0x0042a035
0x0042a03d
0x0042a04f
0x0042a067
0x0042a070
0x0042a073
0x0042a076
0x0042a08a
0x0042a08d
0x0042a095
0x0042a09b
0x0042a0a0
0x0042a0aa
0x0042a0b4
0x0042a0b4
0x0042a0b9
0x0042a0be
0x0042a0c1
0x0042a0c6
0x0042a0cf
0x0042a0d4
0x0042a0da
0x0042a0e0
0x0042a0e9

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0042A02D

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7c3c8d2abe6422652065d7354489aaf2fb7faea5e72b037387d7e5638f116c0a
Instruction ID: bbc26a8e29ea31e6454c5e32eebcb0faa1f60b9113789c1ff2ecd6dcb71ff7ab
Opcode Fuzzy Hash: 7c3c8d2abe6422652065d7354489aaf2fb7faea5e72b037387d7e5638f116c0a
Instruction Fuzzy Hash: 0731B678E00209AFCB40DF99D485A8DFBF1EB5A314F10C1A6E858EB396D374AA44CB45

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00406950 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139
stringlibraryfileCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00406950(char* __eax, intOrPtr __edx) {
				char* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v20;
				struct _WIN32_FIND_DATAA _v338;
				char _v599;
				char* _t65;
				char* _t75;
				void* _t95;
				intOrPtr* _t96;
				char* _t99;
				char* _t101;
				char* _t102;
				void* _t103;

				_v12 = __edx;
				_v8 = __eax;
				_v16 = _v8;
				_v20 = GetModuleHandleA("kernel32.dll");
				if(_v20 == 0) {
					L4:
					if( *_v8 != 0x5c) {
						_t101 = _v8 + 2;
						goto L10;
					} else {
						if( *((char*)(_v8 + 1)) == 0x5c) {
							_t102 = E00406930(_v8 + 2);
							if( *_t102 != 0) {
								_t17 = _t102 + 1; // 0x1
								_t101 = E00406930(_t17);
								if( *_t101 != 0) {
									L10:
									_t95 = _t101 - _v8;
									_push(_t95 + 1);
									_push(_v8);
									_push( &_v599);
									L0040133C();
									while( *_t101 != 0) {
										_t99 = E00406930(_t101 + 1);
										if(_t99 - _t101 + _t95 + 1 <= 0x105) {
											_push(_t99 - _t101 + 1);
											_push(_t101);
											_push( &(( &_v599)[_t95]));
											L0040133C();
											_v20 = FindFirstFileA( &_v599,  &_v338);
											if(_v20 != 0xffffffff) {
												FindClose(_v20);
												_t65 =  &(_v338.cFileName);
												_push(_t65);
												L00401344();
												if(_t65 + _t95 + 1 + 1 <= 0x105) {
													 *((char*)(_t103 + _t95 - 0x253)) = 0x5c;
													_push(0x105 - _t95 - 1);
													_push( &(_v338.cFileName));
													_push( &(( &(( &_v599)[_t95]))[1]));
													L0040133C();
													_t75 =  &(_v338.cFileName);
													_push(_t75);
													L00401344();
													_t95 = _t95 + _t75 + 1;
													_t101 = _t99;
													continue;
												}
											}
										}
										goto L17;
									}
									_push(_v12);
									_push( &_v599);
									_push(_v8);
									L0040133C();
								}
							}
						}
					}
				} else {
					_t96 = GetProcAddress(_v20, "GetLongPathNameA");
					if(_t96 == 0) {
						goto L4;
					} else {
						_push(0x105);
						_push( &_v599);
						_push(_v8);
						if( *_t96() == 0) {
							goto L4;
						} else {
							_push(_v12);
							_push( &_v599);
							_push(_v8);
							L0040133C();
						}
					}
				}
				L17:
				return _v16;
			}

0x0040695c
0x0040695f
0x00406965
0x00406972
0x00406979
0x004069be
0x004069c4
0x00406a01
0x00000000
0x004069c6
0x004069cd
0x004069de
0x004069e3
0x004069e9
0x004069f1
0x004069f6
0x00406a04
0x00406a06
0x00406a0c
0x00406a10
0x00406a17
0x00406a18
0x00406ac9
0x00406a2a
0x00406a38
0x00406a43
0x00406a44
0x00406a4d
0x00406a4e
0x00406a66
0x00406a6d
0x00406a73
0x00406a78
0x00406a7e
0x00406a7f
0x00406a8f
0x00406a91
0x00406aa1
0x00406aa8
0x00406ab2
0x00406ab3
0x00406ab8
0x00406abe
0x00406abf
0x00406ac5
0x00406ac7
0x00000000
0x00406ac7
0x00406a8f
0x00406a6d
0x00000000
0x00406a38
0x00406ad5
0x00406adc
0x00406ae0
0x00406ae1
0x00406ae1
0x004069f6
0x004069e3
0x004069cd
0x0040697b
0x00406989
0x0040698d
0x00000000
0x0040698f
0x0040698f
0x0040699a
0x0040699e
0x004069a3
0x00000000
0x004069a5
0x004069a8
0x004069af
0x004069b3
0x004069b4
0x004069b4
0x004069a3
0x0040698d
0x00406ae6
0x00406aef

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0040696D
GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00406984
lstrcpyn.KERNEL32(?,?,?), ref: 004069B4
lstrcpyn.KERNEL32(?,?,?,kernel32.dll), ref: 00406A18
lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll), ref: 00406A4E
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406A61
FindClose.KERNEL32(000000FF,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406A73
lstrlen.KERNEL32(?,000000FF,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406A7F
lstrcpyn.KERNEL32(0000005D,?,00000104), ref: 00406AB3
lstrlen.KERNEL32(?,0000005D,?,00000104), ref: 00406ABF
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 00406AE1

Strings

\, xrefs: 00406A91
GetLongPathNameA, xrefs: 0040697B
kernel32.dll, xrefs: 00406968

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: fa5b0f0609b32c7c4bf7a2f019b63777cbb3f451d748f4b8d5ada01125531b95
Instruction ID: fd77ab0a94ac31af01cef75624f6a4dd4820ffb1bdba64a10f73f0ec70486921
Opcode Fuzzy Hash: fa5b0f0609b32c7c4bf7a2f019b63777cbb3f451d748f4b8d5ada01125531b95
Instruction Fuzzy Hash: 6F419F71E00258AFDB10EAE8CD88ADFB3ACAB08304F0545BBA545F7291D638DE508B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040ABF0 Relevance: 3.0, APIs: 2, Instructions: 37
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ABF0(intOrPtr __eax, WORD* __ecx, signed int __edx) {
				intOrPtr _v8;
				signed int _v12;
				WORD* _v16;
				long _v20;

				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				 *(_v16 + 0x18) =  !_v12 & 0x00000016;
				 *((intOrPtr*)(_v16 + 0x1c)) = FindFirstFileA(E00405600(_v8), _v16 + 0x20);
				if( *((intOrPtr*)(_v16 + 0x1c)) == 0xffffffff) {
					_v20 = GetLastError();
				} else {
					_v20 = E0040AB38(_v16);
					if(_v20 != 0) {
						E0040AC98(_v16);
					}
				}
				return _v20;
			}

0x0040abf6
0x0040abf9
0x0040abfc
0x0040ac0a
0x0040ac25
0x0040ac2f
0x0040ac51
0x0040ac31
0x0040ac39
0x0040ac40
0x0040ac45
0x0040ac45
0x0040ac40
0x0040ac5a

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 0040AC1D
GetLastError.KERNEL32(00000000,?), ref: 0040AC4C

Part of subcall function 0040AB38: FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0040AB80
Part of subcall function 0040AB38: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040AB94

Part of subcall function 0040AC98: FindClose.KERNEL32(000000FF,?,?,0040AC4A,00000000,?), ref: 0040ACAF

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: FileTime$Find$CloseDateErrorFirstLastLocal
String ID:
API String ID: 976985129-0
Opcode ID: cd08cfad777c98010ed51b3188c06aca4b9430f299cc106d61c2ba08afc194b0
Instruction ID: 152c2722d40d7723c0751c34fe8c80bff1eef7629bec4066b49d50a0ba77c5d6
Opcode Fuzzy Hash: cd08cfad777c98010ed51b3188c06aca4b9430f299cc106d61c2ba08afc194b0
Instruction Fuzzy Hash: 6B01E170D042099FDB44DFA9C84569DB7B4FF04314F5086AAA424F7391D738AA91CF89

Uniqueness

Uniqueness Score: -1.00%

Function 0040AEF0 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AEF0(CHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
				int _v8;
				long _v12;
				long _v16;
				long _v20;
				long _v24;
				intOrPtr _v32;
				signed int _v36;
				CHAR* _v40;
				intOrPtr _t42;
				intOrPtr _t45;
				intOrPtr* _t48;
				intOrPtr* _t49;
				intOrPtr _t53;
				intOrPtr _t55;

				if(_a4 == 0) {
					_v40 = 0;
				} else {
					_v40 = _a4;
				}
				_v8 = GetDiskFreeSpaceA(_v40,  &_v12,  &_v16,  &_v20,  &_v24);
				_v36 = _v12 * _v16;
				_v32 = 0;
				_t53 = _v32;
				_t42 = E00406208(_v36, _t53, _v20, 0);
				_t48 = _a8;
				 *_t48 = _t42;
				 *((intOrPtr*)(_t48 + 4)) = _t53;
				_t55 = _v32;
				_t45 = E00406208(_v36, _t55, _v24, 0);
				_t49 = _a12;
				 *_t49 = _t45;
				 *((intOrPtr*)(_t49 + 4)) = _t55;
				return _v8;
			}

0x0040aefa
0x0040af06
0x0040aefc
0x0040aeff
0x0040aeff
0x0040af22
0x0040af2d
0x0040af30
0x0040af3d
0x0040af40
0x0040af45
0x0040af48
0x0040af4a
0x0040af57
0x0040af5a
0x0040af5f
0x0040af62
0x0040af64
0x0040af6d

APIs

GetDiskFreeSpaceA.KERNEL32(?,00000000,?,?,?), ref: 0040AF1D

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 9aa9dd936c65c87a6b1c3a3a70423b76233959d61e52cc934aa47b8de69361fb
Instruction ID: c86282eaeb75e48026320f48d479e3abcce0a845df0134828d22e3c01220ba14
Opcode Fuzzy Hash: 9aa9dd936c65c87a6b1c3a3a70423b76233959d61e52cc934aa47b8de69361fb
Instruction Fuzzy Hash: 9611A4B1E0020DAFDB44CF99C9809EEB7F9EF8C300F10816AE419E7251E635AA11CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040F63C Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040F63C() {
				struct _OSVERSIONINFOA _v152;
				int _t10;

				_v152.dwOSVersionInfoSize = 0x94;
				_t10 = GetVersionExA( &_v152);
				if(_t10 != 0) {
					 *0x53f7f4 = _v152.dwPlatformId;
					 *0x53f7f8 = _v152.dwMajorVersion;
					 *0x53f7fc = _v152.dwMinorVersion;
					if( *0x53f7f4 != 1) {
						 *0x53f800 = _v152.dwBuildNumber;
					} else {
						 *0x53f800 = _v152.dwBuildNumber & 0x0000ffff;
					}
					return E004053AC(0x53f804, 0x80,  &(_v152.szCSDVersion));
				}
				return _t10;
			}

0x0040f645
0x0040f656
0x0040f65d
0x0040f665
0x0040f670
0x0040f67b
0x0040f687
0x0040f6a1
0x0040f689
0x0040f694
0x0040f694
0x00000000
0x0040f6b3
0x0040f6bb

APIs

GetVersionExA.KERNEL32(00000094), ref: 0040F656

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 1f5e8116be8adab305cb1a710eb602a227724cf1e00fb905249afb3332303dd6
Instruction ID: 23209f27b4d838ac75a6022b92d66fa33238fe838a4c3073513beea63c02c478
Opcode Fuzzy Hash: 1f5e8116be8adab305cb1a710eb602a227724cf1e00fb905249afb3332303dd6
Instruction Fuzzy Hash: 9FF01970D002199BD760DF28DD41B59B7F4FB04304F4045B6E818E73A1EB39994A9F64

Uniqueness

Uniqueness Score: -1.00%

Function 0040E3EC Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E3EC(int __eax, intOrPtr __ecx, int __edx, intOrPtr _a4) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				int _v20;
				char _v276;

				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_v20 = GetLocaleInfoA(_v8, _v12,  &_v276, 0x100);
				_t29 = _v20;
				if(_v20 <= 0) {
					return E00405190(_a4, _v16);
				}
				return E0040522C(_a4, _v20 - 1,  &_v276, _t29);
			}

0x0040e3f5
0x0040e3f8
0x0040e3fb
0x0040e417
0x0040e41a
0x0040e41e
0x00000000
0x0040e43a
0x00000000

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040E412

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 1b9d4cd5e448d5d74995e37f6c5583a8dca125b08e1002bf191cbb26531e7631
Instruction ID: ab18375dbbfeda980b039e214e73cf7745ed26f3b1838791c784a7ef62503ab4
Opcode Fuzzy Hash: 1b9d4cd5e448d5d74995e37f6c5583a8dca125b08e1002bf191cbb26531e7631
Instruction Fuzzy Hash: 86F01D70D0021CABCB00DF99D841ADEB7B8EF08300F5089AAA914A7281D774AA40CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0040E448 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E448(int __eax, char __ecx, int __edx) {
				int _v8;
				int _v12;
				char _v13;
				char _v14;
				char _v16;

				_v13 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				if(GetLocaleInfoA(_v8, _v12,  &_v16, 2) <= 0) {
					_v14 = _v13;
				} else {
					_v14 = _v16;
				}
				return _v14;
			}

0x0040e44e
0x0040e451
0x0040e454
0x0040e46c
0x0040e479
0x0040e46e
0x0040e471
0x0040e471
0x0040e482

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000002), ref: 0040E465

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 4f5612c90302d21e786cfb424c0d06061d86db11406767c96d60919910dcfe7b
Instruction ID: 9bda721b887f511471ccf884cfa753e75a8f95628043fc0667781260ee8ae329
Opcode Fuzzy Hash: 4f5612c90302d21e786cfb424c0d06061d86db11406767c96d60919910dcfe7b
Instruction Fuzzy Hash: 2DF03065D092CCBFCF01CAE944419EDFFB84F09100F0495D6A994E3342E1315B12D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040CAF0 Relevance: 1.5, APIs: 1, Instructions: 18
timeCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040CAF0(long long __fp0) {
				long long _v12;
				struct _SYSTEMTIME _v28;
				void* _t11;
				void* _t14;
				long long _t15;

				_t15 = __fp0;
				GetLocalTime( &_v28);
				_t11 = E0040C658(_v28.wHour, _v28.wSecond, _v28.wMinute, _t14, __fp0, _v28.wMilliseconds);
				_v12 = _t15;
				asm("wait");
				return _t11;
			}

0x0040caf0
0x0040cafa
0x0040cb10
0x0040cb15
0x0040cb18
0x0040cb1f

APIs

GetLocalTime.KERNEL32(?), ref: 0040CAFA

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: d8f6023cfd8783c9d882fc3febd9acf367d553c90825b0b2a29103531c20334f
Instruction ID: 36372baf12ccfc44667472d8d36df8c549e568254b40ede0ec8cc87a07b28539
Opcode Fuzzy Hash: d8f6023cfd8783c9d882fc3febd9acf367d553c90825b0b2a29103531c20334f
Instruction Fuzzy Hash: 94D01218C0110DA1CB007BD1CC414EEF738EE48714F4009D5AD54737C0EA325691C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 00410890 Relevance: .2, Instructions: 184
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00410890(intOrPtr __eax) {
				intOrPtr _v8;
				intOrPtr _v12;
				char* _v16;
				signed int _v20;
				char _v21;
				intOrPtr* _v28;
				char _v32;
				intOrPtr* _v36;
				signed char* _v40;
				signed char _v41;
				signed int _v45;
				signed int _v46;
				signed int _v47;
				unsigned int _v48;
				void* __ebp;
				intOrPtr* _t158;
				intOrPtr _t160;
				void* _t166;
				intOrPtr _t169;

				_v8 = __eax;
				_t158 =  *0x545358; // 0x53f044
				_v36 =  *_t158;
				if(_v36 == 0) {
					L3:
					_t160 = _v36;
					_v12 = _t160;
					if(_v12 == 0) {
						L25:
						return _t160;
					}
					_t160 = _v12;
					if( *((intOrPtr*)(_t160 + 0x14)) == 0) {
						goto L25;
					}
					_v16 =  *((intOrPtr*)(_v12 + 0x14));
					if( *_v16 == 0) {
						_v28 = 0x548e24;
					} else {
						_v28 = 0x548a24;
					}
					_t166 = E0040655C();
					if(_t166 < 0) {
						L24:
						E00406168(_v16);
						_t169 = _v12;
						 *((intOrPtr*)(_t169 + 0x14)) = 0;
						return _t169;
					} else {
						_v32 = _t166 + 1;
						_v20 = 0;
						do {
							if( *((intOrPtr*)( *((intOrPtr*)(_v16 + 4)) + 4 + (_v20 + _v20 * 4) * 4)) == 0) {
								if( *((intOrPtr*)( *((intOrPtr*)(_v16 + 4)) + 0xc + (_v20 + _v20 * 4) * 4)) == 0) {
									goto L21;
								}
								_v40 =  *((intOrPtr*)( *((intOrPtr*)(_v16 + 4)) + 0xc + (_v20 + _v20 * 4) * 4));
								_v48 = 0;
								while( *_v40 != 0) {
									_v48 = (_v48 << 0x00000002 | _v48 >> 0x0000001e) ^  *(( *_v40 & 0x000000ff) + 0x548924) & 0x000000ff;
									if(_v40[1] == 0) {
										break;
									}
									_t78 = (_v40[1] & 0x000000ff) + 0x548924; // 0x0
									_v48 = (_v48 << 0x00000002 | _v48 >> 0x0000001e) ^  *_t78 & 0x000000ff;
									if(_v40[2] == 0) {
										break;
									}
									_t86 = (_v40[2] & 0x000000ff) + 0x548924; // 0x0
									_v48 = (_v48 << 0x00000002 | _v48 >> 0x0000001e) ^  *_t86 & 0x000000ff;
									if(_v40[3] == 0) {
										break;
									}
									_t94 = (_v40[3] & 0x000000ff) + 0x548924; // 0x0
									_v48 = (_v48 << 0x00000002 | _v48 >> 0x0000001e) ^  *_t94 & 0x000000ff;
									_v40 =  &(_v40[4]);
								}
								_v41 = _v48 ^ _v47 ^ _v46 ^ _v45;
								_v21 = _v41;
								if( *_v28 ==  *((intOrPtr*)(_v16 + 4)) + (_v20 + _v20 * 4) * 4) {
									 *_v28 =  *((intOrPtr*)( *((intOrPtr*)(_v16 + 4)) + (_v20 + _v20 * 4) * 4));
								}
								goto L21;
							}
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v16 + 4)) + 4 + (_v20 + _v20 * 4) * 4)))) =  *((intOrPtr*)( *((intOrPtr*)(_v16 + 4)) + (_v20 + _v20 * 4) * 4));
							L21:
							if( *((intOrPtr*)( *((intOrPtr*)(_v16 + 4)) + (_v20 + _v20 * 4) * 4)) != 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v16 + 4)) + (_v20 + _v20 * 4) * 4)) + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_v16 + 4)) + 4 + (_v20 + _v20 * 4) * 4));
							}
							_v20 = _v20 + 1;
							_t152 =  &_v32;
							 *_t152 = _v32 - 1;
						} while ( *_t152 != 0);
						goto L24;
					}
				}
				while( *((intOrPtr*)(_v36 + 4)) != _v8) {
					_v36 =  *_v36;
					if(_v36 != 0) {
						continue;
					}
					goto L3;
				}
				goto L3;
			}

0x00410896
0x00410899
0x004108a0
0x004108a7
0x004108c2
0x004108c2
0x004108c5
0x004108cc
0x00410adf
0x00410adf
0x00410adf
0x004108d2
0x004108d9
0x00000000
0x00000000
0x004108e5
0x004108ee
0x004108f9
0x004108f0
0x004108f0
0x004108f0
0x00410906
0x0041090d
0x00410ac6
0x00410acf
0x00410ad4
0x00410ad9
0x00000000
0x00410913
0x00410914
0x00410917
0x0041091e
0x0041092f
0x00410968
0x00000000
0x00000000
0x0041097e
0x00410983
0x00410986
0x004109af
0x004109b9
0x00000000
0x00000000
0x004109d0
0x004109d9
0x004109e3
0x00000000
0x00000000
0x004109fa
0x00410a03
0x00410a0d
0x00000000
0x00000000
0x00410a24
0x00410a2d
0x00410a30
0x00410a30
0x00410a45
0x00410a4b
0x00410a6a
0x00410a83
0x00410a83
0x00000000
0x00410a6a
0x00410950
0x00410a86
0x00410a96
0x00410ab7
0x00410ab7
0x00410aba
0x00410abd
0x00410abd
0x00410abd
0x00000000
0x0041091e
0x0041090d
0x004108a9
0x004108b9
0x004108c0
0x00000000
0x00000000
0x00000000
0x004108c0
0x00000000

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6029043cde6edcb44a2c67fea8365a394fd74714bb713adc1d69949d70d077f3
Instruction ID: 872ac45843e083119c0cd125d7bf44a9b0b0f2a5955b072a9c202397237a20be
Opcode Fuzzy Hash: 6029043cde6edcb44a2c67fea8365a394fd74714bb713adc1d69949d70d077f3
Instruction Fuzzy Hash: 0E91E574E0415A8FCB14CF99C580AEEFBF2BF49304F18C296D454AB356D375AA82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 004021FC Relevance: .1, Instructions: 94
COMMONCrypto

Download Yara Rule

C-Code - Quality: 51%

			E004021FC(void* __eax, char* __edx) {
				char* _t103;

				_t103 = __edx;
				_t39 = __eax + 1;
				 *__edx = 0xffffffff89705f71;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = ((((((((((__eax + 0x00000001) * 0x89705f41 >> 0x00000020 & 0x1fffffff) + 0xfffffffe25c17d04 + (_t39 * 0x89705f41 >> 0x0000001e) & 0x0fffffff) + 0xfffffffe25c17d04 & 0x07ffffff) + 0xfffffffe25c17d04 & 0x03ffffff) + 0xfffffffe25c17d04 & 0x01ffffff) + 0xfffffffe25c17d04 & 0x00ffffff) + 0xfffffffe25c17d04 & 0x007fffff) + 0xfffffffe25c17d04 & 0x003fffff) + 0xfffffffe25c17d04 & 0x001fffff) + 0xfffffffe25c17d04 >> 0x00000014 | 0x00000030;
				_t37 = _t103 + 1; // 0x1
				return _t37;
			}

0x004021fd
0x004021ff
0x00402221
0x00402228
0x00402239
0x00402244
0x00402255
0x00402260
0x00402271
0x0040227c
0x0040228d
0x00402298
0x004022a9
0x004022b4
0x004022c5
0x004022d0
0x004022e1
0x004022ec
0x004022fd
0x00402305
0x0040230e
0x00402310
0x00402314

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Uniqueness

Uniqueness Score: -1.00%

Function 00411DD0 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411DD0() {
				struct HINSTANCE__* _v8;
				intOrPtr _t46;
				void* _t91;

				_v8 = GetModuleHandleA("oleaut32.dll");
				 *0x549228 = E00411D8C("VariantChangeTypeEx", E004118B8, _t91);
				 *0x54922c = E00411D8C("VarNeg", E004118F0, _t91);
				 *0x549230 = E00411D8C("VarNot", E004118F0, _t91);
				 *0x549234 = E00411D8C("VarAdd", E00411904, _t91);
				 *0x549238 = E00411D8C("VarSub", E00411904, _t91);
				 *0x54923c = E00411D8C("VarMul", E00411904, _t91);
				 *0x549240 = E00411D8C("VarDiv", E00411904, _t91);
				 *0x549244 = E00411D8C("VarIdiv", E00411904, _t91);
				 *0x549248 = E00411D8C("VarMod", E00411904, _t91);
				 *0x54924c = E00411D8C("VarAnd", E00411904, _t91);
				 *0x549250 = E00411D8C("VarOr", E00411904, _t91);
				 *0x549254 = E00411D8C("VarXor", E00411904, _t91);
				 *0x549258 = E00411D8C("VarCmp", E00411918, _t91);
				 *0x54925c = E00411D8C("VarI4FromStr", E0041192C, _t91);
				 *0x549260 = E00411D8C("VarR4FromStr", E004119A0, _t91);
				 *0x549264 = E00411D8C("VarR8FromStr", E00411A14, _t91);
				 *0x549268 = E00411D8C("VarDateFromStr", E00411A88, _t91);
				 *0x54926c = E00411D8C("VarCyFromStr", E00411AFC, _t91);
				 *0x549270 = E00411D8C("VarBoolFromStr", E00411B70, _t91);
				 *0x549274 = E00411D8C("VarBstrFromCy", E00411BF4, _t91);
				 *0x549278 = E00411D8C("VarBstrFromDate", E00411C70, _t91);
				_t46 = E00411D8C("VarBstrFromBool", E00411CEC, _t91);
				 *0x54927c = _t46;
				return _t46;
			}

0x00411dde
0x00411df2
0x00411e08
0x00411e1e
0x00411e34
0x00411e4a
0x00411e60
0x00411e76
0x00411e8c
0x00411ea2
0x00411eb8
0x00411ece
0x00411ee4
0x00411efa
0x00411f10
0x00411f26
0x00411f3c
0x00411f52
0x00411f68
0x00411f7e
0x00411f94
0x00411faa
0x00411fba
0x00411fc0
0x00411fc7

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 00411DD9

Part of subcall function 00411D8C: GetProcAddress.KERNEL32(00000000,00000000), ref: 00411DB2

Strings

VarMul, xrefs: 00411E55
VarNeg, xrefs: 00411DFD
VarBstrFromBool, xrefs: 00411FB5
VarR4FromStr, xrefs: 00411F1B
VarBoolFromStr, xrefs: 00411F73
VarDiv, xrefs: 00411E6B
VarOr, xrefs: 00411EC3
VarCmp, xrefs: 00411EEF
VarIdiv, xrefs: 00411E81
VarR8FromStr, xrefs: 00411F31
VarDateFromStr, xrefs: 00411F47
VarBstrFromDate, xrefs: 00411F9F
VarSub, xrefs: 00411E3F
VarBstrFromCy, xrefs: 00411F89
VariantChangeTypeEx, xrefs: 00411DE7
VarXor, xrefs: 00411ED9
VarMod, xrefs: 00411E97
VarI4FromStr, xrefs: 00411F05
VarAnd, xrefs: 00411EAD
VarCyFromStr, xrefs: 00411F5D
VarNot, xrefs: 00411E13
oleaut32.dll, xrefs: 00411DD4
VarAdd, xrefs: 00411E29

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: f48ff0a5c97fc1d2cf27ac3289cc4074a582cd412975790c561f0a532f97bd56
Instruction ID: 7b63864c2588ed4b7e4835c33fa9253e17bc2b17a3b0625b285005d3789cf746
Opcode Fuzzy Hash: f48ff0a5c97fc1d2cf27ac3289cc4074a582cd412975790c561f0a532f97bd56
Instruction Fuzzy Hash: 45413CBD648284AB17046B6E79024E77BE9D649319360C22BF704CB671DBBCBCC1D62D

Uniqueness

Uniqueness Score: -1.00%

Function 004030E8 Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004030E8(CHAR* __eax, void* __ecx, intOrPtr* __edx) {
				CHAR* _t23;
				CHAR* _t24;
				CHAR* _t29;
				CHAR* _t30;
				CHAR* _t31;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;
				void* _t35;
				intOrPtr _t36;
				CHAR** _t37;

				_t33 = __edx;
				_t23 = __eax;
				L2:
				while(1) {
					if( *_t23 != 0 &&  *_t23 <= 0x20) {
						_t23 = CharNextA(_t23);
						continue;
					}
					if( *_t23 != 0x22 || _t23[1] != 0x22) {
						_t35 = 0;
						 *_t37 = _t23;
						while( *_t23 > 0x20) {
							if( *_t23 != 0x22) {
								_t29 = CharNextA(_t23);
								_t35 = _t35 + _t29 - _t23;
								_t23 = _t29;
								continue;
							}
							_t23 = CharNextA(_t23);
							while( *_t23 != 0 &&  *_t23 != 0x22) {
								_t32 = CharNextA(_t23);
								_t35 = _t35 + _t32 - _t23;
								_t23 = _t32;
							}
							if( *_t23 != 0) {
								_t23 = CharNextA(_t23);
							}
						}
						E00405888(_t33, _t35);
						_t24 =  *_t37;
						_t36 =  *_t33;
						_t34 = 0;
						while( *_t24 > 0x20) {
							if( *_t24 != 0x22) {
								_t30 = CharNextA(_t24);
								if(_t30 <= _t24) {
									continue;
								} else {
									goto L27;
								}
								do {
									L27:
									 *((char*)(_t36 + _t34)) =  *_t24 & 0x000000ff;
									_t24 =  &(_t24[1]);
									_t34 = _t34 + 1;
								} while (_t30 > _t24);
								continue;
							}
							_t24 = CharNextA(_t24);
							while( *_t24 != 0 &&  *_t24 != 0x22) {
								_t31 = CharNextA(_t24);
								if(_t31 <= _t24) {
									continue;
								} else {
									goto L21;
								}
								do {
									L21:
									 *((char*)(_t36 + _t34)) =  *_t24 & 0x000000ff;
									_t24 =  &(_t24[1]);
									_t34 = _t34 + 1;
								} while (_t31 > _t24);
							}
							if( *_t24 != 0) {
								_t24 = CharNextA(_t24);
							}
						}
						return _t24;
					} else {
						_t23 =  &(_t23[2]);
						continue;
					}
				}
			}

0x004030ed
0x004030ef
0x00000000
0x004030fb
0x004030fe
0x004030f9
0x00000000
0x004030f9
0x00403108
0x00403115
0x00403117
0x00403164
0x0040311f
0x0040315a
0x00403160
0x00403162
0x00000000
0x00403162
0x00403127
0x0040313b
0x00403131
0x00403137
0x00403139
0x00403139
0x00403148
0x00403150
0x00403150
0x00403148
0x0040316d
0x00403172
0x00403175
0x00403177
0x004031d5
0x0040317e
0x004031c2
0x004031c6
0x00000000
0x00000000
0x00000000
0x00000000
0x004031c8
0x004031c8
0x004031cb
0x004031cf
0x004031d0
0x004031d1
0x00000000
0x004031c8
0x00403186
0x004031a3
0x00403190
0x00403194
0x00000000
0x00000000
0x00000000
0x00000000
0x00403196
0x00403196
0x00403199
0x0040319d
0x0040319e
0x0040319f
0x00403196
0x004031b0
0x004031b8
0x004031b8
0x004031b0
0x004031e1
0x00403110
0x00403110
0x00000000
0x00403110
0x00403108

APIs

CharNextA.USER32(00000000,?,?,?,00000000,?,00403208,00000000,00403235,?,?,?,00000000), ref: 00403122
CharNextA.USER32(00000000,00000000,?,?,?,00000000,?,00403208,00000000,00403235,?,?,?,00000000), ref: 0040312C
CharNextA.USER32(00000000,00000000,?,?,?,00000000,?,00403208,00000000,00403235,?,?,?,00000000), ref: 0040314B
CharNextA.USER32(00000000,?,?,?,00000000,?,00403208,00000000,00403235,?,?,?,00000000), ref: 00403155
CharNextA.USER32(00000000,00000000,?,?,?,00000000,?,00403208,00000000,00403235,?,?,?,00000000), ref: 00403181
CharNextA.USER32(00000000,00000000,00000000,?,?,?,00000000,?,00403208,00000000,00403235,?,?,?,00000000), ref: 0040318B
CharNextA.USER32(00000000,00000000,00000000,?,?,?,00000000,?,00403208,00000000,00403235,?,?,?,00000000), ref: 004031B3
CharNextA.USER32(00000000,00000000,?,?,?,00000000,?,00403208,00000000,00403235,?,?,?,00000000), ref: 004031BD

Strings

", xrefs: 0040310A
", xrefs: 00403105
, xrefs: 00403164
, xrefs: 004031D5
", xrefs: 004031A8
", xrefs: 0040317B
", xrefs: 00403140
, xrefs: 00403100
", xrefs: 0040311C

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CharNext
String ID: $ $ $"$"$"$"$"$"
API String ID: 3213498283-3597982963
Opcode ID: 4d8d628609b9978527cfe6e44517dc509876a023bfcca29455d75bde45a221c4
Instruction ID: 47fa99236964fb5fc3f078d4dcfc038bece7b7211f726b35d0a0bdc805941e04
Opcode Fuzzy Hash: 4d8d628609b9978527cfe6e44517dc509876a023bfcca29455d75bde45a221c4
Instruction Fuzzy Hash: F93144A56083902AFB322EB99CC432A7FCD4B4F356F1809BB9542BE2D7D57C4941931E

Uniqueness

Uniqueness Score: -1.00%

Function 00408728 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 63
registryclipboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408728(intOrPtr* __eax, int* __ecx, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
				intOrPtr* _v8;
				int* _v12;
				int* _v16;
				struct HWND__* _v20;

				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_v20 = FindWindowA("MouseZ", "Magellan MSWHEEL");
				 *_v8 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
				 *_v12 = RegisterClipboardFormatA("MSH_WHEELSUPPORT_MSG");
				 *_v16 = RegisterClipboardFormatA("MSH_SCROLL_LINES_MSG");
				if( *_v12 == 0 || _v20 == 0) {
					 *_a8 = 0;
				} else {
					 *_a8 = SendMessageA(_v20,  *_v12, 0, 0);
				}
				if( *_v16 == 0 || _v20 == 0) {
					 *_a4 = 3;
				} else {
					 *_a4 = SendMessageA(_v20,  *_v16, 0, 0);
				}
				return _v20;
			}

0x0040872e
0x00408731
0x00408734
0x00408746
0x00408756
0x00408765
0x00408774
0x0040877c
0x004087a3
0x00408784
0x0040879a
0x0040879a
0x004087ab
0x004087d0
0x004087b3
0x004087c9
0x004087c9
0x004087dc

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 00408741
RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 0040874E
RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 0040875D
RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 0040876C
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 00408792
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 004087C1

Strings

MSH_SCROLL_LINES_MSG, xrefs: 00408767
MSWHEEL_ROLLMSG, xrefs: 00408749
MouseZ, xrefs: 0040873C
Magellan MSWHEEL, xrefs: 00408737
MSH_WHEELSUPPORT_MSG, xrefs: 00408758

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: ClipboardFormatRegister$MessageSend$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 1416857345-3736581797
Opcode ID: 2706d78ae917449932928bf2a8a85f2fe00c43dbee7186997bc1676a12144a2d
Instruction ID: a1f49e5aa3d8dda57108c06887a8a1a19de0daffcf7ffc8870bf148452c3b0c5
Opcode Fuzzy Hash: 2706d78ae917449932928bf2a8a85f2fe00c43dbee7186997bc1676a12144a2d
Instruction Fuzzy Hash: C721EC70A00209AFDB51DF99C981B9EB7B4FF49700F20856AA894AB3D5DB785940CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00402668 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00402668(void* __eax, void* __fp0) {
				void* _v8;
				char _v110600;
				char _v112644;
				char _v112645;
				signed int _v112652;
				char _v112653;
				char _v112654;
				char _v112660;
				intOrPtr _v112664;
				intOrPtr _v112668;
				intOrPtr _v112672;
				struct HWND__* _v112676;
				signed short* _v112680;
				intOrPtr* _v112684;
				char _v129068;
				char _v131117;
				char _v161836;
				void* _v162091;
				signed char _v162092;
				void* _t73;
				int _t79;
				signed int _t126;
				int _t131;
				intOrPtr _t132;
				char* _t134;
				char* _t135;
				char* _t136;
				char* _t137;
				char* _t138;
				char* _t139;
				char* _t141;
				char* _t142;
				char* _t147;
				char* _t148;
				intOrPtr _t180;
				void* _t182;
				void* _t184;
				void* _t185;
				intOrPtr* _t188;
				intOrPtr* _t189;
				signed int _t194;
				void* _t197;
				void* _t198;
				void* _t211;

				_push(__eax);
				_t73 = 0x27;
				goto L1;
				L12:
				while(_t180 != 0x546708) {
					_t79 = E00402180(_t180);
					_t131 = _t79;
					__eflags = _t131;
					if(_t131 == 0) {
						L11:
						_t180 =  *((intOrPtr*)(_t180 + 4));
						continue;
					} else {
						goto L4;
					}
					do {
						L4:
						_t194 =  *(_t131 - 4);
						__eflags = _t194 & 0x00000001;
						if((_t194 & 0x00000001) == 0) {
							__eflags = _t194 & 0x00000004;
							if(__eflags == 0) {
								__eflags = _v112652 - 0x1000;
								if(_v112652 < 0x1000) {
									_v112664 = (_t194 & 0xfffffff0) - 4;
									_t126 = E004024C4(_t131);
									__eflags = _t126;
									if(_t126 == 0) {
										_v112645 = 0;
										 *((intOrPtr*)(_t197 + _v112652 * 4 - 0x1f828)) = _v112664;
										_t18 =  &_v112652;
										 *_t18 = _v112652 + 1;
										__eflags =  *_t18;
									}
								}
							} else {
								E0040251C(_t131, __eflags, _t197);
							}
						}
						_t79 = E0040215C(_t131);
						_t131 = _t79;
						__eflags = _t131;
					} while (_t131 != 0);
					goto L11;
				}
				_t132 =  *0x5487b0; // 0x5487ac
				while(_t132 != 0x5487ac && _v112652 < 0x1000) {
					_t79 = E004024C4(_t132 + 0x10);
					__eflags = _t79;
					if(_t79 == 0) {
						_v112645 = 0;
						_t22 = _t132 + 0xc; // 0x0
						_t79 = _v112652;
						 *((intOrPtr*)(_t197 + _t79 * 4 - 0x1f828)) = ( *_t22 & 0xfffffff0) - 0xfffffffffffffff4;
						_t27 =  &_v112652;
						 *_t27 = _v112652 + 1;
						__eflags =  *_t27;
					}
					_t29 = _t132 + 4; // 0x5487ac
					_t132 =  *_t29;
				}
				if(_v112645 != 0) {
					L48:
					return _t79;
				}
				_v112653 = 0;
				_v112668 = 0;
				_t134 = E00402318(0x28,  &_v161836);
				_v112660 = 0x37;
				_v112680 = 0x53f052;
				_v112684 =  &_v110600;
				do {
					_v112672 = ( *_v112680 & 0x0000ffff) - 4;
					_v112654 = 0;
					_t182 = 0xff;
					_t188 = _v112684;
					while(_t134 <=  &_v131117) {
						if( *_t188 > 0) {
							if(_v112653 == 0) {
								_t134 = E00402318(0x27, _t134);
								_v112653 = 1;
							}
							if(_v112654 != 0) {
								 *_t134 = 0x2c;
								_t139 = _t134 + 1;
								 *_t139 = 0x20;
								_t140 = _t139 + 1;
								__eflags = _t139 + 1;
							} else {
								 *_t134 = 0xd;
								 *((char*)(_t134 + 1)) = 0xa;
								_t147 = E004021FC(_v112668 + 1, _t134 + 2);
								 *_t147 = 0x20;
								_t148 = _t147 + 1;
								 *_t148 = 0x2d;
								 *((char*)(_t148 + 1)) = 0x20;
								_t140 = E00402318(8, E004021FC(_v112672, _t148 + 2));
								_v112654 = 1;
							}
							_t211 = _t182 - 1;
							if(_t211 < 0) {
								_t141 = E00402318(7, _t140);
							} else {
								if(_t211 == 0) {
									_t141 = E00402318(6, _t140);
								} else {
									E004040DC( *((intOrPtr*)(_t188 - 4)),  &_v162092);
									_t141 = E00402318(_v162092 & 0x000000ff, _t140);
								}
							}
							 *_t141 = 0x20;
							_t142 = _t141 + 1;
							 *_t142 = 0x78;
							 *((char*)(_t142 + 1)) = 0x20;
							_t134 = E004021FC( *_t188, _t142 + 2);
						}
						_t182 = _t182 - 1;
						_t188 = _t188 - 8;
						if(_t182 != 0xffffffff) {
							continue;
						} else {
							goto L37;
						}
					}
					L37:
					_v112668 = _v112672;
					_v112684 = _v112684 + 0x800;
					_v112680 =  &(_v112680[0x10]);
					_t60 =  &_v112660;
					 *_t60 = _v112660 - 1;
				} while ( *_t60 != 0);
				if(_v112652 <= 0) {
					L47:
					E00402318(3, _t134);
					_t79 = MessageBoxA(0,  &_v161836, "Unexpected Memory Leak", 0x2010);
					goto L48;
				}
				if(_v112653 != 0) {
					 *_t134 = 0xd;
					_t136 = _t134 + 1;
					 *_t136 = 0xa;
					_t137 = _t136 + 1;
					 *_t137 = 0xd;
					_t138 = _t137 + 1;
					 *_t138 = 0xa;
					_t134 = _t138 + 1;
				}
				_t134 = E00402318(0x3c, _t134);
				_t184 = _v112652 - 1;
				if(_t184 >= 0) {
					_t185 = _t184 + 1;
					_v112676 = 0;
					_t189 =  &_v129068;
					L43:
					L43:
					if(_v112676 != 0) {
						 *_t134 = 0x2c;
						_t135 = _t134 + 1;
						 *_t135 = 0x20;
						_t134 = _t135 + 1;
					}
					_t134 = E004021FC( *_t189, _t134);
					if(_t134 >  &_v131117) {
						goto L47;
					}
					_v112676 =  &(_v112676->i);
					_t189 = _t189 + 4;
					_t185 = _t185 - 1;
					if(_t185 != 0) {
						goto L43;
					}
				}
				L1:
				_t198 = _t198 + 0xfffff004;
				_push(_t73);
				_t73 = _t73 - 1;
				if(_t73 != 0) {
					goto L1;
				} else {
					E0040393C( &_v112644, 0x1b800);
					E0040393C( &_v129068, 0x4000);
					_t79 = 0;
					_v112652 = 0;
					_v112645 = 1;
					_t180 =  *0x54670c; // 0x47e0000
					goto L12;
				}
			}

0x0040266b
0x0040266c
0x0040266c
0x00000000
0x00402747
0x004026c7
0x004026cc
0x004026ce
0x004026d0
0x00402744
0x00402744
0x00000000
0x00000000
0x00000000
0x00000000
0x004026d2
0x004026d2
0x004026d7
0x004026d9
0x004026df
0x004026e1
0x004026e7
0x004026f4
0x004026fe
0x00402706
0x0040270e
0x00402713
0x00402715
0x00402717
0x0040272a
0x00402731
0x00402731
0x00402731
0x00402731
0x00402715
0x004026e9
0x004026ec
0x004026f1
0x004026e7
0x00402739
0x0040273e
0x00402740
0x00402740
0x00000000
0x004026d2
0x00402753
0x00402792
0x00402760
0x00402765
0x00402767
0x00402769
0x00402770
0x0040277c
0x00402782
0x00402789
0x00402789
0x00402789
0x00402789
0x0040278f
0x0040278f
0x0040278f
0x004027ad
0x00402a0b
0x00402a11
0x00402a11
0x004027b3
0x004027bc
0x004027d7
0x004027d9
0x004027e3
0x004027f3
0x004027f9
0x00402805
0x0040280b
0x00402812
0x0040281d
0x0040281f
0x00402830
0x0040283d
0x00402850
0x00402852
0x00402852
0x00402860
0x004028b1
0x004028b4
0x004028b5
0x004028b8
0x004028b8
0x00402862
0x00402862
0x00402866
0x00402878
0x0040287a
0x0040287d
0x0040287e
0x00402882
0x004028a6
0x004028a8
0x004028a8
0x004028bb
0x004028be
0x004028d5
0x004028c0
0x004028c0
0x004028ea
0x004028c2
0x004028f7
0x00402910
0x00402910
0x004028c0
0x00402912
0x00402915
0x00402916
0x0040291a
0x00402927
0x00402927
0x00402929
0x0040292a
0x00402930
0x00000000
0x00000000
0x00000000
0x00000000
0x00402930
0x00402936
0x0040293c
0x00402942
0x0040294c
0x00402953
0x00402953
0x00402953
0x00402966
0x004029e2
0x004029ee
0x00402a06
0x00000000
0x00402a06
0x0040296f
0x00402971
0x00402974
0x00402975
0x00402978
0x00402979
0x0040297c
0x0040297d
0x00402980
0x00402980
0x00402992
0x0040299a
0x0040299d
0x0040299f
0x004029a0
0x004029aa
0x00000000
0x004029b0
0x004029b7
0x004029b9
0x004029bc
0x004029bd
0x004029c0
0x004029c0
0x004029ca
0x004029d4
0x00000000
0x00000000
0x004029d6
0x004029dc
0x004029df
0x004029e0
0x00000000
0x00000000
0x004029e0
0x00402671
0x00402671
0x00402677
0x00402678
0x00402679
0x00000000
0x0040267b
0x00402694
0x004026a6
0x004026ab
0x004026ad
0x004026b3
0x004026ba
0x00000000
0x004026ba

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 00402A06

Strings

String, xrefs: 004028D9
Unexpected Memory Leak, xrefs: 004029F8
bytes: , xrefs: 00402895
Unknown, xrefs: 004028C4
7, xrefs: 004027D9
, xrefs: 0040294C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402981
The unexpected small block leaks are:, xrefs: 0040283F
An unexpected memory leak has occurred. , xrefs: 004027C8

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: 4bb36be64cb10289154c14053a1d3ae27c48ea47c765b31d99ff31cd4d079e43
Instruction ID: d506c5175a58075e8cd8b49f4596b8e72b1a96779b3a747b8db81e58cb87d5fa
Opcode Fuzzy Hash: 4bb36be64cb10289154c14053a1d3ae27c48ea47c765b31d99ff31cd4d079e43
Instruction Fuzzy Hash: 93A1DA70B043548BDF21AA2CCD88BD976E4EB49314F1441F6E949BB3C2CBBD8985CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00428518 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 107
synchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00428518(intOrPtr __eax, char __ecx, intOrPtr __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v13;
				intOrPtr* _v20;
				char _v32;
				void* __ebp;
				long _t27;
				intOrPtr _t34;
				void* _t53;
				intOrPtr* _t63;
				intOrPtr _t68;
				intOrPtr _t69;
				void* _t74;
				void* _t76;
				intOrPtr _t77;

				_t74 = _t76;
				_t77 = _t76 + 0xffffffe4;
				_v13 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_t27 = GetCurrentThreadId();
				_t63 =  *0x54545c; // 0x546034
				if(_t27 !=  *_t63) {
					if(_v13 == 0) {
						_v20 =  &_v32;
					} else {
						_v20 = E00402D48(0xc);
					}
					if(_v13 != 0) {
						 *(_v20 + 8) = 0;
					} else {
						 *(_v20 + 8) = CreateEventA(0, 0xffffffff, 0, 0);
					}
					_push(_t74);
					_push(0x42868d);
					_push( *[fs:eax]);
					 *[fs:eax] = _t77;
					_push(0x5492e8);
					L00407A3C();
					_push(_t74);
					_push(0x428666);
					_push( *[fs:eax]);
					 *[fs:eax] = _t77;
					 *((char*)(_v20 + 4)) = _v13;
					if( *0x53fbbc == 0) {
						 *0x53fbbc = E004041CC(1);
					}
					 *_v20 = _v12;
					_t34 =  *0x53fbbc; // 0x0
					E0041D088(_t34, _v20);
					E00427E98();
					if( *0x53fbaa != 0) {
						 *0x53fba8();
					}
					if(_v13 != 0) {
						_pop(_t68);
						 *[fs:eax] = _t68;
						_push(0x42866d);
						_push(0x5492e8);
						L00407BEC();
						return 0;
					} else {
						_push(0x5492e8);
						L00407BEC();
						_push(_t74);
						_push(0x428647);
						_push( *[fs:eax]);
						 *[fs:eax] = _t77;
						WaitForSingleObject( *(_v20 + 8), 0xffffffff);
						_pop(_t69);
						 *[fs:eax] = _t69;
						_push(0x42864e);
						_push(0x5492e8);
						L00407A3C();
						return 0;
					}
				} else {
					_t53 =  *((intOrPtr*)(_v12 + 8))();
					return _t53;
				}
			}

0x00428519
0x0042851b
0x0042851f
0x00428522
0x00428525
0x00428528
0x0042852d
0x00428535
0x00428549
0x0042855d
0x0042854b
0x00428555
0x00428555
0x00428564
0x00428580
0x00428566
0x00428576
0x00428576
0x00428585
0x00428586
0x0042858b
0x0042858e
0x00428591
0x00428596
0x0042859d
0x0042859e
0x004285a3
0x004285a6
0x004285af
0x004285b9
0x004285c7
0x004285c7
0x004285d2
0x004285d7
0x004285dc
0x004285e1
0x004285ee
0x004285fd
0x004285fd
0x00428607
0x00428650
0x00428653
0x00428656
0x0042865b
0x00428660
0x00428665
0x00428609
0x00428609
0x0042860e
0x00428615
0x00428616
0x0042861b
0x0042861e
0x0042862a
0x00428631
0x00428634
0x00428637
0x0042863c
0x00428641
0x00428646
0x00428646
0x00428537
0x0042853d
0x004286b2
0x004286b2

APIs

GetCurrentThreadId.KERNEL32 ref: 00428528
CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 0042856E
RtlEnterCriticalSection.NTDLL(005492E8), ref: 00428596
RtlLeaveCriticalSection.NTDLL(005492E8), ref: 0042860E
WaitForSingleObject.KERNEL32(?,000000FF,00000000,00428647,?,005492E8,00000000,00428666,?,005492E8,00000000,0042868D), ref: 0042862A
RtlEnterCriticalSection.NTDLL(005492E8), ref: 00428641

Strings

4`T, xrefs: 0042852D

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$CreateCurrentEventLeaveObjectSingleThreadWait
String ID: 4`T
API String ID: 1504017990-3587729940
Opcode ID: 69b9b544e5171bbe74fa1385ae96ce8eac8c29459c000690257a91c5b5c99ee5
Instruction ID: 60ecffbe563cc4d6c5bfeca256a96d477ee57a987d7013b754fd6c2877845226
Opcode Fuzzy Hash: 69b9b544e5171bbe74fa1385ae96ce8eac8c29459c000690257a91c5b5c99ee5
Instruction Fuzzy Hash: 3D410370B08214AFCB11DF65EC91A5EBBB0FB49314F5085AAE404A73A0DA78A840CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040EC04 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 63
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040EC04(intOrPtr __eax, intOrPtr __edx, void* __edi, void* __fp0) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				char _v80;
				void _v1104;
				char* _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr _t29;
				long _t37;

				_v12 = __edx;
				_v8 = __eax;
				E0040EA4C(_v8,  &_v1104, _v12, __edi, __fp0, 0x400);
				_t19 =  *0x5452c4; // 0x54604c
				if( *_t19 == 0) {
					_t21 =  *0x544f8c; // 0x4089d4
					_t13 = _t21 + 4; // 0xffec
					_t23 =  *0x5487f8; // 0x400000
					LoadStringA(E004068F8(_t23),  *_t13,  &_v80, 0x40);
					return MessageBoxA(0,  &_v1104,  &_v80, 0x2010);
				}
				_t29 =  *0x544ffc; // 0x54621c
				E00402EA4(E00403660(_t29));
				CharToOemA( &_v1104,  &_v1104);
				_t37 = E0040B088( &_v1104, __edi);
				WriteFile(GetStdHandle(0xfffffff4),  &_v1104, _t37,  &_v16, 0);
				return WriteFile(GetStdHandle(0xfffffff4), 0x40ecdc, 2,  &_v16, 0);
			}

0x0040ec0d
0x0040ec10
0x0040ec24
0x0040ec29
0x0040ec31
0x0040ec9d
0x0040eca2
0x0040eca6
0x0040ecb1
0x00000000
0x0040ecc8
0x0040ec33
0x0040ec3d
0x0040ec50
0x0040ec61
0x0040ec76
0x00000000

APIs

Part of subcall function 0040EA4C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040EA6B
Part of subcall function 0040EA4C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040EA8F
Part of subcall function 0040EA4C: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040EAAA
Part of subcall function 0040EA4C: LoadStringA.USER32(00000000,0000FFEB,?,00000100), ref: 0040EB60

CharToOemA.USER32(?,?), ref: 0040EC50
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 0040EC70
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000), ref: 0040EC76
GetStdHandle.KERNEL32(000000F4,0040ECDC,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 0040EC8A
WriteFile.KERNEL32(00000000,000000F4,0040ECDC,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 0040EC90
LoadStringA.USER32(00000000,0000FFEC,?,00000040), ref: 0040ECB1
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040ECC8

Strings

L`T, xrefs: 0040EC29

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID: L`T
API String ID: 185507032-2402964476
Opcode ID: af4247556c3554efac8a2f168cd2df581db2d9db48e12ab85942e4f868752c2f
Instruction ID: 186611576ec095721c9cff83b5b05a1aee56bb6aec86a3af7b71aa0610dab0ec
Opcode Fuzzy Hash: af4247556c3554efac8a2f168cd2df581db2d9db48e12ab85942e4f868752c2f
Instruction Fuzzy Hash: F91145B1945108BAD750EB95CC82FDEB7BCAB04308F1041B7B714F71D2DB78AA489B69

Uniqueness

Uniqueness Score: -1.00%

Function 00413080 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00413080(short* __eax, intOrPtr __ecx, signed short* __edx) {
				char _v260;
				char _v768;
				char _v772;
				short* _v776;
				intOrPtr _v780;
				char _v784;
				signed int _v788;
				signed short* _v792;
				char _v796;
				char _v800;
				intOrPtr* _v804;
				void* __ebp;
				signed char _t47;
				signed int _t54;
				void* _t62;
				intOrPtr* _t73;
				signed short* _t91;
				void* _t93;
				void* _t95;
				void* _t98;
				void* _t99;
				intOrPtr* _t108;
				void* _t112;
				intOrPtr _t113;
				char* _t114;
				void* _t115;

				_t100 = __ecx;
				_v780 = __ecx;
				_t91 = __edx;
				_v776 = __eax;
				if(( *(__edx + 1) & 0x00000020) == 0) {
					E00412C28(0x80070057);
				}
				_t47 =  *_t91 & 0x0000ffff;
				if((_t47 & 0x00000fff) != 0xc) {
					_push(_t91);
					_push(_v776);
					L004118A8();
					return E00412C28(_v776);
				} else {
					if((_t47 & 0x00000040) == 0) {
						_v792 = _t91[4];
					} else {
						_v792 =  *(_t91[4]);
					}
					_v788 =  *_v792 & 0x0000ffff;
					_t93 = _v788 - 1;
					if(_t93 < 0) {
						L9:
						_push( &_v772);
						_t54 = _v788;
						_push(_t54);
						_push(0xc);
						L00411D6C();
						_t113 = _t54;
						if(_t113 == 0) {
							E00412980(_t100);
						}
						E00412FD8(_v776);
						 *_v776 = 0x200c;
						 *((intOrPtr*)(_v776 + 8)) = _t113;
						_t95 = _v788 - 1;
						if(_t95 < 0) {
							L14:
							_t97 = _v788 - 1;
							if(E00412FF4(_v788 - 1, _t115) != 0) {
								L00411D84();
								E00412C28(_v792);
								L00411D84();
								E00412C28( &_v260);
								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
							}
							_t62 = E00413024(_t97, _t115);
						} else {
							_t98 = _t95 + 1;
							_t73 =  &_v768;
							_t108 =  &_v260;
							do {
								 *_t108 =  *_t73;
								_t108 = _t108 + 4;
								_t73 = _t73 + 8;
								_t98 = _t98 - 1;
							} while (_t98 != 0);
							do {
								goto L14;
							} while (_t62 != 0);
							return _t62;
						}
					} else {
						_t99 = _t93 + 1;
						_t112 = 0;
						_t114 =  &_v772;
						do {
							_v804 = _t114;
							_push(_v804 + 4);
							_t18 = _t112 + 1; // 0x1
							_push(_v792);
							L00411D74();
							E00412C28(_v792);
							_push( &_v784);
							_t21 = _t112 + 1; // 0x1
							_push(_v792);
							L00411D7C();
							E00412C28(_v792);
							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
							_t112 = _t112 + 1;
							_t114 = _t114 + 8;
							_t99 = _t99 - 1;
						} while (_t99 != 0);
						goto L9;
					}
				}
			}

0x00413080
0x0041308c
0x00413092
0x00413094
0x0041309e
0x004130a5
0x004130a5
0x004130aa
0x004130b8
0x00413231
0x00413238
0x00413239
0x00000000
0x004130be
0x004130c1
0x004130d3
0x004130c3
0x004130c8
0x004130c8
0x004130e2
0x004130ee
0x004130f1
0x0041315e
0x00413164
0x00413165
0x0041316b
0x0041316c
0x0041316e
0x00413173
0x00413177
0x00413179
0x00413179
0x00413184
0x0041318f
0x0041319a
0x004131a3
0x004131a6
0x004131c2
0x004131c9
0x004131d4
0x004131eb
0x004131f0
0x00413204
0x00413209
0x0041321c
0x0041321c
0x00413225
0x004131a8
0x004131a8
0x004131a9
0x004131af
0x004131b5
0x004131b7
0x004131b9
0x004131bc
0x004131bf
0x004131bf
0x004131c2
0x00000000
0x00000000
0x00000000
0x004131c2
0x004130f3
0x004130f3
0x004130f4
0x004130f6
0x004130fc
0x004130fe
0x0041310d
0x0041310e
0x00413118
0x00413119
0x0041311e
0x00413129
0x0041312a
0x00413134
0x00413135
0x0041313a
0x00413155
0x00413157
0x00413158
0x0041315b
0x0041315b
0x00000000
0x004130fc
0x004130f1

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00413119
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00413135
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041316E
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004131EB
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 00413204
VariantCopy.OLEAUT32(?), ref: 00413239

Strings

, xrefs: 0041309A

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-3916222277
Opcode ID: 753ceae152a67bda7e532aff0be679e7c06468d35bf0508a8103650b4329f628
Instruction ID: b6f296ad8df9ecd380073d3870616247f9f73ad47ecd532c2e80dbba49b2d342
Opcode Fuzzy Hash: 753ceae152a67bda7e532aff0be679e7c06468d35bf0508a8103650b4329f628
Instruction Fuzzy Hash: 69510C7590021D9BCB22EF59D981ADAB3FCAF0C305F0045DAF608E7211D674AFC58B65

Uniqueness

Uniqueness Score: -1.00%

Function 00427EC8 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109
threadCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00427EC8(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v9;
				intOrPtr* _v16;
				long _v20;
				char _v24;
				char _v28;
				long _t25;
				char _t32;
				intOrPtr _t63;
				intOrPtr* _t64;
				intOrPtr _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				void* _t74;
				void* _t75;
				intOrPtr _t76;

				_t74 = _t75;
				_t76 = _t75 + 0xffffffe8;
				_push(__ebx);
				_v8 = __eax;
				_t25 = GetCurrentThreadId();
				_t64 =  *0x54545c; // 0x546034
				if(_t25 !=  *_t64) {
					_v28 = GetCurrentThreadId();
					_v24 = 0;
					_t63 =  *0x545224; // 0x4187cc
					E0040EE00(__ebx, _t63, 1, 0,  &_v28);
					E00404AB0();
				}
				if(_v8 <= 0) {
					E00427E64();
				} else {
					E00427E74(_v8);
				}
				_v20 = 0;
				_push(0x5492e8);
				L00407A3C();
				_push(_t74);
				_push(0x428091);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				_v20 = InterlockedExchange(0x53fbbc, _v20);
				_push(_t74);
				_push(0x428072);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				if(_v20 == 0 ||  *((intOrPtr*)(_v20 + 8)) <= 0) {
					_t32 = 0;
				} else {
					_t32 = 1;
				}
				_v9 = _t32;
				if(_v9 == 0) {
					L14:
					_pop(_t65);
					 *[fs:eax] = _t65;
					_push(0x428079);
					return E004041FC(_v20);
				} else {
					if( *((intOrPtr*)(_v20 + 8)) > 0) {
						_v16 = E0041D288(_v20, 0);
						E0041D100(_v20, 0);
						L00407BEC();
						 *[fs:eax] = _t76;
						 *[fs:eax] = _t76;
						 *((intOrPtr*)( *_v16 + 8))( *[fs:eax], _t74,  *[fs:eax], 0x428015, _t74, 0x5492e8);
						_pop(_t68);
						 *[fs:eax] = _t68;
						_t69 = 0x427fd6;
						 *[fs:eax] = _t69;
						_push(0x42801c);
						_push(0x5492e8);
						L00407A3C();
						return 0;
					} else {
						goto L14;
					}
				}
			}

0x00427ec9
0x00427ecb
0x00427ece
0x00427ed1
0x00427ed4
0x00427ed9
0x00427ee1
0x00427ee8
0x00427eeb
0x00427ef5
0x00427f02
0x00427f07
0x00427f07
0x00427f10
0x00427f1c
0x00427f12
0x00427f15
0x00427f15
0x00427f23
0x00427f26
0x00427f2b
0x00427f32
0x00427f33
0x00427f38
0x00427f3b
0x00427f4c
0x00427f51
0x00427f52
0x00427f57
0x00427f5a
0x00427f61
0x00427f6c
0x00427f70
0x00427f70
0x00427f70
0x00427f72
0x00427f79
0x0042805c
0x0042805e
0x00428061
0x00428064
0x00428071
0x00427f7f
0x00428056
0x00427f8e
0x00427f96
0x00427fa0
0x00427fb0
0x00427fbe
0x00427fc9
0x00427fce
0x00427fd1
0x00427fff
0x00428002
0x00428005
0x0042800a
0x0042800f
0x00428014
0x00000000
0x00000000
0x00000000
0x00428056

APIs

GetCurrentThreadId.KERNEL32 ref: 00427ED4
GetCurrentThreadId.KERNEL32 ref: 00427EE3

Part of subcall function 00427E64: ResetEvent.KERNEL32(00000274), ref: 00427E6D

RtlEnterCriticalSection.NTDLL(005492E8), ref: 00427F2B
InterlockedExchange.KERNEL32(0053FBBC,?), ref: 00427F47
RtlLeaveCriticalSection.NTDLL(005492E8), ref: 00427FA0
RtlEnterCriticalSection.NTDLL(005492E8), ref: 0042800F

Strings

4`T, xrefs: 00427ED9

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
String ID: 4`T
API String ID: 2189153385-3587729940
Opcode ID: c4f6abb1812d0709735f6e9a39ca258efe0891f712ba7762f936203b14cd7bc5
Instruction ID: 2601b9af82f39f57c66b9692c8c06f3bc1ee9f92cb39a4534f733dca0d2d1952
Opcode Fuzzy Hash: c4f6abb1812d0709735f6e9a39ca258efe0891f712ba7762f936203b14cd7bc5
Instruction Fuzzy Hash: 3A41D430B0C214AFD701DF65DC52AAEBBF4FB49704F9288BAF40092691D7785C40DA69

Uniqueness

Uniqueness Score: -1.00%

Function 00404EE8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00404EE8(void* __ecx) {
				long _v4;
				int _t3;

				if( *0x54604c == 0) {
					if( *0x53f034 == 0) {
						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
					}
					return _t3;
				} else {
					if( *0x546220 == 0xd7b2 &&  *0x546228 > 0) {
						 *0x546238();
					}
					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
					return WriteFile(GetStdHandle(0xfffffff5), 0x404f70, 2,  &_v4, 0);
				}
			}

0x00404ef0
0x00404f50
0x00404f60
0x00404f60
0x00404f66
0x00404ef2
0x00404efb
0x00404f0b
0x00404f0b
0x00404f27
0x00404f48
0x00404f48

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404FAF,?,?,?,00000002,0040505A,00402E4B,00402E92), ref: 00404F21
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404FAF,?,?,?,00000002,0040505A,00402E4B,00402E92), ref: 00404F27
GetStdHandle.KERNEL32(000000F5,00404F70,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404FAF), ref: 00404F3C
WriteFile.KERNEL32(00000000,000000F5,00404F70,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404FAF), ref: 00404F42
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404F60

Strings

Runtime error at 00000000, xrefs: 00404F1A, 00404F59
Error, xrefs: 00404F54

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 8ab7efce0faa610ee60cd4b3f34e64f0e504afd9757a67e462efbcc9c40962cc
Instruction ID: d3edda5a8cb98f636d805831e3f961b8e10702ca5b44d34a80c15322d0aa9720
Opcode Fuzzy Hash: 8ab7efce0faa610ee60cd4b3f34e64f0e504afd9757a67e462efbcc9c40962cc
Instruction Fuzzy Hash: E3F09698A4834075E610B3646D47FDA2B4857CAB18F10027FF310F50E296FC54C4972A

Uniqueness

Uniqueness Score: -1.00%

Function 0041792C Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 334
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0041792C(signed short* __eax, signed int __ecx, signed short* __edx, void* __edi, void* __fp0) {
				signed short* _v8;
				signed int _v12;
				signed char _v13;
				signed int _v16;
				signed int _v18;
				void* _v24;
				char _v28;
				signed int _v44;
				void* __ebp;
				signed int _t136;
				signed short* _t256;
				intOrPtr _t307;
				intOrPtr _t310;
				intOrPtr _t318;
				intOrPtr _t325;
				intOrPtr _t333;
				signed int _t338;
				void* _t346;
				void* _t348;
				intOrPtr _t349;

				_t353 = __fp0;
				_t346 = _t348;
				_t349 = _t348 + 0xffffffd8;
				_v12 = __ecx;
				_v8 = __edx;
				_t256 = __eax;
				_v13 = 1;
				_t338 =  *__eax & 0x0000ffff;
				if((_t338 & 0x00000fff) >= 0x10f) {
					_t136 =  *_v8 & 0x0000ffff;
					if(_t136 != 0) {
						if(_t136 != 1) {
							if(E00418568(_t338,  &_v24) != 0) {
								_push( &_v18);
								if( *((intOrPtr*)( *_v24 + 8))() == 0) {
									_t341 =  *_v8 & 0x0000ffff;
									if(( *_v8 & 0xfff) >= 0x10f) {
										_t98 =  &_v28; // 0x41753f
										if(E00418568(_t341, _t98) != 0) {
											_push( &_v16);
											_t101 =  &_v28; // 0x41753f
											if( *((intOrPtr*)( *((intOrPtr*)( *_t101)) + 4))() == 0) {
												E0041283C(0xb);
												goto L41;
											} else {
												if(( *_t256 & 0x0000ffff) == _v16) {
													_t123 =  &_v28; // 0x41753f
													_v13 =  *(0x53fa8c + _v12 * 2 + ( *((intOrPtr*)( *((intOrPtr*)( *_t123)) + 0x34))(_v12) & 0x0000007f) - 0x1c) & 0x000000ff;
													goto L41;
												} else {
													_push( &_v44);
													L00411898();
													_push(_t346);
													_push(0x417d12);
													_push( *[fs:eax]);
													 *[fs:eax] = _t349;
													_t268 = _v16 & 0x0000ffff;
													E004135CC( &_v44, _v16 & 0x0000ffff, _t256, __edi, __fp0);
													if((_v44 & 0x0000ffff) != _v16) {
														E0041274C(_t268);
													}
													_t112 =  &_v28; // 0x41753f
													_v13 =  *(0x53fa8c + _v12 * 2 + ( *((intOrPtr*)( *((intOrPtr*)( *_t112)) + 0x34))(_v12) & 0x0000007f) - 0x1c) & 0x000000ff;
													_pop(_t307);
													 *[fs:eax] = _t307;
													_push(0x417d46);
													return E00412FD8( &_v44);
												}
											}
										} else {
											E0041283C(0xb);
											goto L41;
										}
									} else {
										_push( &_v44);
										L00411898();
										_push(_t346);
										_push(0x417c5b);
										_push( *[fs:eax]);
										 *[fs:eax] = _t349;
										_t273 =  *_v8 & 0x0000ffff;
										E004135CC( &_v44,  *_v8 & 0x0000ffff, _t256, __edi, __fp0);
										if(( *_v8 & 0x0000ffff) != _v44) {
											E0041274C(_t273);
										}
										_v13 = E004177A0( &_v44, _v12, _v8, _t353);
										_pop(_t310);
										 *[fs:eax] = _t310;
										_push(0x417d46);
										return E00412FD8( &_v44);
									}
								} else {
									if(( *_v8 & 0x0000ffff) == _v18) {
										_v13 =  *(0x53fa8c + _v12 * 2 + ( *((intOrPtr*)( *_v24 + 0x34))(_v12) & 0x0000007f) - 0x1c) & 0x000000ff;
										goto L41;
									} else {
										_push( &_v44);
										L00411898();
										_push(_t346);
										_push(0x417bb8);
										_push( *[fs:eax]);
										 *[fs:eax] = _t349;
										_t278 = _v18 & 0x0000ffff;
										E004135CC( &_v44, _v18 & 0x0000ffff, _v8, __edi, __fp0);
										if((_v44 & 0x0000ffff) != _v18) {
											E0041274C(_t278);
										}
										_v13 =  *(0x53fa8c + _v12 * 2 + ( *((intOrPtr*)( *_v24 + 0x34))(_v12) & 0x0000007f) - 0x1c) & 0x000000ff;
										_pop(_t318);
										 *[fs:eax] = _t318;
										_push(0x417d46);
										return E00412FD8( &_v44);
									}
								}
							} else {
								E0041283C(__ecx);
								goto L41;
							}
						} else {
							_v13 = E00417568(_v12, 2);
							goto L41;
						}
					} else {
						_v13 = E00417554(0, 1);
						goto L41;
					}
				} else {
					if(_t338 != 0) {
						if(_t338 != 1) {
							_t7 =  &_v28; // 0x41753f
							if(E00418568( *_v8 & 0x0000ffff, _t7) != 0) {
								_push( &_v16);
								_t10 =  &_v28; // 0x41753f
								if( *((intOrPtr*)( *((intOrPtr*)( *_t10)) + 4))() == 0) {
									_push( &_v44);
									L00411898();
									_push(_t346);
									_push(0x417ac7);
									_push( *[fs:eax]);
									 *[fs:eax] = _t349;
									_t284 =  *_t256 & 0x0000ffff;
									E004135CC( &_v44,  *_t256 & 0x0000ffff, _v8, __edi, __fp0);
									if((_v44 & 0xfff) !=  *_t256) {
										E0041274C(_t284);
									}
									_v13 = E004177A0(_t256, _v12,  &_v44, _t353);
									_pop(_t325);
									 *[fs:eax] = _t325;
									_push(0x417d46);
									return E00412FD8( &_v44);
								} else {
									if(( *_t256 & 0x0000ffff) == _v16) {
										_t32 =  &_v28; // 0x41753f
										_v13 =  *(0x53fa8c + _v12 * 2 + ( *((intOrPtr*)( *((intOrPtr*)( *_t32)) + 0x34))(_v12) & 0x0000007f) - 0x1c) & 0x000000ff;
										goto L41;
									} else {
										_push( &_v44);
										L00411898();
										_push(_t346);
										_push(0x417a38);
										_push( *[fs:eax]);
										 *[fs:eax] = _t349;
										_t289 = _v16 & 0x0000ffff;
										E004135CC( &_v44, _v16 & 0x0000ffff, _t256, __edi, __fp0);
										if((_v44 & 0xfff) != _v16) {
											E0041274C(_t289);
										}
										_t21 =  &_v28; // 0x41753f
										_v13 =  *(0x53fa8c + _v12 * 2 + ( *((intOrPtr*)( *((intOrPtr*)( *_t21)) + 0x34))(_v12) & 0x0000007f) - 0x1c) & 0x000000ff;
										_pop(_t333);
										 *[fs:eax] = _t333;
										_push(0x417d46);
										return E00412FD8( &_v44);
									}
								}
							} else {
								E0041283C(__ecx);
								goto L41;
							}
						} else {
							_v13 = E00417568(_v12, 0);
							goto L41;
						}
					} else {
						_v13 = E00417554(1, 0);
						L41:
						return _v13 & 0x000000ff;
					}
				}
			}

0x0041792c
0x0041792d
0x0041792f
0x00417934
0x00417937
0x0041793a
0x0041793c
0x00417940
0x0041794d
0x00417ad1
0x00417ad7
0x00417af1
0x00417b13
0x00417b22
0x00417b35
0x00417bed
0x00417bfa
0x00417c62
0x00417c71
0x00417c80
0x00417c88
0x00417c92
0x00417d41
0x00000000
0x00417c98
0x00417c9f
0x00417d22
0x00417d3c
0x00000000
0x00417ca1
0x00417ca4
0x00417ca5
0x00417cac
0x00417cad
0x00417cb2
0x00417cb5
0x00417cb8
0x00417cc1
0x00417cce
0x00417cd0
0x00417cd0
0x00417cdf
0x00417cf9
0x00417cfe
0x00417d01
0x00417d04
0x00417d11
0x00417d11
0x00417c9f
0x00417c73
0x00417c73
0x00000000
0x00417c73
0x00417bfc
0x00417bff
0x00417c00
0x00417c07
0x00417c08
0x00417c0d
0x00417c10
0x00417c16
0x00417c1e
0x00417c2d
0x00417c2f
0x00417c2f
0x00417c42
0x00417c47
0x00417c4a
0x00417c4d
0x00417c5a
0x00417c5a
0x00417b3b
0x00417b45
0x00417be2
0x00000000
0x00417b47
0x00417b4a
0x00417b4b
0x00417b52
0x00417b53
0x00417b58
0x00417b5b
0x00417b5e
0x00417b68
0x00417b75
0x00417b77
0x00417b77
0x00417b9f
0x00417ba4
0x00417ba7
0x00417baa
0x00417bb7
0x00417bb7
0x00417b45
0x00417b15
0x00417b15
0x00000000
0x00417b15
0x00417af3
0x00417aff
0x00000000
0x00417aff
0x00417ad9
0x00417ae2
0x00000000
0x00417ae2
0x00417953
0x00417956
0x0041796d
0x00417983
0x00417993
0x004179a2
0x004179aa
0x004179b4
0x00417a6d
0x00417a6e
0x00417a75
0x00417a76
0x00417a7b
0x00417a7e
0x00417a81
0x00417a8a
0x00417a9a
0x00417a9c
0x00417a9c
0x00417aae
0x00417ab3
0x00417ab6
0x00417ab9
0x00417ac6
0x004179ba
0x004179c1
0x00417a48
0x00417a62
0x00000000
0x004179c3
0x004179c6
0x004179c7
0x004179ce
0x004179cf
0x004179d4
0x004179d7
0x004179da
0x004179e3
0x004179f4
0x004179f6
0x004179f6
0x00417a05
0x00417a1f
0x00417a24
0x00417a27
0x00417a2a
0x00417a37
0x00417a37
0x004179c1
0x00417995
0x00417995
0x00000000
0x00417995
0x0041796f
0x0041797b
0x00000000
0x0041797b
0x00417958
0x00417961
0x00417d46
0x00417d4f
0x00417d4f
0x00417956

Strings

?uA, xrefs: 00417C62, 00417C88, 00417D22, 00417CDF, 00417983, 004179AA, 00417A48, 00417A05

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID:
String ID: ?uA
API String ID: 0-2212857610
Opcode ID: 2a9d1349c0b7e1bacb091f9800a8b2caa41ba8c7e68f3d2e864c2d609c76cc86
Instruction ID: b9814757fb559c2a0d08541edad1c14788bc90cafddcfcef193407997199bc80
Opcode Fuzzy Hash: 2a9d1349c0b7e1bacb091f9800a8b2caa41ba8c7e68f3d2e864c2d609c76cc86
Instruction Fuzzy Hash: 5CD1D035A04149EFCB00EF95C4818FEBBB6EF49714F5440AAE841A7351D738AEC6DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00428740 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
threadsynchronizationwindowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00428740(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				long _v12;
				intOrPtr _v16;
				void* _v20;
				long _v24;
				struct tagMSG _v52;
				void* __ebp;
				long _t25;
				intOrPtr _t35;
				void* _t44;
				signed int _t45;
				void* _t47;
				void* _t48;

				_t48 = __esi;
				_t47 = __edi;
				_t44 = __ebx;
				_v8 = __eax;
				_t3 = _v8 + 4; // 0x8bfc458b
				_v20 =  *_t3;
				_t25 = GetCurrentThreadId();
				_t45 =  *0x54545c; // 0x546034
				if(_t25 !=  *_t45) {
					WaitForSingleObject(_v20, 0xffffffff);
				} else {
					_v24 = 0;
					_t35 =  *0x5492d0; // 0x274
					_v16 = _t35;
					do {
						if(_v24 == 2) {
							PeekMessageA( &_v52, 0, 0, 0, 0);
						}
						_v24 = MsgWaitForMultipleObjects(2,  &_v20, 0, 0x3e8, 0x40);
						_t45 = _t45 & 0xffffff00 | _v24 != 0xffffffff;
						E00428380(_v8, _t45);
						if(_v24 == 1) {
							E00427EC8(0, _t44, _t47, _t48);
						}
					} while (_v24 != 0);
				}
				GetExitCodeThread(_v20,  &_v12);
				asm("sbb edx, edx");
				E00428380(_v8, _t45 + 1);
				return _v12;
			}

0x00428740
0x00428740
0x00428740
0x00428746
0x0042874c
0x0042874f
0x00428752
0x00428757
0x0042875f
0x004287c6
0x00428761
0x00428763
0x00428766
0x0042876b
0x0042876e
0x00428772
0x00428780
0x00428780
0x00428799
0x004287a0
0x004287a6
0x004287af
0x004287b3
0x004287b3
0x004287b8
0x004287be
0x004287d3
0x004287db
0x004287e1
0x004287ec

APIs

GetCurrentThreadId.KERNEL32 ref: 00428752
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00428780
MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 00428794
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004287C6
GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 004287D3

Strings

4`T, xrefs: 00428757

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: ThreadWait$CodeCurrentExitMessageMultipleObjectObjectsPeekSingle
String ID: 4`T
API String ID: 1797888035-3587729940
Opcode ID: 0afceee8431f44f2eecd6697290db245f75fe8c9456233febed8f1f7aa2cfa81
Instruction ID: 81de654f3c07fc110bc62734252d93c5aabf48d83f82b50234fc9d05661174fc
Opcode Fuzzy Hash: 0afceee8431f44f2eecd6697290db245f75fe8c9456233febed8f1f7aa2cfa81
Instruction Fuzzy Hash: 96113330E01219ABCB10DBA4DD46BAEB3F8AB44714F60066AF514F72C1DA749E008B55

Uniqueness

Uniqueness Score: -1.00%

Function 00403FFC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49
registryCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00403FFC() {
				void* _v8;
				char _v12;
				int _v16;
				signed short _t14;
				intOrPtr _t27;
				void* _t29;
				void* _t31;
				intOrPtr _t32;

				_t29 = _t31;
				_t32 = _t31 + 0xfffffff4;
				_v12 =  *0x53f024 & 0x0000ffff;
				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
					_t14 =  *0x53f024 & 0xffc0 | _v12 & 0x3f;
					 *0x53f024 = _t14;
					return _t14;
				} else {
					_push(_t29);
					_push("�^	");
					_push( *[fs:eax]);
					 *[fs:eax] = _t32;
					_v16 = 4;
					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(0x404074);
					return RegCloseKey(_v8);
				}
			}

0x00403ffd
0x00403fff
0x00404009
0x00404025
0x00404087
0x0040408a
0x00404093
0x00404027
0x00404029
0x0040402a
0x0040402f
0x00404032
0x00404035
0x00404051
0x00404058
0x0040405b
0x0040405e
0x0040406c
0x0040406c

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040401E
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,^,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00404051
RegCloseKey.ADVAPI32(?,00404074,00000000,?,00000004,00000000,^,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00404067

Strings

^, xrefs: 0040402A
FPUMaskValue, xrefs: 00404048
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404014

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL$^
API String ID: 3677997916-3529713538
Opcode ID: b257ae8e61bc8f891c5a431575b3fe330ee76ea97b4a0e692a20297e87adc608
Instruction ID: a4cba582660ef28f862fc1f1484d661cf89a7b1b2e0ef50f3f096a0439c6d171
Opcode Fuzzy Hash: b257ae8e61bc8f891c5a431575b3fe330ee76ea97b4a0e692a20297e87adc608
Instruction Fuzzy Hash: 770192B9900308BAEB11DBA18C02FAA73ECEB48B04F100076BB00F26D1E6785A10D769

Uniqueness

Uniqueness Score: -1.00%

Function 0040E6D4 Relevance: 7.6, APIs: 5, Instructions: 53
threadCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040E6D4(void* __eflags) {
				signed int _v8;
				long _v12;
				char _v16;
				intOrPtr _t41;
				void* _t44;
				void* _t46;

				_t46 = __eflags;
				_v16 = 0;
				_push(_t44);
				_push(0x40e780);
				_push( *[fs:eax]);
				 *[fs:eax] = _t44 + 0xfffffff4;
				E0040E3EC(GetThreadLocale(), 0x40e794, 0x100b,  &_v16);
				_v12 = E0040A460(_v16, 1, _t46);
				if(_v12 + 0xfffffffd - 3 < 0) {
					EnumCalendarInfoA(E0040E5FC, GetThreadLocale(), _v12, 4);
					_v8 = 1;
					do {
						 *((intOrPtr*)(0x5488f0 + _v8 * 4)) = 0xffffffff;
						_v8 = _v8 + 1;
					} while (_v8 != 8);
					EnumCalendarInfoA(E0040E648, GetThreadLocale(), _v12, 3);
				}
				_pop(_t41);
				 *[fs:eax] = _t41;
				_push(0x40e787);
				return E0040513C( &_v16);
			}

0x0040e6d4
0x0040e6dc
0x0040e6e1
0x0040e6e2
0x0040e6e7
0x0040e6ea
0x0040e700
0x0040e712
0x0040e71e
0x0040e731
0x0040e736
0x0040e73d
0x0040e740
0x0040e74b
0x0040e74e
0x0040e765
0x0040e765
0x0040e76c
0x0040e76f
0x0040e772
0x0040e77f

APIs

GetThreadLocale.KERNEL32(?,00000000,0040E780), ref: 0040E6F1

Part of subcall function 0040E3EC: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040E412

GetThreadLocale.KERNEL32(?,00000004,00000000,0040E780), ref: 0040E726
EnumCalendarInfoA.KERNEL32(Function_0000E5FC,00000000,?,00000004), ref: 0040E731
GetThreadLocale.KERNEL32(?,00000003,00000000,0040E780), ref: 0040E75A
EnumCalendarInfoA.KERNEL32(Function_0000E648,00000000,?,00000003), ref: 0040E765

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 6ea151f5057f48dbc6977af5b86a7bad7bf117f05103630925e008021880393a
Instruction ID: 311bc064b1842a9c7eb74ccb98e787f914651ec60d058e537ae3f56fa4e24376
Opcode Fuzzy Hash: 6ea151f5057f48dbc6977af5b86a7bad7bf117f05103630925e008021880393a
Instruction Fuzzy Hash: FF118674E04208AFDB00EBB6CC42A9EBBB8EB45718F204976F510F72C1D77D6A108A1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E798 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 172
threadCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040E798(intOrPtr __eax, intOrPtr __edx, void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v25;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				void* _t106;
				char _t107;
				signed int _t112;
				signed int _t115;
				signed int _t118;
				signed int _t121;
				intOrPtr _t152;
				void* _t153;
				char _t154;
				signed int _t161;
				intOrPtr _t186;
				intOrPtr _t192;
				void* _t210;
				void* _t212;

				_t212 = __eflags;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v12 = __edx;
				_v8 = __eax;
				_push(_t210);
				_push(0x40e9de);
				_push( *[fs:eax]);
				 *[fs:eax] = _t210 + 0xffffffd8;
				_v16 = 1;
				E0040513C(_v12);
				E0040E3EC(GetThreadLocale(), 0x40e9f4, 0x1009,  &_v32);
				_v24 = E0040A460(_v32, 1, _t212);
				if(_v24 + 0xfffffffd - 3 < 0) {
					while(1) {
						_t106 = E004053FC(_v8);
						__eflags = _t106 - _v16;
						if(_t106 < _v16) {
							break;
						}
						_t107 = _v16;
						_t186 = _v8;
						__eflags =  *(_t186 + _t107 - 1) & 0x000000ff;
						asm("bt [0x53f83c], eax");
						if(( *(_t186 + _t107 - 1) & 0x000000ff) >= 0) {
							_t112 = E0040B274(_v8 + _v16 - 1, 2, 0x40e9f8);
							__eflags = _t112;
							if(_t112 != 0) {
								_t115 = E0040B274(_v8 + _v16 - 1, 4, 0x40ea08);
								__eflags = _t115;
								if(_t115 != 0) {
									_t118 = E0040B274(_v8 + _v16 - 1, 2, 0x40ea20);
									__eflags = _t118;
									if(_t118 != 0) {
										_t121 =  *((intOrPtr*)(_v8 + _v16 - 1)) - 0x59;
										__eflags = _t121;
										if(_t121 == 0) {
											L24:
											E00405408(_v12, 0x40ea38);
											L26:
											_t88 =  &_v16;
											 *_t88 = _v16 + 1;
											__eflags =  *_t88;
											continue;
										}
										__eflags = _t121 != 0x20;
										if(_t121 != 0x20) {
											E00405324();
											E00405408(_v12, _v44);
											goto L26;
										}
										goto L24;
									}
									E00405408(_v12, 0x40ea2c);
									_v16 = _v16 + 1;
									goto L26;
								}
								E00405408(_v12, 0x40ea18);
								_v16 = _v16 + 3;
								goto L26;
							}
							E00405408(_v12, 0x40ea04);
							_v16 = _v16 + 1;
							goto L26;
						}
						_v20 = E0040FC8C(_v8, _v16);
						E00405660(_v8, _v20, _v16,  &_v40);
						E00405408(_v12, _v40);
						_v16 = _v16 + _v20;
					}
					L28:
					_pop(_t192);
					 *[fs:eax] = _t192;
					_push(0x40e9e5);
					return E00405160( &_v44, 4);
				}
				_t152 =  *0x5488cc; // 0x9
				_t153 = _t152 - 4;
				if(_t153 == 0 || _t153 + 0xfffffff3 - 2 < 0) {
					_t154 = 1;
				} else {
					_t154 = 0;
				}
				_v25 = _t154;
				if(_v25 == 0) {
					E00405190(_v12, _v8);
				} else {
					while(E004053FC(_v8) >= _v16) {
						_t161 =  *((intOrPtr*)(_v8 + _v16 - 1)) - 0x47;
						__eflags = _t161;
						if(_t161 != 0) {
							__eflags = _t161 != 0x20;
							if(_t161 != 0x20) {
								E00405324();
								E00405408(_v12, _v36);
							}
						}
						_t27 =  &_v16;
						 *_t27 = _v16 + 1;
						__eflags =  *_t27;
					}
				}
			}

0x0040e798
0x0040e7a0
0x0040e7a3
0x0040e7a6
0x0040e7a9
0x0040e7ac
0x0040e7af
0x0040e7b4
0x0040e7b5
0x0040e7ba
0x0040e7bd
0x0040e7c0
0x0040e7ca
0x0040e7e2
0x0040e7f4
0x0040e800
0x0040e9b2
0x0040e9b5
0x0040e9ba
0x0040e9bd
0x00000000
0x00000000
0x0040e880
0x0040e883
0x0040e88a
0x0040e88f
0x0040e896
0x0040e8e5
0x0040e8ea
0x0040e8ec
0x0040e91a
0x0040e91f
0x0040e921
0x0040e94d
0x0040e952
0x0040e954
0x0040e975
0x0040e975
0x0040e977
0x0040e97d
0x0040e985
0x0040e9af
0x0040e9af
0x0040e9af
0x0040e9af
0x00000000
0x0040e9af
0x0040e979
0x0040e97b
0x0040e99c
0x0040e9a7
0x00000000
0x0040e9ac
0x00000000
0x0040e97b
0x0040e95e
0x0040e966
0x00000000
0x0040e966
0x0040e92b
0x0040e933
0x00000000
0x0040e933
0x0040e8f6
0x0040e8fe
0x00000000
0x0040e8fe
0x0040e8a3
0x0040e8b3
0x0040e8be
0x0040e8c9
0x0040e8c9
0x0040e9c3
0x0040e9c5
0x0040e9c8
0x0040e9cb
0x0040e9dd
0x0040e9dd
0x0040e806
0x0040e80b
0x0040e80e
0x0040e81c
0x0040e818
0x0040e818
0x0040e818
0x0040e81e
0x0040e825
0x0040e876
0x0040e827
0x0040e85e
0x0040e833
0x0040e833
0x0040e835
0x0040e837
0x0040e839
0x0040e848
0x0040e853
0x0040e858
0x0040e839
0x0040e85b
0x0040e85b
0x0040e85b
0x0040e85b
0x0040e86b

APIs

GetThreadLocale.KERNEL32(?,00000000,0040E9DE), ref: 0040E7D3

Part of subcall function 0040E3EC: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040E412

Strings

yyyy, xrefs: 0040E906
eeee, xrefs: 0040E926
ggg, xrefs: 0040E8F1

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: eed8b94a3dc9499f587e628e1f7ce5f4585f6ba6490b499e9096c8317b1e5f12
Instruction ID: ef723f25a4754bf6e646247f43cd9ddc6825b4597c76fdcd79dd5ea9b4c628f3
Opcode Fuzzy Hash: eed8b94a3dc9499f587e628e1f7ce5f4585f6ba6490b499e9096c8317b1e5f12
Instruction Fuzzy Hash: F2713F74E04509DBCB04EBA6C5859EEF7B1EF49304F2085BAE850B7381C738AE529F59

Uniqueness

Uniqueness Score: -1.00%

Function 0042BE6C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0042BE6C(intOrPtr* _a4, signed int _a8) {
				intOrPtr _v8;
				void* __ecx;
				void* __ebp;
				intOrPtr _t31;

				if( *0x54933e != 0) {
					_v8 = 0;
					if((_a8 & 0x00000003) != 0 ||  *((intOrPtr*)(_a4 + 8)) > 0 &&  *((intOrPtr*)(_a4 + 0xc)) > 0 && GetSystemMetrics(0) >  *_a4 && GetSystemMetrics(1) >  *((intOrPtr*)(_a4 + 4))) {
						_v8 = 0x12340042;
					}
				} else {
					_t31 =  *0x54931c; // 0x42be6c
					 *0x54931c = E0042BCC8(2, "MonitorFromRect", _t31);
					_v8 =  *0x54931c(_a4, _a8);
				}
				return _v8;
			}

0x0042be77
0x0042bea5
0x0042beb0
0x0042bee3
0x0042bee3
0x0042be79
0x0042be7e
0x0042be8b
0x0042be9e
0x0042be9e
0x0042beef

APIs

GetSystemMetrics.USER32(00000000), ref: 0042BEC6
GetSystemMetrics.USER32(00000001), ref: 0042BED5

Part of subcall function 0042BCC8: GetProcAddress.KERNEL32(745C0000,00000000), ref: 0042BD53

Strings

B, xrefs: 0042BEE3
MonitorFromRect, xrefs: 0042BE79

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: MetricsSystem$AddressProc
String ID: B$MonitorFromRect
API String ID: 1792783759-2754499530
Opcode ID: 54ab40dd6e5df7d7f97e52ad79760e29334bae62ae04fafc55e684f65e52b407
Instruction ID: b8d6ec3073c44836359fd3c43f56f52871eb3d8508d384a65652f1b72aeec5c5
Opcode Fuzzy Hash: 54ab40dd6e5df7d7f97e52ad79760e29334bae62ae04fafc55e684f65e52b407
Instruction Fuzzy Hash: 26111774604118EFCB00CF58E946BDABBE4EB16314F91C44AE908CB351C379EE85DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00410C34 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410C34() {
				struct HINSTANCE__* _v8;
				_Unknown_base(*)()* _t4;

				_t4 = GetModuleHandleA("kernel32.dll");
				_v8 = _t4;
				if(_v8 != 0) {
					_t4 = GetProcAddress(_v8, "GetDiskFreeSpaceExA");
					 *0x53f860 = _t4;
				}
				if( *0x53f860 == 0) {
					 *0x53f860 = E0040AEF0;
					return E0040AEF0;
				}
				return _t4;
			}

0x00410c3d
0x00410c42
0x00410c49
0x00410c54
0x00410c59
0x00410c59
0x00410c65
0x00410c6c
0x00000000
0x00410c6c
0x00410c73

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00410C3D
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 00410C54

Strings

kernel32.dll, xrefs: 00410C38
GetDiskFreeSpaceExA, xrefs: 00410C4B

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 0c366e16f4cc290337a3a8472756c8e7bc7ec2b87d38fa188cf8cc53f830f814
Instruction ID: 31d8e0e4f6654210a0ac43bd5596cbfe4b1bcb313eb6e87a290f8127d8ed78cf
Opcode Fuzzy Hash: 0c366e16f4cc290337a3a8472756c8e7bc7ec2b87d38fa188cf8cc53f830f814
Instruction Fuzzy Hash: 56E0BF70D4434CAEDB08EBA5D905799B6A4E710318F10427BA500673A1E7B969C4EF9D

Uniqueness

Uniqueness Score: -1.00%

Function 00420060 Relevance: 6.4, APIs: 5, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00420060(intOrPtr* __eax, intOrPtr __edx, void* __edi, void* __eflags) {
				intOrPtr* _v8;
				intOrPtr _v12;
				CHAR* _v16;
				CHAR* _v20;
				char _v24;
				void* _t69;
				intOrPtr _t71;
				intOrPtr _t72;
				intOrPtr _t77;
				void* _t79;
				CHAR* _t82;
				intOrPtr _t85;
				void* _t100;
				intOrPtr _t131;
				void* _t135;
				void* _t136;
				void* _t137;
				void* _t138;
				intOrPtr _t139;

				_t135 = __edi;
				_t137 = _t138;
				_t139 = _t138 + 0xffffffec;
				_v24 = 0;
				_v12 = __edx;
				_v8 = __eax;
				 *[fs:eax] = _t139;
				E0041F08C(_v8);
				 *[fs:eax] = _t139;
				 *((intOrPtr*)( *_v8 + 0x44))( *[fs:eax], 0x4201eb, _t137,  *[fs:eax], 0x420208, _t137, _t136);
				_v16 = E00405600(_v12);
				if(E004202AC(_v8) != 0) {
					L24:
					while( *_v16 != 0) {
						_t69 = E00420280(_v8);
						__eflags = _t69 -  *_v16;
						if(_t69 !=  *_v16) {
							_v20 = _v16;
							while(1) {
								_t71 = _v8;
								__eflags =  *((char*)(_t71 + 0xe));
								if( *((char*)(_t71 + 0xe)) != 0) {
									goto L11;
								}
								L10:
								__eflags =  *_v16 - 0x20;
								if( *_v16 > 0x20) {
									L13:
									_t100 = E00420214(_v8);
									__eflags = _t100 -  *_v16;
									if(_t100 !=  *_v16) {
										_v16 = CharNextA(_v16);
										_t71 = _v8;
										__eflags =  *((char*)(_t71 + 0xe));
										if( *((char*)(_t71 + 0xe)) != 0) {
											goto L11;
										}
										goto L10;
									}
									L14:
									__eflags = _v16 - _v20;
									E0040522C( &_v24, _v16 - _v20, _v20, _v16 - _v20);
									L15:
									 *((intOrPtr*)( *_v8 + 0x38))();
									_t77 = _v8;
									__eflags =  *((char*)(_t77 + 0xe));
									if( *((char*)(_t77 + 0xe)) != 0) {
										L19:
										_t79 = E00420214(_v8);
										__eflags = _t79 -  *_v16;
										if(_t79 !=  *_v16) {
											goto L24;
										}
										_v20 = _v16;
										_t82 = CharNextA(_v20);
										__eflags =  *_t82;
										if( *_t82 == 0) {
											__eflags = 0;
											 *((intOrPtr*)( *_v8 + 0x38))();
										}
										while(1) {
											_v16 = CharNextA(_v16);
											_t85 = _v8;
											__eflags =  *((char*)(_t85 + 0xe));
											if( *((char*)(_t85 + 0xe)) != 0) {
												goto L24;
											}
											__eflags =  *_v16 - 0xffffffffffffffe1;
											if( *_v16 - 0xffffffffffffffe1 < 0) {
												continue;
											}
											goto L24;
										}
										goto L24;
									}
									while(1) {
										__eflags =  *_v16 - 0xffffffffffffffe1;
										if( *_v16 - 0xffffffffffffffe1 >= 0) {
											goto L19;
										}
										_v16 = CharNextA(_v16);
									}
									goto L19;
								}
								L11:
								_t72 = _v8;
								__eflags =  *((char*)(_t72 + 0xe));
								if( *((char*)(_t72 + 0xe)) == 0) {
									goto L14;
								}
								__eflags =  *_v16;
								if( *_v16 == 0) {
									goto L14;
								}
								goto L13;
							}
						}
						E00409DDC( &_v16,  &_v24, E00420280(_v8), _t135);
						goto L15;
					}
					_pop(_t131);
					 *[fs:eax] = _t131;
					_push(0x4201f2);
					return E0041F15C(_v8);
				}
				while( *_v16 - 0xffffffffffffffe1 < 0) {
					_v16 = CharNextA(_v16);
				}
				goto L24;
			}

0x00420060
0x00420061
0x00420063
0x00420068
0x0042006b
0x0042006e
0x0042007c
0x00420082
0x00420092
0x0042009a
0x004200a5
0x004200b2
0x00000000
0x004201c9
0x004200d8
0x004200e0
0x004200e2
0x004200fe
0x0042010f
0x0042010f
0x00420112
0x00420116
0x00000000
0x00000000
0x00420118
0x0042011b
0x0042011e
0x00420131
0x00420134
0x0042013c
0x0042013e
0x0042010c
0x0042010f
0x00420112
0x00420116
0x00000000
0x00000000
0x00000000
0x00420116
0x00420140
0x00420143
0x0042014c
0x00420151
0x00420159
0x0042015c
0x0042015f
0x00420163
0x0042017d
0x00420180
0x00420188
0x0042018a
0x00000000
0x00000000
0x0042018f
0x00420196
0x0042019b
0x0042019e
0x004201a0
0x004201a7
0x004201a7
0x004201aa
0x004201b3
0x004201b6
0x004201b9
0x004201bd
0x00000000
0x00000000
0x004201c5
0x004201c7
0x00000000
0x00000000
0x00000000
0x004201c7
0x00000000
0x004201aa
0x00420173
0x00420179
0x0042017b
0x00000000
0x00000000
0x00420170
0x00420170
0x00000000
0x00420173
0x00420120
0x00420120
0x00420123
0x00420127
0x00000000
0x00000000
0x0042012c
0x0042012f
0x00000000
0x00000000
0x00000000
0x0042012f
0x0042010f
0x004200f4
0x00000000
0x004200f4
0x004201d7
0x004201da
0x004201dd
0x004201ea
0x004201ea
0x004200c6
0x004200c3
0x004200c3
0x00000000

APIs

CharNextA.USER32(?,?,00000000,00420208), ref: 004200BE
CharNextA.USER32(?,?,00000000,00420208), ref: 0042016B
CharNextA.USER32(?,?,00000000,00420208), ref: 00420196
CharNextA.USER32(?,?,?,00000000,00420208), ref: 004201AE

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 8bbfbbfc73bbb292a93c9ba9a597e8e2bf2e93bbaf05527cb4aaff614185aaf2
Instruction ID: d0ff4cd284d4aa6951416f3b218772eec3c0ac07fb840a855a541865dd785c2f
Opcode Fuzzy Hash: 8bbfbbfc73bbb292a93c9ba9a597e8e2bf2e93bbaf05527cb4aaff614185aaf2
Instruction Fuzzy Hash: 66511830F04158EFDB11DBA9D895AAEBBF1EF05304F9080E6E450A7262C739AE41DB19

Uniqueness

Uniqueness Score: -1.00%

Function 00412DE0 Relevance: 6.1, APIs: 4, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00412DE0(signed short* __eax) {
				char _v260;
				char _v768;
				char _v772;
				signed short* _v776;
				signed short* _v780;
				char _v784;
				signed int _v788;
				char _v792;
				intOrPtr* _v796;
				signed char _t43;
				intOrPtr* _t60;
				void* _t79;
				void* _t81;
				void* _t84;
				void* _t85;
				intOrPtr* _t92;
				void* _t96;
				char* _t97;
				void* _t98;

				_v776 = __eax;
				if((_v776[0] & 0x00000020) == 0) {
					E00412C28(0x80070057);
				}
				_t43 =  *_v776 & 0x0000ffff;
				if((_t43 & 0x00000fff) == 0xc) {
					if((_t43 & 0x00000040) == 0) {
						_v780 = _v776[4];
					} else {
						_v780 =  *(_v776[4]);
					}
					_v788 =  *_v780 & 0x0000ffff;
					_t79 = _v788 - 1;
					if(_t79 >= 0) {
						_t85 = _t79 + 1;
						_t96 = 0;
						_t97 =  &_v772;
						do {
							_v796 = _t97;
							_push(_v796 + 4);
							_t22 = _t96 + 1; // 0x1
							_push(_v780);
							L00411D74();
							E00412C28(_v780);
							_push( &_v784);
							_t25 = _t96 + 1; // 0x1
							_push(_v780);
							L00411D7C();
							E00412C28(_v780);
							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
							_t96 = _t96 + 1;
							_t97 = _t97 + 8;
							_t85 = _t85 - 1;
						} while (_t85 != 0);
					}
					_t81 = _v788 - 1;
					if(_t81 >= 0) {
						_t84 = _t81 + 1;
						_t60 =  &_v768;
						_t92 =  &_v260;
						do {
							 *_t92 =  *_t60;
							_t92 = _t92 + 4;
							_t60 = _t60 + 8;
							_t84 = _t84 - 1;
						} while (_t84 != 0);
						do {
							goto L12;
						} while (E00412D84(_t83, _t98) != 0);
						goto L15;
					}
					L12:
					_t83 = _v788 - 1;
					if(E00412D54(_v788 - 1, _t98) != 0) {
						_push( &_v792);
						_push( &_v260);
						_push(_v780);
						L00411D84();
						E00412C28(_v780);
						E00412FD8(_v792);
					}
				}
				L15:
				_push(_v776);
				L004118A0();
				return E00412C28(_v776);
			}

0x00412dec
0x00412dfc
0x00412e03
0x00412e03
0x00412e0e
0x00412e1c
0x00412e2b
0x00412e49
0x00412e2d
0x00412e38
0x00412e38
0x00412e58
0x00412e64
0x00412e67
0x00412e69
0x00412e6a
0x00412e6c
0x00412e72
0x00412e74
0x00412e83
0x00412e84
0x00412e8e
0x00412e8f
0x00412e94
0x00412e9f
0x00412ea0
0x00412eaa
0x00412eab
0x00412eb0
0x00412ecb
0x00412ecd
0x00412ece
0x00412ed1
0x00412ed1
0x00412e72
0x00412eda
0x00412edd
0x00412edf
0x00412ee0
0x00412ee6
0x00412eec
0x00412eee
0x00412ef0
0x00412ef3
0x00412ef6
0x00412ef6
0x00412ef9
0x00000000
0x00000000
0x00000000
0x00412ef9
0x00412ef9
0x00412f00
0x00412f0b
0x00412f13
0x00412f1a
0x00412f21
0x00412f22
0x00412f27
0x00412f32
0x00412f32
0x00412f40
0x00412f44
0x00412f4a
0x00412f4b
0x00412f5b

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00412E8F
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00412EAB
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00412F22
VariantClear.OLEAUT32(?), ref: 00412F4B

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: caa889b1331f5c323ac89b0da0adcd99bbc18575d7beb09748198d58efd46eea
Instruction ID: 4dc2754e2dc17817f9f74060fd3840e610a43bda67b2fcf3d95b9b0c27e398cf
Opcode Fuzzy Hash: caa889b1331f5c323ac89b0da0adcd99bbc18575d7beb09748198d58efd46eea
Instruction Fuzzy Hash: B9410F75A006199FCB62DB59DD90ADAB3BCEF08304F0046DAE648E7212DA74AFD18F54

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA4C Relevance: 6.1, APIs: 4, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040EA4C(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __edi, void* __fp0, intOrPtr _a4) {
				intOrPtr* _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v297;
				char _v558;
				char _v814;
				struct _MEMORY_BASIC_INFORMATION _v844;
				char _v848;
				intOrPtr _v852;
				char _v856;
				intOrPtr _v860;
				char _v864;
				intOrPtr _v868;
				char _v872;
				char* _v876;
				char _v880;
				char _v884;
				char _v1140;
				struct HINSTANCE__* _t62;
				intOrPtr _t75;
				struct HINSTANCE__* _t77;
				intOrPtr _t114;
				void* _t118;
				void* _t125;

				_t125 = __fp0;
				_t118 = __edi;
				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				VirtualQuery(_v12,  &_v844, 0x1c);
				if(_v844.State != 0x1000 || GetModuleFileNameA(_v844.AllocationBase,  &_v558, 0x105) == 0) {
					_t62 =  *0x5487f8; // 0x400000
					GetModuleFileNameA(_t62,  &_v558, 0x105);
					_v36 = E0040EA3C(_v12);
				} else {
					_v36 = _v12 - _v844.AllocationBase;
				}
				E0040B118( &_v297, 0x104, E00410120( &_v558, 0x5c) + 1);
				_v24 = 0x40ebfc;
				_v28 = 0x40ebfc;
				_t114 =  *0x408c2c; // 0x408c78
				if(E00404388(_v8, _t114) != 0) {
					_v24 = E00405600( *((intOrPtr*)(_v8 + 4)));
					_v32 = E0040B088(_v24, _t118);
					if(_v32 != 0 &&  *((char*)(_v24 + _v32 - 1)) != 0x2e) {
						_v28 = 0x40ec00;
					}
				}
				_t75 =  *0x545418; // 0x4089cc
				_t32 = _t75 + 4; // 0xffeb
				_t77 =  *0x5487f8; // 0x400000
				LoadStringA(E004068F8(_t77),  *_t32,  &_v814, 0x100);
				E004040DC( *_v8,  &_v1140);
				_v884 =  &_v1140;
				_v880 = 4;
				_v876 =  &_v297;
				_v872 = 6;
				_v868 = _v36;
				_v864 = 5;
				_v860 = _v24;
				_v856 = 6;
				_v852 = _v28;
				_v848 = 6;
				E0040B8A0(_v16,  &_v814, _a4, _t118, _t125, 4,  &_v884);
				_v20 = E0040B088(_v16, _t118);
				return _v20;
			}

0x0040ea4c
0x0040ea4c
0x0040ea55
0x0040ea58
0x0040ea5b
0x0040ea6b
0x0040ea7a
0x0040eaa4
0x0040eaaa
0x0040eab9
0x0040eabe
0x0040eac7
0x0040eac7
0x0040eae5
0x0040eaef
0x0040eaf7
0x0040eafd
0x0040eb0a
0x0040eb17
0x0040eb22
0x0040eb29
0x0040eb3d
0x0040eb3d
0x0040eb29
0x0040eb4c
0x0040eb51
0x0040eb55
0x0040eb60
0x0040eb70
0x0040eb7b
0x0040eb81
0x0040eb8e
0x0040eb94
0x0040eb9e
0x0040eba4
0x0040ebae
0x0040ebb4
0x0040ebbe
0x0040ebc4
0x0040ebe0
0x0040ebed
0x0040ebf6

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040EA6B
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040EA8F
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040EAAA
LoadStringA.USER32(00000000,0000FFEB,?,00000100), ref: 0040EB60

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 88b0f1d6c0570c30c31b1e9558b4f785441179290571e1db126fb0b066288775
Instruction ID: d7b5210dde3b5fcb0ee24ead076ce876e7b1c7ff945549cd487c37f8fa6f8d32
Opcode Fuzzy Hash: 88b0f1d6c0570c30c31b1e9558b4f785441179290571e1db126fb0b066288775
Instruction Fuzzy Hash: 9251E770D002199FDB11DBA9C885BDEBBF8AB08304F1044AAE548F7291D779AF848F59

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB38 Relevance: 6.1, APIs: 4, Instructions: 68
timefileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040AB38(WORD* __eax) {
				WORD* _v8;
				long _v12;
				struct _FILETIME _v20;
				signed int _v24;
				WORD* _t63;
				intOrPtr* _t73;

				_v8 = __eax;
				while((_v8[0x10].dwFileAttributes & _v8[0xc]) != 0) {
					if(FindNextFileA(_v8[0xe],  &(_v8[0x10])) != 0) {
						continue;
					} else {
						_v12 = GetLastError();
					}
					L5:
					return _v12;
				}
				FileTimeToLocalFileTime( &(_v8[0x1a]),  &_v20);
				FileTimeToDosDateTime( &_v20,  &(_v8[1]), _v8);
				_push(0);
				_push(_v8[0x20]);
				_t63 = _v8;
				 *((intOrPtr*)(_t63 + 8)) =  *_t73;
				 *(_t63 + 0xc) = _v8[0x1e] | _v24;
				_v8[8] = _v8[0x10];
				E004053AC( &(_v8[0xa]), 0x104,  &(_v8[0x26]));
				_v12 = 0;
				goto L5;
			}

0x0040ab3e
0x0040ab67
0x0040ab58
0x00000000
0x0040ab5a
0x0040ab5f
0x0040ab5f
0x0040abe9
0x0040abef
0x0040abef
0x0040ab80
0x0040ab94
0x0040aba1
0x0040aba2
0x0040abb9
0x0040abbc
0x0040abbf
0x0040abcb
0x0040abdf
0x0040abe6
0x00000000

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040AB51
GetLastError.KERNEL32(?,?), ref: 0040AB5A
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0040AB80
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040AB94

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: FileTime$DateErrorFindLastLocalNext
String ID:
API String ID: 2103556486-0
Opcode ID: 110b8034df6e0f9f15833521b5b1f280b4429586cd90f81aa3c026b33f3db8fa
Instruction ID: 6692d9608e268d79ffd3478b910406d2ed4782d0b76591220de2ec3134dc900f
Opcode Fuzzy Hash: 110b8034df6e0f9f15833521b5b1f280b4429586cd90f81aa3c026b33f3db8fa
Instruction Fuzzy Hash: 6321B975E00208EFCB40DFA9C981E9EB7F9BF48308B2485A5E504E7342D634EF519B55

Uniqueness

Uniqueness Score: -1.00%

Function 00421DF0 Relevance: 6.1, APIs: 4, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00421DF0(intOrPtr __eax, void* __ebx, CHAR* __ecx, struct HINSTANCE__* __edx, CHAR* _a8) {
				CHAR* _v8;
				intOrPtr _v12;
				struct HINSTANCE__* _v16;
				void* __ebp;
				void* _t41;
				void* _t48;
				void* _t54;

				_t47 = __ecx;
				_t46 = __ebx;
				_v8 = __ecx;
				_v16 = __edx;
				_v12 = __eax;
				 *(_v12 + 0x10) = FindResourceA(_v16, _v8, _a8);
				if( *(_v12 + 0x10) == 0) {
					E00421D50(__ebx, _t47, _t54);
					_pop(_t47);
				}
				 *(_v12 + 0x14) = LoadResource(_v16,  *(_v12 + 0x10));
				if( *(_v12 + 0x14) == 0) {
					E00421D50(_t46, _t47, _t54);
				}
				_push(SizeofResource(_v16,  *(_v12 + 0x10)));
				_t41 = LockResource( *(_v12 + 0x14));
				_pop(_t48);
				return E00421738(_v12, _t48, _t41);
			}

0x00421df0
0x00421df0
0x00421df6
0x00421df9
0x00421dfc
0x00421e13
0x00421e1d
0x00421e20
0x00421e25
0x00421e25
0x00421e39
0x00421e43
0x00421e46
0x00421e4b
0x00421e5c
0x00421e64
0x00421e6e
0x00421e77

APIs

FindResourceA.KERNEL32(00421D2C,?,00421D2C), ref: 00421E0B
LoadResource.KERNEL32(00421D2C,?,00421D2C,?,00421D2C), ref: 00421E31
SizeofResource.KERNEL32(00421D2C,?,00421D2C,?,00421D2C,?,00421D2C), ref: 00421E57
LockResource.KERNEL32(?,00000000,00421D2C,?,00421D2C,?,00421D2C,?,00421D2C), ref: 00421E64

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 333ce5f89e7905c390bebbb7afd233a951e023624dc8ebce99826cc8546bdffd
Instruction ID: 241d3af46dcfa7c393e73150dfc3a9d741e9533a3bf93857a77f1ad12f1ec28b
Opcode Fuzzy Hash: 333ce5f89e7905c390bebbb7afd233a951e023624dc8ebce99826cc8546bdffd
Instruction Fuzzy Hash: ED119A75E04208AFCB44DF9DD885E8EBBF8AB18314F50459AF518E7352D738EA808B65

Uniqueness

Uniqueness Score: -1.00%

Function 0040CEBC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84
threadCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040CEBC(intOrPtr __eax, intOrPtr* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr* _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v34;
				short _v38;
				struct _SYSTEMTIME _v40;
				char _v296;
				char* _t49;
				intOrPtr _t80;
				void* _t86;

				_v16 = 0;
				_v12 = __edx;
				_v8 = __eax;
				_push(_t86);
				_push(0x40cfc2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t86 + 0xfffffedc;
				E0040513C(_v12);
				_v40 =  *((intOrPtr*)(_a4 - 0xe));
				_v38 =  *((intOrPtr*)(_a4 - 0x10));
				_v34 =  *((intOrPtr*)(_a4 - 0x12));
				if(_v8 > 2) {
					E004051D4( &_v16, 0x40cfe4);
				} else {
					E004051D4( &_v16, 0x40cfd8);
				}
				_t49 = E00405600(_v16);
				if(GetDateFormatA(GetThreadLocale(), 4,  &_v40, _t49,  &_v296, 0x100) != 0) {
					E004053AC(_v12, 0x100,  &_v296);
					if(_v8 == 1 &&  *((char*)( *_v12)) == 0x30) {
						_v20 =  *_v12;
						_v24 = _v20;
						if(_v24 != 0) {
							_v24 =  *((intOrPtr*)(_v24 - 4));
						}
						E00405660( *_v12, _v24 - 1, 2, _v12);
					}
				}
				_pop(_t80);
				 *[fs:eax] = _t80;
				_push(0x40cfc9);
				return E0040513C( &_v16);
			}

0x0040cec7
0x0040ceca
0x0040cecd
0x0040ced2
0x0040ced3
0x0040ced8
0x0040cedb
0x0040cee1
0x0040ceed
0x0040cef8
0x0040cf03
0x0040cf0b
0x0040cf24
0x0040cf0d
0x0040cf15
0x0040cf15
0x0040cf38
0x0040cf51
0x0040cf61
0x0040cf6a
0x0040cf7b
0x0040cf81
0x0040cf88
0x0040cf92
0x0040cf92
0x0040cfa7
0x0040cfa7
0x0040cf6a
0x0040cfae
0x0040cfb1
0x0040cfb4
0x0040cfc1

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040CFC2), ref: 0040CF44
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0040CFC2), ref: 0040CF4A

Strings

yyyy, xrefs: 0040CF1F

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 15391e345b8e333caddb3a419c2d001cf52746d14d4259b2439eaf70077a6ad5
Instruction ID: 469cc75820ce05d5e1ab010304fe3ef7b12cd3eef8667ec7a3162141977021d6
Opcode Fuzzy Hash: 15391e345b8e333caddb3a419c2d001cf52746d14d4259b2439eaf70077a6ad5
Instruction Fuzzy Hash: 3231C874A04609EFDB00DF99C581A9EB7B5EF48314F5041AAF805F7391D778AE40CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00404F74 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00404F74() {
				int _t18;
				void* _t32;
				struct HINSTANCE__* _t41;
				intOrPtr _t43;
				void* _t44;

				if( *0x005487F0 != 0 ||  *0x546048 == 0) {
					L3:
					if( *0x53f004 != 0) {
						E00404E54();
						E00404EE8(_t32);
						 *0x53f004 = 0;
					}
					L5:
					while(1) {
						if( *((char*)(0x5487f0)) == 2 &&  *0x53f000 == 0) {
							 *0x005487D4 = 0;
						}
						E00404CFC();
						if( *((char*)(0x5487f0)) <= 1 ||  *0x53f000 != 0) {
							_t36 =  *0x005487D8;
							if( *0x005487D8 != 0) {
								E00406E84(_t36);
								_t43 =  *((intOrPtr*)(0x5487d8));
								_t7 = _t43 + 0x10; // 0x400000
								_t41 =  *_t7;
								_t8 = _t43 + 4; // 0x400000
								if(_t41 !=  *_t8 && _t41 != 0) {
									FreeLibrary(_t41);
								}
							}
						}
						E00404CD4();
						if( *((char*)(0x5487f0)) == 1) {
							 *0x005487EC();
						}
						if( *((char*)(0x5487f0)) != 0) {
							E00404EB8();
						}
						if( *0x5487c8 == 0) {
							if( *0x546028 != 0) {
								 *0x546028();
							}
							_t18 =  *0x53f000; // 0x0
							ExitProcess(_t18);
						}
						memcpy(0x5487c8,  *0x5487c8, 0xb << 2);
						_t44 = _t44 + 0xc;
					}
				} else {
					do {
						 *0x546048 = 0;
						 *((intOrPtr*)( *0x546048))();
					} while ( *0x546048 != 0);
					goto L3;
				}
			}

0x00404f86
0x00404f9c
0x00404fa3
0x00404fa5
0x00404faa
0x00404fb1
0x00404fb1
0x00000000
0x00404fb6
0x00404fba
0x00404fc7
0x00404fc7
0x00404fca
0x00404fd3
0x00404fde
0x00404fe3
0x00404fe7
0x00404fec
0x00404fef
0x00404fef
0x00404ff2
0x00404ff5
0x00404ffc
0x00404ffc
0x00404ff5
0x00404fe3
0x00405001
0x0040500a
0x0040500c
0x0040500c
0x00405013
0x00405015
0x00405015
0x0040501d
0x00405026
0x00405028
0x00405028
0x0040502e
0x00405034
0x00405034
0x00405044
0x00405044
0x00405044
0x00404f8d
0x00404f8d
0x00404f93
0x00404f95
0x00404f97
0x00000000
0x00404f8d

APIs

FreeLibrary.KERNEL32(00400000,?,?,?,00000002,0040505A,00402E4B,00402E92,?,?,?,?,?,00404C14), ref: 00404FFC
ExitProcess.KERNEL32(00000000,?,?,?,00000002,0040505A,00402E4B,00402E92,?,?,?,?,?,00404C14), ref: 00405034

Strings

H`T, xrefs: 00404F7D

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: ExitFreeLibraryProcess
String ID: H`T
API String ID: 1404682716-2285108000
Opcode ID: 56423ecf37d3c44b9a4bad7ced072811fe7b8fd7fad11259bb6e9029da246df3
Instruction ID: b19ceb5ea28925f1933101729288d75963a9f41694b1882f5c19c10fa940e8cd
Opcode Fuzzy Hash: 56423ecf37d3c44b9a4bad7ced072811fe7b8fd7fad11259bb6e9029da246df3
Instruction Fuzzy Hash: 0D217FB49006528FEF25AF65C88835B3BD0AB45328F25057AD908A73D2D77C9CC4DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0042BDC8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042BDC8(int _a4) {
				int _v8;
				void* __ecx;
				void* __ebp;
				void* _t15;
				void* _t21;

				if( *0x54933c != 0) {
					_v8 = 0xffffffff;
					_t15 = _a4 + 0xffffffb4 - 2;
					__eflags = _t15;
					if(__eflags < 0) {
						_v8 = 0;
					} else {
						if(__eflags == 0) {
							_a4 = 0;
						} else {
							_t21 = _t15 - 1;
							__eflags = _t21;
							if(_t21 == 0) {
								_a4 = 1;
							} else {
								__eflags = _t21 - 0xffffffffffffffff;
								if(_t21 - 0xffffffffffffffff < 0) {
									_v8 = 1;
								}
							}
						}
					}
					__eflags = _v8 - 0xffffffff;
					if(_v8 == 0xffffffff) {
						_v8 = GetSystemMetrics(_a4);
					}
				} else {
					 *0x549314 = E0042BCC8(0, "GetSystemMetrics",  *0x549314);
					_v8 = GetSystemMetrics(_a4);
				}
				return _v8;
			}

0x0042bdd3
0x0042bdfb
0x0042be08
0x0042be08
0x0042be0b
0x0042be23
0x0042be0d
0x0042be0d
0x0042be2a
0x0042be0f
0x0042be0f
0x0042be0f
0x0042be10
0x0042be2f
0x0042be12
0x0042be13
0x0042be16
0x0042be18
0x0042be18
0x0042be16
0x0042be10
0x0042be0d
0x0042be36
0x0042be3a
0x0042be45
0x0042be45
0x0042bdd5
0x0042bde7
0x0042bdf6
0x0042bdf6
0x0042be4d

APIs

GetSystemMetrics.USER32(?), ref: 0042BE40

Part of subcall function 0042BCC8: GetProcAddress.KERNEL32(745C0000,00000000), ref: 0042BD53

GetSystemMetrics.USER32(?), ref: 0042BDF0

Strings

GetSystemMetrics, xrefs: 0042BDD5

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: MetricsSystem$AddressProc
String ID: GetSystemMetrics
API String ID: 1792783759-96882338
Opcode ID: 85127b3d549ff1edaf46e197a9098cf0fee0138927e9a63a8de141c3b48b91d0
Instruction ID: 0b9b7f7178eb3725668e60d98a4c46d97d5aeaf0960904640a1b168027fdd17e
Opcode Fuzzy Hash: 85127b3d549ff1edaf46e197a9098cf0fee0138927e9a63a8de141c3b48b91d0
Instruction Fuzzy Hash: 2B01F9B1A04218EFCB10CF78E6456EE7BF0EB16324FD0851AE215D72D0D738DA409799

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AF70(char __eax, union _ULARGE_INTEGER* __ecx, union _ULARGE_INTEGER* __edx) {
				char _v5;
				union _ULARGE_INTEGER* _v12;
				union _ULARGE_INTEGER* _v16;
				int _v20;
				char _v22;
				char _v23;
				char _v24;
				char _v25;
				CHAR* _v32;

				_v16 = __ecx;
				_v12 = __edx;
				_v5 = __eax;
				_v32 = 0;
				if(_v5 > 0) {
					_v25 = _v5 + 0x40;
					_v24 = 0x3a;
					_v23 = 0x5c;
					_v22 = 0;
					_v32 =  &_v25;
				}
				_v20 = GetDiskFreeSpaceExA(_v32, _v16, _v12, 0);
				return _v20;
			}

0x0040af76
0x0040af79
0x0040af7c
0x0040af81
0x0040af88
0x0040af8f
0x0040af92
0x0040af96
0x0040af9a
0x0040afa1
0x0040afa1
0x0040afb8
0x0040afc1

APIs

GetDiskFreeSpaceExA.KERNEL32(?,?,?,00000000), ref: 0040AFB2

Strings

\, xrefs: 0040AF96
:, xrefs: 0040AF92

Memory Dump Source

Source File: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.928183000.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928315410.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928323466.0000000000550000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928328425.0000000000569000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928342017.0000000000585000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928358941.00000000005A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.928362816.00000000005A6000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: DiskFreeSpace
String ID: :$\
API String ID: 1705453755-1166558509
Opcode ID: 1901d7d277e43cd263b09c8f2be45b10874acc09ea2807c77fcddb37e5a3a44f
Instruction ID: e818fa8f5b684bc3d717cb4e4063f4719f182022595ac4cd220615dfe21b429e
Opcode Fuzzy Hash: 1901d7d277e43cd263b09c8f2be45b10874acc09ea2807c77fcddb37e5a3a44f
Instruction Fuzzy Hash: A0F0CDB4D0438D9EDB01CBE88445BEFBFF4AF19204F04409AE954E7341D3755605CBA5

Uniqueness

Uniqueness Score: -1.00%

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
sourceforge.net	file.log.exe	Get hash	malicious	Browse	216.105.38.6
	data.log.exe	Get hash	malicious	Browse	216.105.38.6
	message.txt.exe	Get hash	malicious	Browse	216.105.38.6
	test.dat.exe	Get hash	malicious	Browse	216.105.38.6
	Update-KB7390-x86.exe	Get hash	malicious	Browse	216.105.38.6
	Update-KB6734-x86.exe	Get hash	malicious	Browse	216.105.38.6
	Update-KB5058-x86.exe	Get hash	malicious	Browse	216.105.38.6
	file.txt.exe	Get hash	malicious	Browse	216.105.38.6
	Update-KB250-x86.exe	Get hash	malicious	Browse	216.105.38.6
	Update-KB2984-x86.exe	Get hash	malicious	Browse	216.105.38.6
	doc.msg.exe	Get hash	malicious	Browse	216.105.38.6
	test.msg.exe	Get hash	malicious	Browse	216.105.38.6
	Update-KB3756-x86.exe	Get hash	malicious	Browse	216.105.38.6
	body.elm.exe	Get hash	malicious	Browse	216.105.38.6
	readme.txt.exe	Get hash	malicious	Browse	216.105.38.6
	Update-KB9504-x86.exe	Get hash	malicious	Browse	216.105.38.6
	Update-KB6340-x86.exe	Get hash	malicious	Browse	216.105.38.6
	file.msg.exe	Get hash	malicious	Browse	216.105.38.6
	Update-KB1484-x86.exe	Get hash	malicious	Browse	216.105.38.6
	tgup0018.exe	Get hash	malicious	Browse	216.105.38.17
www.rejetto.com	hfs.exe	Get hash	malicious	Browse	94.23.66.84
	uUey7ZnTha.exe	Get hash	malicious	Browse	185.20.49.7
	ijxxKAiHHB.exe	Get hash	malicious	Browse	185.20.49.7
	hfs.exe	Get hash	malicious	Browse	185.20.49.7
	http://37.1.211.221:1699	Get hash	malicious	Browse	185.20.49.7
	hfs.exe	Get hash	malicious	Browse	185.20.49.7
	hfs.exe	Get hash	malicious	Browse	185.20.49.7
	rjAAd0Yg6h.exe	Get hash	malicious	Browse	185.20.49.7
	hfs.exe	Get hash	malicious	Browse	185.20.49.7
	hfs.exe	Get hash	malicious	Browse	185.20.49.7
	hfs.exe	Get hash	malicious	Browse	185.20.49.7

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	comments_175343.xls	Get hash	malicious	Browse	142.4.219.173
	https___grupomartinsanchez.com_wp-admin_QpFDJPMY49_Thu_Jan_27_11_18_39_AM_CST_2022.dll	Get hash	malicious	Browse	142.4.219.173
	CT 7839428.xls	Get hash	malicious	Browse	142.4.219.173
	https___pcovestudio.com_wp-admin_c3zgRi2wXwCbdSD3iz_Thu_Jan_27_11_18_36_AM_CST_2022.dll	Get hash	malicious	Browse	142.4.219.173
	imedpub.com.xls	Get hash	malicious	Browse	158.69.222.101
	4tWrWVF8FkB9IrJ.exe	Get hash	malicious	Browse	91.134.184.235
	Invoice.xls	Get hash	malicious	Browse	158.69.222.101
	Yn4VrvXmjp66S.dll	Get hash	malicious	Browse	51.38.71.0
	Inv WW-7328.xls	Get hash	malicious	Browse	158.69.222.101
	Yn4VrvXmjp66S.dll	Get hash	malicious	Browse	158.69.222.101
	lfvERL.dll	Get hash	malicious	Browse	158.69.222.101
	dp20s.dll	Get hash	malicious	Browse	158.69.222.101
	SSH.m68k	Get hash	malicious	Browse	188.165.198.196
	LD4AbVjBFwQ.dll	Get hash	malicious	Browse	158.69.222.101
	euleFiWuOpDvZHd.dll	Get hash	malicious	Browse	158.69.222.101
	lfvERL.dll	Get hash	malicious	Browse	158.69.222.101
	dp20s.dll	Get hash	malicious	Browse	158.69.222.101
	iMedPub LTD.xls	Get hash	malicious	Browse	158.69.222.101
	imedpub.com.xls	Get hash	malicious	Browse	158.69.222.101
	xlxGasJ7tx.dll	Get hash	malicious	Browse	158.69.222.101

Target ID:	0
Start time:	22:18:35
Start date:	27/01/2022
Path:	C:\Users\user\Desktop\hfs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hfs.exe"
Imagebase:	0x400000
File size:	572928 bytes
MD5 hash:	6E491A7FECB845974F8F6F65B419C7B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000002.928189105.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hfs.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
hfs.exe

Function 00406B14 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184
registrystringlibraryCOMMON

Function 0040A8F8 Relevance: 6.0, APIs: 4, Instructions: 37
timefileCOMMON

Function 0041C908 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Function 0041032C Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 204
threadCOMMON

Function 0042A120 Relevance: 6.1, APIs: 4, Instructions: 59
registryCOMMON

Function 0042156C Relevance: 4.6, APIs: 3, Instructions: 105
fileCOMMON

Function 00410240 Relevance: 4.6, APIs: 3, Instructions: 55
threadCOMMON

Function 0040367C Relevance: 3.1, APIs: 2, Instructions: 61
fileCOMMON

Function 0040A8A4 Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Function 0040AB00 Relevance: 3.0, APIs: 2, Instructions: 21
COMMON

Function 0040F6F8 Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Function 004040F0 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Function 00408664 Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Function 004086C8 Relevance: 1.5, APIs: 1, Instructions: 39
COMMON

Function 004050C0 Relevance: 1.5, APIs: 1, Instructions: 38
threadCOMMON

Function 0040A7C4 Relevance: 1.5, APIs: 1, Instructions: 36
fileCOMMON

Function 004068B0 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Function 0040A86C Relevance: 1.5, APIs: 1, Instructions: 23
fileCOMMON

Function 0040A968 Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Function 0042A1DC Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Function 0040A9A0 Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Function 004079EC Relevance: 1.5, APIs: 1, Instructions: 18
synchronizationCOMMON

Function 004214EC Relevance: 1.5, APIs: 1, Instructions: 18
fileCOMMON

Function 0040ACC4 Relevance: 1.5, APIs: 1, Instructions: 17
fileCOMMON

Function 00428158 Relevance: 1.3, APIs: 1, Instructions: 66
COMMON

Function 0042A00C Relevance: 1.3, APIs: 1, Instructions: 64
memoryCOMMON

Function 00406950 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139
stringlibraryfileCOMMON

Function 0040ABF0 Relevance: 3.0, APIs: 2, Instructions: 37
fileCOMMON

Function 0040AEF0 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Function 0040F63C Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Function 0040E3EC Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Function 0040E448 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Function 0040CAF0 Relevance: 1.5, APIs: 1, Instructions: 18
timeCOMMON

Function 00410890 Relevance: .2, Instructions: 184
COMMONCrypto

Function 004021FC Relevance: .1, Instructions: 94
COMMONCrypto

Function 00411DD0 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141
COMMON

Function 004030E8 Relevance: 27.1, APIs: 9, Strings: 9, Instructions: 110
COMMON

Function 00408728 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 63
registryclipboardwindowCOMMON

Function 00402668 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254
windowCOMMON

Function 00428518 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 107
synchronizationthreadCOMMON

Function 0040EC04 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 63
filewindowCOMMON

Function 00413080 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139
COMMON

Function 00427EC8 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109
threadCOMMON

Function 00404EE8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38
filewindowCOMMON