Windows Analysis Report
download.exe

Overview

General Information

Sample Name:download.exe
Analysis ID:606090
MD5:a2c883b0e7a1b002b088f52f647f2e2f
SHA1:0ed075b4c2163cac0463f4f6b7961d0850e1fc05
SHA256:27d4749a0db6fffdcc3744cb2ed29e8ffa8cc00140ee61faa3a4b0446d512076
Infos:

Detection

Score:5
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Program does not show much activity (idle)

Classification

  • System is w10x64
  • download.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\download.exe" -install MD5: A2C883B0E7A1B002B088F52F647F2E2F)
  • download.exe (PID: 6696 cmdline: "C:\Users\user\Desktop\download.exe" /install MD5: A2C883B0E7A1B002B088F52F647F2E2F)
  • download.exe (PID: 6724 cmdline: "C:\Users\user\Desktop\download.exe" /load MD5: A2C883B0E7A1B002B088F52F647F2E2F)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: download.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: download.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_0040AEF4 FindFirstFileW,FindClose,0_2_0040AEF4
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,0_2_0040A928
Source: C:\Users\user\Desktop\download.exeCode function: 1_2_0040AEF4 FindFirstFileW,FindClose,1_2_0040AEF4
Source: C:\Users\user\Desktop\download.exeCode function: 1_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,1_2_0040A928
Source: C:\Users\user\Desktop\download.exeCode function: 2_2_0040AEF4 FindFirstFileW,FindClose,2_2_0040AEF4
Source: C:\Users\user\Desktop\download.exeCode function: 2_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,2_2_0040A928
Source: download.exeString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: download.exeString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: download.exe, 00000000.00000003.251830348.0000000002258000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs download.exe
Source: download.exe, 00000000.00000000.220189376.00000000004C6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileName vs download.exe
Source: download.exe, 00000001.00000000.225614313.00000000004C6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileName vs download.exe
Source: download.exe, 00000001.00000003.246708963.0000000002248000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs download.exe
Source: download.exe, 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileName vs download.exe
Source: download.exe, 00000002.00000003.242637775.0000000002228000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs download.exe
Source: download.exeBinary or memory string: OriginalFileName vs download.exe
Source: download.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_004AF110
Source: C:\Users\user\Desktop\download.exeCode function: 1_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,1_2_004AF110
Source: C:\Users\user\Desktop\download.exeCode function: 2_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,2_2_004AF110
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_004323DC0_2_004323DC
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_004255DC0_2_004255DC
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_0040E9C40_2_0040E9C4
Source: C:\Users\user\Desktop\download.exeCode function: 1_2_004323DC1_2_004323DC
Source: C:\Users\user\Desktop\download.exeCode function: 1_2_004255DC1_2_004255DC
Source: C:\Users\user\Desktop\download.exeCode function: 1_2_0040E9C41_2_0040E9C4
Source: C:\Users\user\Desktop\download.exeCode function: 2_2_004323DC2_2_004323DC
Source: C:\Users\user\Desktop\download.exeCode function: 2_2_004255DC2_2_004255DC
Source: C:\Users\user\Desktop\download.exeCode function: 2_2_0040E9C42_2_0040E9C4
Source: C:\Users\user\Desktop\download.exeCode function: String function: 00427848 appears 63 times
Source: C:\Users\user\Desktop\download.exeCode function: String function: 0040CC60 appears 51 times
Source: C:\Users\user\Desktop\download.exeCode function: String function: 0040873C appears 54 times
Source: C:\Users\user\Desktop\download.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\Desktop\download.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\download.exe "C:\Users\user\Desktop\download.exe" -install
Source: unknownProcess created: C:\Users\user\Desktop\download.exe "C:\Users\user\Desktop\download.exe" /install
Source: unknownProcess created: C:\Users\user\Desktop\download.exe "C:\Users\user\Desktop\download.exe" /load
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_004AF9F0 FindResourceW,SizeofResource,LoadResource,LockResource,0_2_004AF9F0
Source: download.exeString found in binary or memory: Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file af
Source: download.exeString found in binary or memory: /LOADINF="filename"
Source: classification engineClassification label: clean5.winEXE@3/0@0/0
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_0041A4DC GetDiskFreeSpaceW,0_2_0041A4DC
Source: C:\Users\user\Desktop\download.exeAutomated click: OK
Source: download.exeStatic file information: File size 1735928 > 1048576
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_004B5000 push 004B50DEh; ret 0_2_004B50D6
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_004B5980 push 004B5A48h; ret 0_2_004B5A40
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_00458000 push ecx; mov dword ptr [esp], ecx0_2_00458005
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_0049B03C push ecx; mov dword ptr [esp], edx0_2_0049B03D
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_004A00F8 push ecx; mov dword ptr [esp], edx0_2_004A00F9
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_00458084 push ecx; mov dword ptr [esp], ecx0_2_00458089
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_004B1084 push 004B10ECh; ret 0_2_004B10E4
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_004A1094 push ecx; mov dword ptr [esp], edx0_2_004A1095
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_0041A0B4 push ecx; mov dword ptr [esp], ecx0_2_0041A0B8
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_004270BC push 00427104h; ret 0_2_004270FC
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_00458108 push ecx; mov dword ptr [esp], ecx0_2_0045810D
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_004321C8 push ecx; mov dword ptr [esp], edx0_2_004321C9
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_004A21D8 push ecx; mov dword ptr [esp], edx0_2_004A21D9
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_0049E1B8 push ecx; mov dword ptr [esp], edx0_2_0049E1B9
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_0049A260 push 0049A378h; ret 0_2_0049A370
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_00455268 push ecx; mov dword ptr [esp], ecx0_2_0045526C
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_004252D4 push ecx; mov dword ptr [esp], eax0_2_004252D9
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_004592FC push ecx; mov dword ptr [esp], edx0_2_004592FD
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_0045B284 push ecx; mov dword ptr [esp], edx0_2_0045B285
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_00430358 push ecx; mov dword ptr [esp], eax0_2_00430359
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_00430370 push ecx; mov dword ptr [esp], eax0_2_00430371
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_00459394 push ecx; mov dword ptr [esp], ecx0_2_00459398
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_004A1428 push ecx; mov dword ptr [esp], edx0_2_004A1429
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_0049B424 push ecx; mov dword ptr [esp], edx0_2_0049B425
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_004A24D8 push ecx; mov dword ptr [esp], edx0_2_004A24D9
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_004224F0 push 004225F4h; ret 0_2_004225EC
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_004304F0 push ecx; mov dword ptr [esp], eax0_2_004304F1
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_00499490 push ecx; mov dword ptr [esp], edx0_2_00499493
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_00458564 push ecx; mov dword ptr [esp], edx0_2_00458565
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_00458574 push ecx; mov dword ptr [esp], edx0_2_00458575
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_00457574 push ecx; mov dword ptr [esp], ecx0_2_00457578
Source: download.exeStatic PE information: section name: .didata
Source: C:\Users\user\Desktop\download.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_004AF91C GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,0_2_004AF91C
Source: C:\Users\user\Desktop\download.exeCode function: GetUserDefaultUILanguage,GetLocaleInfoW,0_2_0040B044
Source: C:\Users\user\Desktop\download.exeCode function: GetLocaleInfoW,0_2_0041E034
Source: C:\Users\user\Desktop\download.exeCode function: GetLocaleInfoW,0_2_0041E080
Source: C:\Users\user\Desktop\download.exeCode function: GetLocaleInfoW,0_2_004AF218
Source: C:\Users\user\Desktop\download.exeCode function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0040A4CC
Source: C:\Users\user\Desktop\download.exeCode function: GetUserDefaultUILanguage,GetLocaleInfoW,1_2_0040B044
Source: C:\Users\user\Desktop\download.exeCode function: GetLocaleInfoW,1_2_0041E034
Source: C:\Users\user\Desktop\download.exeCode function: GetLocaleInfoW,1_2_0041E080
Source: C:\Users\user\Desktop\download.exeCode function: GetLocaleInfoW,1_2_004AF218
Source: C:\Users\user\Desktop\download.exeCode function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,1_2_0040A4CC
Source: C:\Users\user\Desktop\download.exeCode function: GetUserDefaultUILanguage,GetLocaleInfoW,2_2_0040B044
Source: C:\Users\user\Desktop\download.exeCode function: GetLocaleInfoW,2_2_0041E034
Source: C:\Users\user\Desktop\download.exeCode function: GetLocaleInfoW,2_2_0041E080
Source: C:\Users\user\Desktop\download.exeCode function: GetLocaleInfoW,2_2_004AF218
Source: C:\Users\user\Desktop\download.exeCode function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_0040A4CC
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_00405AE0 cpuid 0_2_00405AE0
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_004B5114 GetModuleHandleW,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,0_2_004B5114
Source: C:\Users\user\Desktop\download.exeCode function: 0_2_0041C3D8 GetLocalTime,0_2_0041C3D8
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts2
Command and Scripting Interpreter
Path Interception1
Access Token Manipulation
1
Access Token Manipulation
OS Credential Dumping1
System Time Discovery
Remote Services1
Archive Collected Data
Exfiltration Over Other Network Medium1
Encrypted Channel
Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
System Shutdown/Reboot
Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
Process Injection
1
Process Injection
LSASS Memory1
File and Directory Discovery
Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)1
Deobfuscate/Decode Files or Information
Security Account Manager25
System Information Discovery
SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)2
Obfuscated Files or Information
NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior graph (image not preserved): ID 606090, sample download.exe, start date 08/04/2022, architecture WINDOWS, score 5; three download.exe processes started.

Source | Detection | Scanner | Label | Link
download.exe | 4% | Virustotal | | Browse
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | download.exe | false | | high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdline | download.exe | false | | high
      No contacted IP infos
      Joe Sandbox Version:34.0.0 Boulder Opal
      Analysis ID:606090
      Start date and time: 08/04/2022 23:58:49 (2022-04-08 23:58:49 +02:00)
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 7m 2s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:download.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Run name:Cmdline fuzzy
      Number of analysed new started processes analysed:4
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:CLEAN
      Classification:clean5.winEXE@3/0@0/0
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:
      • Successful, ratio: 19.7% (good quality ratio 19.5%)
      • Quality average: 77.6%
      • Quality standard deviation: 22.4%
      HCA Information:
      • Successful, ratio: 88%
      • Number of executed functions: 63
      • Number of non-executed functions: 112
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Adjust boot time
      • Enable AMSI
      • Stop behavior analysis, all processes terminated
      • Exclude process from analysis (whitelisted): backgroundTaskHost.exe
      • Excluded IPs from analysis (whitelisted): 20.82.210.154, 20.54.89.106, 52.152.110.14, 40.112.88.60, 20.54.110.249
      • Excluded domains from analysis (whitelisted): www.bing.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, sls.update.microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
      No simulations
      No context
      No created / dropped files found
      File type:PE32 executable (GUI) Intel 80386, for MS Windows
      Entropy (8bit):7.547049237301527
      TrID:
      • Win32 Executable (generic) a (10002005/4) 98.04%
      • Inno Setup installer (109748/4) 1.08%
      • InstallShield setup (43055/19) 0.42%
      • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
      • Win16/32 Executable Delphi generic (2074/23) 0.02%
      File name:download.exe
      File size:1735928
      MD5:a2c883b0e7a1b002b088f52f647f2e2f
      SHA1:0ed075b4c2163cac0463f4f6b7961d0850e1fc05
      SHA256:27d4749a0db6fffdcc3744cb2ed29e8ffa8cc00140ee61faa3a4b0446d512076
      SHA512:4894c7fc90c85a1e1d62a712688e39b3809e090653cf126fc36fe0555843206443612676ec2c9ab5a6df5cb0d62966624e4633abfe0a3f8a7a2e360f2c748dd1
      SSDEEP:24576:N4nXubIQGyxbPV0db26p2iInkk7vhTCxMLM05Zl3dWzXh35FqF+ahOIZDNJxjNh2:Nqe3f6JIPuxMA05Zl3EFqDEoN3jNhntU
      TLSH:0F85CF3FB268653FD4AE0B3245B39350997BBA61A81A8C2F07F0094DCF665701F3B656
      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
      Icon Hash:a2a0b496b2caca72
      Entrypoint:0x4b5eec
      Entrypoint Section:.itext
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
      DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Time Stamp:0x5FB0F96E [Sun Nov 15 09:48:30 2020 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:6
      OS Version Minor:1
      File Version Major:6
      File Version Minor:1
      Subsystem Version Major:6
      Subsystem Version Minor:1
      Import Hash:5a594319a0d69dbc452e748bcf05892e
      Instruction
      push ebp
      mov ebp, esp
      add esp, FFFFFFA4h
      push ebx
      push esi
      push edi
      xor eax, eax
      mov dword ptr [ebp-3Ch], eax
      mov dword ptr [ebp-40h], eax
      mov dword ptr [ebp-5Ch], eax
      mov dword ptr [ebp-30h], eax
      mov dword ptr [ebp-38h], eax
      mov dword ptr [ebp-34h], eax
      mov dword ptr [ebp-2Ch], eax
      mov dword ptr [ebp-28h], eax
      mov dword ptr [ebp-14h], eax
      mov eax, 004B10F0h
      call 00007FA8C8A17D65h
      xor eax, eax
      push ebp
      push 004B65E2h
      push dword ptr fs:[eax]
      mov dword ptr fs:[eax], esp
      xor edx, edx
      push ebp
      push 004B659Eh
      push dword ptr fs:[edx]
      mov dword ptr fs:[edx], esp
      mov eax, dword ptr [004BE634h]
      call 00007FA8C8ABA48Fh
      call 00007FA8C8AB9FE2h
      lea edx, dword ptr [ebp-14h]
      xor eax, eax
      call 00007FA8C8A2D7D8h
      mov edx, dword ptr [ebp-14h]
      mov eax, 004C1D84h
      call 00007FA8C8A12957h
      push 00000002h
      push 00000000h
      push 00000001h
      mov ecx, dword ptr [004C1D84h]
      mov dl, 01h
      mov eax, dword ptr [004237A4h]
      call 00007FA8C8A2E83Fh
      mov dword ptr [004C1D88h], eax
      xor edx, edx
      push ebp
      push 004B654Ah
      push dword ptr fs:[edx]
      mov dword ptr fs:[edx], esp
      call 00007FA8C8ABA517h
      mov dword ptr [004C1D90h], eax
      mov eax, dword ptr [004C1D90h]
      cmp dword ptr [eax+0Ch], 01h
      jne 00007FA8C8AC0AFAh
      mov eax, dword ptr [004C1D90h]
      mov edx, 00000028h
      call 00007FA8C8A2F134h
      mov edx, dword ptr [004C1D90h]
      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xf36 | .idata
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x4800 | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0xc22e4 | 0x244 | .idata
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0xb361c | 0xb3800 | False | 0.344863934105 | data | 6.35605820433 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      .itext | 0xb5000 | 0x1688 | 0x1800 | False | 0.544921875 | data | 5.97275005522 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      .data | 0xb7000 | 0x37a4 | 0x3800 | False | 0.360979352679 | data | 5.04440056201 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
      .bss | 0xbb000 | 0x6de8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
      .idata | 0xc2000 | 0xf36 | 0x1000 | False | 0.3681640625 | data | 4.89870464796 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
      .didata | 0xc3000 | 0x1a4 | 0x200 | False | 0.345703125 | data | 2.75636286825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
      .edata | 0xc4000 | 0x9a | 0x200 | False | 0.2578125 | data | 1.87222286659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .tls | 0xc5000 | 0x18 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
      .rdata | 0xc6000 | 0x5d | 0x200 | False | 0.189453125 | data | 1.38389437522 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .rsrc | 0xc7000 | 0x4800 | 0x4800 | False | 0.314832899306 | data | 4.41298427192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      Name | RVA | Size | Type | Language | Country
      RT_ICON | 0xc74c8 | 0x128 | GLS_BINARY_LSB_FIRST | Dutch | Netherlands
      RT_ICON | 0xc75f0 | 0x568 | GLS_BINARY_LSB_FIRST | Dutch | Netherlands
      RT_ICON | 0xc7b58 | 0x2e8 | data | Dutch | Netherlands
      RT_ICON | 0xc7e40 | 0x8a8 | data | Dutch | Netherlands
      RT_STRING | 0xc86e8 | 0x360 | data | |
      RT_STRING | 0xc8a48 | 0x260 | data | |
      RT_STRING | 0xc8ca8 | 0x45c | data | |
      RT_STRING | 0xc9104 | 0x40c | data | |
      RT_STRING | 0xc9510 | 0x2d4 | data | |
      RT_STRING | 0xc97e4 | 0xb8 | data | |
      RT_STRING | 0xc989c | 0x9c | data | |
      RT_STRING | 0xc9938 | 0x374 | data | |
      RT_STRING | 0xc9cac | 0x398 | data | |
      RT_STRING | 0xca044 | 0x368 | data | |
      RT_STRING | 0xca3ac | 0x2a4 | data | |
      RT_RCDATA | 0xca650 | 0x10 | data | |
      RT_RCDATA | 0xca660 | 0x2c4 | data | |
      RT_RCDATA | 0xca924 | 0x2c | data | |
      RT_GROUP_ICON | 0xca950 | 0x3e | data | English | United States
      RT_VERSION | 0xca990 | 0x584 | data | English | United States
      RT_MANIFEST | 0xcaf14 | 0x726 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
      DLL | Import
      kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
      comctl32.dll | InitCommonControls
      version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
      user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
      oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
      netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
      advapi32.dll | RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW
      Name | Ordinal | Address
      TMethodImplementationIntercept | 3 | 0x454060
      __dbk_fcall_wrapper | 2 | 0x40d0a0
      dbkFCallWrapperAddr | 1 | 0x4be63c
      Description | Data
      LegalCopyright |
      FileVersion |
      CompanyName |
      Comments | This installation was built with Inno Setup.
      ProductName | Inno Script Studio
      ProductVersion | 1.0
      FileDescription | Inno Script Studio Setup
      OriginalFileName |
      Translation | 0x0000 0x04b0
      Language of compilation system | Country where language is spoken | Map
      Dutch | Netherlands |
      English | United States |
      No network behavior found

      Target ID:0
      Start time:23:59:45
      Start date:08/04/2022
      Path:C:\Users\user\Desktop\download.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\download.exe" -install
      Imagebase:0x400000
      File size:1735928 bytes
      MD5 hash:A2C883B0E7A1B002B088F52F647F2E2F
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:low

      Target ID:1
      Start time:23:59:48
      Start date:08/04/2022
      Path:C:\Users\user\Desktop\download.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\download.exe" /install
      Imagebase:0x400000
      File size:1735928 bytes
      MD5 hash:A2C883B0E7A1B002B088F52F647F2E2F
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:low

      Target ID:2
      Start time:23:59:50
      Start date:08/04/2022
      Path:C:\Users\user\Desktop\download.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\download.exe" /load
      Imagebase:0x400000
      File size:1735928 bytes
      MD5 hash:A2C883B0E7A1B002B088F52F647F2E2F
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:low

        Execution Graph

        Execution Coverage:2.2%
        Dynamic/Decrypted Code Coverage:0%
        Signature Coverage:16.9%
        Total number of Nodes:543
        Total number of Limit Nodes:23

        Control-flow Graph

        C-Code - Quality: 73%
        			E004B5114(void* __ebx, void* __edx, void* __edi, void* __esi) {
        				char _v8;
        				char _v12;
        				char _v16;
        				char _v20;
        				char _v24;
        				char _v28;
        				char _v32;
        				char _v36;
        				char _v40;
        				char _v44;
        				char _v48;
        				char _v52;
        				char _v56;
        				char _v60;
        				long _t39;
        				_Unknown_base(*)()* _t42;
        				_Unknown_base(*)()* _t43;
        				_Unknown_base(*)()* _t46;
        				signed int _t51;
        				void* _t111;
        				void* _t112;
        				intOrPtr _t129;
        				struct HINSTANCE__* _t148;
        				intOrPtr* _t150;
        				intOrPtr _t152;
        				intOrPtr _t153;
        
        				_t152 = _t153;
        				_t112 = 7;
        				do {
        					_push(0);
        					_push(0);
        					_t112 = _t112 - 1;
        				} while (_t112 != 0);
        				_push(_t152);
        				_push(0x4b5388);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t153;
        				 *0x4be664 =  *0x4be664 - 1;
        				if( *0x4be664 >= 0) {
        					L19:
        					_pop(_t129);
        					 *[fs:eax] = _t129;
        					_push(0x4b538f);
        					return E00407A80( &_v60, 0xe);
        				} else {
        					_t148 = GetModuleHandleW(L"kernel32.dll");
        					_t39 = GetVersion();
        					_t111 = 0;
        					if(_t39 != 0x600) {
        						_t150 = GetProcAddress(_t148, "SetDefaultDllDirectories");
        						if(_t150 != 0) {
        							 *_t150(0x800);
        							asm("sbb ebx, ebx");
        							_t111 = 1;
        						}
        					}
        					if(_t111 == 0) {
        						_t46 = GetProcAddress(_t148, "SetDllDirectoryW");
        						if(_t46 != 0) {
        							 *_t46(0x4b53e4);
        						}
        						E0040E520( &_v8);
        						E00407E00(0x4be668, _v8);
        						if( *0x4be668 != 0) {
        							_t51 =  *0x4be668;
        							if(_t51 != 0) {
        								_t51 =  *(_t51 - 4);
        							}
        							if( *((short*)( *0x4be668 + _t51 * 2 - 2)) != 0x5c) {
        								E004086E4(0x4be668, 0x4b53f4);
        							}
        							E0040873C( &_v12, L"uxtheme.dll",  *0x4be668);
        							E0040E54C(_v12, _t111);
        							E0040873C( &_v16, L"userenv.dll",  *0x4be668);
        							E0040E54C(_v16, _t111);
        							E0040873C( &_v20, L"setupapi.dll",  *0x4be668);
        							E0040E54C(_v20, _t111);
        							E0040873C( &_v24, L"apphelp.dll",  *0x4be668);
        							E0040E54C(_v24, _t111);
        							E0040873C( &_v28, L"propsys.dll",  *0x4be668);
        							E0040E54C(_v28, _t111);
        							E0040873C( &_v32, L"dwmapi.dll",  *0x4be668);
        							E0040E54C(_v32, _t111);
        							E0040873C( &_v36, L"cryptbase.dll",  *0x4be668);
        							E0040E54C(_v36, _t111);
        							E0040873C( &_v40, L"oleacc.dll",  *0x4be668);
        							E0040E54C(_v40, _t111);
        							E0040873C( &_v44, L"version.dll",  *0x4be668);
        							E0040E54C(_v44, _t111);
        							E0040873C( &_v48, L"profapi.dll",  *0x4be668);
        							E0040E54C(_v48, _t111);
        							E0040873C( &_v52, L"comres.dll",  *0x4be668);
        							E0040E54C(_v52, _t111);
        							E0040873C( &_v56, L"clbcatq.dll",  *0x4be668);
        							E0040E54C(_v56, _t111);
        							E0040873C( &_v60, L"ntmarta.dll",  *0x4be668);
        							E0040E54C(_v60, _t111);
        						}
        					}
        					_t42 = GetProcAddress(_t148, "SetSearchPathMode");
        					if(_t42 != 0) {
        						 *_t42(0x8001);
        					}
        					_t43 = GetProcAddress(_t148, "SetProcessDEPPolicy");
        					if(_t43 != 0) {
        						 *_t43(1); // executed
        					}
        					goto L19;
        				}
        			}

        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B5146
        • GetVersion.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B514D
        • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004B5162
        • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004B5188
          • Part of subcall function 0040E54C: SetErrorMode.KERNEL32(00008000), ref: 0040E55A
          • Part of subcall function 0040E54C: LoadLibraryW.KERNEL32(00000000,00000000,0040E5AE,?,00000000,0040E5CC,?,00008000), ref: 0040E58F
        • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004B534A
        • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004B5360
        • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B536B
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: AddressProc$ErrorHandleLibraryLoadModeModulePolicyProcessVersion
        • String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$hK$hK$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
        • API String ID: 2248137261-3182217745
        • Opcode ID: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
        • Instruction ID: 14362f36823de93a6bafc63c1bb5288ecf7b8ac372eee3bc1917329a49ba756d
        • Opcode Fuzzy Hash: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
        • Instruction Fuzzy Hash: 57513C34601504ABE701EBA6DC82FDEB3A5AB94348BA4493BE40077395DF7C9D428B6D
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 100%
        			E004AF91C(void* __eax) {
        				char _v44;
        				struct _SYSTEM_INFO _v80;
        				long _v84;
        				char _v88;
        				long _t22;
        				int _t28;
        				void* _t37;
        				struct _MEMORY_BASIC_INFORMATION* _t40;
        				long _t41;
        				void** _t42;
        
        				_t42 =  &(_v80.dwPageSize);
        				 *_t42 = __eax;
        				_t40 =  &_v44;
        				GetSystemInfo( &_v80); // executed
        				_t22 = VirtualQuery( *_t42, _t40, 0x1c);
        				if(_t22 == 0) {
        					L17:
        					return _t22;
        				} else {
        					while(1) {
        						_t22 = _t40->AllocationBase;
        						if(_t22 !=  *_t42) {
        							goto L17;
        						}
        						if(_t40->State != 0x1000 || (_t40->Protect & 0x00000001) != 0) {
        							L15:
        							_t22 = VirtualQuery(_t40->BaseAddress + _t40->RegionSize, _t40, 0x1c);
        							if(_t22 == 0) {
        								goto L17;
        							}
        							continue;
        						} else {
        							_v88 = 0;
        							_t41 = _t40->Protect;
        							if(_t41 == 1 || _t41 == 2 || _t41 == 0x10 || _t41 == 0x20) {
        								_t28 = VirtualProtect(_t40->BaseAddress, _t40->RegionSize, 0x40,  &_v84); // executed
        								if(_t28 != 0) {
        									_v88 = 1;
        								}
        							}
        							_t37 = 0;
        							while(_t37 < _t40->RegionSize) {
        								E004AF914(_t40->BaseAddress + _t37);
        								_t37 = _t37 + _v80.dwPageSize;
        							}
        							if(_v88 != 0) {
        								VirtualProtect( *_t40, _t40->RegionSize, _v84,  &_v84); // executed
        							}
        							goto L15;
        						}
        					}
        					goto L17;
        				}
        			}

        APIs
        • GetSystemInfo.KERNEL32(?), ref: 004AF92F
        • VirtualQuery.KERNEL32(?,?,0000001C,?), ref: 004AF93B
        • VirtualProtect.KERNEL32(?,?,00000040,0000001C,?,?,0000001C), ref: 004AF986
        • VirtualProtect.KERNEL32(?,?,?,0000001C,?,?,00000040,0000001C,?,?,0000001C), ref: 004AF9C2
        • VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C,?), ref: 004AF9D2
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: Virtual$ProtectQuery$InfoSystem
        • String ID:
        • API String ID: 2441996862-0
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 73%
        			E0040B044(char __eax, void* __ebx, intOrPtr* __edx, void* __eflags) {
        				char _v8;
        				short _v12;
        				void* _v16;
        				char _v20;
        				char _v24;
        				void* _t29;
        				void* _t40;
        				intOrPtr* _t44;
        				intOrPtr _t55;
        				void* _t61;
        
        				_push(__ebx);
        				_v24 = 0;
        				_v20 = 0;
        				_t44 = __edx;
        				_v8 = __eax;
        				E00407B04(_v8);
        				_push(_t61);
        				_push(0x40b104);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t61 + 0xffffffec;
        				_t21 =  &_v16;
        				L00403730();
        				GetLocaleInfoW( &_v16 & 0x0000ffff, 3, _t21, 4);
        				E0040858C( &_v20, 4,  &_v16);
        				E0040873C(_t44, _v20, _v8);
        				_t29 = E0040AEF4( *_t44, _t44); // executed
        				if(_t29 == 0) {
        					_v12 = 0;
        					E0040858C( &_v24, 4,  &_v16);
        					E0040873C(_t44, _v24, _v8);
        					_t40 = E0040AEF4( *_t44, _t44); // executed
        					if(_t40 == 0) {
        						E00407A20(_t44);
        					}
        				}
        				_pop(_t55);
        				 *[fs:eax] = _t55;
        				_push(E0040B10B);
        				E00407A80( &_v24, 2);
        				return E00407A20( &_v8);
        			}














        APIs
        • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B076
        • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B07F
          • Part of subcall function 0040AEF4: FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
          • Part of subcall function 0040AEF4: FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37
        Similarity
        • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
        • String ID:
        • API String ID: 3216391948-0
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 400 40aef4-40af34 call 407b04 call 4084ec FindFirstFileW 405 40af36-40af37 FindClose 400->405 406 40af3c-40af51 call 407a20 400->406 405->406
        C-Code - Quality: 46%
        			E0040AEF4(char __eax, signed int __ebx) {
        				char _v8;
        				struct _WIN32_FIND_DATAW _v600;
        				void* _t15;
        				intOrPtr _t24;
        				void* _t27;
        
        				_push(__ebx);
        				_v8 = __eax;
        				E00407B04(_v8);
        				_push(_t27);
        				_push(0x40af52);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t27 + 0xfffffdac;
        				_t15 = FindFirstFileW(E004084EC(_v8),  &_v600); // executed
        				if((__ebx & 0xffffff00 | _t15 != 0xffffffff) != 0) {
        					FindClose(_t15);
        				}
        				_pop(_t24);
        				 *[fs:eax] = _t24;
        				_push(E0040AF59);
        				return E00407A20( &_v8);
        			}









        APIs
        • FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
        • FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37
        Similarity
        • API ID: Find$CloseFileFirst
        • String ID:
        • API String ID: 2295610775-0
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 78%
        			E0040AB18(char __eax, void* __ebx, void* __ecx, void* __edx) {
        				char _v8;
        				char* _v12;
        				void* _v16;
        				int _v20;
        				short _v542;
        				long _t51;
        				long _t85;
        				long _t87;
        				long _t89;
        				long _t91;
        				long _t93;
        				void* _t97;
        				intOrPtr _t106;
        				intOrPtr _t108;
        				void* _t112;
        				void* _t113;
        				intOrPtr _t114;
        
        				_t112 = _t113;
        				_t114 = _t113 + 0xfffffde4;
        				_t97 = __edx;
        				_v8 = __eax;
        				E00407B04(_v8);
        				_push(_t112);
        				_push(0x40ad3d);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t114;
        				if(_v8 != 0) {
        					E0040A34C( &_v542, E004084EC(_v8), 0x105);
        				} else {
        					GetModuleFileNameW(0,  &_v542, 0x105);
        				}
        				if(_v542 == 0) {
        					L18:
        					_pop(_t106);
        					 *[fs:eax] = _t106;
        					_push(E0040AD44);
        					return E00407A20( &_v8);
        				} else {
        					_v12 = 0;
        					_t51 = RegOpenKeyExW(0x80000001, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
        					if(_t51 == 0) {
        						L10:
        						_push(_t112);
        						_push(0x40ad20);
        						_push( *[fs:eax]);
        						 *[fs:eax] = _t114;
        						E0040A928( &_v542, 0x105);
        						if(RegQueryValueExW(_v16,  &_v542, 0, 0, 0,  &_v20) != 0) {
        							if(RegQueryValueExW(_v16, E0040AE30, 0, 0, 0,  &_v20) == 0) {
        								_v12 = E004053F0(_v20);
        								RegQueryValueExW(_v16, E0040AE30, 0, 0, _v12,  &_v20);
        								E00408550(_t97, _v12);
        							}
        						} else {
        							_v12 = E004053F0(_v20);
        							RegQueryValueExW(_v16,  &_v542, 0, 0, _v12,  &_v20);
        							E00408550(_t97, _v12);
        						}
        						_pop(_t108);
        						 *[fs:eax] = _t108;
        						_push(E0040AD27);
        						if(_v12 != 0) {
        							E0040540C(_v12);
        						}
        						return RegCloseKey(_v16);
        					} else {
        						_t85 = RegOpenKeyExW(0x80000002, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
        						if(_t85 == 0) {
        							goto L10;
        						} else {
        							_t87 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
        							if(_t87 == 0) {
        								goto L10;
        							} else {
        								_t89 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
        								if(_t89 == 0) {
        									goto L10;
        								} else {
        									_t91 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v16); // executed
        									if(_t91 == 0) {
        										goto L10;
        									} else {
        										_t93 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v16); // executed
        										if(_t93 != 0) {
        											goto L18;
        										} else {
        											goto L10;
        										}
        									}
        								}
        							}
        						}
        					}
        				}
        			}





















        APIs
        • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040AD3D,?,?), ref: 0040AB51
        • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040AB9A
        • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040ABBC
        • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040ABDA
        • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040ABF8
        • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040AC16
        • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040AC34
        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D), ref: 0040AC74
        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001), ref: 0040AC9F
        • RegCloseKey.ADVAPI32(?,0040AD27,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales), ref: 0040AD1A
        Strings
        Similarity
        • API ID: Open$QueryValue$CloseFileModuleName
        • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
        • API String ID: 2701450724-3496071916
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 60%
        			E004B5A90(void* __ebx, void* __ecx, void* __edx, void* __esi) {
        				char _v8;
        				char _v12;
        				char _v16;
        				char _t16;
        				intOrPtr _t32;
        				intOrPtr _t41;
        
        				_t27 = __ebx;
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(_t41);
        				_push(0x4b5b5a);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t41;
        				 *0x4c1124 =  *0x4c1124 - 1;
        				if( *0x4c1124 < 0) {
        					 *0x4c1128 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64DisableWow64FsRedirection");
        					 *0x4c112c = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64RevertWow64FsRedirection");
        					if( *0x4c1128 == 0 ||  *0x4c112c == 0) {
        						_t16 = 0;
        					} else {
        						_t16 = 1;
        					}
        					 *0x4c1130 = _t16;
        					E00422D44( &_v12);
        					E00422660(_v12,  &_v8);
        					E004086E4( &_v8, L"shell32.dll");
        					E00421230(_v8, _t27, 0x8000); // executed
        					E004232EC(0x4c783afb,  &_v16);
        				}
        				_pop(_t32);
        				 *[fs:eax] = _t32;
        				_push(0x4b5b61);
        				return E00407A80( &_v16, 3);
        			}










        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5ABE
          • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
        • GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5AD8
          • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00000000), ref: 0040E20B
        Strings
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
        • API String ID: 1646373207-2130885113
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 158 407750-407764 159 407766-407772 call 407630 call 4076b8 158->159 160 407777-40777e 158->160 159->160 162 407780-40778b GetCurrentThreadId 160->162 163 4077a1-4077a5 160->163 162->163 164 40778d-40779c call 407388 call 40768c 162->164 165 4077a7-4077ae 163->165 166 4077c9-4077cd 163->166 164->163 165->166 169 4077b0-4077c7 165->169 170 4077d9-4077dd 166->170 171 4077cf-4077d2 166->171 169->166 175 4077fc-407805 call 4073b0 170->175 176 4077df-4077e8 call 4054b4 170->176 171->170 174 4077d4-4077d6 171->174 174->170 185 407807-40780a 175->185 186 40780c-407811 175->186 176->175 184 4077ea-4077fa call 405ce8 call 4054b4 176->184 184->175 185->186 188 40782d-407838 call 407388 185->188 186->188 189 407813-407821 call 40b40c 186->189 196 40783a 188->196 197 40783d-407841 188->197 189->188 199 407823-407825 189->199 196->197 200 407843-407845 call 40768c 197->200 201 40784a-40784d 197->201 199->188 202 407827-407828 FreeLibrary 199->202 200->201 204 407866 201->204 205 40784f-407856 201->205 202->188 206 407858 205->206 207 40785e-407861 ExitProcess 205->207 206->207
        C-Code - Quality: 86%
        			E00407750() {
        				void* _t20;
        				void* _t23;
        				intOrPtr _t31;
        				intOrPtr* _t33;
        				void* _t46;
        				struct HINSTANCE__* _t49;
        				void* _t56;
        
        				if( *0x4b7004 != 0) {
        					E00407630();
        					E004076B8(_t46);
        					 *0x4b7004 = 0;
        				}
        				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
        					E00407388(0x4bdbc8);
        					E0040768C(0x4bdbc8);
        				}
        				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
        					L8:
        					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
        						 *0x004BDBA4 = 0;
        					}
        					if( *((char*)(0x4bdbc0)) != 0) {
        						L14:
        						E004073B0(); // executed
        						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
        							_t15 =  *0x004BDBA8;
        							if( *0x004BDBA8 != 0) {
        								E0040B40C(_t15);
        								_t31 =  *((intOrPtr*)(0x4bdba8));
        								_t8 = _t31 + 0x10; // 0x400000
        								_t49 =  *_t8;
        								_t9 = _t31 + 4; // 0x400000
        								if(_t49 !=  *_t9 && _t49 != 0) {
        									FreeLibrary(_t49);
        								}
        							}
        						}
        						E00407388(0x4bdb98);
        						if( *((char*)(0x4bdbc0)) == 1) {
        							 *0x004BDBBC();
        						}
        						if( *((char*)(0x4bdbc0)) != 0) {
        							E0040768C(0x4bdb98);
        						}
        						if( *0x4bdb98 == 0) {
        							if( *0x4bb038 != 0) {
        								 *0x4bb038();
        							}
        							ExitProcess( *0x4b7000); // executed
        						}
        						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
        						_t56 = _t56 + 0xc;
        						0x4b7000 = 0x4b7000;
        						0x4bdb98 = 0x4bdb98;
        						goto L8;
        					} else {
        						_t20 = E004054B4();
        						_t44 = _t20;
        						if(_t20 == 0) {
        							goto L14;
        						} else {
        							goto L13;
        						}
        						do {
        							L13:
        							E00405CE8(_t44);
        							_t23 = E004054B4();
        							_t44 = _t23;
        						} while (_t23 != 0);
        						goto L14;
        					}
        				} else {
        					do {
        						_t33 =  *0x4bb054; // 0x0
        						 *0x4bb054 = 0;
        						 *_t33();
        					} while ( *0x4bb054 != 0);
        					L8:
        					while(1) {
        					}
        				}
        			}











        APIs
        • GetCurrentThreadId.KERNEL32 ref: 00407780
        • FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
        • ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861
          • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
          • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
          • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
          • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718
        Strings
        Similarity
        • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
        • String ID: MZP
        • API String ID: 3490077880-2889622443
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 208 407748-407764 209 407766-407772 call 407630 call 4076b8 208->209 210 407777-40777e 208->210 209->210 212 407780-40778b GetCurrentThreadId 210->212 213 4077a1-4077a5 210->213 212->213 214 40778d-40779c call 407388 call 40768c 212->214 215 4077a7-4077ae 213->215 216 4077c9-4077cd 213->216 214->213 215->216 219 4077b0-4077c7 215->219 220 4077d9-4077dd 216->220 221 4077cf-4077d2 216->221 219->216 225 4077fc-407805 call 4073b0 220->225 226 4077df-4077e8 call 4054b4 220->226 221->220 224 4077d4-4077d6 221->224 224->220 235 407807-40780a 225->235 236 40780c-407811 225->236 226->225 234 4077ea-4077fa call 405ce8 call 4054b4 226->234 234->225 235->236 238 40782d-407838 call 407388 235->238 236->238 239 407813-407821 call 40b40c 236->239 246 40783a 238->246 247 40783d-407841 238->247 239->238 249 407823-407825 239->249 246->247 250 407843-407845 call 40768c 247->250 251 40784a-40784d 247->251 249->238 252 407827-407828 FreeLibrary 249->252 250->251 254 407866 251->254 255 40784f-407856 251->255 252->238 256 407858 255->256 257 40785e-407861 ExitProcess 255->257 256->257
        C-Code - Quality: 86%
        			E00407748() {
        				intOrPtr* _t14;
        				void* _t23;
        				void* _t26;
        				intOrPtr _t34;
        				intOrPtr* _t36;
        				void* _t50;
        				struct HINSTANCE__* _t53;
        				void* _t62;
        
        				 *((intOrPtr*)(_t14 +  *_t14)) =  *((intOrPtr*)(_t14 +  *_t14)) + _t14 +  *_t14;
        				if( *0x4b7004 != 0) {
        					E00407630();
        					E004076B8(_t50);
        					 *0x4b7004 = 0;
        				}
        				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
        					E00407388(0x4bdbc8);
        					E0040768C(0x4bdbc8);
        				}
        				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
        					L9:
        					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
        						 *0x004BDBA4 = 0;
        					}
        					if( *((char*)(0x4bdbc0)) != 0) {
        						L15:
        						E004073B0(); // executed
        						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
        							_t18 =  *0x004BDBA8;
        							if( *0x004BDBA8 != 0) {
        								E0040B40C(_t18);
        								_t34 =  *((intOrPtr*)(0x4bdba8));
        								_t8 = _t34 + 0x10; // 0x400000
        								_t53 =  *_t8;
        								_t9 = _t34 + 4; // 0x400000
        								if(_t53 !=  *_t9 && _t53 != 0) {
        									FreeLibrary(_t53);
        								}
        							}
        						}
        						E00407388(0x4bdb98);
        						if( *((char*)(0x4bdbc0)) == 1) {
        							 *0x004BDBBC();
        						}
        						if( *((char*)(0x4bdbc0)) != 0) {
        							E0040768C(0x4bdb98);
        						}
        						if( *0x4bdb98 == 0) {
        							if( *0x4bb038 != 0) {
        								 *0x4bb038();
        							}
        							ExitProcess( *0x4b7000); // executed
        						}
        						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
        						_t62 = _t62 + 0xc;
        						0x4b7000 = 0x4b7000;
        						0x4bdb98 = 0x4bdb98;
        						goto L9;
        					} else {
        						_t23 = E004054B4();
        						_t48 = _t23;
        						if(_t23 == 0) {
        							goto L15;
        						} else {
        							goto L14;
        						}
        						do {
        							L14:
        							E00405CE8(_t48);
        							_t26 = E004054B4();
        							_t48 = _t26;
        						} while (_t26 != 0);
        						goto L15;
        					}
        				} else {
        					do {
        						_t36 =  *0x4bb054; // 0x0
        						 *0x4bb054 = 0;
        						 *_t36();
        					} while ( *0x4bb054 != 0);
        					L9:
        					while(1) {
        					}
        				}
        			}












        APIs
        • GetCurrentThreadId.KERNEL32 ref: 00407780
        • FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
        • ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861
          • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
          • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
          • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
          • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
        • String ID: MZP
        • API String ID: 3490077880-2889622443
        • Opcode ID: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
        • Instruction ID: bfc25cbdcfe625b544084418af651039c1e49876b6b13a82c314e6a817d38f33
        • Opcode Fuzzy Hash: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
        • Instruction Fuzzy Hash: E3314D20E087419BE721BB7A888935B7BA09B05315F14897FE541A73D2D77CB884CB6F
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 79%
        			E004B5000(void* __ecx, void* __edx) {
        				intOrPtr _t19;
        				intOrPtr _t22;
        
        				_push(_t22);
        				_push(0x4b50d7);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t22;
        				 *0x4bb98c =  *0x4bb98c - 1;
        				if( *0x4bb98c < 0) {
        					E00405B74();
        					E004051A8();
        					SetThreadLocale(0x400); // executed
        					E0040A250();
        					 *0x4b700c = 2;
        					 *0x4bb01c = 0x4036b0;
        					 *0x4bb020 = 0x4036b8;
        					 *0x4bb05a = 2;
        					 *0x4bb060 = E0040CAA4();
        					 *0x4bb008 = 0x4095a0;
        					E00405BCC(E00405BB0());
        					 *0x4bb068 = 0xd7b0;
        					 *0x4bb344 = 0xd7b0;
        					 *0x4bb620 = 0xd7b0;
        					 *0x4bb050 = GetCommandLineW();
        					 *0x4bb04c = E00403810();
        					 *0x4bb97c = GetACP();
        					 *0x4bb980 = 0x4b0;
        					 *0x4bb044 = GetCurrentThreadId();
        					E0040CAB8();
        				}
        				_pop(_t19);
        				 *[fs:eax] = _t19;
        				_push(0x4b50de);
        				return 0;
        			}






        APIs
        • SetThreadLocale.KERNEL32(00000400,00000000,004B50D7), ref: 004B502D
          • Part of subcall function 0040A250: InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
          • Part of subcall function 0040A250: GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
          • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
          • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
          • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
          • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
          • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
          • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4
          • Part of subcall function 0040CAA4: GetSystemInfo.KERNEL32 ref: 0040CAA8
        • GetCommandLineW.KERNEL32(00000400,00000000,004B50D7), ref: 004B5092
          • Part of subcall function 00403810: GetStartupInfoW.KERNEL32 ref: 00403821
        • GetACP.KERNEL32(00000400,00000000,004B50D7), ref: 004B50A6
        • GetCurrentThreadId.KERNEL32 ref: 004B50BA
          • Part of subcall function 0040CAB8: GetVersion.KERNEL32(004B50C9,00000400,00000000,004B50D7), ref: 0040CAB8
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: AddressHandleModuleProc$InfoThreadVersion$CommandCriticalCurrentInitializeLineLocaleSectionStartupSystem
        • String ID:
        • API String ID: 2740004594-0
        • Opcode ID: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
        • Instruction ID: 4c04e7183c3d5c6504f231a905193e891933426fc174ea8e71756e1f90614aff
        • Opcode Fuzzy Hash: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
        • Instruction Fuzzy Hash: 46111CB04047449FE311BF76A8062267BA8EB05309B508A7FE110662E2EBFD15048FEE
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 63%
        			E0041FF94(void* __eax, void* __ebx, signed int* __ecx, signed int* __edx, void* __edi, void* __esi, signed int* _a4) {
        				char _v8;
        				char _v9;
        				int _v16;
        				void* _v20;
        				void* _v24;
        				int _v28;
        				int _t33;
        				int _t43;
        				int _t64;
        				intOrPtr _t72;
        				intOrPtr _t74;
        				signed int* _t77;
        				signed int* _t79;
        				void* _t81;
        				void* _t82;
        				intOrPtr _t83;
        
        				_t81 = _t82;
        				_t83 = _t82 + 0xffffffe8;
        				_v8 = 0;
        				_t77 = __ecx;
        				_t79 = __edx;
        				_push(_t81);
        				_push(0x420094);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t83;
        				_v9 = 0;
        				E00407E48( &_v8, __eax);
        				E00407FB0( &_v8);
        				_t33 = GetFileVersionInfoSizeW(E004084EC(_v8),  &_v16); // executed
        				_t64 = _t33;
        				if(_t64 == 0) {
        					_pop(_t72);
        					 *[fs:eax] = _t72;
        					_push(0x42009b);
        					return E00407A20( &_v8);
        				} else {
        					_v20 = E004053F0(_t64);
        					_push(_t81);
        					_push(0x420077);
        					_push( *[fs:edx]);
        					 *[fs:edx] = _t83;
        					_t43 = GetFileVersionInfoW(E004084EC(_v8), _v16, _t64, _v20); // executed
        					if(_t43 != 0 && VerQueryValueW(_v20, 0x4200a8,  &_v24,  &_v28) != 0) {
        						 *_t79 =  *(_v24 + 0x10) >> 0x00000010 & 0x0000ffff;
        						 *_t77 =  *(_v24 + 0x10) & 0x0000ffff;
        						 *_a4 =  *(_v24 + 0x14) >> 0x00000010 & 0x0000ffff;
        						_v9 = 1;
        					}
        					_pop(_t74);
        					 *[fs:eax] = _t74;
        					_push(0x42007e);
        					return E0040540C(_v20);
        				}
        			}




















        APIs
        • GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00420094), ref: 0041FFD9
        • GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 00420012
        • VerQueryValueW.VERSION(?,004200A8,?,?,00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 0042002C
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: FileInfoVersion$QuerySizeValue
        • String ID:
        • API String ID: 2179348866-0
        • Opcode ID: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
        • Instruction ID: 087fa93cc02b824bee97242c1a4c1e6fbe52d07f241be95d6751b2a9bfa32856
        • Opcode Fuzzy Hash: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
        • Instruction Fuzzy Hash: 19314771A042199FD710DFA9D941DAFB7F8EB48700B91447AF944E3252D778DD00C765
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 296 406d86-406d93 297 406d99-406da5 296->297 298 406eac-406eb1 296->298 299 406e15-406e1c 297->299 300 406da7-406db5 call 405bcc 297->300 301 406e3c-406e64 RtlUnwind call 40cc60 299->301 302 406e1e-406e25 299->302 300->298 308 406dbb-406dbf 300->308 307 406e69-406e8a call 406cf0 301->307 302->301 304 406e27-406e3a UnhandledExceptionFilter 302->304 304->298 304->301 307->298 308->298 312 406dc5-406dd3 308->312 313 406dd5-406de1 call 406ca0 312->313 314 406e0c-406e12 312->314 313->314 317 406de3-406dea 313->317 314->299 317->314 318 406dec-406dfb UnhandledExceptionFilter 317->318 318->298 319 406e01-406e0a 318->319 319->301
        C-Code - Quality: 63%
        			E00406D86(void* __ebx, void* __edi, void* __esi, void* __ebp, struct _EXCEPTION_POINTERS _a4, intOrPtr _a8, intOrPtr _a12) {
        				intOrPtr _v8;
        				struct _EXCEPTION_RECORD* _t22;
        				intOrPtr* _t25;
        				long _t28;
        				long _t30;
        				long _t31;
        				long _t32;
        				void* _t33;
        				void* _t38;
        				long _t41;
        				intOrPtr* _t43;
        				intOrPtr _t44;
        				void* _t45;
        				void* _t47;
        				void* _t48;
        				intOrPtr _t50;
        
        				_t48 = __ebp;
        				_t47 = __esi;
        				_t45 = __edi;
        				_t33 = __ebx;
        				_t22 = _a4.ExceptionRecord;
        				if((_t22->ExceptionFlags & 0x00000006) == 0) {
        					_t41 = _t22->ExceptionInformation[1];
        					_t38 = _t22->ExceptionInformation;
        					if(_t22->ExceptionCode == 0xeedfade) {
        						L11:
        						if( *0x4b7031 <= 1 ||  *0x4b7030 > 0) {
        							goto L14;
        						}
        						_t28 = UnhandledExceptionFilter( &_a4);
        						_t38 = _t38;
        						_t41 = _t41;
        						_t22 = _t22;
        						if(_t28 != 0) {
        							goto L14;
        						}
        					} else {
        						asm("cld");
        						E00405BCC(_t22);
        						_t43 =  *0x4bb018; // 0x0
        						if(_t43 != 0) {
        							_t30 =  *_t43();
        							if(_t30 != 0) {
        								_t44 = _a12;
        								if(_a4.ExceptionRecord->ExceptionCode == 0xeefface) {
        									L10:
        									_t41 = _t30;
        									_t22 = _a4.ExceptionRecord;
        									_t38 = _t22->ExceptionAddress;
        									goto L11;
        								} else {
        									_t30 = E00406CA0(_t30, _t44, __edi);
        									if( *0x4b7031 <= 0 ||  *0x4b7030 > 0) {
        										goto L10;
        									} else {
        										_t31 = UnhandledExceptionFilter( &_a4);
        										_t32 = _t30;
        										if(_t31 != 0) {
        											_t41 = _t32;
        											_t22 = _a4.ExceptionRecord;
        											_t38 = _t22->ExceptionAddress;
        											L14:
        											_t22->ExceptionFlags = _t22->ExceptionFlags | 0x00000002;
        											 *0x4bb020(_a8, "true", _t22, 0, _t38, _t41, _t22,  *[fs:ebx], _t48, _t45, _t47, _t33); // executed
        											_t46 = _v8;
        											_t25 = E0040CC60();
        											_push( *_t25);
        											 *_t25 = _t50;
        											 *((intOrPtr*)(_v8 + 4)) = E00406E8C;
        											E00406CF0(_t25,  *((intOrPtr*)(_t46 + 4)) + 5, _t47);
        											goto __ebx;
        										}
        									}
        								}
        							}
        						}
        					}
        				}
        				return 1;
        			}




















        APIs
        • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00406DF2
        • UnhandledExceptionFilter.KERNEL32(?,?,?,Function_00006D88), ref: 00406E2F
        • RtlUnwind.KERNEL32(?,?,Function_00006D88,00000000,?,?,Function_00006D88,?), ref: 00406E5A
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: ExceptionFilterUnhandled$Unwind
        • String ID:
        • API String ID: 1141220122-0
        • Opcode ID: 9e921812675e94d09cf659e9b3dc74c1040adbde875b4dc9461ad8792aed939a
        • Instruction ID: 82ba9095b820b8f74b53f70e2f32f8d84a8c98116d21455e8c3fce4a4b86a7d7
        • Opcode Fuzzy Hash: 9e921812675e94d09cf659e9b3dc74c1040adbde875b4dc9461ad8792aed939a
        • Instruction Fuzzy Hash: F9316478208300AFE720DB14C884F2777A9EB88B54F26857AF449A7391C739EC50C6A9
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 320 40b110-40b152 call 407b04 * 2 call 407a20 327 40b158-40b168 call 407e48 320->327 328 40b20c-40b226 call 407a80 320->328 333 40b16a-40b16d 327->333 334 40b16f-40b174 327->334 333->334 336 40b176-40b17f 334->336 337 40b19b-40b1aa call 40ae34 334->337 338 40b181-40b194 call 4088ac 336->338 339 40b196-40b199 336->339 344 40b1bb-40b1d8 GetUserDefaultUILanguage call 40a7e4 call 40af60 337->344 345 40b1ac-40b1b9 call 40af60 337->345 338->337 339->336 339->337 352 40b1da-40b1e1 344->352 353 40b1fd-40b200 344->353 345->328 352->353 354 40b1e3-40b1f8 GetSystemDefaultUILanguage call 40a7e4 call 40af60 352->354 353->328 355 40b202-40b207 call 40b044 353->355 354->353 355->328
        C-Code - Quality: 72%
        			E0040B110(intOrPtr __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi) {
        				intOrPtr _v8;
        				signed int _v12;
        				char _v16;
        				char _v20;
        				char _v24;
        				char _v28;
        				signed int _t41;
        				signed short _t43;
        				signed short _t46;
        				signed int _t60;
        				intOrPtr _t68;
        				void* _t79;
        				signed int* _t81;
        				intOrPtr _t84;
        
        				_t79 = __edi;
        				_t61 = __ecx;
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(__ebx);
        				_push(__esi);
        				_t81 = __ecx;
        				_v12 = __edx;
        				_v8 = __eax;
        				E00407B04(_v8);
        				E00407B04(_v12);
        				_push(_t84);
        				_push(0x40b227);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t84;
        				E00407A20(__ecx);
        				if(_v12 == 0) {
        					L14:
        					_pop(_t68);
        					 *[fs:eax] = _t68;
        					_push(E0040B22E);
        					return E00407A80( &_v28, 6);
        				}
        				E00407E48( &_v20, _v12);
        				_t41 = _v12;
        				if(_t41 != 0) {
        					_t41 =  *(_t41 - 4);
        				}
        				_t60 = _t41;
        				if(_t60 < 1) {
        					L7:
        					_t43 = E0040AE34(_v8, _t60, _t61,  &_v16, _t81); // executed
        					if(_v16 == 0) {
        						L00403730();
        						E0040A7E4(_t43, _t60,  &_v24, _t79, _t81);
        						_t46 = E0040AF60(_v20, _t60, _t81, _v24, _t79, _t81); // executed
        						__eflags =  *_t81;
        						if( *_t81 == 0) {
        							__eflags =  *0x4bdc0c;
        							if( *0x4bdc0c == 0) {
        								L00403738();
        								E0040A7E4(_t46, _t60,  &_v28, _t79, _t81);
        								E0040AF60(_v20, _t60, _t81, _v28, _t79, _t81);
        							}
        						}
        						__eflags =  *_t81;
        						if(__eflags == 0) {
        							E0040B044(_v20, _t60, _t81, __eflags); // executed
        						}
        					} else {
        						E0040AF60(_v20, _t60, _t81, _v16, _t79, _t81);
        					}
        					goto L14;
        				}
        				while( *((short*)(_v12 + _t60 * 2 - 2)) != 0x2e) {
        					_t60 = _t60 - 1;
        					__eflags = _t60;
        					if(_t60 != 0) {
        						continue;
        					}
        					goto L7;
        				}
        				_t61 = _t60;
        				E004088AC(_v12, _t60, 1,  &_v20);
        				goto L7;
        			}


















        APIs
        • GetUserDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1BB
        • GetSystemDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1E3
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: DefaultLanguage$SystemUser
        • String ID:
        • API String ID: 384301227-0
        • Opcode ID: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
        • Instruction ID: e5bcb09f7540d0846d638ab8db7cc306f2a88a3609992180fc1e837192b0f5a6
        • Opcode Fuzzy Hash: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
        • Instruction Fuzzy Hash: B0313070A142499BDB10EBA5C891AAEB7B5EF48304F50857BE400B73D1DB7CAD41CB9E
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 58%
        			E0040B234(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
        				char _v8;
        				short _v530;
        				char _v536;
        				char _v540;
        				void* _t44;
        				intOrPtr _t45;
        				void* _t49;
        				void* _t52;
        
        				_v536 = 0;
        				_v540 = 0;
        				_v8 = 0;
        				_t49 = __eax;
        				_push(_t52);
        				_push(0x40b2ee);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t52 + 0xfffffde8;
        				GetModuleFileNameW(0,  &_v530, 0x105);
        				E00408550( &_v536, _t49);
        				_push(_v536);
        				E0040858C( &_v540, 0x105,  &_v530);
        				_pop(_t44); // executed
        				E0040B110(_v540, 0,  &_v8, _t44, __edi, _t49); // executed
        				if(_v8 != 0) {
        					LoadLibraryExW(E004084EC(_v8), 0, 2);
        				}
        				_pop(_t45);
        				 *[fs:eax] = _t45;
        				_push(E0040B2F5);
        				E00407A80( &_v540, 2);
        				return E00407A20( &_v8);
        			}












        APIs
        • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
        • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: FileLibraryLoadModuleName
        • String ID:
        • API String ID: 1159719554-0
        • Opcode ID: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
        • Instruction ID: c66d7809fa1512833e1e01641763b0ecb7dd00f0751393a0e64d94d028879d96
        • Opcode Fuzzy Hash: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
        • Instruction Fuzzy Hash: 35116070A4421CABDB10EB55CD86BDE77B8DB04304F5144BEE508B32C1DA785F848AA9
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 410 421230-421283 SetErrorMode call 4084ec LoadLibraryW
        C-Code - Quality: 37%
        			E00421230(void* __eax, void* __ebx, int __edx) {
        				struct HINSTANCE__* _v12;
        				int _v16;
        				int _t4;
        				struct HINSTANCE__* _t9;
        				void* _t12;
        				intOrPtr _t16;
        				void* _t18;
        				void* _t19;
        				intOrPtr _t20;
        
        				_t18 = _t19;
        				_t20 = _t19 + 0xfffffff4;
        				_t12 = __eax;
        				_t4 = SetErrorMode(__edx); // executed
        				_v16 = _t4;
        				_push(_t18);
        				_push(0x4212a2);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t20;
        				asm("fnstcw word [ebp-0x2]");
        				_push(_t18);
        				_push(0x421284);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t20;
        				_t9 = LoadLibraryW(E004084EC(_t12)); // executed
        				_v12 = _t9;
        				_pop(_t16);
        				 *[fs:eax] = _t16;
        				_push(0x42128b);
        				asm("fclex");
        				asm("fldcw word [ebp-0x2]");
        				return 0;
        			}













        APIs
        • SetErrorMode.KERNEL32 ref: 0042123A
        • LoadLibraryW.KERNEL32(00000000,00000000,00421284,?,00000000,004212A2), ref: 00421269
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: ErrorLibraryLoadMode
        • String ID:
        • API String ID: 2987862817-0
        • Opcode ID: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
        • Instruction ID: 4174928c950a8c4d8a753a2a73b5e5f46ee32f9a8ef6f103d2b3a03bcfaff51e
        • Opcode Fuzzy Hash: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
        • Instruction Fuzzy Hash: 15F08270A14744BFDB115F779C5282BBAACE709B047A348BAF800F2691E53C48208574
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        control_flow_graph 413 4052d4-4052e5 414 4052f9-4052fb 413->414 415 4052e7-4052f7 VirtualFree 414->415 416 4052fd-405302 414->416 415->414 417 405307-405321 416->417 417->417 418 405323-40532d 417->418 419 405332-40533d 418->419 419->419 420 40533f-405361 call 405884 419->420 423 405375-405377 420->423 424 405363-405373 VirtualFree 423->424 425 405379-405382 423->425 424->423
        C-Code - Quality: 100%
        			E004052D4() {
        				intOrPtr _t13;
        				intOrPtr* _t14;
        				int _t18;
        				intOrPtr* _t23;
        				void* _t25;
        				void* _t26;
        				void* _t28;
        				void* _t31;
        
        				_t28 =  *0x004BBADC;
        				while(_t28 != 0x4bbad8) {
        					_t2 = _t28 + 4; // 0x4bbad8
        					VirtualFree(_t28, 0, 0x8000); // executed
        					_t28 =  *_t2;
        				}
        				_t25 = 0x37;
        				_t13 = 0x4b7080;
        				do {
        					 *((intOrPtr*)(_t13 + 0xc)) = _t13;
        					 *((intOrPtr*)(_t13 + 8)) = _t13;
        					 *((intOrPtr*)(_t13 + 0x10)) = 1;
        					 *((intOrPtr*)(_t13 + 0x14)) = 0;
        					_t13 = _t13 + 0x20;
        					_t25 = _t25 - 1;
        				} while (_t25 != 0);
        				 *0x4bbad8 = 0x4bbad8;
        				 *0x004BBADC = 0x4bbad8;
        				_t26 = 0x400;
        				_t23 = 0x4bbb78;
        				do {
        					_t14 = _t23;
        					 *_t14 = _t14;
        					_t8 = _t14 + 4; // 0x4bbb78
        					 *_t8 = _t14;
        					_t23 = _t23 + 8;
        					_t26 = _t26 - 1;
        				} while (_t26 != 0);
        				 *0x4bbaf4 = 0;
        				E00405884(0x4bbaf8, 0x80);
        				_t18 = 0;
        				 *0x4bbaf0 = 0;
        				_t31 =  *0x004BDB80;
        				while(_t31 != 0x4bdb7c) {
        					_t10 = _t31 + 4; // 0x4bdb7c
        					_t18 = VirtualFree(_t31, 0, 0x8000);
        					_t31 =  *_t10;
        				}
        				 *0x4bdb7c = 0x4bdb7c;
        				 *0x004BDB80 = 0x4bdb7c;
        				return _t18;
        			}

        APIs
        • VirtualFree.KERNEL32(004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 004052F2
        • VirtualFree.KERNEL32(004BDB7C,00000000,00008000,004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 0040536E
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: FreeVirtual
        • String ID:
        • API String ID: 1263568516-0
        • Opcode ID: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
        • Instruction ID: 8dfda0fc8014d777c4f42bdf36328f4fb77b4e1ecbcf9529c7d2d9386e1eba40
        • Opcode Fuzzy Hash: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
        • Instruction Fuzzy Hash: A5116D71A046008FC7689F199840B67BBE4EB88754F15C0BFE549EB791D7B8AC018F9C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 53%
        			E004AF404() {
        				char _v8;
        				void* _t6;
        				intOrPtr _t11;
        				intOrPtr _t20;
        				intOrPtr _t21;
        				intOrPtr _t24;
        
        				_push(0);
        				_push(_t24);
        				_push(0x4af467);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t24;
        				_t6 = E00405474();
        				_t20 =  *0x415748; // 0x4157a0
        				if(E00405F30(_t6, _t20) == 0) {
        					_t11 =  *0x4ba674; // 0x4c0d0c
        					_t1 = _t11 + 0x164; // 0x0
        					E00423270( &_v8);
        					MessageBoxW(0, E004084EC(_v8),  *_t1, 0x10); // executed
        				}
        				_pop(_t21);
        				 *[fs:eax] = _t21;
        				_push(0x4af46e);
        				return E00407A20( &_v8);
        			}

        APIs
        • MessageBoxW.USER32(00000000,00000000,00000000,00000010), ref: 004AF44C
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: Message
        • String ID:
        • API String ID: 2030045667-0
        • Opcode ID: 85040d05a667a057702a81a59cc8903d7cf9b38789560b08f9d619bd8c07588f
        • Instruction ID: df185ba2c4542d38c973d174cb8fca7e9c56812a44b35e206d2562239992b1e5
        • Opcode Fuzzy Hash: 85040d05a667a057702a81a59cc8903d7cf9b38789560b08f9d619bd8c07588f
        • Instruction Fuzzy Hash: C9F0B430204608EFEB00EB91DD43FAB73A8D759704F9144B7F900A7192DA3C6E048918
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004232EC(long __eax, void* __edx) {
        				short _v2052;
        				signed int _t7;
        				void* _t10;
        				signed int _t16;
        				void* _t17;
        
        				_t10 = __edx;
        				_t7 = FormatMessageW(0x3200, 0, __eax, 0,  &_v2052, 0x400, 0); // executed
        				while(_t7 > 0) {
        					_t16 =  *(_t17 + _t7 * 2 - 2) & 0x0000ffff;
        					if(_t16 <= 0x20) {
        						L1:
        						_t7 = _t7 - 1;
        						__eflags = _t7;
        						continue;
        					} else {
        						_t20 = _t16 - 0x2e;
        						if(_t16 == 0x2e) {
        							goto L1;
        						}
        					}
        					break;
        				}
        				return E00407BA8(_t10, _t7, _t17, _t20);
        			}

        APIs
        • FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,00423C1E,00000000,00423C6F,?,00423E28), ref: 0042330B
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: FormatMessage
        • String ID:
        • API String ID: 1306739567-0
        • Opcode ID: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
        • Instruction ID: 75fedbff241bec6efc8727d26b236f8c34027f11b3bdd8370f626a5f6d270aaf
        • Opcode Fuzzy Hash: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
        • Instruction Fuzzy Hash: 89E0D86075432121F624A9052C03B7B2129A7C0B12FE084367A80DE3D5DEADAF55525E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00423DA8(signed int __ecx, void* __edx, signed char _a4, signed char _a8) {
        				void* _t17;
        
        				_t17 = CreateFileW(E004084EC(__edx),  *(0x4b92e0 + (_a8 & 0x000000ff) * 4),  *(0x4b92ec + (_a4 & 0x000000ff) * 4), 0,  *(0x4b92fc + (__ecx & 0x000000ff) * 4), 0x80, 0); // executed
        				return _t17;
        			}

        APIs
        • CreateFileW.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00423DE5
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
        • Instruction ID: 37fe8146f2431012b4276926014d9d5fd10bf57e8855788e2bc853c5fce69268
        • Opcode Fuzzy Hash: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
        • Instruction Fuzzy Hash: 81E048716441283FD6149ADE7C91F76779C9709754F404563F684D7281C4A59D1086FC
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00409FA8(void* __eax) {
        				short _v532;
        				void* __ebx;
        				void* __esi;
        				intOrPtr _t14;
        				void* _t16;
        				void* _t18;
        				void* _t19;
        				intOrPtr _t20;
        				void* _t21;
        
        				_t16 = __eax;
        				_t22 =  *((intOrPtr*)(__eax + 0x10));
        				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
        					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
        					_t14 = E0040B234(_t21, _t16, _t18, _t19, _t22); // executed
        					_t20 = _t14;
        					 *((intOrPtr*)(_t16 + 0x10)) = _t20;
        					if(_t20 == 0) {
        						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
        					}
        				}
        				return  *((intOrPtr*)(_t16 + 0x10));
        			}

        APIs
        • GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 00409FC6
          • Part of subcall function 0040B234: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
          • Part of subcall function 0040B234: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: FileModuleName$LibraryLoad
        • String ID:
        • API String ID: 4113206344-0
        • Opcode ID: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
        • Instruction ID: 1beb63cefa55d3dba2b36e2095187d50c135a0cf4330adb642bee8d6847d8901
        • Opcode Fuzzy Hash: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
        • Instruction Fuzzy Hash: 7BE0C971A013119BCB10DE58C8C5A4A3798AB08754F044AA6AD24DF387D3B5DD1487D5
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040CAA4() {
        				intOrPtr _v16;
        				struct _SYSTEM_INFO* _t3;
        
        				GetSystemInfo(_t3); // executed
        				return _v16;
        			}

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: InfoSystem
        • String ID:
        • API String ID: 31276548-0
        • Opcode ID: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
        • Instruction ID: 4f21eec972071caf62eebbeb90550a79e4d7a8082c8b53f17589c9beddeb5e45
        • Opcode Fuzzy Hash: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
        • Instruction Fuzzy Hash: CDA012984088002AC404AB194C4340F39C819C1114FC40224745CB62C2E61D866403DB
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00403BCC(signed int __eax) {
        				void* _t4;
        				intOrPtr _t7;
        				signed int _t8;
        				void** _t10;
        				void* _t12;
        				void* _t14;
        
        				_t8 = __eax;
        				E00403B60(__eax);
        				_t4 = VirtualAlloc(0, 0x13fff0, 0x1000, 4); // executed
        				if(_t4 == 0) {
        					 *0x4bbaf0 = 0;
        					return 0;
        				} else {
        					_t10 =  *0x4bbadc; // 0x4bbad8
        					_t14 = _t4;
        					 *_t14 = 0x4bbad8;
        					 *0x4bbadc = _t4;
        					 *(_t14 + 4) = _t10;
        					 *_t10 = _t4;
        					_t12 = _t14 + 0x13fff0;
        					 *((intOrPtr*)(_t12 - 4)) = 2;
        					 *0x4bbaf0 = 0x13ffe0 - _t8;
        					_t7 = _t12 - _t8;
        					 *0x4bbaec = _t7;
        					 *(_t7 - 4) = _t8 | 0x00000002;
        					return _t7;
        				}
        			}

        APIs
        • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,004041E3,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000), ref: 00403BE3
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
        • Instruction ID: ee114c9f451a66722181258b66a673b4223530c98f306d9f720d31c7abdd50f3
        • Opcode Fuzzy Hash: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
        • Instruction Fuzzy Hash: 71F087F2F002404FE7249F799D40742BAE8E709315B10827EE908EB799E7F488018B88
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 78%
        			E0040A928(short* __eax, intOrPtr __edx) {
        				short* _v8;
        				intOrPtr _v12;
        				intOrPtr _v16;
        				void* _v20;
        				struct _WIN32_FIND_DATAW _v612;
        				short _v1134;
        				signed int _t50;
        				signed int _t51;
        				void* _t55;
        				signed int _t88;
        				signed int _t89;
        				intOrPtr* _t90;
        				signed int _t101;
        				signed int _t102;
        				short* _t112;
        				struct HINSTANCE__* _t113;
        				short* _t115;
        				short* _t116;
        				void* _t117;
        
        				_v12 = __edx;
        				_v8 = __eax;
        				_v16 = _v8;
        				_t113 = GetModuleHandleW(L"kernel32.dll");
        				if(_t113 == 0) {
        					L4:
        					if( *_v8 != 0x5c) {
        						_t115 = _v8 + 4;
        						goto L10;
        					} else {
        						if( *((short*)(_v8 + 2)) == 0x5c) {
        							_t116 = E0040A904(_v8 + 4);
        							if( *_t116 != 0) {
        								_t14 = _t116 + 2; // 0x2
        								_t115 = E0040A904(_t14);
        								if( *_t115 != 0) {
        									L10:
        									_t88 = _t115 - _v8;
        									_t89 = _t88 >> 1;
        									if(_t88 < 0) {
        										asm("adc ebx, 0x0");
        									}
        									_t43 = _t89 + 1;
        									if(_t89 + 1 <= 0x105) {
        										E0040A34C( &_v1134, _v8, _t43);
        										while( *_t115 != 0) {
        											_t112 = E0040A904(_t115 + 2);
        											_t50 = _t112 - _t115;
        											_t51 = _t50 >> 1;
        											if(_t50 < 0) {
        												asm("adc eax, 0x0");
        											}
        											if(_t51 + _t89 + 1 <= 0x105) {
        												_t55 =  &_v1134 + _t89 + _t89;
        												_t101 = _t112 - _t115;
        												_t102 = _t101 >> 1;
        												if(_t101 < 0) {
        													asm("adc edx, 0x0");
        												}
        												E0040A34C(_t55, _t115, _t102 + 1);
        												_v20 = FindFirstFileW( &_v1134,  &_v612);
        												if(_v20 != 0xffffffff) {
        													FindClose(_v20);
        													if(lstrlenW( &(_v612.cFileName)) + _t89 + 1 + 1 <= 0x105) {
        														 *((short*)(_t117 + _t89 * 2 - 0x46a)) = 0x5c;
        														E0040A34C( &_v1134 + _t89 + _t89 + 2,  &(_v612.cFileName), 0x105 - _t89 - 1);
        														_t89 = _t89 + lstrlenW( &(_v612.cFileName)) + 1;
        														_t115 = _t112;
        														continue;
        													}
        												}
        											}
        											goto L24;
        										}
        										E0040A34C(_v8,  &_v1134, _v12);
        									}
        								}
        							}
        						}
        					}
        				} else {
        					_t90 = GetProcAddress(_t113, "GetLongPathNameW");
        					if(_t90 == 0) {
        						goto L4;
        					} else {
        						_push(0x105);
        						_push( &_v1134);
        						_push(_v8);
        						if( *_t90() == 0) {
        							goto L4;
        						} else {
        							E0040A34C(_v8,  &_v1134, _v12);
        						}
        					}
        				}
        				L24:
        				return _v16;
        			}

        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,004162BC,?,?), ref: 0040A945
        • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A956
        • FindFirstFileW.KERNEL32(?,?,kernel32.dll,004162BC,?,?), ref: 0040AA56
        • FindClose.KERNEL32(?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA68
        • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA74
        • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AAB9
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
        • String ID: GetLongPathNameW$\$kernel32.dll
        • API String ID: 1930782624-3908791685
        • Opcode ID: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
        • Instruction ID: 0568a8f2c4c85ac628058e700237ad117df8c3680498263a44950cac296231c5
        • Opcode Fuzzy Hash: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
        • Instruction Fuzzy Hash: 7841A071B003189BCB20DE98CD85A9EB3B5AB44310F1485B69945F72C1EB7CAE51CF4A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 91%
        			E004AF110() {
        				int _v4;
        				struct _TOKEN_PRIVILEGES _v16;
        				void* _v20;
        				int _t7;
        
        				if(E0041FF2C() != 2) {
        					L5:
        					_t7 = ExitWindowsEx(2, 0);
        					asm("sbb eax, eax");
        					return _t7 + 1;
        				}
        				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) != 0) {
        					LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &(_v16.Privileges));
        					_v16.PrivilegeCount = 1;
        					_v4 = 2;
        					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
        					if(GetLastError() == 0) {
        						goto L5;
        					}
        					return 0;
        				}
        				return 0;
        			}

        APIs
        • GetCurrentProcess.KERNEL32(00000028), ref: 004AF120
        • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004AF126
        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004AF13F
        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF166
        • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF16B
        • ExitWindowsEx.USER32 ref: 004AF17C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
        • String ID: SeShutdownPrivilege
        • API String ID: 107509674-3733053543
        • Opcode ID: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
        • Instruction ID: 15d82be9bc359c8987119149698676c325083c88dcd196a4f2f9cd1a299335ef
        • Opcode Fuzzy Hash: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
        • Instruction Fuzzy Hash: 75F06D70684301B5E610A6F2CD07F6B21C89B56B58FA00D3EBA84E91C2D7BDD81D42BF
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004AF9F0() {
        				struct HRSRC__* _t10;
        				void* _t11;
        				void* _t12;
        
        				_t10 = FindResourceW(0, 0x2b67, 0xa);
        				if(_t10 == 0) {
        					E004AF834();
        				}
        				if(SizeofResource(0, _t10) != 0x2c) {
        					E004AF834();
        				}
        				_t11 = LoadResource(0, _t10);
        				if(_t11 == 0) {
        					E004AF834();
        				}
        				_t12 = LockResource(_t11);
        				if(_t12 == 0) {
        					E004AF834();
        				}
        				return _t12;
        			}

        APIs
        • FindResourceW.KERNEL32(00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E,?,00000000,004B65E2), ref: 004AF9FA
        • SizeofResource.KERNEL32(00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E), ref: 004AFA0D
        • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000), ref: 004AFA1F
        • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002), ref: 004AFA30
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: Resource$FindLoadLockSizeof
        • String ID:
        • API String ID: 3473537107-0
        • Opcode ID: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
        • Instruction ID: 8c15b2061d88d30e204a2d131290402b8da5209396f43898e5d703764eea749b
        • Opcode Fuzzy Hash: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
        • Instruction Fuzzy Hash: FCE07E8074634625FA6436F718D7BAE00084B36B4DF40593FFA08A92D2EEAC8C19522E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 71%
        			E0040A4CC(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
        				intOrPtr* _v8;
        				intOrPtr _v12;
        				short _v182;
        				short _v352;
        				char _v356;
        				char _v360;
        				char _v364;
        				int _t58;
        				signed int _t61;
        				intOrPtr _t70;
        				signed short _t80;
        				void* _t83;
        				void* _t85;
        				void* _t86;
        
        				_t77 = __edi;
        				_push(__edi);
        				_v356 = 0;
        				_v360 = 0;
        				_v364 = 0;
        				_v8 = __edx;
        				_t80 = __eax;
        				_push(_t83);
        				_push(0x40a631);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t83 + 0xfffffe98;
        				E00407A20(_v8);
        				_t85 = _t80 -  *0x4b7a08; // 0x404
        				if(_t85 >= 0) {
        					_t86 = _t80 -  *0x4b7c08; // 0x7c68
        					if(_t86 <= 0) {
        						_t77 = 0x40;
        						_v12 = 0;
        						if(0x40 >= _v12) {
        							do {
        								_t61 = _t77 + _v12 >> 1;
        								if(_t80 >=  *((intOrPtr*)(0x4b7a08 + _t61 * 8))) {
        									__eflags = _t80 -  *((intOrPtr*)(0x4b7a08 + _t61 * 8));
        									if(__eflags <= 0) {
        										E0040A3EC( *((intOrPtr*)(0x4b7a0c + _t61 * 8)), _t61, _v8, _t77, _t80, __eflags);
        									} else {
        										_v12 = _t61 + 1;
        										goto L8;
        									}
        								} else {
        									_t77 = _t61 - 1;
        									goto L8;
        								}
        								goto L9;
        								L8:
        							} while (_t77 >= _v12);
        						}
        					}
        				}
        				L9:
        				if( *_v8 == 0 && IsValidLocale(_t80 & 0x0000ffff, 2) != 0) {
        					_t58 = _t80 & 0x0000ffff;
        					GetLocaleInfoW(_t58, 0x59,  &_v182, 0x55);
        					GetLocaleInfoW(_t58, 0x5a,  &_v352, 0x55);
        					E0040858C( &_v356, 0x55,  &_v182);
        					_push(_v356);
        					_push(0x40a64c);
        					E0040858C( &_v360, 0x55,  &_v352);
        					_push(_v360);
        					_push(E0040A65C);
        					E0040858C( &_v364, 0x55,  &_v182);
        					_push(_v364);
        					E004087C4(_v8, _t58, 5, _t77, _t80);
        				}
        				_pop(_t70);
        				 *[fs:eax] = _t70;
        				_push(E0040A638);
        				return E00407A80( &_v364, 3);
        			}


















        APIs
        • IsValidLocale.KERNEL32(?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A576
        • GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A592
        • GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A5A3
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: Locale$Info$Valid
        • String ID:
        • API String ID: 1826331170-0
        • Opcode ID: 62325bdbcd9f8bf22caa424e6d98428fadf2f4ef7d6ad95b5286de9b97f55654
        • Instruction ID: 92a11a0233c3b219485afac9e49f2dea99407596d6f7a83949ef3a6145fdf69e
        • Opcode Fuzzy Hash: 62325bdbcd9f8bf22caa424e6d98428fadf2f4ef7d6ad95b5286de9b97f55654
        • Instruction Fuzzy Hash: 3831AE70A00308ABDF20DB64DD81BDEBBB9FB48701F5005BBA508B32D1D6395E90CE1A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0041A4DC(WCHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
        				long _v8;
        				long _v12;
        				long _v16;
        				long _v20;
        				intOrPtr _v24;
        				signed int _v28;
        				WCHAR* _t25;
        				int _t26;
        				intOrPtr _t31;
        				intOrPtr _t34;
        				intOrPtr* _t37;
        				intOrPtr* _t38;
        				intOrPtr _t46;
        				intOrPtr _t48;
        
        				_t25 = _a4;
        				if(_t25 == 0) {
        					_t25 = 0;
        				}
        				_t26 = GetDiskFreeSpaceW(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
        				_v28 = _v8 * _v12;
        				_v24 = 0;
        				_t46 = _v24;
        				_t31 = E004095A8(_v28, _t46, _v16, 0);
        				_t37 = _a8;
        				 *_t37 = _t31;
        				 *((intOrPtr*)(_t37 + 4)) = _t46;
        				_t48 = _v24;
        				_t34 = E004095A8(_v28, _t48, _v20, 0);
        				_t38 = _a12;
        				 *_t38 = _t34;
        				 *((intOrPtr*)(_t38 + 4)) = _t48;
        				return _t26;
        			}


















        APIs
        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 0041A4FD
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: DiskFreeSpace
        • String ID:
        • API String ID: 1705453755-0
        • Opcode ID: 35fab30d3ed47bb79bc7b5801678cd6b626cb6661b26d0a6d4a2aa78d0844cce
        • Instruction ID: 14c90aad059d6341cd8fbca9d1c94cd423dd62e4f1f0ed92fc39ecac232c4210
        • Opcode Fuzzy Hash: 35fab30d3ed47bb79bc7b5801678cd6b626cb6661b26d0a6d4a2aa78d0844cce
        • Instruction Fuzzy Hash: 7711C0B5A01209AFDB04CF9ACD819EFB7F9EFC8304B14C569A505E7255E6319E018B94
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0041E034(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
        				short _v516;
        				void* __ebp;
        				int _t5;
        				intOrPtr _t10;
        				void* _t18;
        
        				_t18 = __ecx;
        				_t10 = _a4;
        				_t5 = GetLocaleInfoW(__eax, __edx,  &_v516, 0x100);
        				_t19 = _t5;
        				if(_t5 <= 0) {
        					return E00407E00(_t10, _t18);
        				}
        				return E00407BA8(_t10, _t5 - 1,  &_v516, _t19);
        			}









        APIs
        • GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E052
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: InfoLocale
        • String ID:
        • API String ID: 2299586839-0
        • Opcode ID: d1249f9bfb9152180de995f4510b089303b0330b3d36e5e1fa950d916a740853
        • Instruction ID: c90943d4e22265a1f7ecf9aede9ac9faa011377f579ac525cbc4109061889d1c
        • Opcode Fuzzy Hash: d1249f9bfb9152180de995f4510b089303b0330b3d36e5e1fa950d916a740853
        • Instruction Fuzzy Hash: C7E09235B0421427E314A55A9C86AE7725D9B48340F40457FBD05D7382EDB9AE8042E9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E0041E080(int __eax, signed int __ecx, int __edx) {
        				short _v16;
        				signed int _t5;
        				signed int _t10;
        
        				_push(__ecx);
        				_t10 = __ecx;
        				if(GetLocaleInfoW(__eax, __edx,  &_v16, 2) <= 0) {
        					_t5 = _t10;
        				} else {
        					_t5 = _v16 & 0x0000ffff;
        				}
        				return _t5;
        			}







        APIs
        • GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E182,?,00000001,00000000,0041E391), ref: 0041E093
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: InfoLocale
        • String ID:
        • API String ID: 2299586839-0
        • Opcode ID: c2a2e253f202cad765f8f9b35123567cb33a3e9031303696ff7b3b42dc5ba059
        • Instruction ID: 961adf842b5e4829a7f1cb68f4be235500f18d0b61d537998bbd462cca006134
        • Opcode Fuzzy Hash: c2a2e253f202cad765f8f9b35123567cb33a3e9031303696ff7b3b42dc5ba059
        • Instruction Fuzzy Hash: 45D05EBA31923476E214915B6E85DB75ADCCBC87A2F14483BBE4CC6241D2A4CC46A275
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004AF218(signed int __eax) {
        				short _v8;
        				signed int _t6;
        
        				_t6 = GetLocaleInfoW(__eax & 0x0000ffff, 0x20001004,  &_v8, 2);
        				if(_t6 <= 0) {
        					return _t6 | 0xffffffff;
        				}
        				return _v8;
        			}






        APIs
        • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,004AF318), ref: 004AF22E
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: InfoLocale
        • String ID:
        • API String ID: 2299586839-0
        • Opcode ID: 91ef75d91c3bf0fbfb4c903f00eadddcc0e9dd42321a82c412adf8826a4a964a
        • Instruction ID: 3cbbb47bc5e3852376f83ef88ad8e7e21f22c900a58d153b56eed97a123c5839
        • Opcode Fuzzy Hash: 91ef75d91c3bf0fbfb4c903f00eadddcc0e9dd42321a82c412adf8826a4a964a
        • Instruction Fuzzy Hash: E8D0A5F55442087DF504C1DA5D82FB673DCD705374F500767F654C52C1D567EE015219
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0041C3D8() {
        				struct _SYSTEMTIME* _t2;
        
        				GetLocalTime(_t2);
        				return _t2->wYear & 0x0000ffff;
        			}





        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: LocalTime
        • String ID:
        • API String ID: 481472006-0
        • Opcode ID: 2bbd9f916a85fd19aaf3e135de3c6f6031220cebfdbc254b78c71648618a48a1
        • Instruction ID: 79eafb11b28f80ce797d6e9fe134e5764476c7cb5db39d72cf417c4d7be8b418
        • Opcode Fuzzy Hash: 2bbd9f916a85fd19aaf3e135de3c6f6031220cebfdbc254b78c71648618a48a1
        • Instruction Fuzzy Hash: DAA0122080582011D140331A0C0313530405900620FC40F55BCF8542D1E93D013440D7
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004255DC(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8) {
        				intOrPtr* _v8;
        				intOrPtr _v12;
        				intOrPtr _v16;
        				intOrPtr _v20;
        				signed int _v24;
        				char _v25;
        				signed int _v32;
        				signed int _v36;
        				signed int _v40;
        				signed int _v44;
        				signed int _v48;
        				signed int _v52;
        				signed int _v56;
        				intOrPtr _v60;
        				char _v64;
        				char* _v68;
        				void* _v72;
        				char _v76;
        				intOrPtr _v80;
        				intOrPtr _v84;
        				signed int _v88;
        				char _v89;
        				char _v96;
        				signed int _v100;
        				signed int _v104;
        				short* _v108;
        				signed int _v112;
        				signed int _v116;
        				intOrPtr _v120;
        				intOrPtr _v124;
        				intOrPtr _v128;
        				intOrPtr _v132;
        				char _v136;
        				signed int _t370;
        				void* _t375;
        				signed int _t377;
        				signed int _t381;
        				signed int _t389;
        				signed int _t395;
        				signed int _t411;
        				intOrPtr _t422;
        				signed int _t426;
        				signed int _t435;
        				void* _t448;
        				signed int _t458;
        				char _t460;
        				signed int _t474;
        				char* _t503;
        				signed int _t508;
        				signed int _t616;
        				signed int _t617;
        				signed int _t618;
        				signed int _t622;
        
        				_v16 = __ecx;
        				_v12 = __edx;
        				_v8 = __eax;
        				_v20 =  *((intOrPtr*)(_v8 + 0x10));
        				_v24 = 0;
        				_v32 = (1 <<  *(_v8 + 8)) - 1;
        				_v36 = (1 <<  *(_v8 + 4)) - 1;
        				_v40 =  *_v8;
        				_t617 =  *((intOrPtr*)(_v8 + 0x34));
        				_t474 =  *(_v8 + 0x44);
        				_v44 =  *((intOrPtr*)(_v8 + 0x38));
        				_v48 =  *((intOrPtr*)(_v8 + 0x3c));
        				_v52 =  *((intOrPtr*)(_v8 + 0x40));
        				_v56 =  *((intOrPtr*)(_v8 + 0x48));
        				_v60 =  *((intOrPtr*)(_v8 + 0x2c));
        				_v64 =  *((intOrPtr*)(_v8 + 0x30));
        				_v68 =  *((intOrPtr*)(_v8 + 0x1c));
        				_v72 =  *((intOrPtr*)(_v8 + 0xc));
        				_t616 =  *((intOrPtr*)(_v8 + 0x28));
        				_v128 =  *((intOrPtr*)(_v8 + 0x20));
        				_v124 =  *((intOrPtr*)(_v8 + 0x24));
        				_v120 = _v12;
        				_v136 =  *((intOrPtr*)(_v8 + 0x14));
        				_v132 =  *((intOrPtr*)(_v8 + 0x18));
        				 *_a4 = 0;
        				if(_v56 == 0xffffffff) {
        					return 0;
        				}
        				__eflags = _v72;
        				if(_v72 == 0) {
        					_v68 =  &_v76;
        					_v72 = 1;
        					_v76 =  *((intOrPtr*)(_v8 + 0x4c));
        				}
        				__eflags = _v56 - 0xfffffffe;
        				if(_v56 != 0xfffffffe) {
        					L12:
        					_v108 = _v16 + _v24;
        					while(1) {
        						__eflags = _v56;
        						if(_v56 == 0) {
        							break;
        						}
        						__eflags = _v24 - _a8;
        						if(_v24 < _a8) {
        							_t458 = _t616 - _t617;
        							__eflags = _t458 - _v72;
        							if(_t458 >= _v72) {
        								_t458 = _t458 + _v72;
        								__eflags = _t458;
        							}
        							_t460 =  *((intOrPtr*)(_v68 + _t458));
        							 *((char*)(_v68 + _t616)) = _t460;
        							 *_v108 = _t460;
        							_v24 = _v24 + 1;
        							_v108 = _v108 + 1;
        							_t616 = _t616 + 1;
        							__eflags = _t616 - _v72;
        							if(_t616 == _v72) {
        								_t616 = 0;
        								__eflags = 0;
        							}
        							_t116 =  &_v56;
        							 *_t116 = _v56 - 1;
        							__eflags =  *_t116;
        							continue;
        						}
        						break;
        					}
        					__eflags = _t616;
        					if(_t616 != 0) {
        						_v25 =  *((intOrPtr*)(_v68 + _t616 - 1));
        					} else {
        						_v25 =  *((intOrPtr*)(_v68 + _v72 - 1));
        					}
        					__eflags = 0;
        					_v116 = 0;
        					_v112 = 0;
        					while(1) {
        						L24:
        						_v108 = _v16 + _v24;
        						__eflags = _v24 - _a8;
        						if(_v24 >= _a8) {
        							break;
        						} else {
        							goto L25;
        						}
        						while(1) {
        							L25:
        							_v88 = _v24 + _v60 & _v32;
        							__eflags = _v116;
        							if(_v116 != 0) {
        								break;
        							}
        							__eflags = _v112;
        							if(_v112 == 0) {
        								_t370 = E00425334((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88,  &_v136);
        								__eflags = _t370;
        								if(_t370 != 0) {
        									_t375 = E00425334(_t474 + _t474 + _v20 + 0x180,  &_v136);
        									__eflags = _t375 != 1;
        									if(_t375 != 1) {
        										_v52 = _v48;
        										_v48 = _v44;
        										_v44 = _t617;
        										__eflags = _t474 - 7;
        										if(__eflags >= 0) {
        											_t377 = 0xa;
        										} else {
        											_t377 = 7;
        										}
        										_t474 = _t377;
        										_v56 = E004254E4(_v20 + 0x664, _v88,  &_v136, __eflags);
        										_t503 =  &_v136;
        										__eflags = _v56 - 4;
        										if(_v56 >= 4) {
        											_t381 = 3;
        										} else {
        											_t381 = _v56;
        										}
        										_v100 = E004253BC((_t381 << 6) + (_t381 << 6) + _v20 + 0x360, _t503, 6);
        										__eflags = _v100 - 4;
        										if(_v100 < 4) {
        											_t618 = _v100;
        										} else {
        											_v104 = (_v100 >> 1) - 1;
        											_t524 = _v104;
        											_t622 = (_v100 & 0x00000001 | 0x00000002) << _v104;
        											__eflags = _v100 - 0xe;
        											if(_v100 >= 0xe) {
        												_t395 = E004252D4( &_v136, _t524, _v104 + 0xfffffffc);
        												_t618 = _t622 + (_t395 << 4) + E00425400(_v20 + 0x644,  &_v136, 4);
        											} else {
        												_t618 = _t622 + E00425400(_t622 + _t622 + _v20 + 0x560 - _v100 + _v100 + 0xfffffffe,  &_v136, _v104);
        											}
        										}
        										_t617 = _t618 + 1;
        										__eflags = _t617;
        										if(_t617 != 0) {
        											L82:
        											_v56 = _v56 + 2;
        											__eflags = _t617 - _v64;
        											if(_t617 <= _v64) {
        												__eflags = _v72 - _v64 - _v56;
        												if(_v72 - _v64 <= _v56) {
        													_v64 = _v72;
        												} else {
        													_v64 = _v64 + _v56;
        												}
        												while(1) {
        													_t389 = _t616 - _t617;
        													__eflags = _t389 - _v72;
        													if(_t389 >= _v72) {
        														_t389 = _t389 + _v72;
        														__eflags = _t389;
        													}
        													_v25 =  *((intOrPtr*)(_v68 + _t389));
        													 *((char*)(_v68 + _t616)) = _v25;
        													_t616 = _t616 + 1;
        													__eflags = _t616 - _v72;
        													if(_t616 == _v72) {
        														_t616 = 0;
        														__eflags = 0;
        													}
        													_v56 = _v56 - 1;
        													 *_v108 = _v25;
        													_v24 = _v24 + 1;
        													_v108 = _v108 + 1;
        													__eflags = _v56;
        													if(_v56 == 0) {
        														break;
        													}
        													__eflags = _v24 - _a8;
        													if(_v24 < _a8) {
        														continue;
        													}
        													break;
        												}
        												L93:
        												__eflags = _v24 - _a8;
        												if(_v24 < _a8) {
        													continue;
        												}
        												goto L94;
        											}
        											return 1;
        										} else {
        											_v56 = 0xffffffff;
        											goto L94;
        										}
        									}
        									_t411 = E00425334(_t474 + _t474 + _v20 + 0x198,  &_v136);
        									__eflags = _t411;
        									if(_t411 != 0) {
        										__eflags = E00425334(_t474 + _t474 + _v20 + 0x1b0,  &_v136);
        										if(__eflags != 0) {
        											__eflags = E00425334(_t474 + _t474 + _v20 + 0x1c8,  &_v136);
        											if(__eflags != 0) {
        												_t422 = _v52;
        												_v52 = _v48;
        											} else {
        												_t422 = _v48;
        											}
        											_v48 = _v44;
        										} else {
        											_t422 = _v44;
        										}
        										_v44 = _t617;
        										_t617 = _t422;
        										L65:
        										_v56 = E004254E4(_v20 + 0xa68, _v88,  &_v136, __eflags);
        										__eflags = _t474 - 7;
        										if(_t474 >= 7) {
        											_t426 = 0xb;
        										} else {
        											_t426 = 8;
        										}
        										_t474 = _t426;
        										goto L82;
        									}
        									__eflags = E00425334((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88 + 0x1e0,  &_v136);
        									if(__eflags != 0) {
        										goto L65;
        									}
        									__eflags = _v64;
        									if(_v64 != 0) {
        										__eflags = _t474 - 7;
        										if(_t474 >= 7) {
        											_t508 = 0xb;
        										} else {
        											_t508 = 9;
        										}
        										_t474 = _t508;
        										_t435 = _t616 - _t617;
        										__eflags = _t435 - _v72;
        										if(_t435 >= _v72) {
        											_t435 = _t435 + _v72;
        											__eflags = _t435;
        										}
        										_v25 =  *((intOrPtr*)(_v68 + _t435));
        										 *((char*)(_v68 + _t616)) = _v25;
        										_t616 = _t616 + 1;
        										__eflags = _t616 - _v72;
        										if(_t616 == _v72) {
        											_t616 = 0;
        											__eflags = 0;
        										}
        										 *_v108 = _v25;
        										_v24 = _v24 + 1;
        										__eflags = _v64 - _v72;
        										if(_v64 < _v72) {
        											_v64 = _v64 + 1;
        										}
        										goto L24;
        									}
        									return 1;
        								}
        								_t448 = (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + _v20 + 0xe6c;
        								__eflags = _t474 - 7;
        								if(__eflags < 0) {
        									_v25 = E00425444(_t448,  &_v136, __eflags);
        								} else {
        									_v96 = _t616 - _t617;
        									__eflags = _v96 - _v72;
        									if(__eflags >= 0) {
        										_t161 =  &_v96;
        										 *_t161 = _v96 + _v72;
        										__eflags =  *_t161;
        									}
        									_v89 =  *((intOrPtr*)(_v68 + _v96));
        									_v25 = E00425470(_t448, _v89,  &_v136, __eflags);
        								}
        								 *_v108 = _v25;
        								_v24 = _v24 + 1;
        								_v108 = _v108 + 1;
        								__eflags = _v64 - _v72;
        								if(_v64 < _v72) {
        									_t180 =  &_v64;
        									 *_t180 = _v64 + 1;
        									__eflags =  *_t180;
        								}
        								 *((char*)(_v68 + _t616)) = _v25;
        								_t616 = _t616 + 1;
        								__eflags = _t616 - _v72;
        								if(_t616 == _v72) {
        									_t616 = 0;
        									__eflags = 0;
        								}
        								__eflags = _t474 - 4;
        								if(_t474 >= 4) {
        									__eflags = _t474 - 0xa;
        									if(_t474 >= 0xa) {
        										_t474 = _t474 - 6;
        									} else {
        										_t474 = _t474 - 3;
        									}
        								} else {
        									_t474 = 0;
        								}
        								goto L93;
        							}
        							return 1;
        						}
        						return _v116;
        					}
        					L94:
        					 *((intOrPtr*)(_v8 + 0x20)) = _v128;
        					 *((intOrPtr*)(_v8 + 0x24)) = _v124;
        					 *((intOrPtr*)(_v8 + 0x28)) = _t616;
        					 *((intOrPtr*)(_v8 + 0x2c)) = _v60 + _v24;
        					 *((intOrPtr*)(_v8 + 0x30)) = _v64;
        					 *((intOrPtr*)(_v8 + 0x34)) = _t617;
        					 *((intOrPtr*)(_v8 + 0x38)) = _v44;
        					 *((intOrPtr*)(_v8 + 0x3c)) = _v48;
        					 *((intOrPtr*)(_v8 + 0x40)) = _v52;
        					 *(_v8 + 0x44) = _t474;
        					 *((intOrPtr*)(_v8 + 0x48)) = _v56;
        					 *((char*)(_v8 + 0x4c)) = _v76;
        					 *((intOrPtr*)(_v8 + 0x14)) = _v136;
        					 *((intOrPtr*)(_v8 + 0x18)) = _v132;
        					 *_a4 = _v24;
        					__eflags = 0;
        					return 0;
        				}
        				_v80 = (0x300 <<  *(_v8 + 4) + _v40) + 0x736;
        				_v84 = 0;
        				_v108 = _v20;
        				__eflags = _v84 - _v80;
        				if(_v84 >= _v80) {
        					L7:
        					_v52 = 1;
        					_v48 = 1;
        					_v44 = 1;
        					_t617 = 1;
        					_v60 = 0;
        					_v64 = 0;
        					_t474 = 0;
        					_t616 = 0;
        					 *((char*)(_v68 + _v72 - 1)) = 0;
        					E00425294( &_v136);
        					__eflags = _v116;
        					if(_v116 != 0) {
        						return _v116;
        					}
        					__eflags = _v112;
        					if(_v112 == 0) {
        						__eflags = 0;
        						_v56 = 0;
        						goto L12;
        					} else {
        						return 1;
        					}
        				} else {
        					goto L6;
        				}
        				do {
        					L6:
        					 *_v108 = 0x400;
        					_v84 = _v84 + 1;
        					_v108 = _v108 + 2;
        					__eflags = _v84 - _v80;
        				} while (_v84 < _v80);
        				goto L7;
        			}

























































        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
        • Instruction ID: 61b87226b6134f121ca287378b5d435c32ef56f555bf4f4916e7d2b2d6d49e77
        • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
        • Instruction Fuzzy Hash: E932E274E00629DFCB14CF99D981AEDBBB2BF88314F64816AD815AB341D734AE42CF54
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004323DC(signed int* __eax, intOrPtr __ecx, signed int __edx) {
        				signed int* _v8;
        				signed int* _v12;
        				intOrPtr _v16;
        				char _v20;
        				char _v24;
        				char _v28;
        				unsigned int* _t96;
        				unsigned int* _t106;
        				signed int* _t108;
        				signed int _t109;
        
        				_t109 = __edx;
        				_v16 = __ecx;
        				_v12 = __eax;
        				_t106 =  &_v24;
        				_t108 =  &_v28;
        				_t96 =  &_v20;
        				 *_t96 = __edx + 0xdeadbeef + _v16;
        				 *_t106 =  *_t96;
        				 *_t108 =  *_t96;
        				_v8 = _v12;
        				if((_v8 & 0x00000003) != 0) {
        					if(__edx <= 0xc) {
        						L20:
        						if(_t109 > 0xc) {
        							L23:
        							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 0x18);
        							L24:
        							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 0x10);
        							L25:
        							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 8);
        							L26:
        							 *_t108 =  *_t108 + (_v8[2] & 0x000000ff);
        							L27:
        							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 0x18);
        							L28:
        							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 0x10);
        							L29:
        							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 8);
        							L30:
        							 *_t106 =  *_t106 + (_v8[1] & 0x000000ff);
        							L31:
        							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 0x18);
        							L32:
        							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 0x10);
        							L33:
        							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 8);
        							L34:
        							 *_t96 =  *_t96 + ( *_v8 & 0x000000ff);
        							L35:
        							 *_t108 =  *_t108 ^  *_t106;
        							 *_t108 =  *_t108 - ( *_t106 << 0x0000000e |  *_t106 >> 0x00000012);
        							 *_t96 =  *_t96 ^  *_t108;
        							 *_t96 =  *_t96 - ( *_t108 << 0x0000000b |  *_t108 >> 0x00000015);
        							 *_t106 =  *_t106 ^  *_t96;
        							 *_t106 =  *_t106 - ( *_t96 << 0x00000019 |  *_t96 >> 0x00000007);
        							 *_t108 =  *_t108 ^  *_t106;
        							 *_t108 =  *_t108 - ( *_t106 << 0x00000010 |  *_t106 >> 0x00000010);
        							 *_t96 =  *_t96 ^  *_t108;
        							 *_t96 =  *_t96 - ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
        							 *_t106 =  *_t106 ^  *_t96;
        							 *_t106 =  *_t106 - ( *_t96 << 0x0000000e |  *_t96 >> 0x00000012);
        							 *_t108 =  *_t108 ^  *_t106;
        							 *_t108 =  *_t108 - ( *_t106 << 0x00000018 |  *_t106 >> 0x00000008);
        							return  *_t108;
        						}
        						switch( *((intOrPtr*)(_t109 * 4 +  &M00432749))) {
        							case 0:
        								return  *_t108;
        							case 1:
        								goto L34;
        							case 2:
        								goto L33;
        							case 3:
        								goto L32;
        							case 4:
        								goto L31;
        							case 5:
        								goto L30;
        							case 6:
        								goto L29;
        							case 7:
        								goto L28;
        							case 8:
        								goto L27;
        							case 9:
        								goto L26;
        							case 0xa:
        								goto L25;
        							case 0xb:
        								goto L24;
        							case 0xc:
        								goto L23;
        						}
        					} else {
        						goto L19;
        					}
        					do {
        						L19:
        						 *_t96 =  *_t96 + ( *_v8 & 0x000000ff) + ((_v8[0] & 0x000000ff) << 8) + ((_v8[0] & 0x000000ff) << 0x10) + ((_v8[0] & 0x000000ff) << 0x18);
        						 *_t106 =  *_t106 + (_v8[1] & 0x000000ff) + ((_v8[1] & 0x000000ff) << 8) + ((_v8[1] & 0x000000ff) << 0x10) + ((_v8[1] & 0x000000ff) << 0x18);
        						 *_t108 =  *_t108 + (_v8[2] & 0x000000ff) + ((_v8[2] & 0x000000ff) << 8) + ((_v8[2] & 0x000000ff) << 0x10) + ((_v8[2] & 0x000000ff) << 0x18);
        						 *_t96 =  *_t96 -  *_t108;
        						 *_t96 =  *_t96 ^ ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
        						 *_t108 =  *_t108 +  *_t106;
        						 *_t106 =  *_t106 -  *_t96;
        						 *_t106 =  *_t106 ^ ( *_t96 << 0x00000006 |  *_t96 >> 0x0000001a);
        						 *_t96 =  *_t96 +  *_t108;
        						 *_t108 =  *_t108 -  *_t106;
        						 *_t108 =  *_t108 ^ ( *_t106 << 0x00000008 |  *_t106 >> 0x00000018);
        						 *_t106 =  *_t106 +  *_t96;
        						 *_t96 =  *_t96 -  *_t108;
        						 *_t96 =  *_t96 ^ ( *_t108 << 0x00000010 |  *_t108 >> 0x00000010);
        						 *_t108 =  *_t108 +  *_t106;
        						 *_t106 =  *_t106 -  *_t96;
        						 *_t106 =  *_t106 ^ ( *_t96 << 0x00000013 |  *_t96 >> 0x0000000d);
        						 *_t96 =  *_t96 +  *_t108;
        						 *_t108 =  *_t108 -  *_t106;
        						 *_t108 =  *_t108 ^ ( *_t106 << 0x00000004 |  *_t106 >> 0x0000001c);
        						 *_t106 =  *_t106 +  *_t96;
        						_t109 = _t109 - 0xc;
        						_v8 =  &(_v8[3]);
        					} while (_t109 > 0xc);
        					goto L20;
        				}
        				if(__edx <= 0xc) {
        					L3:
        					if(_t109 > 0xc) {
        						goto L35;
        					}
        					switch( *((intOrPtr*)(_t109 * 4 +  &M004324DD))) {
        						case 0:
        							return  *_t108;
        						case 1:
        							_v8 =  *_v8;
        							__edx =  *_v8 & 0x000000ff;
        							 *__eax =  *__eax + ( *_v8 & 0x000000ff);
        							goto L35;
        						case 2:
        							_v8 =  *_v8;
        							__edx =  *_v8 & 0x0000ffff;
        							 *__eax =  *__eax + ( *_v8 & 0x0000ffff);
        							goto L35;
        						case 3:
        							_v8 =  *_v8;
        							__edx =  *_v8 & 0x00ffffff;
        							 *__eax =  *__eax + ( *_v8 & 0x00ffffff);
        							goto L35;
        						case 4:
        							_v8 =  *_v8;
        							 *__eax =  *__eax +  *_v8;
        							goto L35;
        						case 5:
        							__edx = _v8;
        							 *__eax =  *__eax +  *__edx;
        							__edx =  *(__edx + 4);
        							 *__ebx =  *__ebx + __edx;
        							goto L35;
        						case 6:
        							__edx = _v8;
        							 *__eax =  *__eax +  *__edx;
        							__edx =  *(__edx + 4);
        							 *__ebx =  *__ebx + __edx;
        							goto L35;
        						case 7:
        							__edx = _v8;
        							 *__eax =  *__eax +  *__edx;
        							__edx =  *(__edx + 4);
        							 *__ebx =  *__ebx + __edx;
        							goto L35;
        						case 8:
        							__edx = _v8;
        							 *__eax =  *__eax +  *__edx;
        							 *__ebx =  *__ebx + __edx;
        							goto L35;
        						case 9:
        							__edx = _v8;
        							 *__eax =  *__eax +  *__edx;
        							 *__ebx =  *__ebx +  *(__edx + 4);
        							__edx =  *(__edx + 8);
        							 *__ecx =  *__ecx + __edx;
        							goto L35;
        						case 0xa:
        							__edx = _v8;
        							 *__eax =  *__eax +  *__edx;
        							 *__ebx =  *__ebx +  *(__edx + 4);
        							__edx =  *(__edx + 8);
        							 *__ecx =  *__ecx + __edx;
        							goto L35;
        						case 0xb:
        							__edx = _v8;
        							 *__eax =  *__eax +  *__edx;
        							 *__ebx =  *__ebx +  *(__edx + 4);
        							__edx =  *(__edx + 8);
        							 *__ecx =  *__ecx + __edx;
        							goto L35;
        						case 0xc:
        							__edx = _v8;
        							 *__eax =  *__eax +  *__edx;
        							 *__ebx =  *__ebx +  *(__edx + 4);
        							 *__ecx =  *__ecx + __edx;
        							goto L35;
        					}
        				} else {
        					goto L2;
        				}
        				do {
        					L2:
        					 *_t96 =  *_t96 +  *_v8;
        					 *_t106 =  *_t106 + _v8[1];
        					 *_t108 =  *_t108 + _v8[2];
        					 *_t96 =  *_t96 -  *_t108;
        					 *_t96 =  *_t96 ^ ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
        					 *_t108 =  *_t108 +  *_t106;
        					 *_t106 =  *_t106 -  *_t96;
        					 *_t106 =  *_t106 ^ ( *_t96 << 0x00000006 |  *_t96 >> 0x0000001a);
        					 *_t96 =  *_t96 +  *_t108;
        					 *_t108 =  *_t108 -  *_t106;
        					 *_t108 =  *_t108 ^ ( *_t106 << 0x00000008 |  *_t106 >> 0x00000018);
        					 *_t106 =  *_t106 +  *_t96;
        					 *_t96 =  *_t96 -  *_t108;
        					 *_t96 =  *_t96 ^ ( *_t108 << 0x00000010 |  *_t108 >> 0x00000010);
        					 *_t108 =  *_t108 +  *_t106;
        					 *_t106 =  *_t106 -  *_t96;
        					 *_t106 =  *_t106 ^ ( *_t96 << 0x00000013 |  *_t96 >> 0x0000000d);
        					 *_t96 =  *_t96 +  *_t108;
        					 *_t108 =  *_t108 -  *_t106;
        					 *_t108 =  *_t108 ^ ( *_t106 << 0x00000004 |  *_t106 >> 0x0000001c);
        					 *_t106 =  *_t106 +  *_t96;
        					_t109 = _t109 - 0xc;
        					_v8 = _v8 + 0xc;
        				} while (_t109 > 0xc);
        				goto L3;
        			}

        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 33b0767fec04d2cc36286a41c43eb0d38f805e6e14f2767db37a63931b683382
        • Instruction ID: db30b7f2ad9068286955554028b9aaa685d7675e6c5eb7ed9f8bac599936a457
        • Opcode Fuzzy Hash: 33b0767fec04d2cc36286a41c43eb0d38f805e6e14f2767db37a63931b683382
        • Instruction Fuzzy Hash: 9402E032900235DFDB96CF69C140149B7B6FF8A32472A82D2D854AB229D270BE52DFD1
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 3027258f69a45e47f11e6ef411682183d8681a3ba960b00656adada6bea5bd6d
        • Instruction ID: d9bdd0ffc78bce1da46a164adb44ca0a352dc4e9e15995579375b7a7492e944c
        • Opcode Fuzzy Hash: 3027258f69a45e47f11e6ef411682183d8681a3ba960b00656adada6bea5bd6d
        • Instruction Fuzzy Hash: FB61A7456AE7C66FCB07C33008B81D6AF61AE9325478B53EFC8C58A493D10D281EE363
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
        • Instruction ID: c1f34be03cf0569538104f0038f02cfb84df381903d0011f2ebedd3a3241928c
        • Opcode Fuzzy Hash: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
        • Instruction Fuzzy Hash: 76C0E9B550D6066E975C8F1AB480815FBE5FAC8324364C22EA01C83644D73154518A64
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00427874() {
        				struct HINSTANCE__* _v8;
        				intOrPtr _t46;
        				void* _t91;
        
        				_v8 = GetModuleHandleW(L"oleaut32.dll");
        				 *0x4c1134 = E00427848("VariantChangeTypeEx", E00427264, _t91);
        				 *0x4c1138 = E00427848("VarNeg", E004272AC, _t91);
        				 *0x4c113c = E00427848("VarNot", E004272AC, _t91);
        				 *0x4c1140 = E00427848("VarAdd", E004272B8, _t91);
        				 *0x4c1144 = E00427848("VarSub", E004272B8, _t91);
        				 *0x4c1148 = E00427848("VarMul", E004272B8, _t91);
        				 *0x4c114c = E00427848("VarDiv", E004272B8, _t91);
        				 *0x4c1150 = E00427848("VarIdiv", E004272B8, _t91);
        				 *0x4c1154 = E00427848("VarMod", E004272B8, _t91);
        				 *0x4c1158 = E00427848("VarAnd", E004272B8, _t91);
        				 *0x4c115c = E00427848("VarOr", E004272B8, _t91);
        				 *0x4c1160 = E00427848("VarXor", E004272B8, _t91);
        				 *0x4c1164 = E00427848("VarCmp", E004272C4, _t91);
        				 *0x4c1168 = E00427848("VarI4FromStr", E004272D0, _t91);
        				 *0x4c116c = E00427848("VarR4FromStr", E0042733C, _t91);
        				 *0x4c1170 = E00427848("VarR8FromStr", E004273AC, _t91);
        				 *0x4c1174 = E00427848("VarDateFromStr", E0042741C, _t91);
        				 *0x4c1178 = E00427848("VarCyFromStr", E0042748C, _t91);
        				 *0x4c117c = E00427848("VarBoolFromStr", E004274FC, _t91);
        				 *0x4c1180 = E00427848("VarBstrFromCy", E0042757C, _t91);
        				 *0x4c1184 = E00427848("VarBstrFromDate", E00427624, _t91);
        				_t46 = E00427848("VarBstrFromBool", E004277B4, _t91);
        				 *0x4c1188 = _t46;
        				return _t46;
        			}

        APIs
        • GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 0042787D
          • Part of subcall function 00427848: GetProcAddress.KERNEL32(00000000), ref: 00427861
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
        • API String ID: 1646373207-1918263038
        • Opcode ID: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
        • Instruction ID: afb448a43cf45882875cbd5333393c9475fd06a837c60371df2c799b3a2ca9d5
        • Opcode Fuzzy Hash: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
        • Instruction Fuzzy Hash: 4741442078D2689A53007BAA3C0692A7B9CD64A7243E0E07FF5048B766DF7CAC40867D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 82%
        			E0041E7CC(void* __eax, void* __ebx, signed int __edx, void* __edi, void* __esi, long long __fp0) {
        				signed int _v8;
        				char _v12;
        				signed int _v16;
        				intOrPtr _v20;
        				intOrPtr* _t32;
        				signed int _t53;
        				signed int _t56;
        				signed int _t71;
        				signed int _t78;
        				signed int* _t82;
        				signed int _t85;
        				void* _t93;
        				signed int _t94;
        				signed int _t95;
        				signed int _t98;
        				signed int _t99;
        				void* _t105;
        				intOrPtr _t106;
        				signed int _t109;
        				intOrPtr _t116;
        				intOrPtr _t117;
        				void* _t131;
        				void* _t132;
        				signed int _t134;
        				void* _t136;
        				void* _t137;
        				void* _t139;
        				void* _t140;
        				intOrPtr _t141;
        				void* _t142;
        				long long _t161;
        
        				_t161 = __fp0;
        				_t126 = __edi;
        				_t109 = __edx;
        				_t139 = _t140;
        				_t141 = _t140 + 0xfffffff0;
        				_push(__edi);
        				_v12 = 0;
        				_v8 = __edx;
        				_t93 = __eax;
        				_push(_t139);
        				_push(0x41ea61);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t141;
        				_t32 =  *0x4ba590; // 0x4bb8f8
        				_t144 =  *_t32;
        				if( *_t32 == 0) {
        					E0040554C(0x1a);
        				}
        				E00406688(E0040690C( *0x4be7e4, 0, _t126), _t109 | 0xffffffff, _t144);
        				_push(_t139);
        				_push(0x41ea44);
        				_push( *[fs:edx]);
        				 *[fs:edx] = _t141;
        				 *0x4be7dc = 0;
        				_push(0);
        				E00409C00();
        				_t142 = _t141 + 4;
        				E0041E034(_t93, 0x41ea7c, 0x100b,  &_v12);
        				_t127 = E0041A1C4(0x41ea7c, 1, _t144);
        				if(_t127 + 0xfffffffd - 3 >= 0) {
        					__eflags = _t127 - 0xffffffffffffffff;
        					if(_t127 - 0xffffffffffffffff < 0) {
        						 *0x4be7dc = 1;
        						_push(1);
        						E00409C00();
        						_t142 = _t142 + 4;
        						E00407E00( *0x4be7e0, L"B.C.");
        						 *((intOrPtr*)( *0x4be7e0 + 4)) = 0;
        						_t71 =  *0x4be7e0;
        						 *((intOrPtr*)(_t71 + 8)) = 0xffc00000;
        						 *((intOrPtr*)(_t71 + 0xc)) = 0xc1dfffff;
        						E0041C1C4(1, 1, 1, __eflags, _t161);
        						_v20 = E00405790();
        						_v16 = 1;
        						asm("fild qword [ebp-0x10]");
        						 *((long long*)( *0x4be7e0 + 0x10)) = _t161;
        						asm("wait");
        						EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4);
        						_t78 =  *0x4be7e0;
        						__eflags = _t78;
        						if(_t78 != 0) {
        							_t82 = _t78 - 4;
        							__eflags = _t82;
        							_t78 =  *_t82;
        						}
        						_t134 = _t78 - 1;
        						__eflags = _t134;
        						if(_t134 > 0) {
        							_t98 = 1;
        							do {
        								 *((intOrPtr*)( *0x4be7e0 + 4 + (_t98 + _t98 * 2) * 8)) = 0xffffffff;
        								_t98 = _t98 + 1;
        								_t134 = _t134 - 1;
        								__eflags = _t134;
        							} while (_t134 != 0);
        						}
        						EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3);
        					}
        				} else {
        					EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4);
        					_t85 =  *0x4be7e0;
        					if(_t85 != 0) {
        						_t85 =  *(_t85 - 4);
        					}
        					_t136 = _t85 - 1;
        					if(_t136 >= 0) {
        						_t137 = _t136 + 1;
        						_t99 = 0;
        						do {
        							 *((intOrPtr*)( *0x4be7e0 + 4 + (_t99 + _t99 * 2) * 8)) = 0xffffffff;
        							_t99 = _t99 + 1;
        							_t137 = _t137 - 1;
        						} while (_t137 != 0);
        					}
        					EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3);
        				}
        				_t94 =  *0x4be7e0;
        				if(_t94 != 0) {
        					_t94 =  *(_t94 - 4);
        				}
        				_push(_t94);
        				E00409C00();
        				_t53 =  *0x4be7e0;
        				if(_t53 != 0) {
        					_t53 =  *(_t53 - 4);
        				}
        				_t131 = _t53 - 1;
        				if(_t131 >= 0) {
        					_t132 = _t131 + 1;
        					_t95 = 0;
        					do {
        						_t127 = _t95 + _t95 * 2;
        						_t106 =  *0x416e18; // 0x416e1c
        						E00408F5C( *((intOrPtr*)(_v8 + 0xbc)) + (_t95 + _t95 * 2) * 8, _t106,  *0x4be7e0 + (_t95 + _t95 * 2) * 8);
        						_t95 = _t95 + 1;
        						_t132 = _t132 - 1;
        					} while (_t132 != 0);
        				}
        				_t116 =  *0x41e600; // 0x41e604
        				E00409D24(0x4be7e0, _t116);
        				_t56 =  *0x4be7e0;
        				if(_t56 != 0) {
        					_t56 =  *(_t56 - 4);
        				}
        				 *0x4be7dc = _t56;
        				_pop(_t117);
        				_pop(_t105);
        				 *[fs:eax] = _t117;
        				_push(0x41ea4b);
        				return E00406868( *0x4be7e4, _t105, _t127);
        			}

        APIs
        • GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E870
        • EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E87B
        • GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8B0
        • EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8BB
        • GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E94C
        • EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E957
        • GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E98E
        • EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E999
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: CalendarEnumInfoLocaleThread
        • String ID: B.C.$ToA$K$K$K
        • API String ID: 683597275-1724967715
        • Opcode ID: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
        • Instruction ID: 5f9a2d1895d99171d8daf0119b8bb3b5d98f795b9e196a74a36fcd0882631485
        • Opcode Fuzzy Hash: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
        • Instruction Fuzzy Hash: 3061D7786002009FD710EF2BCC85AD677A9FB84354B518A7AFC019B3A6CB78DC41CB99
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040A250() {
        				signed int _t2;
        				_Unknown_base(*)()* _t8;
        
        				InitializeCriticalSection(0x4bdc10);
        				 *0x4bdc28 = 0x7f;
        				_t2 = GetVersion() & 0x000000ff;
        				 *0x4bdc0c = _t2 - 6 >= 0;
        				if( *0x4bdc0c != 0) {
        					 *0x4bdc00 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadPreferredUILanguages");
        					 *0x4bdc04 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "SetThreadPreferredUILanguages");
        					_t8 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadUILanguage");
        					 *0x4bdc08 = _t8;
        					return _t8;
        				}
        				return _t2;
        			}

        APIs
        • InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
        • GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
        • GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
        • GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
        • GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: AddressHandleModuleProc$CriticalInitializeSectionVersion
        • String ID: GetThreadPreferredUILanguages$GetThreadUILanguage$SetThreadPreferredUILanguages$kernel32.dll
        • API String ID: 74573329-1403180336
        • Opcode ID: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
        • Instruction ID: d84369935ce7e940d286def53580bf621e493dc20acbcc0033f4522394103be5
        • Opcode Fuzzy Hash: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
        • Instruction Fuzzy Hash: F9F098A49853413DD6207F769D07B292D685A0170AF644AFFB410763D3EEFE4190E71E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 71%
        			E0041E0AC(int __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
        				char _v8;
        				char _v12;
        				char _v16;
        				char _v20;
        				char _v24;
        				char _v28;
        				char _v32;
        				char _v36;
        				char _v40;
        				char _v44;
        				char _v48;
        				char _v52;
        				char _v56;
        				char _v60;
        				int _t55;
        				void* _t121;
        				void* _t128;
        				void* _t151;
        				void* _t152;
        				intOrPtr _t172;
        				intOrPtr _t204;
        				signed short _t212;
        				int _t214;
        				intOrPtr _t216;
        				intOrPtr _t217;
        				void* _t224;
        
        				_t224 = __fp0;
        				_t211 = __edi;
        				_t216 = _t217;
        				_t152 = 7;
        				do {
        					_push(0);
        					_push(0);
        					_t152 = _t152 - 1;
        				} while (_t152 != 0);
        				_push(__edi);
        				_t151 = __edx;
        				_t214 = __eax;
        				_push(_t216);
        				_push(0x41e391);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t217;
        				_t55 = IsValidLocale(__eax, 1);
        				_t219 = _t55;
        				if(_t55 == 0) {
        					_t214 = GetThreadLocale();
        				}
        				_t172 =  *0x416f50; // 0x416f54
        				E00409D24(_t151 + 0xbc, _t172);
        				E0041E7CC(_t214, _t151, _t151, _t211, _t214, _t224);
        				E0041E4A0(_t214, _t151, _t151, _t211, _t214);
        				E0041E55C(_t214, _t151, _t151, _t211, _t214);
        				E0041E034(_t214, 0, 0x14,  &_v20);
        				E00407E00(_t151, _v20);
        				E0041E034(_t214, 0x41e3ac, 0x1b,  &_v24);
        				 *((char*)(_t151 + 4)) = E0041A1C4(0x41e3ac, 0, _t219);
        				E0041E034(_t214, 0x41e3ac, 0x1c,  &_v28);
        				 *((char*)(_t151 + 0xc6)) = E0041A1C4(0x41e3ac, 0, _t219);
        				 *((short*)(_t151 + 0xc0)) = E0041E080(_t214, 0x2c, 0xf);
        				 *((short*)(_t151 + 0xc2)) = E0041E080(_t214, 0x2e, 0xe);
        				E0041E034(_t214, 0x41e3ac, 0x19,  &_v32);
        				 *((char*)(_t151 + 5)) = E0041A1C4(0x41e3ac, 0, _t219);
        				_t212 = E0041E080(_t214, 0x2f, 0x1d);
        				 *(_t151 + 6) = _t212;
        				_push(_t212);
        				E0041EB18(_t214, _t151, L"m/d/yy", 0x1f, _t212, _t214, _t219,  &_v36);
        				E00407E00(_t151 + 0xc, _v36);
        				_push( *(_t151 + 6) & 0x0000ffff);
        				E0041EB18(_t214, _t151, L"mmmm d, yyyy", 0x20, _t212, _t214, _t219,  &_v40);
        				E00407E00(_t151 + 0x10, _v40);
        				 *((short*)(_t151 + 8)) = E0041E080(_t214, 0x3a, 0x1e);
        				E0041E034(_t214, 0x41e400, 0x28,  &_v44);
        				E00407E00(_t151 + 0x14, _v44);
        				E0041E034(_t214, 0x41e414, 0x29,  &_v48);
        				E00407E00(_t151 + 0x18, _v48);
        				E00407A20( &_v12);
        				E00407A20( &_v16);
        				E0041E034(_t214, 0x41e3ac, 0x25,  &_v52);
        				_t121 = E0041A1C4(0x41e3ac, 0, _t219);
        				_t220 = _t121;
        				if(_t121 != 0) {
        					E00407E48( &_v8, 0x41e438);
        				} else {
        					E00407E48( &_v8, 0x41e428);
        				}
        				E0041E034(_t214, 0x41e3ac, 0x23,  &_v56);
        				_t128 = E0041A1C4(0x41e3ac, 0, _t220);
        				_t221 = _t128;
        				if(_t128 == 0) {
        					E0041E034(_t214, 0x41e3ac, 0x1005,  &_v60);
        					if(E0041A1C4(0x41e3ac, 0, _t221) != 0) {
        						E00407E48( &_v12, L"AMPM ");
        					} else {
        						E00407E48( &_v16, L" AMPM");
        					}
        				}
        				_push(_v12);
        				_push(_v8);
        				_push(":mm");
        				_push(_v16);
        				E004087C4(_t151 + 0x1c, _t151, 4, _t212, _t214);
        				_push(_v12);
        				_push(_v8);
        				_push(L":mm:ss");
        				_push(_v16);
        				E004087C4(_t151 + 0x20, _t151, 4, _t212, _t214);
        				 *((short*)(_t151 + 0xa)) = E0041E080(_t214, 0x2c, 0xc);
        				 *((short*)(_t151 + 0xc4)) = 0x32;
        				_pop(_t204);
        				 *[fs:eax] = _t204;
        				_push(0x41e398);
        				return E00407A80( &_v60, 0xe);
        			}

        APIs
        • IsValidLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0D3
        • GetThreadLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0DC
          • Part of subcall function 0041E080: GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E182,?,00000001,00000000,0041E391), ref: 0041E093
          • Part of subcall function 0041E034: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E052
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: Locale$Info$ThreadValid
        • String ID: AMPM$2$:mm$:mm:ss$AMPM $ToA$m/d/yy$mmmm d, yyyy
        • API String ID: 233154393-2808312488
        • Opcode ID: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
        • Instruction ID: 756c878950b08f5201d8436663b045c7a1b9734561897f0b9d621fb0846820d7
        • Opcode Fuzzy Hash: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
        • Instruction Fuzzy Hash: 887134387011199BDB05EB67C841BDE76AADF88304F50807BF904AB246DB3DDD82879E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 71%
        			E0040A7E4(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
        				char _v8;
        				void* _t18;
        				signed short _t28;
        				intOrPtr _t35;
        				intOrPtr* _t44;
        				intOrPtr _t47;
        
        				_t42 = __edi;
        				_push(0);
        				_push(__ebx);
        				_push(__esi);
        				_t44 = __edx;
        				_t28 = __eax;
        				_push(_t47);
        				_push(0x40a8e8);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t47;
        				EnterCriticalSection(0x4bdc10);
        				if(_t28 !=  *0x4bdc28) {
        					LeaveCriticalSection(0x4bdc10);
        					E00407A20(_t44);
        					if(IsValidLocale(_t28 & 0x0000ffff, 2) != 0) {
        						if( *0x4bdc0c == 0) {
        							_t18 = E0040A4CC(_t28, _t28, _t44, __edi, _t44);
        							L00403738();
        							if(_t28 != _t18) {
        								if( *_t44 != 0) {
        									_t18 = E004086E4(_t44, E0040A900);
        								}
        								L00403738();
        								E0040A4CC(_t18, _t28,  &_v8, _t42, _t44);
        								E004086E4(_t44, _v8);
        							}
        						} else {
        							E0040A6C8(_t28, _t44);
        						}
        					}
        					EnterCriticalSection(0x4bdc10);
        					 *0x4bdc28 = _t28;
        					E0040A34C(0x4bdc2a, E004084EC( *_t44), 0xaa);
        					LeaveCriticalSection(0x4bdc10);
        				} else {
        					E0040858C(_t44, 0x55, 0x4bdc2a);
        					LeaveCriticalSection(0x4bdc10);
        				}
        				_pop(_t35);
        				 *[fs:eax] = _t35;
        				_push(E0040A8EF);
        				return E00407A20( &_v8);
        			}

        APIs
        • EnterCriticalSection.KERNEL32(004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000,00000000), ref: 0040A802
        • LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A826
        • LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A835
        • IsValidLocale.KERNEL32(00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A847
        • EnterCriticalSection.KERNEL32(004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8A4
        • LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8CD
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: CriticalSection$Leave$Enter$LocaleValid
        • String ID: en-US,en,
        • API String ID: 975949045-3579323720
        • Opcode ID: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
        • Instruction ID: af4c48ae6f9d4b9345a2e7437780db60bfff4a38cfd5d6d0e3948ff18df55379
        • Opcode Fuzzy Hash: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
        • Instruction Fuzzy Hash: 31218461B1031077DA11BB668C03B5E29A89B44705BA0887BB140B32D2EEBD8D52D66F
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 61%
        			E0042301C(void* __ebx, void* __esi, void* __eflags) {
        				char _v8;
        				void* _v12;
        				char _v16;
        				char _v20;
        				intOrPtr* _t21;
        				intOrPtr _t61;
        				void* _t68;
        
        				_push(__ebx);
        				_v20 = 0;
        				_v8 = 0;
        				_push(_t68);
        				_push(0x423116);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t68 + 0xfffffff0;
        				_t21 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"GetUserDefaultUILanguage");
        				if(_t21 == 0) {
        					if(E0041FF2C() != 2) {
        						if(E00422FF4(0, L"Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v12, 1, 0) == 0) {
        							E00422FE8();
        							RegCloseKey(_v12);
        						}
        					} else {
        						if(E00422FF4(0, L".DEFAULT\\Control Panel\\International", 0x80000003,  &_v12, 1, 0) == 0) {
        							E00422FE8();
        							RegCloseKey(_v12);
        						}
        					}
        					E0040873C( &_v20, _v8, 0x42322c);
        					E00405920(_v20,  &_v16);
        					if(_v16 != 0) {
        					}
        				} else {
        					 *_t21();
        				}
        				_pop(_t61);
        				 *[fs:eax] = _t61;
        				_push(E0042311D);
        				E00407A20( &_v20);
        				return E00407A20( &_v8);
        			}

        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423043
          • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
        • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423096
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: AddressCloseHandleModuleProc
        • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
        • API String ID: 4190037839-2401316094
        • Opcode ID: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
        • Instruction ID: 05790bdd6973bc135d390eb6e5b6569f0703c8ea8b4006eead18837270f0a894
        • Opcode Fuzzy Hash: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
        • Instruction Fuzzy Hash: 39217930B00228ABDB10EEB5DD42A9F73F4EB44345FA04477A500E3281DB7CAB41962D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 67%
        			E0040D218(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
        				long _v8;
        				signed int _v12;
        				long _v16;
        				void* _v20;
        				long _v24;
        				intOrPtr _v28;
        				intOrPtr _v32;
        				intOrPtr _v36;
        				intOrPtr _v40;
        				intOrPtr _v44;
        				struct HINSTANCE__** _v48;
        				CHAR* _v52;
        				void _v56;
        				long _v60;
        				_Unknown_base(*)()* _v64;
        				struct HINSTANCE__* _v68;
        				CHAR* _v72;
        				signed int _v76;
        				CHAR* _v80;
        				intOrPtr* _v84;
        				void* _v88;
        				void _v92;
        				signed int _t104;
        				signed int _t106;
        				signed int _t108;
        				long _t113;
        				intOrPtr* _t119;
        				void* _t124;
        				void _t126;
        				long _t128;
        				struct HINSTANCE__* _t142;
        				long _t166;
        				signed int* _t190;
        				_Unknown_base(*)()* _t191;
        				void* _t194;
        				intOrPtr _t196;
        
        				_push(_a4);
        				memcpy( &_v56, 0x4b7c40, 8 << 2);
        				_pop(_t194);
        				_v56 =  *0x4b7c40;
        				_v52 = E0040D6C8( *0x004B7C44);
        				_v48 = E0040D6D8( *0x004B7C48);
        				_v44 = E0040D6E8( *0x004B7C4C);
        				_v40 = E0040D6F8( *0x004B7C50);
        				_v36 = E0040D6F8( *0x004B7C54);
        				_v32 = E0040D6F8( *0x004B7C58);
        				_v28 =  *0x004B7C5C;
        				memcpy( &_v92, 0x4b7c60, 9 << 2);
        				_t196 = _t194;
        				_v88 = 0x4b7c60;
        				_v84 = _a8;
        				_v80 = _v52;
        				if((_v56 & 0x00000001) == 0) {
        					_t166 =  *0x4b7c84; // 0x0
        					_v8 = _t166;
        					_v8 =  &_v92;
        					RaiseException(0xc06d0057, 0, 1,  &_v8);
        					return 0;
        				}
        				_t104 = _a8 - _v44;
        				_t142 =  *_v48;
        				if(_t104 < 0) {
        					_t104 = _t104 + 3;
        				}
        				_v12 = _t104 >> 2;
        				_t106 = _v12;
        				_t190 = (_t106 << 2) + _v40;
        				_t108 = (_t106 & 0xffffff00 | (_t190[0] & 0x00000080) == 0x00000000) & 0x00000001;
        				_v76 = _t108;
        				if(_t108 == 0) {
        					_v72 =  *_t190 & 0x0000ffff;
        				} else {
        					_v72 = E0040D708( *_t190) + 2;
        				}
        				_t191 = 0;
        				if( *0x4be640 == 0) {
        					L10:
        					if(_t142 != 0) {
        						L25:
        						_v68 = _t142;
        						if( *0x4be640 != 0) {
        							_t191 =  *0x4be640(2,  &_v92);
        						}
        						if(_t191 != 0) {
        							L36:
        							if(_t191 == 0) {
        								_v60 = GetLastError();
        								if( *0x4be644 != 0) {
        									_t191 =  *0x4be644(4,  &_v92);
        								}
        								if(_t191 == 0) {
        									_t113 =  *0x4b7c8c; // 0x0
        									_v24 = _t113;
        									_v24 =  &_v92;
        									RaiseException(0xc06d007f, 0, 1,  &_v24);
        									_t191 = _v64;
        								}
        							}
        							goto L41;
        						} else {
        							if( *((intOrPtr*)(_t196 + 0x14)) == 0 ||  *((intOrPtr*)(_t196 + 0x1c)) == 0) {
        								L35:
        								_t191 = GetProcAddress(_t142, _v72);
        								goto L36;
        							} else {
        								_t119 =  *((intOrPtr*)(_t142 + 0x3c)) + _t142;
        								if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 8)) != _v28 || (( *(_t119 + 0x34) & 0xffffff00 |  *(_t119 + 0x34) == _t142) & 0x00000001) == 0) {
        									goto L35;
        								} else {
        									_t191 =  *((intOrPtr*)(_v36 + _v12 * 4));
        									if(_t191 == 0) {
        										goto L35;
        									}
        									L41:
        									 *_a8 = _t191;
        									goto L42;
        								}
        							}
        						}
        					}
        					if( *0x4be640 != 0) {
        						_t142 =  *0x4be640(1,  &_v92);
        					}
        					if(_t142 == 0) {
        						_t142 = LoadLibraryA(_v80);
        					}
        					if(_t142 != 0) {
        						L20:
        						if(_t142 == E0040CBA0(_v48, _t142)) {
        							FreeLibrary(_t142);
        						} else {
        							if( *((intOrPtr*)(_t196 + 0x18)) != 0) {
        								_t124 = LocalAlloc(0x40, 8);
        								_v20 = _t124;
        								if(_t124 != 0) {
        									 *((intOrPtr*)(_v20 + 4)) = _t196;
        									_t126 =  *0x4b7c3c; // 0x0
        									 *_v20 = _t126;
        									 *0x4b7c3c = _v20;
        								}
        							}
        						}
        						goto L25;
        					} else {
        						_v60 = GetLastError();
        						if( *0x4be644 != 0) {
        							_t142 =  *0x4be644(3,  &_v92);
        						}
        						if(_t142 != 0) {
        							goto L20;
        						} else {
        							_t128 =  *0x4b7c88; // 0x0
        							_v16 = _t128;
        							_v16 =  &_v92;
        							RaiseException(0xc06d007e, 0, 1,  &_v16);
        							return _v64;
        						}
        					}
        				} else {
        					_t191 =  *0x4be640(0,  &_v92);
        					if(_t191 == 0) {
        						goto L10;
        					} else {
        						L42:
        						if( *0x4be640 != 0) {
        							_v60 = 0;
        							_v68 = _t142;
        							_v64 = _t191;
        							 *0x4be640(5,  &_v92);
        						}
        						return _t191;
        					}
        				}
        			}

        APIs
        • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040D2D0
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: ExceptionRaise
        • String ID:
        • API String ID: 3997070919-0
        • Opcode ID: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
        • Instruction ID: 6bdc8742f8c12d3c05e6aa795b4e0fa0c425ed74332de7fca684440f38d882f1
        • Opcode Fuzzy Hash: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
        • Instruction Fuzzy Hash: 7CA16F75D002089FDB14DFE9D881BAEB7B5BB88300F14423AE505B73C1DB78A949CB59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 72%
        			E004047B0(int __eax, void* __ecx, void* __edx) {
        				long _v12;
        				int _t4;
        				long _t7;
        				void* _t11;
        				long _t12;
        				void* _t13;
        				long _t18;
        
        				_t4 = __eax;
        				_t24 = __edx;
        				_t20 = __eax;
        				if( *0x4bb058 == 0) {
        					_push(0x2010);
        					_push(__edx);
        					_push(__eax);
        					_push(0);
        					L00403780();
        				} else {
        					_t7 = E00407EF0(__edx);
        					WriteFile(GetStdHandle(0xfffffff4), _t24, _t7,  &_v12, 0);
        					_t11 =  *0x4b7078; // 0x403920
        					_t12 = E00407EF0(_t11);
        					_t13 =  *0x4b7078; // 0x403920
        					WriteFile(GetStdHandle(0xfffffff4), _t13, _t12,  &_v12, 0);
        					_t18 = E00407EF0(_t20);
        					_t4 = WriteFile(GetStdHandle(0xfffffff4), _t20, _t18,  &_v12, 0);
        				}
        				return _t4;
        			}

        APIs
        • GetStdHandle.KERNEL32(000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D2
        • WriteFile.KERNEL32(00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D8
        • GetStdHandle.KERNEL32(000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047F7
        • WriteFile.KERNEL32(00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047FD
        • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?), ref: 00404814
        • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000), ref: 0040481A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: FileHandleWrite
        • String ID: 9@
        • API String ID: 3320372497-3209974744
        • Opcode ID: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
        • Instruction ID: 9b3b4e35e49a927b8991458b20a1a8ec0ccf5b925403b1971dfbe1b0899ab5f0
        • Opcode Fuzzy Hash: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
        • Instruction Fuzzy Hash: 2001AEE25492103DE110F7A69C85F57168C8B4472AF10467F7218F35D2C9395D44927E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 91%
        			E0040426C(void* __eax, signed int __edi, void* __ebp) {
        				struct _MEMORY_BASIC_INFORMATION _v44;
        				void* _v48;
        				signed int __ebx;
        				void* _t58;
        				signed int _t61;
        				signed int _t67;
        				void _t70;
        				int _t71;
        				signed int _t78;
        				void* _t79;
        				signed int _t81;
        				intOrPtr _t82;
        				signed int _t87;
        				signed int _t88;
        				signed int _t89;
        				signed int _t92;
        				void* _t96;
        				signed int _t99;
        				void* _t103;
        				intOrPtr _t104;
        				void* _t106;
        				void* _t108;
        				signed int _t113;
        				void* _t115;
        				void* _t116;
        
        				_t56 = __eax;
        				_t89 =  *(__eax - 4);
        				_t78 =  *0x4bb059; // 0x0
        				if((_t89 & 0x00000007) != 0) {
        					__eflags = _t89 & 0x00000005;
        					if((_t89 & 0x00000005) != 0) {
        						_pop(_t78);
        						__eflags = _t89 & 0x00000003;
        						if((_t89 & 0x00000003) == 0) {
        							_push(_t78);
        							_push(__edi);
        							_t116 = _t115 + 0xffffffdc;
        							_t103 = __eax - 0x10;
        							E00403C48();
        							_t58 = _t103;
        							 *_t116 =  *_t58;
        							_v48 =  *((intOrPtr*)(_t58 + 4));
        							_t92 =  *(_t58 + 0xc);
        							if((_t92 & 0x00000008) != 0) {
        								_t79 = _t103;
        								_t113 = _t92 & 0xfffffff0;
        								_t99 = 0;
        								__eflags = 0;
        								while(1) {
        									VirtualQuery(_t79,  &_v44, 0x1c);
        									_t61 = VirtualFree(_t79, 0, 0x8000);
        									__eflags = _t61;
        									if(_t61 == 0) {
        										_t99 = _t99 | 0xffffffff;
        										goto L10;
        									}
        									_t104 = _v44.RegionSize;
        									__eflags = _t113 - _t104;
        									if(_t113 > _t104) {
        										_t113 = _t113 - _t104;
        										_t79 = _t79 + _t104;
        										continue;
        									}
        									goto L10;
        								}
        							} else {
        								if(VirtualFree(_t103, 0, 0x8000) == 0) {
        									_t99 = __edi | 0xffffffff;
        								} else {
        									_t99 = 0;
        								}
        							}
        							L10:
        							if(_t99 == 0) {
        								 *_v48 =  *_t116;
        								 *( *_t116 + 4) = _v48;
        							}
        							 *0x4bdb78 = 0;
        							return _t99;
        						} else {
        							return 0xffffffff;
        						}
        					} else {
        						goto L31;
        					}
        				} else {
        					__eflags = __bl;
        					__ebx =  *__edx;
        					if(__eflags != 0) {
        						while(1) {
        							__eax = 0x100;
        							asm("lock cmpxchg [ebx], ah");
        							if(__eflags == 0) {
        								goto L14;
        							}
        							asm("pause");
        							__eflags =  *0x4bb989;
        							if(__eflags != 0) {
        								continue;
        							} else {
        								Sleep(0);
        								__edx = __edx;
        								__ecx = __ecx;
        								__eax = 0x100;
        								asm("lock cmpxchg [ebx], ah");
        								if(__eflags != 0) {
        									Sleep(0xa);
        									__edx = __edx;
        									__ecx = __ecx;
        									continue;
        								}
        							}
        							goto L14;
        						}
        					}
        					L14:
        					_t14 = __edx + 0x14;
        					 *_t14 =  *(__edx + 0x14) - 1;
        					__eflags =  *_t14;
        					__eax =  *(__edx + 0x10);
        					if( *_t14 == 0) {
        						__eflags = __eax;
        						if(__eax == 0) {
        							L20:
        							 *(__ebx + 0x14) = __eax;
        						} else {
        							__eax =  *(__edx + 0xc);
        							__ecx =  *(__edx + 8);
        							 *(__eax + 8) = __ecx;
        							 *(__ecx + 0xc) = __eax;
        							__eax = 0;
        							__eflags =  *((intOrPtr*)(__ebx + 0x18)) - __edx;
        							if( *((intOrPtr*)(__ebx + 0x18)) == __edx) {
        								goto L20;
        							}
        						}
        						 *__ebx = __al;
        						__eax = __edx;
        						__edx =  *(__edx - 4);
        						__bl =  *0x4bb059; // 0x0
        						L31:
        						__eflags = _t78;
        						_t81 = _t89 & 0xfffffff0;
        						_push(_t101);
        						_t106 = _t56;
        						if(__eflags != 0) {
        							while(1) {
        								_t67 = 0x100;
        								asm("lock cmpxchg [0x4bbae8], ah");
        								if(__eflags == 0) {
        									goto L32;
        								}
        								asm("pause");
        								__eflags =  *0x4bb989;
        								if(__eflags != 0) {
        									continue;
        								} else {
        									Sleep(0);
        									_t67 = 0x100;
        									asm("lock cmpxchg [0x4bbae8], ah");
        									if(__eflags != 0) {
        										Sleep(0xa);
        										continue;
        									}
        								}
        								goto L32;
        							}
        						}
        						L32:
        						__eflags = (_t106 - 4)[_t81] & 0x00000001;
        						_t87 = (_t106 - 4)[_t81];
        						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
        							_t67 = _t81 + _t106;
        							_t88 = _t87 & 0xfffffff0;
        							_t81 = _t81 + _t88;
        							__eflags = _t88 - 0xb30;
        							if(_t88 >= 0xb30) {
        								_t67 = E00403AC0(_t67);
        							}
        						} else {
        							_t88 = _t87 | 0x00000008;
        							__eflags = _t88;
        							(_t106 - 4)[_t81] = _t88;
        						}
        						__eflags =  *(_t106 - 4) & 0x00000008;
        						if(( *(_t106 - 4) & 0x00000008) != 0) {
        							_t88 =  *(_t106 - 8);
        							_t106 = _t106 - _t88;
        							_t81 = _t81 + _t88;
        							__eflags = _t88 - 0xb30;
        							if(_t88 >= 0xb30) {
        								_t67 = E00403AC0(_t106);
        							}
        						}
        						__eflags = _t81 - 0x13ffe0;
        						if(_t81 == 0x13ffe0) {
        							__eflags =  *0x4bbaf0 - 0x13ffe0;
        							if( *0x4bbaf0 != 0x13ffe0) {
        								_t82 = _t106 + 0x13ffe0;
        								E00403B60(_t67);
        								 *((intOrPtr*)(_t82 - 4)) = 2;
        								 *0x4bbaf0 = 0x13ffe0;
        								 *0x4bbaec = _t82;
        								 *0x4bbae8 = 0;
        								__eflags = 0;
        								return 0;
        							} else {
        								_t108 = _t106 - 0x10;
        								_t70 =  *_t108;
        								_t96 =  *(_t108 + 4);
        								 *(_t70 + 4) = _t96;
        								 *_t96 = _t70;
        								 *0x4bbae8 = 0;
        								_t71 = VirtualFree(_t108, 0, 0x8000);
        								__eflags = _t71 - 1;
        								asm("sbb eax, eax");
        								return _t71;
        							}
        						} else {
        							 *(_t106 - 4) = _t81 + 3;
        							 *(_t106 - 8 + _t81) = _t81;
        							E00403B00(_t106, _t88, _t81);
        							 *0x4bbae8 = 0;
        							__eflags = 0;
        							return 0;
        						}
        					} else {
        						__eflags = __eax;
        						 *(__edx + 0x10) = __ecx;
        						 *(__ecx - 4) = __eax;
        						if(__eflags == 0) {
        							__ecx =  *(__ebx + 8);
        							 *(__edx + 0xc) = __ebx;
        							 *(__edx + 8) = __ecx;
        							 *(__ecx + 0xc) = __edx;
        							 *(__ebx + 8) = __edx;
        							 *__ebx = 0;
        							__eax = 0;
        							__eflags = 0;
        							_pop(__ebx);
        							return 0;
        						} else {
        							__eax = 0;
        							__eflags = 0;
        							 *__ebx = __al;
        							_pop(__ebx);
        							return 0;
        						}
        					}
        				}
        			}

        APIs
        • Sleep.KERNEL32(00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA,00000000), ref: 00404302
        • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA), ref: 0040431C
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: Sleep
        • String ID:
        • API String ID: 3472027048-0
        • Opcode ID: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
        • Instruction ID: daf3465a9571387f72e828d046180f4ce70f3b260d456b91f151aa63c4646fa2
        • Opcode Fuzzy Hash: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
        • Instruction Fuzzy Hash: AA71E2B17042008BD715DF29CC84B16BBD8AF85715F2482BFE984AB3D2D7B899418789
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 62%
        			E0041F0F4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
        				char* _v8;
        				long _v12;
        				short _v140;
        				short _v2188;
        				void* _t15;
        				char* _t17;
        				intOrPtr _t19;
        				intOrPtr _t30;
        				long _t48;
        				intOrPtr _t56;
        				intOrPtr _t57;
        				int _t61;
        				void* _t64;
        
        				_push(__ebx);
        				_push(__esi);
        				_v8 = 0;
        				_push(_t64);
        				_push(0x41f219);
        				_push( *[fs:ecx]);
        				 *[fs:ecx] = _t64 + 0xfffff778;
        				_t61 = E0041EEFC(_t15, __ebx,  &_v2188, __edx, __edi, __esi, 0x400);
        				_t17 =  *0x4ba6c0; // 0x4bb058
        				if( *_t17 == 0) {
        					_t19 =  *0x4ba4f8; // 0x40e710
        					_t11 = _t19 + 4; // 0xffed
        					LoadStringW(E00409FF0( *0x4be634),  *_t11,  &_v140, 0x40);
        					MessageBoxW(0,  &_v2188,  &_v140, 0x2010);
        				} else {
        					_t30 =  *0x4ba524; // 0x4bb340
        					E00405564(E00405820(_t30));
        					_t48 = WideCharToMultiByte(1, 0,  &_v2188, _t61, 0, 0, 0, 0);
        					_push(_t48);
        					E00409C00();
        					WideCharToMultiByte(1, 0,  &_v2188, _t61, _v8, _t48, 0, 0);
        					WriteFile(GetStdHandle(0xfffffff4), _v8, _t48,  &_v12, 0);
        					WriteFile(GetStdHandle(0xfffffff4), 0x41f234, 2,  &_v12, 0);
        				}
        				_pop(_t56);
        				 *[fs:eax] = _t56;
        				_push(0x41f220);
        				_t57 =  *0x41f0c4; // 0x41f0c8
        				return E00409D24( &_v8, _t57);
        			}

        APIs
          • Part of subcall function 0041EEFC: VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
          • Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
          • Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
          • Part of subcall function 0041EEFC: LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009
        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,0041F219), ref: 0041F155
        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F188
        • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F19A
        • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F1A0
        • GetStdHandle.KERNEL32(000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0041F1B4
        • WriteFile.KERNEL32(00000000,000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 0041F1BA
        • LoadStringW.USER32(00000000,0000FFED,?,00000040), ref: 0041F1DE
        • MessageBoxW.USER32(00000000,?,?,00002010), ref: 0041F1F8
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
        • String ID:
        • API String ID: 135118572-0
        • Opcode ID: deb6da76ab9c4b496f2ff2870dbb370d0f709f8902d14da44dea0f11333fc18e
        • Instruction ID: 441773961034998e17761d3334fa1b60ae8bad0ad03d42d5622a75f3c8f76c28
        • Opcode Fuzzy Hash: deb6da76ab9c4b496f2ff2870dbb370d0f709f8902d14da44dea0f11333fc18e
        • Instruction Fuzzy Hash: 7D31CF75640204BFE714E796CC42FDA77ACEB08704F9044BABA04F71D2DA786E548B6D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 88%
        			E00404464(signed int __eax, intOrPtr __edx, void* __edi) {
        				signed int __ebx;
        				void* __esi;
        				signed int _t69;
        				signed int _t78;
        				signed int _t93;
        				long _t94;
        				void* _t100;
        				signed int _t102;
        				signed int _t109;
        				signed int _t115;
        				signed int _t123;
        				signed int _t129;
        				void* _t131;
        				signed int _t140;
        				unsigned int _t148;
        				signed int _t150;
        				long _t152;
        				signed int _t156;
        				intOrPtr _t161;
        				signed int _t166;
        				signed int _t170;
        				unsigned int _t171;
        				intOrPtr _t174;
        				intOrPtr _t192;
        				signed int _t195;
        				signed int _t196;
        				signed int _t197;
        				void* _t205;
        				unsigned int _t207;
        				intOrPtr _t213;
        				void* _t225;
        				intOrPtr _t227;
        				void* _t228;
        				signed int _t230;
        				void* _t232;
        				signed int _t233;
        				signed int _t234;
        				signed int _t238;
        				signed int _t241;
        				void* _t243;
        				intOrPtr* _t244;
        
        				_t176 = __edx;
        				_t66 = __eax;
        				_t166 =  *(__eax - 4);
        				_t217 = __eax;
        				if((_t166 & 0x00000007) != 0) {
        					__eflags = _t166 & 0x00000005;
        					if((_t166 & 0x00000005) != 0) {
        						_pop(_t217);
        						_pop(_t145);
        						__eflags = _t166 & 0x00000003;
        						if((_t166 & 0x00000003) == 0) {
        							_push(_t145);
        							_push(__eax);
        							_push(__edi);
        							_push(_t225);
        							_t244 = _t243 + 0xffffffe0;
        							_t218 = __edx;
        							_t202 = __eax;
        							_t69 =  *(__eax - 4);
        							_t148 = (0xfffffff0 & _t69) - 0x14;
        							if(0xfffffff0 >= __edx) {
        								__eflags = __edx - _t148 >> 1;
        								if(__edx < _t148 >> 1) {
        									_t150 = E00403EE8(__edx);
        									__eflags = _t150;
        									if(_t150 != 0) {
        										__eflags = _t218 - 0x40a2c;
        										if(_t218 > 0x40a2c) {
        											_t78 = _t202 - 0x10;
        											__eflags = _t78;
        											 *((intOrPtr*)(_t78 + 8)) = _t218;
        										}
        										E00403AA4(_t202, _t218, _t150);
        										E0040426C(_t202, _t202, _t225);
        									}
        								} else {
        									_t150 = __eax;
        									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
        								}
        							} else {
        								if(0xfffffff0 <= __edx) {
        									_t227 = __edx;
        								} else {
        									_t227 = 0xbadb9d;
        								}
        								 *_t244 = _t202 - 0x10 + (_t69 & 0xfffffff0);
        								VirtualQuery( *(_t244 + 8), _t244 + 8, 0x1c);
        								if( *((intOrPtr*)(_t244 + 0x14)) != 0x10000) {
        									L12:
        									_t150 = E00403EE8(_t227);
        									__eflags = _t150;
        									if(_t150 != 0) {
        										__eflags = _t227 - 0x40a2c;
        										if(_t227 > 0x40a2c) {
        											_t93 = _t150 - 0x10;
        											__eflags = _t93;
        											 *((intOrPtr*)(_t93 + 8)) = _t218;
        										}
        										E00403A74(_t202,  *((intOrPtr*)(_t202 - 0x10 + 8)), _t150);
        										E0040426C(_t202, _t202, _t227);
        									}
        								} else {
        									 *(_t244 + 0x10) =  *(_t244 + 0x10) & 0xffff0000;
        									_t94 =  *(_t244 + 0x10);
        									if(_t218 - _t148 >= _t94) {
        										goto L12;
        									} else {
        										_t152 = _t227 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
        										if(_t94 < _t152) {
        											_t152 = _t94;
        										}
        										if(VirtualAlloc( *(_t244 + 0xc), _t152, 0x2000, 4) == 0 || VirtualAlloc( *(_t244 + 0xc), _t152, 0x1000, 4) == 0) {
        											goto L12;
        										} else {
        											_t100 = _t202 - 0x10;
        											 *((intOrPtr*)(_t100 + 8)) = _t218;
        											 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
        											_t150 = _t202;
        										}
        									}
        								}
        							}
        							return _t150;
        						} else {
        							__eflags = 0;
        							return 0;
        						}
        					} else {
        						_t170 = _t166 & 0xfffffff0;
        						_push(__edi);
        						_t205 = _t170 + __eax;
        						_t171 = _t170 - 4;
        						_t156 = _t166 & 0x0000000f;
        						__eflags = __edx - _t171;
        						_push(_t225);
        						if(__edx > _t171) {
        							_t102 =  *(_t205 - 4);
        							__eflags = _t102 & 0x00000001;
        							if((_t102 & 0x00000001) == 0) {
        								L75:
        								asm("adc edi, 0xffffffff");
        								_t228 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
        								_t207 = _t171;
        								_t109 = E00403EE8(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
        								_t192 = _t176;
        								__eflags = _t109;
        								if(_t109 == 0) {
        									goto L73;
        								} else {
        									__eflags = _t228 - 0x40a2c;
        									if(_t228 > 0x40a2c) {
        										 *((intOrPtr*)(_t109 - 8)) = _t192;
        									}
        									_t230 = _t109;
        									E00403A74(_t217, _t207, _t109);
        									E0040426C(_t217, _t207, _t230);
        									return _t230;
        								}
        							} else {
        								_t115 = _t102 & 0xfffffff0;
        								_t232 = _t171 + _t115;
        								__eflags = __edx - _t232;
        								if(__edx > _t232) {
        									goto L75;
        								} else {
        									__eflags =  *0x4bb059;
        									if(__eflags == 0) {
        										L66:
        										__eflags = _t115 - 0xb30;
        										if(_t115 >= 0xb30) {
        											E00403AC0(_t205);
        											_t176 = _t176;
        											_t171 = _t171;
        										}
        										asm("adc edi, 0xffffffff");
        										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
        										_t195 = _t232 + 4 - _t123;
        										__eflags = _t195;
        										if(_t195 > 0) {
        											 *(_t217 + _t232 - 4) = _t195;
        											 *((intOrPtr*)(_t217 - 4 + _t123)) = _t195 + 3;
        											_t233 = _t123;
        											__eflags = _t195 - 0xb30;
        											if(_t195 >= 0xb30) {
        												__eflags = _t123 + _t217;
        												E00403B00(_t123 + _t217, _t171, _t195);
        											}
        										} else {
        											 *(_t217 + _t232) =  *(_t217 + _t232) & 0xfffffff7;
        											_t233 = _t232 + 4;
        										}
        										_t234 = _t233 | _t156;
        										__eflags = _t234;
        										 *(_t217 - 4) = _t234;
        										 *0x4bbae8 = 0;
        										_t109 = _t217;
        										L73:
        										return _t109;
        									} else {
        										while(1) {
        											asm("lock cmpxchg [0x4bbae8], ah");
        											if(__eflags == 0) {
        												break;
        											}
        											asm("pause");
        											__eflags =  *0x4bb989;
        											if(__eflags != 0) {
        												continue;
        											} else {
        												Sleep(0);
        												_t176 = _t176;
        												_t171 = _t171;
        												asm("lock cmpxchg [0x4bbae8], ah");
        												if(__eflags != 0) {
        													Sleep(0xa);
        													_t176 = _t176;
        													_t171 = _t171;
        													continue;
        												}
        											}
        											break;
        										}
        										_t156 = 0x0000000f &  *(_t217 - 4);
        										_t129 =  *(_t205 - 4);
        										__eflags = _t129 & 0x00000001;
        										if((_t129 & 0x00000001) == 0) {
        											L74:
        											 *0x4bbae8 = 0;
        											goto L75;
        										} else {
        											_t115 = _t129 & 0xfffffff0;
        											_t232 = _t171 + _t115;
        											__eflags = _t176 - _t232;
        											if(_t176 > _t232) {
        												goto L74;
        											} else {
        												goto L66;
        											}
        										}
        									}
        								}
        							}
        						} else {
        							__eflags = __edx + __edx - _t171;
        							if(__edx + __edx < _t171) {
        								__eflags = __edx - 0xb2c;
        								if(__edx >= 0xb2c) {
        									L41:
        									_t32 = _t176 + 0xd3; // 0xbff
        									_t238 = (_t32 & 0xffffff00) + 0x30;
        									_t174 = _t171 + 4 - _t238;
        									__eflags =  *0x4bb059;
        									if(__eflags != 0) {
        										while(1) {
        											asm("lock cmpxchg [0x4bbae8], ah");
        											if(__eflags == 0) {
        												break;
        											}
        											asm("pause");
        											__eflags =  *0x4bb989;
        											if(__eflags != 0) {
        												continue;
        											} else {
        												Sleep(0);
        												_t174 = _t174;
        												asm("lock cmpxchg [0x4bbae8], ah");
        												if(__eflags != 0) {
        													Sleep(0xa);
        													_t174 = _t174;
        													continue;
        												}
        											}
        											break;
        										}
        										_t156 = 0x0000000f &  *(_t217 - 4);
        										__eflags = 0xf;
        									}
        									 *(_t217 - 4) = _t156 | _t238;
        									_t161 = _t174;
        									_t196 =  *(_t205 - 4);
        									__eflags = _t196 & 0x00000001;
        									if((_t196 & 0x00000001) != 0) {
        										_t131 = _t205;
        										_t197 = _t196 & 0xfffffff0;
        										_t161 = _t161 + _t197;
        										_t205 = _t205 + _t197;
        										__eflags = _t197 - 0xb30;
        										if(_t197 >= 0xb30) {
        											E00403AC0(_t131);
        										}
        									} else {
        										 *(_t205 - 4) = _t196 | 0x00000008;
        									}
        									 *((intOrPtr*)(_t205 - 8)) = _t161;
        									 *((intOrPtr*)(_t217 + _t238 - 4)) = _t161 + 3;
        									__eflags = _t161 - 0xb30;
        									if(_t161 >= 0xb30) {
        										E00403B00(_t217 + _t238, _t174, _t161);
        									}
        									 *0x4bbae8 = 0;
        									return _t217;
        								} else {
        									__eflags = __edx - 0x2cc;
        									if(__edx < 0x2cc) {
        										_t213 = __edx;
        										_t140 = E00403EE8(__edx);
        										__eflags = _t140;
        										if(_t140 != 0) {
        											_t241 = _t140;
        											E00403AA4(_t217, _t213, _t140);
        											E0040426C(_t217, _t213, _t241);
        											_t140 = _t241;
        										}
        										return _t140;
        									} else {
        										_t176 = 0xb2c;
        										__eflags = _t171 - 0xb2c;
        										if(_t171 <= 0xb2c) {
        											goto L37;
        										} else {
        											goto L41;
        										}
        									}
        								}
        							} else {
        								L37:
        								return _t66;
        							}
        						}
        					}
        				} else {
        					__ebx =  *__ecx;
        					__ecx =  *(__ebx + 2) & 0x0000ffff;
        					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
        					__eflags = __ecx - __edx;
        					if(__ecx < __edx) {
        						__ecx = __ecx + __ecx + 0x20;
        						_push(__edi);
        						__edi = __edx;
        						__eax = 0;
        						__ecx = __ecx - __edx;
        						asm("adc eax, 0xffffffff");
        						__eax = 0 & __ecx;
        						__eax = (0 & __ecx) + __edx;
        						__eax = E00403EE8((0 & __ecx) + __edx);
        						__eflags = __eax;
        						if(__eax != 0) {
        							__eflags = __edi - 0x40a2c;
        							if(__edi > 0x40a2c) {
        								 *(__eax - 8) = __edi;
        							}
        							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
        							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
        							__edx = __eax;
        							__edi = __eax;
        							 *((intOrPtr*)(__ebx + 0x1c))() = E0040426C(__esi, __edi, __ebp);
        							__eax = __edi;
        						}
        						_pop(__edi);
        						_pop(__esi);
        						_pop(__ebx);
        						return __eax;
        					} else {
        						__ebx = 0x40 + __edx * 4;
        						__eflags = 0x40 + __edx * 4 - __ecx;
        						if(0x40 + __edx * 4 < __ecx) {
        							__ebx = __edx;
        							__eax = __edx;
        							__eax = E00403EE8(__edx);
        							__eflags = __eax;
        							if(__eax != 0) {
        								__ecx = __ebx;
        								__edx = __eax;
        								__ebx = __eax;
        								__esi = E0040426C(__esi, __edi, __ebp);
        								__eax = __ebx;
        							}
        							_pop(__esi);
        							_pop(__ebx);
        							return __eax;
        						} else {
        							_pop(__esi);
        							_pop(__ebx);
        							return __eax;
        						}
        					}
        				}
        			}

        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
        • Instruction ID: a6f3f7862a5743fd60f07ae337b35688b7a953487e66f12862dc3ba09d14b1d9
        • Opcode Fuzzy Hash: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
        • Instruction Fuzzy Hash: 8CC115A27106000BD714AE7DDD8476AB68A9BC5716F28827FF244EB3D6DB7CCD418388
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 68%
        			E0041F7A0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
        				char _v8;
        				struct _MEMORY_BASIC_INFORMATION _v36;
        				short _v558;
        				char _v564;
        				intOrPtr _v568;
        				char _v572;
        				char _v576;
        				char _v580;
        				intOrPtr _v584;
        				char _v588;
        				void* _v592;
        				char _v596;
        				char _v600;
        				char _v604;
        				char _v608;
        				intOrPtr _v612;
        				char _v616;
        				char _v620;
        				char _v624;
        				void* _v628;
        				char _v632;
        				void* _t64;
        				intOrPtr _t65;
        				long _t76;
        				intOrPtr _t82;
        				intOrPtr _t103;
        				intOrPtr _t107;
        				intOrPtr _t110;
        				intOrPtr _t112;
        				intOrPtr _t115;
        				intOrPtr _t127;
        				void* _t136;
        				intOrPtr _t138;
        				void* _t141;
        				void* _t143;
        
        				_t136 = __edi;
        				_t140 = _t141;
        				_v632 = 0;
        				_v596 = 0;
        				_v604 = 0;
        				_v600 = 0;
        				_v8 = 0;
        				_push(_t141);
        				_push(0x41f9a6);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t141 + 0xfffffd8c;
        				_t64 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x14)) - 1;
        				_t143 = _t64;
        				if(_t143 < 0) {
        					_t65 =  *0x4ba798; // 0x40e730
        					E0040C9F0(_t65,  &_v8, _t140);
        				} else {
        					if(_t143 == 0) {
        						_t107 =  *0x4ba670; // 0x40e738
        						E0040C9F0(_t107,  &_v8, _t140);
        					} else {
        						if(_t64 == 7) {
        							_t110 =  *0x4ba4d0; // 0x40e740
        							E0040C9F0(_t110,  &_v8, _t140);
        						} else {
        							_t112 =  *0x4ba5c8; // 0x40e748
        							E0040C9F0(_t112,  &_v8, _t140);
        						}
        					}
        				}
        				_t115 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x18));
        				VirtualQuery( *( *((intOrPtr*)(_a4 - 4)) + 0xc),  &_v36, 0x1c);
        				_t138 = _v36.State;
        				if(_t138 == 0x1000 || _t138 == 0x10000) {
        					_t76 = GetModuleFileNameW(_v36.AllocationBase,  &_v558, 0x105);
        					_t147 = _t76;
        					if(_t76 == 0) {
        						goto L12;
        					} else {
        						_v592 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
        						_v588 = 5;
        						E0040858C( &_v600, 0x105,  &_v558);
        						E0041A418(_v600, _t115,  &_v596, _t136, _t138, _t147);
        						_v584 = _v596;
        						_v580 = 0x11;
        						_v576 = _v8;
        						_v572 = 0x11;
        						_v568 = _t115;
        						_v564 = 5;
        						_push( &_v592);
        						_t103 =  *0x4ba6e0; // 0x40e810
        						E0040C9F0(_t103,  &_v604, _t140, 3);
        						E0041F2A0(_t115, _v604, 1, _t136, _t138);
        					}
        				} else {
        					L12:
        					_v628 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
        					_v624 = 5;
        					_v620 = _v8;
        					_v616 = 0x11;
        					_v612 = _t115;
        					_v608 = 5;
        					_push( &_v628);
        					_t82 =  *0x4ba67c; // 0x40e6d8
        					E0040C9F0(_t82,  &_v632, _t140, 2);
        					E0041F2A0(_t115, _v632, 1, _t136, _t138);
        				}
        				_pop(_t127);
        				 *[fs:eax] = _t127;
        				_push(0x41f9ad);
        				E00407A20( &_v632);
        				E00407A80( &_v604, 3);
        				return E00407A20( &_v8);
        			}

        APIs
        • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F9A6), ref: 0041F840
        • GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0041F9A6), ref: 0041F86C
          • Part of subcall function 0040C9F0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 0040CA35
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: FileLoadModuleNameQueryStringVirtual
        • String ID: 0@$8@$@@$H@
        • API String ID: 902310565-4161625419
        • Opcode ID: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
        • Instruction ID: bbc3c026f35d1d6bea3ad9012fddeafd4c483e803022796d8e8ef386e34d3195
        • Opcode Fuzzy Hash: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
        • Instruction Fuzzy Hash: 69511874A04258DFCB10EF69CC89BCDB7F4AB48304F0042E6A808A7351D778AE85CF59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 88%
        			E00406688(signed char* __eax, void* __edx, void* __eflags) {
        				void* _t49;
        				signed char _t56;
        				intOrPtr _t57;
        				signed char _t59;
        				void* _t70;
        				signed char* _t71;
        				intOrPtr _t72;
        				signed char* _t73;
        
        				_t70 = __edx;
        				_t71 = __eax;
        				_t72 =  *((intOrPtr*)(__eax + 0x10));
        				while(1) {
        					L1:
        					 *_t73 = E00406B30(_t71);
        					if( *_t73 != 0 || _t70 == 0) {
        						break;
        					}
        					_t73[1] = 0;
        					if(_t72 <= 0) {
        						while(1) {
        							L17:
        							_t56 =  *_t71;
        							if(_t56 == 0) {
        								goto L1;
        							}
        							asm("lock cmpxchg [esi], edx");
        							if(_t56 != _t56) {
        								continue;
        							} else {
        								goto L19;
        							}
        							do {
        								L19:
        								_t73[4] = GetTickCount();
        								E0040688C(_t71);
        								_t57 =  *0x4bb8f8; // 0x4b9284
        								 *((intOrPtr*)(_t57 + 0x10))();
        								 *_t73 = 0 == 0;
        								if(_t70 != 0xffffffff) {
        									_t73[8] = GetTickCount();
        									if(_t70 <= _t73[8] - _t73[4]) {
        										_t70 = 0;
        									} else {
        										_t70 = _t70 - _t73[8] - _t73[4];
        									}
        								}
        								if( *_t73 == 0) {
        									do {
        										asm("lock cmpxchg [esi], edx");
        									} while ( *_t71 !=  *_t71);
        									_t73[1] = 1;
        								} else {
        									while(1) {
        										_t59 =  *_t71;
        										if((_t59 & 0x00000001) != 0) {
        											goto L29;
        										}
        										asm("lock cmpxchg [esi], edx");
        										if(_t59 != _t59) {
        											continue;
        										}
        										_t73[1] = 1;
        										goto L29;
        									}
        								}
        								L29:
        							} while (_t73[1] == 0);
        							if( *_t73 != 0) {
        								_t71[8] = GetCurrentThreadId();
        								_t71[4] = 1;
        							}
        							goto L32;
        						}
        						continue;
        					}
        					_t73[4] = GetTickCount();
        					_t73[0xc] = 0;
        					if(_t72 <= 0) {
        						L13:
        						if(_t70 == 0xffffffff) {
        							goto L17;
        						}
        						_t73[8] = GetTickCount();
        						_t49 = _t73[8] - _t73[4];
        						if(_t70 > _t49) {
        							_t70 = _t70 - _t49;
        							goto L17;
        						}
        						 *_t73 = 0;
        						break;
        					}
        					L5:
        					L5:
        					if(_t70 == 0xffffffff || _t70 > GetTickCount() - _t73[4]) {
        						goto L8;
        					} else {
        						 *_t73 = 0;
        					}
        					break;
        					L8:
        					if( *_t71 > 1) {
        						goto L13;
        					}
        					if( *_t71 != 0) {
        						L12:
        						E00406368( &(_t73[0xc]));
        						_t72 = _t72 - 1;
        						if(_t72 > 0) {
        							goto L5;
        						}
        						goto L13;
        					}
        					asm("lock cmpxchg [esi], edx");
        					if(0 != 0) {
        						goto L12;
        					}
        					_t71[8] = GetCurrentThreadId();
        					_t71[4] = 1;
        					 *_t73 = 1;
        					break;
        				}
        				L32:
        				return  *_t73 & 0x000000ff;
        			}

        APIs
          • Part of subcall function 00406B30: GetCurrentThreadId.KERNEL32 ref: 00406B33
        • GetTickCount.KERNEL32 ref: 004066BF
        • GetTickCount.KERNEL32 ref: 004066D7
        • GetCurrentThreadId.KERNEL32 ref: 00406706
        • GetTickCount.KERNEL32 ref: 00406731
        • GetTickCount.KERNEL32 ref: 00406768
        • GetTickCount.KERNEL32 ref: 00406792
        • GetCurrentThreadId.KERNEL32 ref: 00406802
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: CountTick$CurrentThread
        • String ID:
        • API String ID: 3968769311-0
        • Opcode ID: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
        • Instruction ID: 4198438d609b3d92ee1caba3903e9c970ac06421e97b93dd9799f90313ce3de1
        • Opcode Fuzzy Hash: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
        • Instruction Fuzzy Hash: 664182712083419ED721AE3CC58431BBAD5AF80358F16C93ED4DA973C1EB7988958756
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 85%
        			E004B63A1(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
        				intOrPtr _t17;
        				struct HWND__* _t22;
        				struct HWND__* _t25;
        				intOrPtr _t26;
        				intOrPtr _t28;
        				intOrPtr _t36;
        				intOrPtr _t39;
        				int _t40;
        				intOrPtr _t41;
        				intOrPtr _t43;
        				struct HWND__* _t46;
        				intOrPtr _t47;
        				intOrPtr _t50;
        				intOrPtr _t60;
        				intOrPtr _t62;
        				intOrPtr _t68;
        				intOrPtr _t69;
        				intOrPtr _t70;
        				void* _t73;
        				void* _t74;
        
        				_t74 = __eflags;
        				_t72 = __esi;
        				_t71 = __edi;
        				_t52 = __ebx;
        				_pop(_t62);
        				 *[fs:eax] = _t62;
        				_t17 =  *0x4c1d88; // 0x22538d0
        				 *0x4c1d88 = 0;
        				E00405CE8(_t17);
        				 *0x4ba450 = E0040E450(0, L"STATIC", 0,  *0x4be634, 0, 0, 0, 0, 0, 0, 0);
        				_t22 =  *0x4ba450; // 0x0
        				 *0x4c1d80 = SetWindowLongW(_t22, 0xfffffffc, E004AF69C);
        				_t25 =  *0x4ba450; // 0x0
        				 *(_t73 - 0x58) = _t25;
        				 *((char*)(_t73 - 0x54)) = 0;
        				_t26 =  *0x4c1d90; // 0x4ca924
        				_t4 = _t26 + 0x20; // 0x50750f
        				 *((intOrPtr*)(_t73 - 0x50)) =  *_t4;
        				 *((char*)(_t73 - 0x4c)) = 0;
        				_t28 =  *0x4c1d90; // 0x4ca924
        				_t7 = _t28 + 0x24; // 0xbea00
        				 *((intOrPtr*)(_t73 - 0x48)) =  *_t7;
        				 *((char*)(_t73 - 0x44)) = 0;
        				E0041A87C(L"/SL5=\"$%x,%d,%d,", 2, _t73 - 0x58, _t73 - 0x40);
        				_push( *((intOrPtr*)(_t73 - 0x40)));
        				_push( *0x4c1d84);
        				_push(0x4b6680);
        				E00422BC4(_t73 - 0x5c, __ebx, __esi, _t74);
        				_push( *((intOrPtr*)(_t73 - 0x5c)));
        				E004087C4(_t73 - 0x3c, __ebx, 4, __edi, __esi);
        				_t36 =  *0x4c1d9c; // 0x0
        				E004AF728(_t36, _t52, 0x4ba44c,  *((intOrPtr*)(_t73 - 0x3c)), _t71, _t72, __fp0);
        				if( *0x4ba448 != 0xffffffff) {
        					_t50 =  *0x4ba448; // 0xffffffff
        					E004AF60C(_t50);
        				}
        				_pop(_t68);
        				 *[fs:eax] = _t68;
        				_push(E004B6554);
        				_t39 =  *0x4c1d88; // 0x22538d0
        				_t40 = E00405CE8(_t39);
        				if( *0x4c1d9c != 0) {
        					_t70 =  *0x4c1d9c; // 0x0
        					_t40 = E004AF1B4(0, _t70, 0xfa, 0x32);
        				}
        				if( *0x4c1d94 != 0) {
        					_t47 =  *0x4c1d94; // 0x0
        					_t40 = RemoveDirectoryW(E004084EC(_t47));
        				}
        				if( *0x4ba450 != 0) {
        					_t46 =  *0x4ba450; // 0x0
        					_t40 = DestroyWindow(_t46);
        				}
        				if( *0x4c1d78 != 0) {
        					_t41 =  *0x4c1d78; // 0x0
        					_t60 =  *0x4c1d7c; // 0x0
        					_t69 =  *0x426bb0; // 0x426bb4
        					E00408D08(_t41, _t60, _t69);
        					_t43 =  *0x4c1d78; // 0x0
        					E0040540C(_t43);
        					 *0x4c1d78 = 0;
        					return 0;
        				}
        				return _t40;
        			}

        APIs
          • Part of subcall function 0040E450: CreateWindowExW.USER32 ref: 0040E48F
        • SetWindowLongW.USER32(00000000,000000FC,004AF69C), ref: 004B641E
          • Part of subcall function 00422BC4: GetCommandLineW.KERNEL32(00000000,00422C06,?,?,00000000,?,004B647E,004B6680,?), ref: 00422BDA
          • Part of subcall function 004AF728: CreateProcessW.KERNEL32 ref: 004AF798
          • Part of subcall function 004AF728: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
          • Part of subcall function 004AF728: MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
          • Part of subcall function 004AF728: GetExitCodeProcess.KERNEL32 ref: 004AF7DB
          • Part of subcall function 004AF728: CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4
        • RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
        • DestroyWindow.USER32(00000000,004B6554), ref: 004B6514
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
        • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
        • API String ID: 3586484885-3001827809
        • Opcode ID: 3c021837c984efc67f9ad3a794955b0d04b23bc85077f6812c73bb0a86195aee
        • Instruction ID: 04c90e22d0408fd8de4b79ff2beaee59f7a3a861a1d73b16261182ae62401715
        • Opcode Fuzzy Hash: 3c021837c984efc67f9ad3a794955b0d04b23bc85077f6812c73bb0a86195aee
        • Instruction Fuzzy Hash: EC416B74A002009FE754EBA9EC85B9A37B4EB85308F11453BE0059B2B6CB7CA851CB5D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 80%
        			E004971AC(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, intOrPtr _a4) {
        				char _v5;
        				char _v12;
        				char _v16;
        				char _v20;
        				void* _t23;
        				char _t29;
        				void* _t50;
        				intOrPtr _t55;
        				char _t57;
        				intOrPtr _t59;
        				void* _t64;
        				void* _t66;
        				void* _t68;
        				void* _t69;
        				intOrPtr _t70;
        
        				_t64 = __edi;
        				_t57 = __edx;
        				_t50 = __ecx;
        				_t68 = _t69;
        				_t70 = _t69 + 0xfffffff0;
        				_v20 = 0;
        				if(__edx != 0) {
        					_t70 = _t70 + 0xfffffff0;
        					_t23 = E004062B0(_t23, _t68);
        				}
        				_t49 = _t50;
        				_v5 = _t57;
        				_t66 = _t23;
        				_push(_t68);
        				_push(0x4972a5);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t70;
        				E00405CB8(0);
        				_t3 = _t66 + 0x2c; // 0x266461
        				 *(_t66 + 0xf) =  *_t3 & 0x000000ff ^ 0x00000001;
        				if(_t50 == 0 ||  *(_t66 + 0x2c) != 0) {
        					_t29 = 0;
        				} else {
        					_t29 = 1;
        				}
        				 *((char*)(_t66 + 0xd)) = _t29;
        				if( *(_t66 + 0x2c) != 0) {
        					 *((intOrPtr*)(_t66 + 8)) = GetCurrentThread();
        					 *((intOrPtr*)(_t66 + 4)) = GetCurrentThreadId();
        				} else {
        					if(_a4 == 0) {
        						_t12 = _t66 + 4; // 0x495548
        						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, 0, _t12, 4, _t66);
        					} else {
        						_t9 = _t66 + 4; // 0x495548
        						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, _a4, _t9, 0x10004, _t66);
        					}
        					if( *((intOrPtr*)(_t66 + 8)) == 0) {
        						E0041DFB0(GetLastError(), _t49, 0, _t66);
        						_v16 = _v20;
        						_v12 = 0x11;
        						_t55 =  *0x4ba740; // 0x40ea6c
        						E0041F35C(_t49, _t55, 1, _t64, _t66, 0,  &_v16);
        						E0040711C();
        					}
        				}
        				_pop(_t59);
        				 *[fs:eax] = _t59;
        				_push(0x4972ac);
        				return E00407A20( &_v20);
        			}

        APIs
        • GetLastError.KERNEL32(00000000,004972A5,?,00495544,00000000), ref: 00497247
          • Part of subcall function 004078E0: CreateThread.KERNEL32 ref: 0040793A
        • GetCurrentThread.KERNEL32 ref: 0049727F
        • GetCurrentThreadId.KERNEL32 ref: 00497287
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: Thread$Current$CreateErrorLast
        • String ID: 0@G$XtI$l@
        • API String ID: 3539746228-385768319
        • Opcode ID: 0f3d49910cd0fe0a2777fff9c7d37287e03b93d316d56716644e12c604fcc986
        • Instruction ID: 1159262e71bebd7e921a745d602ab6fc0c684f98ff6f66721209a3575415716a
        • Opcode Fuzzy Hash: 0f3d49910cd0fe0a2777fff9c7d37287e03b93d316d56716644e12c604fcc986
        • Instruction Fuzzy Hash: 2B31E2309287449EDB10EBB68C427AB7FE49F09304F40C87EE455973C1DA3CA545C799
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 61%
        			E004AF728(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
        				char _v8;
        				struct _STARTUPINFOW _v76;
        				void* _v88;
        				void* _v92;
        				int _t23;
        				intOrPtr _t49;
        				DWORD* _t51;
        				void* _t56;
        
        				_v8 = 0;
        				_t51 = __ecx;
        				_t53 = __edx;
        				_t41 = __eax;
        				_push(_t56);
        				_push(0x4af7ff);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t56 + 0xffffffa8;
        				_push(0x4af81c);
        				_push(__eax);
        				_push(0x4af82c);
        				_push(__edx);
        				E004087C4( &_v8, __eax, 4, __ecx, __edx);
        				E00405884( &_v76, 0x44);
        				_v76.cb = 0x44;
        				_t23 = CreateProcessW(0, E004084EC(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92);
        				_t58 = _t23;
        				if(_t23 == 0) {
        					E004AF34C(0x83, _t41, 0, _t53, _t58);
        				}
        				CloseHandle(_v88);
        				do {
        					E004AF6FC();
        				} while (MsgWaitForMultipleObjects(1,  &_v92, 0, 0xffffffff, 0x4ff) == 1);
        				E004AF6FC();
        				GetExitCodeProcess(_v92, _t51);
        				CloseHandle(_v92);
        				_pop(_t49);
        				 *[fs:eax] = _t49;
        				_push(0x4af806);
        				return E00407A20( &_v8);
        			}

        APIs
        • CreateProcessW.KERNEL32 ref: 004AF798
        • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
        • MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
        • GetExitCodeProcess.KERNEL32 ref: 004AF7DB
        • CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4
          • Part of subcall function 004AF34C: GetLastError.KERNEL32(00000000,004AF3F5,?,?,00000000), ref: 004AF36F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
        • String ID: D
        • API String ID: 3356880605-2746444292
        • Opcode ID: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
        • Instruction ID: 88989adc3f1fa39a5a5eb6990527994e2deb527bcdcae90bffb7d35c0d41af56
        • Opcode Fuzzy Hash: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
        • Instruction Fuzzy Hash: C01163716041096EEB00FBE68C42F9F77ACDF56714F50053AB604E72C5DA789905866D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 36%
        			E00406424(void* __edx) {
        				signed int _v8;
        				intOrPtr _v12;
        				char _v16;
        				char* _t23;
        				intOrPtr _t29;
        				intOrPtr _t39;
        				void* _t41;
        				void* _t43;
        				intOrPtr _t44;
        
        				_t41 = _t43;
        				_t44 = _t43 + 0xfffffff4;
        				_v16 = 0;
        				if(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetLogicalProcessorInformation") == 0) {
        					L10:
        					_v8 = 0x40;
        					goto L11;
        				} else {
        					_t23 =  &_v16;
        					_push(_t23);
        					_push(0);
        					L00403808();
        					if(_t23 != 0 || GetLastError() != 0x7a) {
        						goto L10;
        					} else {
        						_v12 = E004053F0(_v16);
        						_push(_t41);
        						_push(E004064D2);
        						_push( *[fs:edx]);
        						 *[fs:edx] = _t44;
        						_push( &_v16);
        						_push(_v12);
        						L00403808();
        						_t29 = _v12;
        						if(_v16 <= 0) {
        							L8:
        							_pop(_t39);
        							 *[fs:eax] = _t39;
        							_push(E004064D9);
        							return E0040540C(_v12);
        						} else {
        							while( *((short*)(_t29 + 4)) != 2 ||  *((char*)(_t29 + 8)) != 1) {
        								_t29 = _t29 + 0x18;
        								_v16 = _v16 - 0x18;
        								if(_v16 > 0) {
        									continue;
        								} else {
        									goto L8;
        								}
        								goto L12;
        							}
        							_v8 =  *(_t29 + 0xa) & 0x0000ffff;
        							E00407210();
        							L11:
        							return _v8;
        						}
        					}
        				}
        				L12:
        			}

        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00406439
        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040643F
        • GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 0040645B
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: AddressErrorHandleLastModuleProc
        • String ID: @$GetLogicalProcessorInformation$kernel32.dll
        • API String ID: 4275029093-79381301
        • Opcode ID: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
        • Instruction ID: 8f5f9a4eb212fab3c4852abc810e80ead921d34dcce11bc4c58bc7a6251dba94
        • Opcode Fuzzy Hash: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
        • Instruction Fuzzy Hash: 52116371D00208BEDB20EFA5D84576EBBA8EB40705F1184BBF815F32C1D67D9A908B1D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 43%
        			E004076B8(void* __ecx) {
        				long _v4;
        				void* _t3;
        				void* _t9;
        
        				if( *0x4bb058 == 0) {
        					if( *0x4b7032 == 0) {
        						_push(0);
        						_push("Error");
        						_push("Runtime error     at 00000000");
        						_push(0);
        						L00403780();
        					}
        					return _t3;
        				} else {
        					if( *0x4bb344 == 0xd7b2 &&  *0x4bb34c > 0) {
        						 *0x4bb35c();
        					}
        					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1d,  &_v4, 0);
        					_t9 = E00408240(0x40774c);
        					return WriteFile(GetStdHandle(0xfffffff5), _t9, 2,  &_v4, 0);
        				}
        			}

        APIs
        • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
        • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
        • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
        • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: FileHandleWrite
        • String ID: Error$Runtime error at 00000000
        • API String ID: 3320372497-2970929446
        • Opcode ID: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
        • Instruction ID: db14fa18f2a627875cbdcf208ba1e0af1765c14dc112cf76e17f9611cef7a876
        • Opcode Fuzzy Hash: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
        • Instruction Fuzzy Hash: DFF0C2A1A8C24079FA2077A94C47F5A269C8740B16F108A3FF610B61D1C7FD6584937E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00420524(void* __ebx, void* __esi) {
        				intOrPtr _t4;
        				intOrPtr _t6;
        
        				if(E0041FF68(6, 0) == 0) {
        					_t4 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"NTDLL.DLL"), L"RtlCompareUnicodeString");
        					 *0x4be914 = _t4;
        					 *0x4be910 = E00420428;
        					return _t4;
        				} else {
        					_t6 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"CompareStringOrdinal");
        					 *0x4be910 = _t6;
        					return _t6;
        				}
        			}

        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,CompareStringOrdinal,004B5A2E,00000000,004B5A41), ref: 0042053E
          • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
        • GetModuleHandleW.KERNEL32(NTDLL.DLL,RtlCompareUnicodeString,004B5A2E,00000000,004B5A41), ref: 00420559
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: HandleModule$AddressProc
        • String ID: CompareStringOrdinal$NTDLL.DLL$RtlCompareUnicodeString$kernel32.dll
        • API String ID: 1883125708-3870080525
        • Opcode ID: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
        • Instruction ID: 4ba185d4141586243d2650af69d43cb091b5da9faf927984522c9bbe9ad7037f
        • Opcode Fuzzy Hash: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
        • Instruction Fuzzy Hash: 04E08CF0B4232036E644FB672C0769929C51B85709BD04A3F7004BA1D7DBBE42659E2E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 77%
        			E0042931C(short* __eax, intOrPtr __ecx, signed short* __edx) {
        				char _v260;
        				char _v768;
        				char _v772;
        				short* _v776;
        				intOrPtr _v780;
        				char _v784;
        				signed int _v788;
        				signed short* _v792;
        				char _v796;
        				char _v800;
        				intOrPtr* _v804;
        				signed short* _v808;
        				void* __ebp;
        				signed char _t55;
        				signed int _t64;
        				void* _t72;
        				intOrPtr* _t83;
        				void* _t103;
        				void* _t105;
        				void* _t108;
        				void* _t109;
        				intOrPtr* _t118;
        				void* _t122;
        				intOrPtr _t123;
        				char* _t124;
        				void* _t125;
        
        				_t110 = __ecx;
        				_v780 = __ecx;
        				_v808 = __edx;
        				_v776 = __eax;
        				if((_v808[0] & 0x00000020) == 0) {
        					E00428FDC(0x80070057);
        				}
        				_t55 =  *_v808 & 0x0000ffff;
        				if((_t55 & 0x00000fff) != 0xc) {
        					_push(_v808);
        					_push(_v776);
        					L00427254();
        					return E00428FDC(_v776);
        				} else {
        					if((_t55 & 0x00000040) == 0) {
        						_v792 = _v808[4];
        					} else {
        						_v792 =  *(_v808[4]);
        					}
        					_v788 =  *_v792 & 0x0000ffff;
        					_t103 = _v788 - 1;
        					if(_t103 < 0) {
        						L9:
        						_push( &_v772);
        						_t64 = _v788;
        						_push(_t64);
        						_push(0xc);
        						L00427828();
        						_t123 = _t64;
        						if(_t123 == 0) {
        							E00428D34(_t110);
        						}
        						E00429278(_v776);
        						 *_v776 = 0x200c;
        						 *((intOrPtr*)(_v776 + 8)) = _t123;
        						_t105 = _v788 - 1;
        						if(_t105 < 0) {
        							L14:
        							_t107 = _v788 - 1;
        							if(E00429294(_v788 - 1, _t125) != 0) {
        								L00427840();
        								E00428FDC(_v792);
        								L00427840();
        								E00428FDC( &_v260);
        								_v780(_t123,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
        							}
        							_t72 = E004292C4(_t107, _t125);
        						} else {
        							_t108 = _t105 + 1;
        							_t83 =  &_v768;
        							_t118 =  &_v260;
        							do {
        								 *_t118 =  *_t83;
        								_t118 = _t118 + 4;
        								_t83 = _t83 + 8;
        								_t108 = _t108 - 1;
        							} while (_t108 != 0);
        							do {
        								goto L14;
        							} while (_t72 != 0);
        							return _t72;
        						}
        					} else {
        						_t109 = _t103 + 1;
        						_t122 = 0;
        						_t124 =  &_v772;
        						do {
        							_v804 = _t124;
        							_push(_v804 + 4);
        							_t23 = _t122 + 1; // 0x1
        							_push(_v792);
        							L00427830();
        							E00428FDC(_v792);
        							_push( &_v784);
        							_t26 = _t122 + 1; // 0x1
        							_push(_v792);
        							L00427838();
        							E00428FDC(_v792);
        							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
        							_t122 = _t122 + 1;
        							_t124 = _t124 + 8;
        							_t109 = _t109 - 1;
        						} while (_t109 != 0);
        						goto L9;
        					}
        				}
        			}

        APIs
        • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004293D1
        • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004293ED
        • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00429426
        • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004294A3
        • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004294BC
        • VariantCopy.OLEAUT32(?,?), ref: 004294F7
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: ArraySafe$BoundIndex$CopyCreateVariant
        • String ID:
        • API String ID: 351091851-0
        • Opcode ID: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
        • Instruction ID: 2fed5c09d90993a71d142947efe00684c7910c2ed580f9cb9a97fb5731140b2d
        • Opcode Fuzzy Hash: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
        • Instruction Fuzzy Hash: 4B51EE75A012299FCB21DB59D981BDAB3FCAF0C304F8041DAF548E7211D634AF858F65
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 68%
        			E00403EE8(signed int __eax) {
        				signed int __ebx;
        				signed int __edi;
        				signed int __esi;
        				intOrPtr* _t99;
        				signed int _t104;
        				signed int _t109;
        				signed int _t110;
        				intOrPtr* _t114;
        				void* _t116;
        				intOrPtr* _t121;
        				signed int _t125;
        				signed int _t129;
        				signed int _t131;
        				signed int _t132;
        				signed int _t133;
        				signed int _t134;
        				signed int _t135;
        				unsigned int _t141;
        				signed int _t142;
        				void* _t144;
        				intOrPtr* _t147;
        				intOrPtr _t148;
        				signed int _t150;
        				long _t156;
        				intOrPtr _t159;
        				signed int _t162;
        
        				_t95 = __eax;
        				_t129 =  *0x4bb059; // 0x0
        				if(__eax > 0xa2c) {
        					__eflags = __eax - 0x40a2c;
        					if(__eax > 0x40a2c) {
        						_pop(_t120);
        						__eflags = __eax;
        						if(__eax >= 0) {
        							_push(_t120);
        							_t162 = __eax;
        							_t2 = _t162 + 0x10010; // 0x10110
        							_t156 = _t2 - 0x00000001 + 0x00000004 & 0xffff0000;
        							_t121 = VirtualAlloc(0, _t156, 0x101000, 4);
        							if(_t121 != 0) {
        								_t147 = _t121;
        								 *((intOrPtr*)(_t147 + 8)) = _t162;
        								 *(_t147 + 0xc) = _t156 | 0x00000004;
        								E00403C48();
        								_t99 =  *0x4bdb80; // 0x4bdb7c
        								 *_t147 = 0x4bdb7c;
        								 *0x4bdb80 = _t121;
        								 *((intOrPtr*)(_t147 + 4)) = _t99;
        								 *_t99 = _t121;
        								 *0x4bdb78 = 0;
        								_t121 = _t121 + 0x10;
        							}
        							return _t121;
        						} else {
        							__eflags = 0;
        							return 0;
        						}
        					} else {
        						_t67 = _t95 + 0xd3; // 0x1d3
        						_t125 = (_t67 & 0xffffff00) + 0x30;
        						__eflags = _t129;
        						if(__eflags != 0) {
        							while(1) {
        								asm("lock cmpxchg [0x4bbae8], ah");
        								if(__eflags == 0) {
        									goto L42;
        								}
        								asm("pause");
        								__eflags =  *0x4bb989;
        								if(__eflags != 0) {
        									continue;
        								} else {
        									Sleep(0);
        									asm("lock cmpxchg [0x4bbae8], ah");
        									if(__eflags != 0) {
        										Sleep(0xa);
        										continue;
        									}
        								}
        								goto L42;
        							}
        						}
        						L42:
        						_t68 = _t125 - 0xb30; // -2445
        						_t141 = _t68;
        						_t142 = _t141 >> 0xd;
        						_t131 = _t141 >> 8;
        						_t104 = 0xffffffff << _t131 &  *(0x4bbaf8 + _t142 * 4);
        						__eflags = 0xffffffff;
        						if(0xffffffff == 0) {
        							_t132 = _t142;
        							__eflags = 0xfffffffe << _t132 &  *0x4bbaf4;
        							if((0xfffffffe << _t132 &  *0x4bbaf4) == 0) {
        								_t133 =  *0x4bbaf0; // 0x0
        								_t134 = _t133 - _t125;
        								__eflags = _t134;
        								if(_t134 < 0) {
        									_t109 = E00403BCC(_t125);
        								} else {
        									_t110 =  *0x4bbaec; // 0x2242e50
        									_t109 = _t110 - _t125;
        									 *0x4bbaec = _t109;
        									 *0x4bbaf0 = _t134;
        									 *(_t109 - 4) = _t125 | 0x00000002;
        								}
        								 *0x4bbae8 = 0;
        								return _t109;
        							} else {
        								asm("bsf edx, eax");
        								asm("bsf ecx, eax");
        								_t135 = _t132 | _t142 << 0x00000005;
        								goto L50;
        							}
        						} else {
        							asm("bsf eax, eax");
        							_t135 = _t131 & 0xffffffe0 | _t104;
        							L50:
        							_push(_t152);
        							_push(_t145);
        							_t148 = 0x4bbb78 + _t135 * 8;
        							_t159 =  *((intOrPtr*)(_t148 + 4));
        							_t114 =  *((intOrPtr*)(_t159 + 4));
        							 *((intOrPtr*)(_t148 + 4)) = _t114;
        							 *_t114 = _t148;
        							__eflags = _t148 - _t114;
        							if(_t148 == _t114) {
        								asm("rol eax, cl");
        								_t80 = 0x4bbaf8 + _t142 * 4;
        								 *_t80 =  *(0x4bbaf8 + _t142 * 4) & 0xfffffffe;
        								__eflags =  *_t80;
        								if( *_t80 == 0) {
        									asm("btr [0x4bbaf4], edx");
        								}
        							}
        							_t150 = 0xfffffff0 &  *(_t159 - 4);
        							_t144 = 0xfffffff0 - _t125;
        							__eflags = 0xfffffff0;
        							if(0xfffffff0 == 0) {
        								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
        								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
        								__eflags =  *_t89;
        							} else {
        								_t116 = _t125 + _t159;
        								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
        								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
        								__eflags = 0xfffffff0 - 0xb30;
        								if(0xfffffff0 >= 0xb30) {
        									E00403B00(_t116, 0xfffffffffffffff3, _t144);
        								}
        							}
        							_t93 = _t125 + 2; // 0x1a5
        							 *(_t159 - 4) = _t93;
        							 *0x4bbae8 = 0;
        							return _t159;
        						}
        					}
        				} else {
        					__eflags = __cl;
        					_t6 = __edx + 0x4bb990; // 0xc8c8c8c8
        					__eax =  *_t6 & 0x000000ff;
        					__ebx = 0x4b7080 + ( *_t6 & 0x000000ff) * 8;
        					if(__eflags != 0) {
        						while(1) {
        							__eax = 0x100;
        							asm("lock cmpxchg [ebx], ah");
        							if(__eflags == 0) {
        								goto L5;
        							}
        							__ebx = __ebx + 0x20;
        							__eflags = __ebx;
        							__eax = 0x100;
        							asm("lock cmpxchg [ebx], ah");
        							if(__ebx != 0) {
        								__ebx = __ebx + 0x20;
        								__eflags = __ebx;
        								__eax = 0x100;
        								asm("lock cmpxchg [ebx], ah");
        								if(__ebx != 0) {
        									__ebx = __ebx - 0x40;
        									asm("pause");
        									__eflags =  *0x4bb989;
        									if(__eflags != 0) {
        										continue;
        									} else {
        										Sleep(0);
        										__eax = 0x100;
        										asm("lock cmpxchg [ebx], ah");
        										if(__eflags != 0) {
        											Sleep(0xa);
        											continue;
        										}
        									}
        								}
        							}
        							goto L5;
        						}
        					}
        					L5:
        					__edx =  *(__ebx + 8);
        					__eax =  *(__edx + 0x10);
        					__ecx = 0xfffffff8;
        					__eflags = __edx - __ebx;
        					if(__edx == __ebx) {
        						__edx =  *(__ebx + 0x18);
        						__ecx =  *(__ebx + 2) & 0x0000ffff;
        						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
        						__eflags = __eax -  *(__ebx + 0x14);
        						if(__eax >  *(__ebx + 0x14)) {
        							_push(__esi);
        							_push(__edi);
        							__eflags =  *0x4bb059;
        							if(__eflags != 0) {
        								while(1) {
        									__eax = 0x100;
        									asm("lock cmpxchg [0x4bbae8], ah");
        									if(__eflags == 0) {
        										goto L22;
        									}
        									asm("pause");
        									__eflags =  *0x4bb989;
        									if(__eflags != 0) {
        										continue;
        									} else {
        										Sleep(0);
        										__eax = 0x100;
        										asm("lock cmpxchg [0x4bbae8], ah");
        										if(__eflags != 0) {
        											Sleep(0xa);
        											continue;
        										}
        									}
        									goto L22;
        								}
        							}
        							L22:
        							 *(__ebx + 1) =  *(__ebx + 1) &  *0x4bbaf4;
        							__eflags =  *(__ebx + 1) &  *0x4bbaf4;
        							if(( *(__ebx + 1) &  *0x4bbaf4) == 0) {
        								__ecx =  *(__ebx + 4) & 0x0000ffff;
        								__edi =  *0x4bbaf0; // 0x0
        								__eflags = __edi - ( *(__ebx + 4) & 0x0000ffff);
        								if(__edi < ( *(__ebx + 4) & 0x0000ffff)) {
        									__eax =  *(__ebx + 6) & 0x0000ffff;
        									__edi = __eax;
        									__eax = E00403BCC(__eax);
        									__esi = __eax;
        									__eflags = __eax;
        									if(__eax != 0) {
        										goto L35;
        									} else {
        										 *0x4bbae8 = __al;
        										 *__ebx = __al;
        										_pop(__edi);
        										_pop(__esi);
        										_pop(__ebx);
        										return __eax;
        									}
        								} else {
        									__esi =  *0x4bbaec; // 0x2242e50
        									__ecx =  *(__ebx + 6) & 0x0000ffff;
        									__edx = __ecx + 0xb30;
        									__eflags = __edi - __ecx + 0xb30;
        									if(__edi >= __ecx + 0xb30) {
        										__edi = __ecx;
        									}
        									__esi = __esi - __edi;
        									 *0x4bbaf0 =  *0x4bbaf0 - __edi;
        									 *0x4bbaec = __esi;
        									goto L35;
        								}
        							} else {
        								asm("bsf eax, esi");
        								__esi = __eax * 8;
        								__ecx =  *(0x4bbaf8 + __eax * 4);
        								asm("bsf ecx, ecx");
        								__ecx =  *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4;
        								__edi = 0x4bbb78 + ( *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4) * 8;
        								__esi =  *(__edi + 4);
        								__edx =  *(__esi + 4);
        								 *(__edi + 4) = __edx;
        								 *__edx = __edi;
        								__eflags = __edi - __edx;
        								if(__edi == __edx) {
        									__edx = 0xfffffffe;
        									asm("rol edx, cl");
        									_t38 = 0x4bbaf8 + __eax * 4;
        									 *_t38 =  *(0x4bbaf8 + __eax * 4) & 0xfffffffe;
        									__eflags =  *_t38;
        									if( *_t38 == 0) {
        										asm("btr [0x4bbaf4], eax");
        									}
        								}
        								__edi = 0xfffffff0;
        								__edi = 0xfffffff0 &  *(__esi - 4);
        								__eflags = 0xfffffff0 - 0x10a60;
        								if(0xfffffff0 < 0x10a60) {
        									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
        									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
        									__eflags =  *_t52;
        								} else {
        									__edx = __edi;
        									__edi =  *(__ebx + 6) & 0x0000ffff;
        									__edx = __edx - __edi;
        									__eax = __edi + __esi;
        									__ecx = __edx + 3;
        									 *(__eax - 4) = __ecx;
        									 *(__edx + __eax - 8) = __edx;
        									__eax = E00403B00(__eax, __ecx, __edx);
        								}
        								L35:
        								_t56 = __edi + 6; // 0x6
        								__ecx = _t56;
        								 *(__esi - 4) = _t56;
        								__eax = 0;
        								 *0x4bbae8 = __al;
        								 *__esi = __ebx;
        								 *((intOrPtr*)(__esi + 0x10)) = 0;
        								 *((intOrPtr*)(__esi + 0x14)) = 1;
        								 *(__ebx + 0x18) = __esi;
        								_t61 = __esi + 0x20; // 0x2242e70
        								__eax = _t61;
        								__ecx =  *(__ebx + 2) & 0x0000ffff;
        								__edx = __ecx + __eax;
        								 *(__ebx + 0x10) = __ecx + __eax;
        								__edi = __edi + __esi;
        								__edi = __edi - __ecx;
        								__eflags = __edi;
        								 *(__ebx + 0x14) = __edi;
        								 *__ebx = 0;
        								 *(__eax - 4) = __esi;
        								_pop(__edi);
        								_pop(__esi);
        								_pop(__ebx);
        								return __eax;
        							}
        						} else {
        							_t19 = __edx + 0x14;
        							 *_t19 =  *(__edx + 0x14) + 1;
        							__eflags =  *_t19;
        							 *(__ebx + 0x10) = __ecx;
        							 *__ebx = 0;
        							 *(__eax - 4) = __edx;
        							_pop(__ebx);
        							return __eax;
        						}
        					} else {
        						 *(__edx + 0x14) =  *(__edx + 0x14) + 1;
        						__ecx = 0xfffffff8 &  *(__eax - 4);
        						__eflags = 0xfffffff8;
        						 *(__edx + 0x10) = 0xfffffff8 &  *(__eax - 4);
        						 *(__eax - 4) = __edx;
        						if(0xfffffff8 == 0) {
        							__ecx =  *(__edx + 8);
        							 *(__ecx + 0xc) = __ebx;
        							 *(__ebx + 8) = __ecx;
        							 *__ebx = 0;
        							_pop(__ebx);
        							return __eax;
        						} else {
        							 *__ebx = 0;
        							_pop(__ebx);
        							return __eax;
        						}
        					}
        				}
        			}


        APIs
        • Sleep.KERNEL32(00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403F9F
        • Sleep.KERNEL32(0000000A,00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FB5
        • Sleep.KERNEL32(00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FE3
        • Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FF9
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: Sleep
        • String ID:
        • API String ID: 3472027048-0
        • Opcode ID: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
        • Instruction ID: d98b69cfe0522def9def3360e9182a2a8bb24ce33fa39324cc86f3a67812f259
        • Opcode Fuzzy Hash: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
        • Instruction Fuzzy Hash: 99C123B2A002018BCB15CF69EC84356BFE4EB89311F1882BFE514AB3D5D7B89941C7D8
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 75%
        			E004B60E8(void* __ebx, void* __edi, void* __esi, void* __fp0) {
        				intOrPtr _t26;
        				intOrPtr _t31;
        				intOrPtr _t37;
        				intOrPtr _t38;
        				intOrPtr _t44;
        				intOrPtr _t47;
        				intOrPtr _t51;
        				intOrPtr _t55;
        				intOrPtr _t56;
        				intOrPtr _t59;
        				intOrPtr _t61;
        				WCHAR* _t63;
        				intOrPtr _t69;
        				intOrPtr _t74;
        				int _t75;
        				intOrPtr _t76;
        				intOrPtr _t78;
        				struct HWND__* _t81;
        				intOrPtr _t82;
        				intOrPtr _t86;
        				void* _t90;
        				intOrPtr _t93;
        				intOrPtr _t99;
        				intOrPtr _t101;
        				intOrPtr _t107;
        				intOrPtr _t114;
        				intOrPtr _t115;
        				intOrPtr _t116;
        				intOrPtr _t117;
        				void* _t120;
        				intOrPtr _t121;
        
        				_t119 = __esi;
        				_t118 = __edi;
        				_t85 = __ebx;
        				_pop(_t101);
        				_pop(_t88);
        				 *[fs:eax] = _t101;
        				E004AF678(_t88);
        				if( *0x4ba440 == 0) {
        					if(( *0x4c1d71 & 0x00000001) == 0 &&  *0x4ba441 == 0) {
        						_t61 =  *0x4ba674; // 0x4c0d0c
        						_t4 = _t61 + 0x2f8; // 0x0
        						_t63 = E004084EC( *_t4);
        						_t88 = _t120 - 0x28;
        						_t101 =  *0x4c1c48; // 0x0
        						E00426F08(0xc2, _t120 - 0x28, _t101);
        						if(MessageBoxW(0, E004084EC( *((intOrPtr*)(_t120 - 0x28))), _t63, 0x24) != 6) {
        							 *0x4ba44c = 2;
        							E0041F238();
        						}
        					}
        					E004056D0();
        					E004AEFE8(_t120 - 0x2c, _t85, _t101, _t118, _t119);
        					E00407E00(0x4c1d94,  *((intOrPtr*)(_t120 - 0x2c)));
        					_t26 =  *0x4c1d84; // 0x0
        					E00422954(_t26, _t88, _t120 - 0x34);
        					E004226C8( *((intOrPtr*)(_t120 - 0x34)), _t85, _t120 - 0x30, L".tmp", _t118, _t119);
        					_push( *((intOrPtr*)(_t120 - 0x30)));
        					_t31 =  *0x4c1d94; // 0x0
        					E00422660(_t31, _t120 - 0x38);
        					_pop(_t90);
        					E0040873C(0x4c1d98, _t90,  *((intOrPtr*)(_t120 - 0x38)));
        					_t107 =  *0x4c1d98; // 0x0
        					E00407E00(0x4c1d9c, _t107);
        					_t37 =  *0x4c1d90; // 0x4ca924
        					_t15 = _t37 + 0x14; // 0x5100a5
        					_t38 =  *0x4c1d88; // 0x22538d0
        					E00423CE8(_t38,  *_t15);
        					_push(_t120);
        					_push(0x4b63ab);
        					_push( *[fs:edx]);
        					 *[fs:edx] = _t121;
        					 *0x4c1de0 = 0;
        					 *0x4c1d8c = E00423D00(1, 0, 1, 0);
        					_push(_t120);
        					_push(0x4b639a);
        					_push( *[fs:eax]);
        					 *[fs:eax] = _t121;
        					_t44 =  *0x4c1d90; // 0x4ca924
        					_t16 = _t44 + 0x18; // 0x2dfe00
        					 *0x4c1de0 = E004053F0( *_t16);
        					_t47 =  *0x4c1d90; // 0x4ca924
        					_t17 = _t47 + 0x18; // 0x2dfe00
        					_t86 =  *0x4c1de0; // 0x0
        					E00405884(_t86,  *_t17);
        					_push(_t120);
        					_push(0x4b62e9);
        					_push( *[fs:eax]);
        					 *[fs:eax] = _t121;
        					_t51 =  *0x424cd8; // 0x424d30
        					_t93 =  *0x4c1d88; // 0x22538d0
        					 *0x4c1de4 = E00424748(_t93, 1, _t51);
        					_push(_t120);
        					_push(0x4b62d8);
        					_push( *[fs:eax]);
        					 *[fs:eax] = _t121;
        					_t55 =  *0x4c1d90; // 0x4ca924
        					_t18 = _t55 + 0x18; // 0x2dfe00
        					_t56 =  *0x4c1de4; // 0x0
        					E00424A24(_t56,  *_t18, _t86);
        					_pop(_t114);
        					 *[fs:eax] = _t114;
        					_push(E004B62DF);
        					_t59 =  *0x4c1de4; // 0x0
        					return E00405CE8(_t59);
        				} else {
        					_t69 =  *0x4ba674; // 0x4c0d0c
        					_t1 = _t69 + 0x1d0; // 0x0
        					E004AFA44( *_t1, __ebx, __edi, __esi);
        					 *0x4ba44c = 0;
        					_pop(_t115);
        					 *[fs:eax] = _t115;
        					_push(E004B6554);
        					_t74 =  *0x4c1d88; // 0x22538d0
        					_t75 = E00405CE8(_t74);
        					if( *0x4c1d9c != 0) {
        						_t117 =  *0x4c1d9c; // 0x0
        						_t75 = E004AF1B4(0, _t117, 0xfa, 0x32);
        					}
        					if( *0x4c1d94 != 0) {
        						_t82 =  *0x4c1d94; // 0x0
        						_t75 = RemoveDirectoryW(E004084EC(_t82));
        					}
        					if( *0x4ba450 != 0) {
        						_t81 =  *0x4ba450; // 0x0
        						_t75 = DestroyWindow(_t81);
        					}
        					if( *0x4c1d78 != 0) {
        						_t76 =  *0x4c1d78; // 0x0
        						_t99 =  *0x4c1d7c; // 0x0
        						_t116 =  *0x426bb0; // 0x426bb4
        						E00408D08(_t76, _t99, _t116);
        						_t78 =  *0x4c1d78; // 0x0
        						E0040540C(_t78);
        						 *0x4c1d78 = 0;
        						return 0;
        					}
        					return _t75;
        				}
        			}


        APIs
        • MessageBoxW.USER32(00000000,00000000,00000000,00000024), ref: 004B6179
          • Part of subcall function 004AFA44: MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE
        • RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
        • DestroyWindow.USER32(00000000,004B6554), ref: 004B6514
          • Part of subcall function 004AF1B4: Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
          • Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
          • Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: ErrorLastMessage$DestroyDirectoryRemoveSleepWindow
        • String ID: .tmp$0MB
        • API String ID: 3858953238-176122739
        • Opcode ID: 301e16f47666b727b4d85adc4dd2dde41dfd151105f37d762b4374fa6a6ed9b3
        • Instruction ID: b159488041d1577a8b45ed1a1d18f26c00613076fc9a683522f38ff229f2206a
        • Opcode Fuzzy Hash: 301e16f47666b727b4d85adc4dd2dde41dfd151105f37d762b4374fa6a6ed9b3
        • Instruction Fuzzy Hash: AC615A342002009FD755EF69ED86EAA37A5EB4A308F51453AF801976B2DA3CBC51CB6D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 34%
        			E004AFA44(void* __eax, void* __ebx, void* __edi, void* __esi) {
        				char _v8;
        				char _v12;
        				void* _t24;
        				intOrPtr _t28;
        				void* _t31;
        				void* _t32;
        				intOrPtr _t35;
        
        				_t32 = __esi;
        				_t31 = __edi;
        				_push(0);
        				_push(0);
        				_t24 = __eax;
        				_push(_t35);
        				_push(0x4aface);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t35;
        				if(( *0x4c1d61 & 0x00000001) == 0) {
        					E00407A20( &_v8);
        				} else {
        					E00407E48( &_v8, L"/ALLUSERS\r\nInstructs Setup to install in administrative install mode.\r\n/CURRENTUSER\r\nInstructs Setup to install in non administrative install mode.\r\n");
        				}
        				_push(L"The Setup program accepts optional command line parameters.\r\n\r\n/HELP, /?\r\nShows this information.\r\n/SP-\r\nDisables the This will install... Do you wish to continue? prompt at the beginning of Setup.\r\n/SILENT, /VERYSILENT\r\nInstructs Setup to be silent or very silent.\r\n/SUPPRESSMSGBOXES\r\nInstructs Setup to suppress message boxes.\r\n/LOG\r\nCauses Setup to create a log file in the user\'s TEMP directory.\r\n/LOG=\"filename\"\r\nSame as /LOG, except it allows you to specify a fixed path/filename to use for the log file.\r\n/NOCANCEL\r\nPrevents the user from cancelling during the installation process.\r\n/NORESTART\r\nPrevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requests a restart.\r\n/RESTARTEXITCODE=exit code\r\nSpecifies a custom exit code that Setup is to return when the system needs to be restarted.\r\n/CLOSEAPPLICATIONS\r\nInstructs Setup to close applications using files that need to be updated.\r\n/NOCLOSEAPPLICATIONS\r\nPrevents Setup from closing applications using files that need to be updated.\r\n/FORCECLOSEAPPLICATIONS\r\nInstructs Setup to force close when closing applications.\r\n/FORCENOCLOSEAPPLICATIONS\r\nPrevents Setup from force closing when closing applications.\r\n/LOGCLOSEAPPLICATIONS\r\nInstructs Setup to create extra logging when closing applications for debugging purposes.\r\n/RESTARTAPPLICATIONS\r\nInstructs Setup to restart applications.\r\n/NORESTARTAPPLICATIONS\r\nPrevents Setup from restarting applications.\r\n/LOADINF=\"filename\"\r\nInstructs Setup to load the settings from the specified file after having checked the command line.\r\n/SAVEINF=\"filename\"\r\nInstructs Setup to save installation settings to the specified file.\r\n/LANG=language\r\nSpecifies the internal name of the language to use.\r\n/DIR=\"x:\\dirname\"\r\nOverrides the default directory name.\r\n/GROUP=\"folder name\"\r\nOverrides the default folder 
name.\r\n/NOICONS\r\nInstructs Setup to initially check the Don\'t create a Start Menu folder check box.\r\n/TYPE=type name\r\nOverrides the default setup type.\r\n/COMPONENTS=\"comma separated list of component names\"\r\nOverrides the default component settings.\r\n/TASKS=\"comma separated list of task names\"\r\nSpecifies a list of tasks that should be initially selected.\r\n/MERGETASKS=\"comma separated list of task names\"\r\nLike the /TASKS parameter, except the specified tasks will be merged with the set of tasks that would have otherwise been selected by default.\r\n/PASSWORD=password\r\nSpecifies the password to use.\r\n");
        				_push(_v8);
        				_push(_t24);
        				_push(0x4b0f94);
        				_push(L"For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline");
        				E004087C4( &_v12, _t24, 5, _t31, _t32);
        				MessageBoxW(0, E004084EC(_v12), L"Setup", 0x10);
        				_pop(_t28);
        				 *[fs:eax] = _t28;
        				_push(E004AFAD5);
        				return E00407A80( &_v12, 2);
        			}











        APIs
        • MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE
        Strings
        • /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat, xrefs: 004AFA68
        • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in, xrefs: 004AFA7C
        • For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline, xrefs: 004AFA8A
        • Setup, xrefs: 004AFA9E
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: Message
        • String ID: /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat$For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline$Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in
        • API String ID: 2030045667-3391638011
        • Opcode ID: 19aabbd57dabec6cee2d168a692b8da5fbf684a47e321c3871ba092039eb267d
        • Instruction ID: 307a18092975e57fce7d36cb0845ad1ef4e0a75d88e156d2955b45763d379f25
        • Opcode Fuzzy Hash: 19aabbd57dabec6cee2d168a692b8da5fbf684a47e321c3871ba092039eb267d
        • Instruction Fuzzy Hash: D701A230748308BBE711E7D1CD52FDEB6A8D74AB04FA0047BB904B25D1D6BC6A09852D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 69%
        			E0042F9B8(signed short* __eax, signed int __ecx, signed short* __edx, void* __edi, void* __fp0) {
        				signed int _v8;
        				signed char _v9;
        				signed int _v12;
        				signed int _v14;
        				void* _v20;
        				void* _v24;
        				signed short* _v28;
        				signed short* _v32;
        				signed int _v48;
        				void* __ebx;
        				void* __ebp;
        				signed int _t150;
        				signed int _t272;
        				intOrPtr _t328;
        				intOrPtr _t331;
        				intOrPtr _t339;
        				intOrPtr _t347;
        				intOrPtr _t355;
        				void* _t360;
        				void* _t362;
        				intOrPtr _t363;
        
        				_t367 = __fp0;
        				_t358 = __edi;
        				_t360 = _t362;
        				_t363 = _t362 + 0xffffffd4;
        				_v8 = __ecx;
        				_v32 = __edx;
        				_v28 = __eax;
        				_v9 = 1;
        				_t272 =  *_v28 & 0x0000ffff;
        				if((_t272 & 0x00000fff) >= 0x10f) {
        					_t150 =  *_v32 & 0x0000ffff;
        					if(_t150 != 0) {
        						if(_t150 != 1) {
        							if(E00430860(_t272,  &_v20) != 0) {
        								_push( &_v14);
        								_t273 =  *_v20;
        								if( *((intOrPtr*)( *_v20 + 8))() == 0) {
        									_t275 =  *_v32 & 0x0000ffff;
        									if(( *_v32 & 0xfff) >= 0x10f) {
        										if(E00430860(_t275,  &_v24) != 0) {
        											_push( &_v12);
        											_t276 =  *_v24;
        											if( *((intOrPtr*)( *_v24 + 4))() == 0) {
        												E00428BF0(0xb);
        												goto L41;
        											} else {
        												if(( *_v28 & 0x0000ffff) == _v12) {
        													_t143 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
        													_v9 =  *(0x4b93d2 + _v8 * 2 + _t143) & 0x000000ff;
        													goto L41;
        												} else {
        													_push( &_v48);
        													L00427244();
        													_push(_t360);
        													_push(0x42fdb0);
        													_push( *[fs:eax]);
        													 *[fs:eax] = _t363;
        													_t289 = _v12 & 0x0000ffff;
        													E004299A4( &_v48, _t276, _v12 & 0x0000ffff, _v28, __edi, __fp0);
        													if((_v48 & 0x0000ffff) != _v12) {
        														E00428AF8(_t289);
        													}
        													_t131 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
        													_v9 =  *(0x4b93d2 + _v8 * 2 + _t131) & 0x000000ff;
        													_pop(_t328);
        													 *[fs:eax] = _t328;
        													_push(0x42fde5);
        													return E00429278( &_v48);
        												}
        											}
        										} else {
        											E00428BF0(0xb);
        											goto L41;
        										}
        									} else {
        										_push( &_v48);
        										L00427244();
        										_push(_t360);
        										_push(0x42fcf7);
        										_push( *[fs:eax]);
        										 *[fs:eax] = _t363;
        										_t294 =  *_v32 & 0x0000ffff;
        										E004299A4( &_v48, _t275,  *_v32 & 0x0000ffff, _v28, __edi, __fp0);
        										if(( *_v32 & 0x0000ffff) != _v48) {
        											E00428AF8(_t294);
        										}
        										_v9 = E0042F7D0( &_v48, _v8, _v32, _t358, _t360, _t367);
        										_pop(_t331);
        										 *[fs:eax] = _t331;
        										_push(0x42fde5);
        										return E00429278( &_v48);
        									}
        								} else {
        									if(( *_v32 & 0x0000ffff) == _v14) {
        										_t95 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
        										_v9 =  *(0x4b93d2 + _v8 * 2 + _t95) & 0x000000ff;
        										goto L41;
        									} else {
        										_push( &_v48);
        										L00427244();
        										_push(_t360);
        										_push(0x42fc52);
        										_push( *[fs:eax]);
        										 *[fs:eax] = _t363;
        										_t299 = _v14 & 0x0000ffff;
        										E004299A4( &_v48, _t273, _v14 & 0x0000ffff, _v32, __edi, __fp0);
        										if((_v48 & 0x0000ffff) != _v14) {
        											E00428AF8(_t299);
        										}
        										_t83 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
        										_v9 =  *(0x4b93d2 + _v8 * 2 + _t83) & 0x000000ff;
        										_pop(_t339);
        										 *[fs:eax] = _t339;
        										_push(0x42fde5);
        										return E00429278( &_v48);
        									}
        								}
        							} else {
        								E00428BF0(__ecx);
        								goto L41;
        							}
        						} else {
        							_v9 = E0042F550(_v8, 2);
        							goto L41;
        						}
        					} else {
        						_v9 = E0042F53C(0, 1);
        						goto L41;
        					}
        				} else {
        					if(_t272 != 0) {
        						if(_t272 != 1) {
        							if(E00430860( *_v32 & 0x0000ffff,  &_v24) != 0) {
        								_push( &_v12);
        								_t282 =  *_v24;
        								if( *((intOrPtr*)( *_v24 + 4))() == 0) {
        									_push( &_v48);
        									L00427244();
        									_push(_t360);
        									_push(0x42fb63);
        									_push( *[fs:eax]);
        									 *[fs:eax] = _t363;
        									_t306 =  *_v28 & 0x0000ffff;
        									E004299A4( &_v48, _t282,  *_v28 & 0x0000ffff, _v32, __edi, __fp0);
        									if((_v48 & 0xfff) !=  *_v28) {
        										E00428AF8(_t306);
        									}
        									_v9 = E0042F7D0(_v28, _v8,  &_v48, _t358, _t360, _t367);
        									_pop(_t347);
        									 *[fs:eax] = _t347;
        									_push(0x42fde5);
        									return E00429278( &_v48);
        								} else {
        									if(( *_v28 & 0x0000ffff) == _v12) {
        										_t44 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
        										_v9 =  *(0x4b93d2 + _v8 * 2 + _t44) & 0x000000ff;
        										goto L41;
        									} else {
        										_push( &_v48);
        										L00427244();
        										_push(_t360);
        										_push(0x42facc);
        										_push( *[fs:eax]);
        										 *[fs:eax] = _t363;
        										_t311 = _v12 & 0x0000ffff;
        										E004299A4( &_v48, _t282, _v12 & 0x0000ffff, _v28, __edi, __fp0);
        										if((_v48 & 0xfff) != _v12) {
        											E00428AF8(_t311);
        										}
        										_t32 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
        										_v9 =  *(0x4b93d2 + _v8 * 2 + _t32) & 0x000000ff;
        										_pop(_t355);
        										 *[fs:eax] = _t355;
        										_push(0x42fde5);
        										return E00429278( &_v48);
        									}
        								}
        							} else {
        								E00428BF0(__ecx);
        								goto L41;
        							}
        						} else {
        							_v9 = E0042F550(_v8, 0);
        							goto L41;
        						}
        					} else {
        						_v9 = E0042F53C(1, 0);
        						L41:
        						return _v9 & 0x000000ff;
        					}
        				}
        			}

























        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
        • Instruction ID: 1b6310f250808118d38827de8a535e3b6e70e535f73b2508e71121fbf0c58563
        • Opcode Fuzzy Hash: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
        • Instruction Fuzzy Hash: 41D19D75E0011A9FCB00EFA9D4919FEB7B5EF48300BD080B6E801A7245D638AD4ADB69
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 75%
        			E0041C790(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
        				char _v8;
        				short _v18;
        				short _v22;
        				struct _SYSTEMTIME _v24;
        				short _v536;
        				short* _t32;
        				intOrPtr* _t47;
        				intOrPtr _t56;
        				void* _t61;
        				intOrPtr _t63;
        				void* _t67;
        
        				_v8 = 0;
        				_t47 = __edx;
        				_t61 = __eax;
        				_push(_t67);
        				_push(0x41c873);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t67 + 0xfffffdec;
        				E00407A20(__edx);
        				_v24 =  *(_a4 - 2) & 0x0000ffff;
        				_v22 =  *(_a4 - 4) & 0x0000ffff;
        				_v18 =  *(_a4 - 6) & 0x0000ffff;
        				if(_t61 > 2) {
        					E00407E48( &_v8, L"yyyy");
        				} else {
        					E00407E48( &_v8, 0x41c88c);
        				}
        				_t32 = E004084EC(_v8);
        				if(GetDateFormatW(GetThreadLocale(), 4,  &_v24, _t32,  &_v536, 0x200) != 0) {
        					E0040858C(_t47, 0x100,  &_v536);
        					if(_t61 == 1 &&  *((short*)( *_t47)) == 0x30) {
        						_t63 =  *_t47;
        						if(_t63 != 0) {
        							_t63 =  *((intOrPtr*)(_t63 - 4));
        						}
        						E004088AC( *_t47, _t63 - 1, 2, _t47);
        					}
        				}
        				_pop(_t56);
        				 *[fs:eax] = _t56;
        				_push(0x41c87a);
        				return E00407A20( &_v8);
        			}















        APIs
        • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C816
        • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C81C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: DateFormatLocaleThread
        • String ID: $yyyy
        • API String ID: 3303714858-404527807
        • Opcode ID: 9b84cafd13c5b3a76178dd7a5deb0e6d63fe676c73d736d950a9ec0585647aa0
        • Instruction ID: d4c72dfe3e93bc103dd676e1b73ac12d517b544291048ec360f079cc1ca068dc
        • Opcode Fuzzy Hash: 9b84cafd13c5b3a76178dd7a5deb0e6d63fe676c73d736d950a9ec0585647aa0
        • Instruction Fuzzy Hash: 9A215335A442189BDB11EF95CDC1AAEB3B8EF08701F5144BBFC45E7281D7789E4087AA
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 85%
        			E0041EEFC(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* _a4) {
        				intOrPtr _v8;
        				intOrPtr _v12;
        				char _v534;
        				short _v1056;
        				short _v1568;
        				struct _MEMORY_BASIC_INFORMATION _v1596;
        				char _v1600;
        				intOrPtr _v1604;
        				char _v1608;
        				intOrPtr _v1612;
        				char _v1616;
        				intOrPtr _v1620;
        				char _v1624;
        				char* _v1628;
        				char _v1632;
        				char _v1636;
        				char _v1640;
        				intOrPtr _t55;
        				signed int _t76;
        				void* _t82;
        				intOrPtr _t83;
        				intOrPtr _t95;
        				intOrPtr _t98;
        				intOrPtr _t100;
        				intOrPtr* _t102;
        				void* _t105;
        
        				_v1640 = 0;
        				_v8 = __ecx;
        				_t82 = __edx;
        				_t102 = __eax;
        				_push(_t105);
        				_push(0x41f0a8);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t105 + 0xfffff99c;
        				VirtualQuery(__edx,  &_v1596, 0x1c);
        				if(_v1596.State != 0x1000 || GetModuleFileNameW(_v1596.AllocationBase,  &_v1056, 0x105) == 0) {
        					GetModuleFileNameW( *0x4be634,  &_v1056, 0x105);
        					_v12 = E0041EEF0(_t82);
        				} else {
        					_v12 = _t82 - _v1596.AllocationBase;
        				}
        				E0041A57C( &_v534, 0x104, E00420608() + 2);
        				_t83 = 0x41f0bc;
        				_t100 = 0x41f0bc;
        				_t95 =  *0x414db8; // 0x414e10
        				if(E00405F30(_t102, _t95) != 0) {
        					_t83 = E004084EC( *((intOrPtr*)(_t102 + 4)));
        					_t76 = E00407F04(_t83);
        					if(_t76 != 0 &&  *((short*)(_t83 + _t76 * 2 - 2)) != 0x2e) {
        						_t100 = 0x41f0c0;
        					}
        				}
        				_t55 =  *0x4ba774; // 0x40e708
        				_t18 = _t55 + 4; // 0xffec
        				LoadStringW(E00409FF0( *0x4be634),  *_t18,  &_v1568, 0x100);
        				E00405BE8( *_t102,  &_v1640);
        				_v1636 = _v1640;
        				_v1632 = 0x11;
        				_v1628 =  &_v534;
        				_v1624 = 0xa;
        				_v1620 = _v12;
        				_v1616 = 5;
        				_v1612 = _t83;
        				_v1608 = 0xa;
        				_v1604 = _t100;
        				_v1600 = 0xa;
        				E0041A814(4,  &_v1636);
        				E00407F04(_v8);
        				_pop(_t98);
        				 *[fs:eax] = _t98;
        				_push(0x41f0af);
        				return E00407A20( &_v1640);
        			}






























        APIs
        • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
        • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
        • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
        • LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: FileModuleName$LoadQueryStringVirtual
        • String ID:
        • API String ID: 3990497365-0
        • Opcode ID: b8be0fea34dc80bb7553a8da0885c656d5cafed23f6e23429f91232411ad397e
        • Instruction ID: 1578eb45e464442e6080653f6025888c356fcaddc808aab3f6789ba0ce71ce89
        • Opcode Fuzzy Hash: b8be0fea34dc80bb7553a8da0885c656d5cafed23f6e23429f91232411ad397e
        • Instruction Fuzzy Hash: 3E412374A002589FDB20DF59CC81BCAB7F9AB58304F4044FAE508E7242D7799E95CF59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 58%
        			E0040A6C8(signed short __eax, void* __edx) {
        				char _v8;
        				char _v12;
        				intOrPtr _v16;
        				signed int _v20;
        				short _v22;
        				short _v24;
        				char _v26;
        				char _v32;
        				void* __ebp;
        				void* _t39;
        				void* _t55;
        				void* _t59;
        				short* _t62;
        				signed short _t66;
        				void* _t67;
        				void* _t68;
        				signed short _t79;
        				void* _t81;
        
        				_t81 = __edx;
        				_t66 = __eax;
        				_v16 = 0;
        				if(__eax !=  *0x4bdc08()) {
        					_v16 = E0040A684( &_v8);
        					_t79 = _t66;
        					_v20 = 3;
        					_t62 =  &_v26;
        					do {
        						 *_t62 =  *(0xf + "0123456789ABCDEF") & 0x000000ff;
        						_t79 = (_t79 & 0x0000ffff) >> 4;
        						_v20 = _v20 - 1;
        						_t62 = _t62 - 2;
        					} while (_v20 != 0xffffffff);
        					_v24 = 0;
        					_v22 = 0;
        					 *0x4bdc04(4,  &_v32,  &_v20);
        				}
        				_t39 = E0040A684( &_v12);
        				_t67 = _t39;
        				if(_t67 != 0) {
        					_t55 = _v12 - 2;
        					if(_t55 >= 0) {
        						_t59 = _t55 + 1;
        						_v20 = 0;
        						do {
        							if( *((short*)(_t67 + _v20 * 2)) == 0) {
        								 *((short*)(_t67 + _v20 * 2)) = 0x2c;
        							}
        							_v20 = _v20 + 1;
        							_t59 = _t59 - 1;
        						} while (_t59 != 0);
        					}
        					E00408550(_t81, _t67);
        					_t39 = E0040540C(_t67);
        				}
        				if(_v16 != 0) {
        					 *0x4bdc04(0, 0,  &_v20);
        					_t68 = E0040A684( &_v12);
        					if(_v8 != _v12 || E0040A660(_v16, _v12, _t68) != 0) {
        						 *0x4bdc04(8, _v16,  &_v20);
        					}
        					E0040540C(_t68);
        					return E0040540C(_v16);
        				}
        				return _t39;
        			}






















        APIs
        • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040A6D9
        • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040A737
        • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040A794
        • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040A7C7
          • Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040A745), ref: 0040A69B
          • Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040A745), ref: 0040A6B8
        Memory Dump Source
        • Source File: 00000000.00000002.253297742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.253290226.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253654940.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253778465.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253786079.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000000.00000002.253794557.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_download.jbxd
        Similarity
        • API ID: Thread$LanguagesPreferred$Language
        • String ID:
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 73%
        			E004AEFE8(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
        				char _v8;
        				char _v12;
        				char* _v16;
        				char _v20;
        				intOrPtr _v24;
        				char _v28;
        				char _v32;
        				char _v36;
        				char _v40;
        				intOrPtr _t63;
        				void* _t71;
        				void* _t73;
        				intOrPtr _t75;
        				intOrPtr _t76;
        
        				_t71 = __edi;
        				_t54 = __ebx;
        				_t75 = _t76;
        				_t55 = 4;
        				do {
        					_push(0);
        					_push(0);
        					_t55 = _t55 - 1;
        				} while (_t55 != 0);
        				_push(_t55);
        				_push(__ebx);
        				_t73 = __eax;
        				_t78 = 0;
        				_push(_t75);
        				_push(0x4af0e1);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t76;
        				while(1) {
        					E00422D70( &_v12, _t54, _t55, _t78);
        					_t55 = L".tmp";
        					E004AEEC8(0, _t54, L".tmp", _v12, _t71, _t73,  &_v8);
        					if(CreateDirectoryW(E004084EC(_v8), 0) != 0) {
        						break;
        					}
        					_t54 = GetLastError();
        					_t78 = _t54 - 0xb7;
        					if(_t54 != 0xb7) {
        						E00426F08(0x3d,  &_v32, _v8);
        						_v28 = _v32;
        						E00419E18( &_v36, _t54, 0);
        						_v24 = _v36;
        						E004232EC(_t54,  &_v40);
        						_v20 = _v40;
        						E00426ED8(0x81, 2,  &_v28,  &_v16);
        						_t55 = _v16;
        						E0041F264(_v16, 1);
        						E0040711C();
        					}
        				}
        				E00407E00(_t73, _v8);
        				__eflags = 0;
        				_pop(_t63);
        				 *[fs:eax] = _t63;
        				_push(E004AF0E8);
        				E00407A80( &_v40, 3);
        				return E00407A80( &_v16, 3);
        			}


















        APIs
        • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF030
        • GetLastError.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF039
        Similarity
        • API ID: CreateDirectoryErrorLast
        • String ID: .tmp
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040E450(long __eax, WCHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
        				WCHAR* _v8;
        				void* _t13;
        				struct HWND__* _t24;
        				WCHAR* _t29;
        				long _t32;
        
        				_v8 = _t29;
        				_t32 = __eax;
        				_t13 = E00405740();
        				_t24 = CreateWindowExW(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4);
        				E00405730(_t13);
        				return _t24;
        			}









        Similarity
        • API ID: CreateWindow
        • String ID: InnoSetupLdrWindow$STATIC
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00420BD8() {
        				void* __ebx;
        				struct HINSTANCE__* _t1;
        				void* _t4;
        
        				_t1 = GetModuleHandleW(L"kernel32.dll");
        				_t3 = _t1;
        				if(_t1 != 0) {
        					_t1 = E0040E1A8(_t3, _t4, _t3, L"GetDiskFreeSpaceExW");
        					 *0x4b7e30 = _t1;
        				}
        				if( *0x4b7e30 == 0) {
        					 *0x4b7e30 = E0041A4DC;
        					return E0041A4DC;
        				}
        				return _t1;
        			}







        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,?,00420CB4,00000000,00420CCC,?,?,00420C69), ref: 00420BDE
          • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: GetDiskFreeSpaceExW$kernel32.dll
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004AF1B4(long __eax, intOrPtr __edx, long _a4, long _a8) {
        				intOrPtr _v8;
        				long _t5;
        				long _t9;
        				void* _t10;
        				void* _t13;
        				void* _t15;
        				void* _t16;
        
        				_t5 = __eax;
        				_v8 = __edx;
        				_t9 = __eax;
        				_t15 = _t10 - 1;
        				if(_t15 < 0) {
        					L10:
        					return _t5;
        				}
        				_t16 = _t15 + 1;
        				_t13 = 0;
        				while(1) {
        					_t19 = _t13 - 1;
        					if(_t13 != 1) {
        						__eflags = _t13 - 1;
        						if(__eflags > 0) {
        							Sleep(_a4);
        						}
        					} else {
        						Sleep(_a8);
        					}
        					_t5 = E00427154(_t9, _v8, _t19);
        					if(_t5 != 0) {
        						goto L10;
        					}
        					_t5 = GetLastError();
        					if(_t5 == 2) {
        						goto L10;
        					}
        					_t5 = GetLastError();
        					if(_t5 == 3) {
        						goto L10;
        					}
        					_t13 = _t13 + 1;
        					_t16 = _t16 - 1;
        					if(_t16 != 0) {
        						continue;
        					}
        					goto L10;
        				}
        				goto L10;
        			}











        APIs
        • Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
        • Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1E3
        • GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
        • GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200
        Similarity
        • API ID: ErrorLastSleep
        • String ID:
        Uniqueness

        Uniqueness Score: -1.00%

        Execution Graph

        Execution Coverage:2.2%
        Dynamic/Decrypted Code Coverage:0%
        Signature Coverage:0%
        Total number of Nodes:543
        Total number of Limit Nodes:23

        Control-flow Graph

        C-Code - Quality: 73%
        			E0040B044(char __eax, void* __ebx, intOrPtr* __edx, void* __eflags) {
        				char _v8;
        				short _v12;
        				void* _v16;
        				char _v20;
        				char _v24;
        				void* _t29;
        				void* _t40;
        				intOrPtr* _t44;
        				intOrPtr _t55;
        				void* _t61;
        
        				_push(__ebx);
        				_v24 = 0;
        				_v20 = 0;
        				_t44 = __edx;
        				_v8 = __eax;
        				E00407B04(_v8);
        				_push(_t61);
        				_push(0x40b104);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t61 + 0xffffffec;
        				_t21 =  &_v16;
        				L00403730();
        				GetLocaleInfoW( &_v16 & 0x0000ffff, 3, _t21, 4);
        				E0040858C( &_v20, 4,  &_v16);
        				E0040873C(_t44, _v20, _v8);
        				_t29 = E0040AEF4( *_t44, _t44); // executed
        				if(_t29 == 0) {
        					_v12 = 0;
        					E0040858C( &_v24, 4,  &_v16);
        					E0040873C(_t44, _v24, _v8);
        					_t40 = E0040AEF4( *_t44, _t44); // executed
        					if(_t40 == 0) {
        						E00407A20(_t44);
        					}
        				}
        				_pop(_t55);
        				 *[fs:eax] = _t55;
        				_push(E0040B10B);
        				E00407A80( &_v24, 2);
        				return E00407A20( &_v8);
        			}














        APIs
        • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B076
        • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B07F
          • Part of subcall function 0040AEF4: FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
          • Part of subcall function 0040AEF4: FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
        • String ID:
        • API String ID: 3216391948-0
        • Opcode ID: 044937d21d1936a91ef9b6e1a310017a9e27582e27e23f6d989339badd03c388
        • Instruction ID: a9cfc37755e84068b6e5d0711ea0537dd567252b91127d2e7da10f621904fc04
        • Opcode Fuzzy Hash: 044937d21d1936a91ef9b6e1a310017a9e27582e27e23f6d989339badd03c388
        • Instruction Fuzzy Hash: 35113674A041099BDB00EB95C9529AEB3B9EF44304F50447FA515B73C1DB785E058A6E
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 400 40aef4-40af34 call 407b04 call 4084ec FindFirstFileW 405 40af36-40af37 FindClose 400->405 406 40af3c-40af51 call 407a20 400->406 405->406
        C-Code - Quality: 46%
        			E0040AEF4(char __eax, signed int __ebx) {
        				char _v8;
        				struct _WIN32_FIND_DATAW _v600;
        				void* _t15;
        				intOrPtr _t24;
        				void* _t27;
        
        				_push(__ebx);
        				_v8 = __eax;
        				E00407B04(_v8);
        				_push(_t27);
        				_push(0x40af52);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t27 + 0xfffffdac;
        				_t15 = FindFirstFileW(E004084EC(_v8),  &_v600); // executed
        				if((__ebx & 0xffffff00 | _t15 != 0xffffffff) != 0) {
        					FindClose(_t15);
        				}
        				_pop(_t24);
        				 *[fs:eax] = _t24;
        				_push(E0040AF59);
        				return E00407A20( &_v8);
        			}









        APIs
        • FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
        • FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: Find$CloseFileFirst
        • String ID:
        • API String ID: 2295610775-0
        • Opcode ID: bba38ffe097e2c5d51b68bca4dd41d34791c3125f335f0c7ddbac3aaaf9dd96f
        • Instruction ID: b27eefbf95a445daf5872925c41aeb1c7ded3ce7930a436f9b8cfd192dc84724
        • Opcode Fuzzy Hash: bba38ffe097e2c5d51b68bca4dd41d34791c3125f335f0c7ddbac3aaaf9dd96f
        • Instruction Fuzzy Hash: 5FF0B471518209BFC710FB75CD4294EB7ACEB043147A005B6B504F32C1E638AF149519
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 73%
        			E004B5114(void* __ebx, void* __edx, void* __edi, void* __esi) {
        				char _v8;
        				char _v12;
        				char _v16;
        				char _v20;
        				char _v24;
        				char _v28;
        				char _v32;
        				char _v36;
        				char _v40;
        				char _v44;
        				char _v48;
        				char _v52;
        				char _v56;
        				char _v60;
        				long _t39;
        				_Unknown_base(*)()* _t42;
        				_Unknown_base(*)()* _t43;
        				_Unknown_base(*)()* _t46;
        				signed int _t51;
        				void* _t111;
        				void* _t112;
        				intOrPtr _t129;
        				struct HINSTANCE__* _t148;
        				intOrPtr* _t150;
        				intOrPtr _t152;
        				intOrPtr _t153;
        
        				_t152 = _t153;
        				_t112 = 7;
        				do {
        					_push(0);
        					_push(0);
        					_t112 = _t112 - 1;
        				} while (_t112 != 0);
        				_push(_t152);
        				_push(0x4b5388);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t153;
        				 *0x4be664 =  *0x4be664 - 1;
        				if( *0x4be664 >= 0) {
        					L19:
        					_pop(_t129);
        					 *[fs:eax] = _t129;
        					_push(0x4b538f);
        					return E00407A80( &_v60, 0xe);
        				} else {
        					_t148 = GetModuleHandleW(L"kernel32.dll");
        					_t39 = GetVersion();
        					_t111 = 0;
        					if(_t39 != 0x600) {
        						_t150 = GetProcAddress(_t148, "SetDefaultDllDirectories");
        						if(_t150 != 0) {
        							 *_t150(0x800);
        							asm("sbb ebx, ebx");
        							_t111 = 1;
        						}
        					}
        					if(_t111 == 0) {
        						_t46 = GetProcAddress(_t148, "SetDllDirectoryW");
        						if(_t46 != 0) {
        							 *_t46(0x4b53e4);
        						}
        						E0040E520( &_v8);
        						E00407E00(0x4be668, _v8);
        						if( *0x4be668 != 0) {
        							_t51 =  *0x4be668;
        							if(_t51 != 0) {
        								_t51 =  *(_t51 - 4);
        							}
        							if( *((short*)( *0x4be668 + _t51 * 2 - 2)) != 0x5c) {
        								E004086E4(0x4be668, 0x4b53f4);
        							}
        							E0040873C( &_v12, L"uxtheme.dll",  *0x4be668);
        							E0040E54C(_v12, _t111);
        							E0040873C( &_v16, L"userenv.dll",  *0x4be668);
        							E0040E54C(_v16, _t111);
        							E0040873C( &_v20, L"setupapi.dll",  *0x4be668);
        							E0040E54C(_v20, _t111);
        							E0040873C( &_v24, L"apphelp.dll",  *0x4be668);
        							E0040E54C(_v24, _t111);
        							E0040873C( &_v28, L"propsys.dll",  *0x4be668);
        							E0040E54C(_v28, _t111);
        							E0040873C( &_v32, L"dwmapi.dll",  *0x4be668);
        							E0040E54C(_v32, _t111);
        							E0040873C( &_v36, L"cryptbase.dll",  *0x4be668);
        							E0040E54C(_v36, _t111);
        							E0040873C( &_v40, L"oleacc.dll",  *0x4be668);
        							E0040E54C(_v40, _t111);
        							E0040873C( &_v44, L"version.dll",  *0x4be668);
        							E0040E54C(_v44, _t111);
        							E0040873C( &_v48, L"profapi.dll",  *0x4be668);
        							E0040E54C(_v48, _t111);
        							E0040873C( &_v52, L"comres.dll",  *0x4be668);
        							E0040E54C(_v52, _t111);
        							E0040873C( &_v56, L"clbcatq.dll",  *0x4be668);
        							E0040E54C(_v56, _t111);
        							E0040873C( &_v60, L"ntmarta.dll",  *0x4be668);
        							E0040E54C(_v60, _t111);
        						}
        					}
        					_t42 = GetProcAddress(_t148, "SetSearchPathMode");
        					if(_t42 != 0) {
        						 *_t42(0x8001);
        					}
        					_t43 = GetProcAddress(_t148, "SetProcessDEPPolicy");
        					if(_t43 != 0) {
        						 *_t43(1); // executed
        					}
        					goto L19;
        				}
        			}






























        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B5146
        • GetVersion.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B514D
        • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004B5162
        • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004B5188
          • Part of subcall function 0040E54C: SetErrorMode.KERNEL32(00008000), ref: 0040E55A
          • Part of subcall function 0040E54C: LoadLibraryW.KERNEL32(00000000,00000000,0040E5AE,?,00000000,0040E5CC,?,00008000), ref: 0040E58F
        • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004B534A
        • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004B5360
        • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B536B
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: AddressProc$ErrorHandleLibraryLoadModeModulePolicyProcessVersion
        • String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$hK$hK$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
        • API String ID: 2248137261-3182217745
        • Opcode ID: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
        • Instruction ID: 14362f36823de93a6bafc63c1bb5288ecf7b8ac372eee3bc1917329a49ba756d
        • Opcode Fuzzy Hash: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
        • Instruction Fuzzy Hash: 57513C34601504ABE701EBA6DC82FDEB3A5AB94348BA4493BE40077395DF7C9D428B6D
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 78%
        			E0040AB18(char __eax, void* __ebx, void* __ecx, void* __edx) {
        				char _v8;
        				char* _v12;
        				void* _v16;
        				int _v20;
        				short _v542;
        				long _t51;
        				long _t85;
        				long _t87;
        				long _t89;
        				long _t91;
        				long _t93;
        				void* _t97;
        				intOrPtr _t106;
        				intOrPtr _t108;
        				void* _t112;
        				void* _t113;
        				intOrPtr _t114;
        
        				_t112 = _t113;
        				_t114 = _t113 + 0xfffffde4;
        				_t97 = __edx;
        				_v8 = __eax;
        				E00407B04(_v8);
        				_push(_t112);
        				_push(0x40ad3d);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t114;
        				if(_v8 != 0) {
        					E0040A34C( &_v542, E004084EC(_v8), 0x105);
        				} else {
        					GetModuleFileNameW(0,  &_v542, 0x105);
        				}
        				if(_v542 == 0) {
        					L18:
        					_pop(_t106);
        					 *[fs:eax] = _t106;
        					_push(E0040AD44);
        					return E00407A20( &_v8);
        				} else {
        					_v12 = 0;
        					_t51 = RegOpenKeyExW(0x80000001, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
        					if(_t51 == 0) {
        						L10:
        						_push(_t112);
        						_push(0x40ad20);
        						_push( *[fs:eax]);
        						 *[fs:eax] = _t114;
        						E0040A928( &_v542, 0x105);
        						if(RegQueryValueExW(_v16,  &_v542, 0, 0, 0,  &_v20) != 0) {
        							if(RegQueryValueExW(_v16, E0040AE30, 0, 0, 0,  &_v20) == 0) {
        								_v12 = E004053F0(_v20);
        								RegQueryValueExW(_v16, E0040AE30, 0, 0, _v12,  &_v20);
        								E00408550(_t97, _v12);
        							}
        						} else {
        							_v12 = E004053F0(_v20);
        							RegQueryValueExW(_v16,  &_v542, 0, 0, _v12,  &_v20);
        							E00408550(_t97, _v12);
        						}
        						_pop(_t108);
        						 *[fs:eax] = _t108;
        						_push(E0040AD27);
        						if(_v12 != 0) {
        							E0040540C(_v12);
        						}
        						return RegCloseKey(_v16);
        					} else {
        						_t85 = RegOpenKeyExW(0x80000002, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
        						if(_t85 == 0) {
        							goto L10;
        						} else {
        							_t87 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
        							if(_t87 == 0) {
        								goto L10;
        							} else {
        								_t89 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
        								if(_t89 == 0) {
        									goto L10;
        								} else {
        									_t91 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v16); // executed
        									if(_t91 == 0) {
        										goto L10;
        									} else {
        										_t93 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v16); // executed
        										if(_t93 != 0) {
        											goto L18;
        										} else {
        											goto L10;
        										}
        									}
        								}
        							}
        						}
        					}
        				}
        			}





















        APIs
        • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040AD3D,?,?), ref: 0040AB51
        • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040AB9A
        • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040ABBC
        • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040ABDA
        • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040ABF8
        • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040AC16
        • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040AC34
        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D), ref: 0040AC74
        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001), ref: 0040AC9F
        • RegCloseKey.ADVAPI32(?,0040AD27,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales), ref: 0040AD1A
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: Open$QueryValue$CloseFileModuleName
        • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
        • API String ID: 2701450724-3496071916
        • Opcode ID: 8af598c5208afc10239ec938650b713086258bd8f52ea94da89803fd33d180c8
        • Instruction ID: cdbeddac4db4dda9279672c2614f8dce2a18b15a4a55f9a64fe791b6da82c449
        • Opcode Fuzzy Hash: 8af598c5208afc10239ec938650b713086258bd8f52ea94da89803fd33d180c8
        • Instruction Fuzzy Hash: FB514371A80308BEEB10DA95CC46FAE77BCEB08709F504477BA04F75C1D6B8AA50975E
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 60%
        			E004B5A90(void* __ebx, void* __ecx, void* __edx, void* __esi) {
        				char _v8;
        				char _v12;
        				char _v16;
        				char _t16;
        				intOrPtr _t32;
        				intOrPtr _t41;
        
        				_t27 = __ebx;
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(_t41);
        				_push(0x4b5b5a);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t41;
        				 *0x4c1124 =  *0x4c1124 - 1;
        				if( *0x4c1124 < 0) {
        					 *0x4c1128 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64DisableWow64FsRedirection");
        					 *0x4c112c = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64RevertWow64FsRedirection");
        					if( *0x4c1128 == 0 ||  *0x4c112c == 0) {
        						_t16 = 0;
        					} else {
        						_t16 = 1;
        					}
        					 *0x4c1130 = _t16;
        					E00422D44( &_v12);
        					E00422660(_v12,  &_v8);
        					E004086E4( &_v8, L"shell32.dll");
        					E00421230(_v8, _t27, 0x8000); // executed
        					E004232EC(0x4c783afb,  &_v16);
        				}
        				_pop(_t32);
        				 *[fs:eax] = _t32;
        				_push(0x4b5b61);
        				return E00407A80( &_v16, 3);
        			}










        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5ABE
          • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
        • GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5AD8
          • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00000000), ref: 0040E20B
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
        • API String ID: 1646373207-2130885113
        • Opcode ID: 149d4641e6716bccfc7038b8b83dc43c2c59674e16c2d4af6eff100d23c955b7
        • Instruction ID: b56c6da1e02aeac4ac36a9fb763b3b3a2bfa4c382daca5c5ea2a5d16c2919690
        • Opcode Fuzzy Hash: 149d4641e6716bccfc7038b8b83dc43c2c59674e16c2d4af6eff100d23c955b7
        • Instruction Fuzzy Hash: DA11A730604704AFD744EB76DC02F9DB7B4E749704F64447BF500A6591CABC6A04CA3D
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 138 4af91c-4af942 GetSystemInfo VirtualQuery 139 4af948 138->139 140 4af9e7-4af9ee 138->140 141 4af9db-4af9e1 139->141 141->140 142 4af94d-4af954 141->142 143 4af956-4af95a 142->143 144 4af9c7-4af9d9 VirtualQuery 142->144 143->144 145 4af95c-4af967 143->145 144->140 144->141 146 4af978-4af98d VirtualProtect 145->146 147 4af969-4af96c 145->147 149 4af98f 146->149 150 4af994-4af996 146->150 147->146 148 4af96e-4af971 147->148 148->146 151 4af973-4af976 148->151 149->150 152 4af9a5-4af9a8 150->152 151->146 151->150 153 4af9aa-4af9af 152->153 154 4af998-4af9a1 call 4af914 152->154 153->144 156 4af9b1-4af9c2 VirtualProtect 153->156 154->152 156->144
        C-Code - Quality: 100%
        			E004AF91C(void* __eax) {
        				char _v44;
        				struct _SYSTEM_INFO _v80;
        				long _v84;
        				char _v88;
        				long _t22;
        				int _t28;
        				void* _t37;
        				struct _MEMORY_BASIC_INFORMATION* _t40;
        				long _t41;
        				void** _t42;
        
        				_t42 =  &(_v80.dwPageSize);
        				 *_t42 = __eax;
        				_t40 =  &_v44;
        				GetSystemInfo( &_v80); // executed
        				_t22 = VirtualQuery( *_t42, _t40, 0x1c);
        				if(_t22 == 0) {
        					L17:
        					return _t22;
        				} else {
        					while(1) {
        						_t22 = _t40->AllocationBase;
        						if(_t22 !=  *_t42) {
        							goto L17;
        						}
        						if(_t40->State != 0x1000 || (_t40->Protect & 0x00000001) != 0) {
        							L15:
        							_t22 = VirtualQuery(_t40->BaseAddress + _t40->RegionSize, _t40, 0x1c);
        							if(_t22 == 0) {
        								goto L17;
        							}
        							continue;
        						} else {
        							_v88 = 0;
        							_t41 = _t40->Protect;
        							if(_t41 == 1 || _t41 == 2 || _t41 == 0x10 || _t41 == 0x20) {
        								_t28 = VirtualProtect(_t40->BaseAddress, _t40->RegionSize, 0x40,  &_v84); // executed
        								if(_t28 != 0) {
        									_v88 = 1;
        								}
        							}
        							_t37 = 0;
        							while(_t37 < _t40->RegionSize) {
        								E004AF914(_t40->BaseAddress + _t37);
        								_t37 = _t37 + _v80.dwPageSize;
        							}
        							if(_v88 != 0) {
        								VirtualProtect( *_t40, _t40->RegionSize, _v84,  &_v84); // executed
        							}
        							goto L15;
        						}
        					}
        					goto L17;
        				}
        			}














        APIs
        • GetSystemInfo.KERNEL32(?), ref: 004AF92F
        • VirtualQuery.KERNEL32(?,?,0000001C,?), ref: 004AF93B
        • VirtualProtect.KERNEL32(?,?,00000040,0000001C,?,?,0000001C), ref: 004AF986
        • VirtualProtect.KERNEL32(?,?,?,0000001C,?,?,00000040,0000001C,?,?,0000001C), ref: 004AF9C2
        • VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C,?), ref: 004AF9D2
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: Virtual$ProtectQuery$InfoSystem
        • String ID:
        • API String ID: 2441996862-0
        • Opcode ID: 57281b4e736338f8d77ca256b537dd22dd4c981be38144bf210ac0f1d0b120f5
        • Instruction ID: 3a96586125c0dafbea7f6284d897bb751f900199eded140d0d018ead0d29608e
        • Opcode Fuzzy Hash: 57281b4e736338f8d77ca256b537dd22dd4c981be38144bf210ac0f1d0b120f5
        • Instruction Fuzzy Hash: C5212CB1104344BAD730DA99C885F6BBBEC9B56354F04492EF59583681D339E848C766
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        C-Code - Quality: 86%
        			E00407750() {
        				void* _t20;
        				void* _t23;
        				intOrPtr _t31;
        				intOrPtr* _t33;
        				void* _t46;
        				struct HINSTANCE__* _t49;
        				void* _t56;
        
        				if( *0x4b7004 != 0) {
        					E00407630();
        					E004076B8(_t46);
        					 *0x4b7004 = 0;
        				}
        				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
        					E00407388(0x4bdbc8);
        					E0040768C(0x4bdbc8);
        				}
        				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
        					L8:
        					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
        						 *0x004BDBA4 = 0;
        					}
        					if( *((char*)(0x4bdbc0)) != 0) {
        						L14:
        						E004073B0(); // executed
        						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
        							_t15 =  *0x004BDBA8;
        							if( *0x004BDBA8 != 0) {
        								E0040B40C(_t15);
        								_t31 =  *((intOrPtr*)(0x4bdba8));
        								_t8 = _t31 + 0x10; // 0x400000
        								_t49 =  *_t8;
        								_t9 = _t31 + 4; // 0x400000
        								if(_t49 !=  *_t9 && _t49 != 0) {
        									FreeLibrary(_t49);
        								}
        							}
        						}
        						E00407388(0x4bdb98);
        						if( *((char*)(0x4bdbc0)) == 1) {
        							 *0x004BDBBC();
        						}
        						if( *((char*)(0x4bdbc0)) != 0) {
        							E0040768C(0x4bdb98);
        						}
        						if( *0x4bdb98 == 0) {
        							if( *0x4bb038 != 0) {
        								 *0x4bb038();
        							}
        							ExitProcess( *0x4b7000); // executed
        						}
        						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
        						_t56 = _t56 + 0xc;
        						0x4b7000 = 0x4b7000;
        						0x4bdb98 = 0x4bdb98;
        						goto L8;
        					} else {
        						_t20 = E004054B4();
        						_t44 = _t20;
        						if(_t20 == 0) {
        							goto L14;
        						} else {
        							goto L13;
        						}
        						do {
        							L13:
        							E00405CE8(_t44);
        							_t23 = E004054B4();
        							_t44 = _t23;
        						} while (_t23 != 0);
        						goto L14;
        					}
        				} else {
        					do {
        						_t33 =  *0x4bb054; // 0x0
        						 *0x4bb054 = 0;
        						 *_t33();
        					} while ( *0x4bb054 != 0);
        					L8:
        					while(1) {
        					}
        				}
        			}











        APIs
        • GetCurrentThreadId.KERNEL32 ref: 00407780
        • FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
        • ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861
          • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
          • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
          • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
          • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
        • String ID: MZP
        • API String ID: 3490077880-2889622443
        • Opcode ID: 1ba9ccdc5e5ec41ea7066db700fb32a50d39e50ecd0d58aa72eac7c5645d258d
        • Instruction ID: 4bb8ca2865ae45d0ec72c9e6ca862cba493d08d50c1d65b63798a8296780cd14
        • Opcode Fuzzy Hash: 1ba9ccdc5e5ec41ea7066db700fb32a50d39e50ecd0d58aa72eac7c5645d258d
        • Instruction Fuzzy Hash: 76317220E087415BE721BB7A888875B76E09B45315F14897FE541A33D2D77CB884CB6F
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        C-Code - Quality: 86%
        			E00407748() {
        				intOrPtr* _t14;
        				void* _t23;
        				void* _t26;
        				intOrPtr _t34;
        				intOrPtr* _t36;
        				void* _t50;
        				struct HINSTANCE__* _t53;
        				void* _t62;
        
        				 *((intOrPtr*)(_t14 +  *_t14)) =  *((intOrPtr*)(_t14 +  *_t14)) + _t14 +  *_t14;
        				if( *0x4b7004 != 0) {
        					E00407630();
        					E004076B8(_t50);
        					 *0x4b7004 = 0;
        				}
        				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
        					E00407388(0x4bdbc8);
        					E0040768C(0x4bdbc8);
        				}
        				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
        					L9:
        					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
        						 *0x004BDBA4 = 0;
        					}
        					if( *((char*)(0x4bdbc0)) != 0) {
        						L15:
        						E004073B0(); // executed
        						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
        							_t18 =  *0x004BDBA8;
        							if( *0x004BDBA8 != 0) {
        								E0040B40C(_t18);
        								_t34 =  *((intOrPtr*)(0x4bdba8));
        								_t8 = _t34 + 0x10; // 0x400000
        								_t53 =  *_t8;
        								_t9 = _t34 + 4; // 0x400000
        								if(_t53 !=  *_t9 && _t53 != 0) {
        									FreeLibrary(_t53);
        								}
        							}
        						}
        						E00407388(0x4bdb98);
        						if( *((char*)(0x4bdbc0)) == 1) {
        							 *0x004BDBBC();
        						}
        						if( *((char*)(0x4bdbc0)) != 0) {
        							E0040768C(0x4bdb98);
        						}
        						if( *0x4bdb98 == 0) {
        							if( *0x4bb038 != 0) {
        								 *0x4bb038();
        							}
        							ExitProcess( *0x4b7000); // executed
        						}
        						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
        						_t62 = _t62 + 0xc;
        						0x4b7000 = 0x4b7000;
        						0x4bdb98 = 0x4bdb98;
        						goto L9;
        					} else {
        						_t23 = E004054B4();
        						_t48 = _t23;
        						if(_t23 == 0) {
        							goto L15;
        						} else {
        							goto L14;
        						}
        						do {
        							L14:
        							E00405CE8(_t48);
        							_t26 = E004054B4();
        							_t48 = _t26;
        						} while (_t26 != 0);
        						goto L15;
        					}
        				} else {
        					do {
        						_t36 =  *0x4bb054; // 0x0
        						 *0x4bb054 = 0;
        						 *_t36();
        					} while ( *0x4bb054 != 0);
        					L9:
        					while(1) {
        					}
        				}
        			}












        APIs
        • GetCurrentThreadId.KERNEL32 ref: 00407780
        • FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
        • ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861
          • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
          • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
          • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
          • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
        • String ID: MZP
        • API String ID: 3490077880-2889622443
        • Opcode ID: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
        • Instruction ID: bfc25cbdcfe625b544084418af651039c1e49876b6b13a82c314e6a817d38f33
        • Opcode Fuzzy Hash: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
        • Instruction Fuzzy Hash: E3314D20E087419BE721BB7A888935B7BA09B05315F14897FE541A73D2D77CB884CB6F
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 79%
        			E004B5000(void* __ecx, void* __edx) {
        				intOrPtr _t19;
        				intOrPtr _t22;
        
        				_push(_t22);
        				_push(0x4b50d7);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t22;
        				 *0x4bb98c =  *0x4bb98c - 1;
        				if( *0x4bb98c < 0) {
        					E00405B74();
        					E004051A8();
        					SetThreadLocale(0x400); // executed
        					E0040A250();
        					 *0x4b700c = 2;
        					 *0x4bb01c = 0x4036b0;
        					 *0x4bb020 = 0x4036b8;
        					 *0x4bb05a = 2;
        					 *0x4bb060 = E0040CAA4();
        					 *0x4bb008 = 0x4095a0;
        					E00405BCC(E00405BB0());
        					 *0x4bb068 = 0xd7b0;
        					 *0x4bb344 = 0xd7b0;
        					 *0x4bb620 = 0xd7b0;
        					 *0x4bb050 = GetCommandLineW();
        					 *0x4bb04c = E00403810();
        					 *0x4bb97c = GetACP();
        					 *0x4bb980 = 0x4b0;
        					 *0x4bb044 = GetCurrentThreadId();
        					E0040CAB8();
        				}
        				_pop(_t19);
        				 *[fs:eax] = _t19;
        				_push(0x4b50de);
        				return 0;
        			}






        APIs
        • SetThreadLocale.KERNEL32(00000400,00000000,004B50D7), ref: 004B502D
          • Part of subcall function 0040A250: InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
          • Part of subcall function 0040A250: GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
          • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
          • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
          • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
          • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
          • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
          • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4
          • Part of subcall function 0040CAA4: GetSystemInfo.KERNEL32 ref: 0040CAA8
        • GetCommandLineW.KERNEL32(00000400,00000000,004B50D7), ref: 004B5092
          • Part of subcall function 00403810: GetStartupInfoW.KERNEL32 ref: 00403821
        • GetACP.KERNEL32(00000400,00000000,004B50D7), ref: 004B50A6
        • GetCurrentThreadId.KERNEL32 ref: 004B50BA
          • Part of subcall function 0040CAB8: GetVersion.KERNEL32(004B50C9,00000400,00000000,004B50D7), ref: 0040CAB8
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: AddressHandleModuleProc$InfoThreadVersion$CommandCriticalCurrentInitializeLineLocaleSectionStartupSystem
        • String ID:
        • API String ID: 2740004594-0
        • Opcode ID: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
        • Instruction ID: 4c04e7183c3d5c6504f231a905193e891933426fc174ea8e71756e1f90614aff
        • Opcode Fuzzy Hash: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
        • Instruction Fuzzy Hash: 46111CB04047449FE311BF76A8062267BA8EB05309B508A7FE110662E2EBFD15048FEE
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 63%
        			E0041FF94(void* __eax, void* __ebx, signed int* __ecx, signed int* __edx, void* __edi, void* __esi, signed int* _a4) {
        				char _v8;
        				char _v9;
        				int _v16;
        				void* _v20;
        				void* _v24;
        				int _v28;
        				int _t33;
        				int _t43;
        				int _t64;
        				intOrPtr _t72;
        				intOrPtr _t74;
        				signed int* _t77;
        				signed int* _t79;
        				void* _t81;
        				void* _t82;
        				intOrPtr _t83;
        
        				_t81 = _t82;
        				_t83 = _t82 + 0xffffffe8;
        				_v8 = 0;
        				_t77 = __ecx;
        				_t79 = __edx;
        				_push(_t81);
        				_push(0x420094);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t83;
        				_v9 = 0;
        				E00407E48( &_v8, __eax);
        				E00407FB0( &_v8);
        				_t33 = GetFileVersionInfoSizeW(E004084EC(_v8),  &_v16); // executed
        				_t64 = _t33;
        				if(_t64 == 0) {
        					_pop(_t72);
        					 *[fs:eax] = _t72;
        					_push(0x42009b);
        					return E00407A20( &_v8);
        				} else {
        					_v20 = E004053F0(_t64);
        					_push(_t81);
        					_push(0x420077);
        					_push( *[fs:edx]);
        					 *[fs:edx] = _t83;
        					_t43 = GetFileVersionInfoW(E004084EC(_v8), _v16, _t64, _v20); // executed
        					if(_t43 != 0 && VerQueryValueW(_v20, 0x4200a8,  &_v24,  &_v28) != 0) {
        						 *_t79 =  *(_v24 + 0x10) >> 0x00000010 & 0x0000ffff;
        						 *_t77 =  *(_v24 + 0x10) & 0x0000ffff;
        						 *_a4 =  *(_v24 + 0x14) >> 0x00000010 & 0x0000ffff;
        						_v9 = 1;
        					}
        					_pop(_t74);
        					 *[fs:eax] = _t74;
        					_push(0x42007e);
        					return E0040540C(_v20);
        				}
        			}




















        APIs
        • GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00420094), ref: 0041FFD9
        • GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 00420012
        • VerQueryValueW.VERSION(?,004200A8,?,?,00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 0042002C
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: FileInfoVersion$QuerySizeValue
        • String ID:
        • API String ID: 2179348866-0
        • Opcode ID: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
        • Instruction ID: 087fa93cc02b824bee97242c1a4c1e6fbe52d07f241be95d6751b2a9bfa32856
        • Opcode Fuzzy Hash: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
        • Instruction Fuzzy Hash: 19314771A042199FD710DFA9D941DAFB7F8EB48700B91447AF944E3252D778DD00C765
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        C-Code - Quality: 63%
        			E00406D86(void* __ebx, void* __edi, void* __esi, void* __ebp, struct _EXCEPTION_POINTERS _a4, intOrPtr _a8, intOrPtr _a12) {
        				intOrPtr _v8;
        				struct _EXCEPTION_RECORD* _t22;
        				intOrPtr* _t25;
        				long _t28;
        				long _t30;
        				long _t31;
        				long _t32;
        				void* _t33;
        				void* _t38;
        				long _t41;
        				intOrPtr* _t43;
        				intOrPtr _t44;
        				void* _t45;
        				void* _t47;
        				void* _t48;
        				intOrPtr _t50;
        
        				_t48 = __ebp;
        				_t47 = __esi;
        				_t45 = __edi;
        				_t33 = __ebx;
        				_t22 = _a4.ExceptionRecord;
        				if((_t22->ExceptionFlags & 0x00000006) == 0) {
        					_t41 = _t22->ExceptionInformation[1];
        					_t38 = _t22->ExceptionInformation;
        					if(_t22->ExceptionCode == 0xeedfade) {
        						L11:
        						if( *0x4b7031 <= 1 ||  *0x4b7030 > 0) {
        							goto L14;
        						}
        						_t28 = UnhandledExceptionFilter( &_a4);
        						_t38 = _t38;
        						_t41 = _t41;
        						_t22 = _t22;
        						if(_t28 != 0) {
        							goto L14;
        						}
        					} else {
        						asm("cld");
        						E00405BCC(_t22);
        						_t43 =  *0x4bb018; // 0x0
        						if(_t43 != 0) {
        							_t30 =  *_t43();
        							if(_t30 != 0) {
        								_t44 = _a12;
        								if(_a4.ExceptionRecord->ExceptionCode == 0xeefface) {
        									L10:
        									_t41 = _t30;
        									_t22 = _a4.ExceptionRecord;
        									_t38 = _t22->ExceptionAddress;
        									goto L11;
        								} else {
        									_t30 = E00406CA0(_t30, _t44, __edi);
        									if( *0x4b7031 <= 0 ||  *0x4b7030 > 0) {
        										goto L10;
        									} else {
        										_t31 = UnhandledExceptionFilter( &_a4);
        										_t32 = _t30;
        										if(_t31 != 0) {
        											_t41 = _t32;
        											_t22 = _a4.ExceptionRecord;
        											_t38 = _t22->ExceptionAddress;
        											L14:
        											_t22->ExceptionFlags = _t22->ExceptionFlags | 0x00000002;
        											 *0x4bb020(_a8, "true", _t22, 0, _t38, _t41, _t22,  *[fs:ebx], _t48, _t45, _t47, _t33); // executed
        											_t46 = _v8;
        											_t25 = E0040CC60();
        											_push( *_t25);
        											 *_t25 = _t50;
        											 *((intOrPtr*)(_v8 + 4)) = E00406E8C;
        											E00406CF0(_t25,  *((intOrPtr*)(_t46 + 4)) + 5, _t47);
        											goto __ebx;
        										}
        									}
        								}
        							}
        						}
        					}
        				}
        				return 1;
        			}




















        APIs
        • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00406DF2
        • UnhandledExceptionFilter.KERNEL32(?,?,?,Function_00006D88), ref: 00406E2F
        • RtlUnwind.KERNEL32(?,?,Function_00006D88,00000000,?,?,Function_00006D88,?), ref: 00406E5A
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: ExceptionFilterUnhandled$Unwind
        • String ID:
        • API String ID: 1141220122-0
        • Opcode ID: 9e921812675e94d09cf659e9b3dc74c1040adbde875b4dc9461ad8792aed939a
        • Instruction ID: 82ba9095b820b8f74b53f70e2f32f8d84a8c98116d21455e8c3fce4a4b86a7d7
        • Opcode Fuzzy Hash: 9e921812675e94d09cf659e9b3dc74c1040adbde875b4dc9461ad8792aed939a
        • Instruction Fuzzy Hash: F9316478208300AFE720DB14C884F2777A9EB88B54F26857AF449A7391C739EC50C6A9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 72%
        			E0040B110(intOrPtr __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi) {
        				intOrPtr _v8;
        				signed int _v12;
        				char _v16;
        				char _v20;
        				char _v24;
        				char _v28;
        				signed int _t41;
        				signed short _t43;
        				signed short _t46;
        				signed int _t60;
        				intOrPtr _t68;
        				void* _t79;
        				signed int* _t81;
        				intOrPtr _t84;
        
        				_t79 = __edi;
        				_t61 = __ecx;
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(__ebx);
        				_push(__esi);
        				_t81 = __ecx;
        				_v12 = __edx;
        				_v8 = __eax;
        				E00407B04(_v8);
        				E00407B04(_v12);
        				_push(_t84);
        				_push(0x40b227);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t84;
        				E00407A20(__ecx);
        				if(_v12 == 0) {
        					L14:
        					_pop(_t68);
        					 *[fs:eax] = _t68;
        					_push(E0040B22E);
        					return E00407A80( &_v28, 6);
        				}
        				E00407E48( &_v20, _v12);
        				_t41 = _v12;
        				if(_t41 != 0) {
        					_t41 =  *(_t41 - 4);
        				}
        				_t60 = _t41;
        				if(_t60 < 1) {
        					L7:
        					_t43 = E0040AE34(_v8, _t60, _t61,  &_v16, _t81); // executed
        					if(_v16 == 0) {
        						L00403730();
        						E0040A7E4(_t43, _t60,  &_v24, _t79, _t81);
        						_t46 = E0040AF60(_v20, _t60, _t81, _v24, _t79, _t81); // executed
        						__eflags =  *_t81;
        						if( *_t81 == 0) {
        							__eflags =  *0x4bdc0c;
        							if( *0x4bdc0c == 0) {
        								L00403738();
        								E0040A7E4(_t46, _t60,  &_v28, _t79, _t81);
        								E0040AF60(_v20, _t60, _t81, _v28, _t79, _t81);
        							}
        						}
        						__eflags =  *_t81;
        						if(__eflags == 0) {
        							E0040B044(_v20, _t60, _t81, __eflags); // executed
        						}
        					} else {
        						E0040AF60(_v20, _t60, _t81, _v16, _t79, _t81);
        					}
        					goto L14;
        				}
        				while( *((short*)(_v12 + _t60 * 2 - 2)) != 0x2e) {
        					_t60 = _t60 - 1;
        					__eflags = _t60;
        					if(_t60 != 0) {
        						continue;
        					}
        					goto L7;
        				}
        				_t61 = _t60;
        				E004088AC(_v12, _t60, 1,  &_v20);
        				goto L7;
        			}

        APIs
        • GetUserDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1BB
        • GetSystemDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1E3
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: DefaultLanguage$SystemUser
        • String ID:
        • API String ID: 384301227-0
        • Opcode ID: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
        • Instruction ID: e5bcb09f7540d0846d638ab8db7cc306f2a88a3609992180fc1e837192b0f5a6
        • Opcode Fuzzy Hash: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
        • Instruction Fuzzy Hash: B0313070A142499BDB10EBA5C891AAEB7B5EF48304F50857BE400B73D1DB7CAD41CB9E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 58%
        			E0040B234(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
        				char _v8;
        				short _v530;
        				char _v536;
        				char _v540;
        				void* _t44;
        				intOrPtr _t45;
        				void* _t49;
        				void* _t52;
        
        				_v536 = 0;
        				_v540 = 0;
        				_v8 = 0;
        				_t49 = __eax;
        				_push(_t52);
        				_push(0x40b2ee);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t52 + 0xfffffde8;
        				GetModuleFileNameW(0,  &_v530, 0x105);
        				E00408550( &_v536, _t49);
        				_push(_v536);
        				E0040858C( &_v540, 0x105,  &_v530);
        				_pop(_t44); // executed
        				E0040B110(_v540, 0,  &_v8, _t44, __edi, _t49); // executed
        				if(_v8 != 0) {
        					LoadLibraryExW(E004084EC(_v8), 0, 2);
        				}
        				_pop(_t45);
        				 *[fs:eax] = _t45;
        				_push(E0040B2F5);
        				E00407A80( &_v540, 2);
        				return E00407A20( &_v8);
        			}

        APIs
        • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
        • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: FileLibraryLoadModuleName
        • String ID:
        • API String ID: 1159719554-0
        • Opcode ID: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
        • Instruction ID: c66d7809fa1512833e1e01641763b0ecb7dd00f0751393a0e64d94d028879d96
        • Opcode Fuzzy Hash: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
        • Instruction Fuzzy Hash: 35116070A4421CABDB10EB55CD86BDE77B8DB04304F5144BEE508B32C1DA785F848AA9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 37%
        			E00421230(void* __eax, void* __ebx, int __edx) {
        				struct HINSTANCE__* _v12;
        				int _v16;
        				int _t4;
        				struct HINSTANCE__* _t9;
        				void* _t12;
        				intOrPtr _t16;
        				void* _t18;
        				void* _t19;
        				intOrPtr _t20;
        
        				_t18 = _t19;
        				_t20 = _t19 + 0xfffffff4;
        				_t12 = __eax;
        				_t4 = SetErrorMode(__edx); // executed
        				_v16 = _t4;
        				_push(_t18);
        				_push(0x4212a2);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t20;
        				asm("fnstcw word [ebp-0x2]");
        				_push(_t18);
        				_push(0x421284);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t20;
        				_t9 = LoadLibraryW(E004084EC(_t12)); // executed
        				_v12 = _t9;
        				_pop(_t16);
        				 *[fs:eax] = _t16;
        				_push(0x42128b);
        				asm("fclex");
        				asm("fldcw word [ebp-0x2]");
        				return 0;
        			}

        APIs
        • SetErrorMode.KERNEL32 ref: 0042123A
        • LoadLibraryW.KERNEL32(00000000,00000000,00421284,?,00000000,004212A2), ref: 00421269
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: ErrorLibraryLoadMode
        • String ID:
        • API String ID: 2987862817-0
        • Opcode ID: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
        • Instruction ID: 4174928c950a8c4d8a753a2a73b5e5f46ee32f9a8ef6f103d2b3a03bcfaff51e
        • Opcode Fuzzy Hash: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
        • Instruction Fuzzy Hash: 15F08270A14744BFDB115F779C5282BBAACE709B047A348BAF800F2691E53C48208574
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004052D4() {
        				intOrPtr _t13;
        				intOrPtr* _t14;
        				int _t18;
        				intOrPtr* _t23;
        				void* _t25;
        				void* _t26;
        				void* _t28;
        				void* _t31;
        
        				_t28 =  *0x004BBADC;
        				while(_t28 != 0x4bbad8) {
        					_t2 = _t28 + 4; // 0x4bbad8
        					VirtualFree(_t28, 0, 0x8000); // executed
        					_t28 =  *_t2;
        				}
        				_t25 = 0x37;
        				_t13 = 0x4b7080;
        				do {
        					 *((intOrPtr*)(_t13 + 0xc)) = _t13;
        					 *((intOrPtr*)(_t13 + 8)) = _t13;
        					 *((intOrPtr*)(_t13 + 0x10)) = 1;
        					 *((intOrPtr*)(_t13 + 0x14)) = 0;
        					_t13 = _t13 + 0x20;
        					_t25 = _t25 - 1;
        				} while (_t25 != 0);
        				 *0x4bbad8 = 0x4bbad8;
        				 *0x004BBADC = 0x4bbad8;
        				_t26 = 0x400;
        				_t23 = 0x4bbb78;
        				do {
        					_t14 = _t23;
        					 *_t14 = _t14;
        					_t8 = _t14 + 4; // 0x4bbb78
        					 *_t8 = _t14;
        					_t23 = _t23 + 8;
        					_t26 = _t26 - 1;
        				} while (_t26 != 0);
        				 *0x4bbaf4 = 0;
        				E00405884(0x4bbaf8, 0x80);
        				_t18 = 0;
        				 *0x4bbaf0 = 0;
        				_t31 =  *0x004BDB80;
        				while(_t31 != 0x4bdb7c) {
        					_t10 = _t31 + 4; // 0x4bdb7c
        					_t18 = VirtualFree(_t31, 0, 0x8000);
        					_t31 =  *_t10;
        				}
        				 *0x4bdb7c = 0x4bdb7c;
        				 *0x004BDB80 = 0x4bdb7c;
        				return _t18;
        			}

        APIs
        • VirtualFree.KERNEL32(004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 004052F2
        • VirtualFree.KERNEL32(004BDB7C,00000000,00008000,004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 0040536E
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: FreeVirtual
        • String ID:
        • API String ID: 1263568516-0
        • Opcode ID: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
        • Instruction ID: 8dfda0fc8014d777c4f42bdf36328f4fb77b4e1ecbcf9529c7d2d9386e1eba40
        • Opcode Fuzzy Hash: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
        • Instruction Fuzzy Hash: A5116D71A046008FC7689F199840B67BBE4EB88754F15C0BFE549EB791D7B8AC018F9C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 53%
        			E004AF404() {
        				char _v8;
        				void* _t6;
        				intOrPtr _t11;
        				intOrPtr _t20;
        				intOrPtr _t21;
        				intOrPtr _t24;
        
        				_push(0);
        				_push(_t24);
        				_push(0x4af467);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t24;
        				_t6 = E00405474();
        				_t20 =  *0x415748; // 0x4157a0
        				if(E00405F30(_t6, _t20) == 0) {
        					_t11 =  *0x4ba674; // 0x4c0d0c
        					_t1 = _t11 + 0x164; // 0x0
        					E00423270( &_v8);
        					MessageBoxW(0, E004084EC(_v8),  *_t1, 0x10); // executed
        				}
        				_pop(_t21);
        				 *[fs:eax] = _t21;
        				_push(0x4af46e);
        				return E00407A20( &_v8);
        			}

        APIs
        • MessageBoxW.USER32(00000000,00000000,00000000,00000010), ref: 004AF44C
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: Message
        • String ID:
        • API String ID: 2030045667-0
        • Opcode ID: 85040d05a667a057702a81a59cc8903d7cf9b38789560b08f9d619bd8c07588f
        • Instruction ID: df185ba2c4542d38c973d174cb8fca7e9c56812a44b35e206d2562239992b1e5
        • Opcode Fuzzy Hash: 85040d05a667a057702a81a59cc8903d7cf9b38789560b08f9d619bd8c07588f
        • Instruction Fuzzy Hash: C9F0B430204608EFEB00EB91DD43FAB73A8D759704F9144B7F900A7192DA3C6E048918
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004232EC(long __eax, void* __edx) {
        				short _v2052;
        				signed int _t7;
        				void* _t10;
        				signed int _t16;
        				void* _t17;
        
        				_t10 = __edx;
        				_t7 = FormatMessageW(0x3200, 0, __eax, 0,  &_v2052, 0x400, 0); // executed
        				while(_t7 > 0) {
        					_t16 =  *(_t17 + _t7 * 2 - 2) & 0x0000ffff;
        					if(_t16 <= 0x20) {
        						L1:
        						_t7 = _t7 - 1;
        						__eflags = _t7;
        						continue;
        					} else {
        						_t20 = _t16 - 0x2e;
        						if(_t16 == 0x2e) {
        							goto L1;
        						}
        					}
        					break;
        				}
        				return E00407BA8(_t10, _t7, _t17, _t20);
        			}

        APIs
        • FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,00423C1E,00000000,00423C6F,?,00423E28), ref: 0042330B
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: FormatMessage
        • String ID:
        • API String ID: 1306739567-0
        • Opcode ID: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
        • Instruction ID: 75fedbff241bec6efc8727d26b236f8c34027f11b3bdd8370f626a5f6d270aaf
        • Opcode Fuzzy Hash: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
        • Instruction Fuzzy Hash: 89E0D86075432121F624A9052C03B7B2129A7C0B12FE084367A80DE3D5DEADAF55525E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00423DA8(signed int __ecx, void* __edx, signed char _a4, signed char _a8) {
        				void* _t17;
        
        				_t17 = CreateFileW(E004084EC(__edx),  *(0x4b92e0 + (_a8 & 0x000000ff) * 4),  *(0x4b92ec + (_a4 & 0x000000ff) * 4), 0,  *(0x4b92fc + (__ecx & 0x000000ff) * 4), 0x80, 0); // executed
        				return _t17;
        			}

        APIs
        • CreateFileW.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00423DE5
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
        • Instruction ID: 37fe8146f2431012b4276926014d9d5fd10bf57e8855788e2bc853c5fce69268
        • Opcode Fuzzy Hash: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
        • Instruction Fuzzy Hash: 81E048716441283FD6149ADE7C91F76779C9709754F404563F684D7281C4A59D1086FC
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00409FA8(void* __eax) {
        				short _v532;
        				void* __ebx;
        				void* __esi;
        				intOrPtr _t14;
        				void* _t16;
        				void* _t18;
        				void* _t19;
        				intOrPtr _t20;
        				void* _t21;
        
        				_t16 = __eax;
        				_t22 =  *((intOrPtr*)(__eax + 0x10));
        				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
        					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
        					_t14 = E0040B234(_t21, _t16, _t18, _t19, _t22); // executed
        					_t20 = _t14;
        					 *((intOrPtr*)(_t16 + 0x10)) = _t20;
        					if(_t20 == 0) {
        						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
        					}
        				}
        				return  *((intOrPtr*)(_t16 + 0x10));
        			}

        APIs
        • GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 00409FC6
          • Part of subcall function 0040B234: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
          • Part of subcall function 0040B234: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: FileModuleName$LibraryLoad
        • String ID:
        • API String ID: 4113206344-0
        • Opcode ID: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
        • Instruction ID: 1beb63cefa55d3dba2b36e2095187d50c135a0cf4330adb642bee8d6847d8901
        • Opcode Fuzzy Hash: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
        • Instruction Fuzzy Hash: 7BE0C971A013119BCB10DE58C8C5A4A3798AB08754F044AA6AD24DF387D3B5DD1487D5
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040CAA4() {
        				intOrPtr _v16;
        				struct _SYSTEM_INFO* _t3;
        
        				GetSystemInfo(_t3); // executed
        				return _v16;
        			}

        APIs
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: InfoSystem
        • String ID:
        • API String ID: 31276548-0
        • Opcode ID: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
        • Instruction ID: 4f21eec972071caf62eebbeb90550a79e4d7a8082c8b53f17589c9beddeb5e45
        • Opcode Fuzzy Hash: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
        • Instruction Fuzzy Hash: CDA012984088002AC404AB194C4340F39C819C1114FC40224745CB62C2E61D866403DB
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00403BCC(signed int __eax) {
        				void* _t4;
        				intOrPtr _t7;
        				signed int _t8;
        				void** _t10;
        				void* _t12;
        				void* _t14;
        
        				_t8 = __eax;
        				E00403B60(__eax);
        				_t4 = VirtualAlloc(0, 0x13fff0, 0x1000, 4); // executed
        				if(_t4 == 0) {
        					 *0x4bbaf0 = 0;
        					return 0;
        				} else {
        					_t10 =  *0x4bbadc; // 0x4bbad8
        					_t14 = _t4;
        					 *_t14 = 0x4bbad8;
        					 *0x4bbadc = _t4;
        					 *(_t14 + 4) = _t10;
        					 *_t10 = _t4;
        					_t12 = _t14 + 0x13fff0;
        					 *((intOrPtr*)(_t12 - 4)) = 2;
        					 *0x4bbaf0 = 0x13ffe0 - _t8;
        					_t7 = _t12 - _t8;
        					 *0x4bbaec = _t7;
        					 *(_t7 - 4) = _t8 | 0x00000002;
        					return _t7;
        				}
        			}

        APIs
        • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,004041E3,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000), ref: 00403BE3
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
        • Instruction ID: ee114c9f451a66722181258b66a673b4223530c98f306d9f720d31c7abdd50f3
        • Opcode Fuzzy Hash: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
        • Instruction Fuzzy Hash: 71F087F2F002404FE7249F799D40742BAE8E709315B10827EE908EB799E7F488018B88
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 78%
        			E0040A928(short* __eax, intOrPtr __edx) {
        				short* _v8;
        				intOrPtr _v12;
        				intOrPtr _v16;
        				void* _v20;
        				struct _WIN32_FIND_DATAW _v612;
        				short _v1134;
        				signed int _t50;
        				signed int _t51;
        				void* _t55;
        				signed int _t88;
        				signed int _t89;
        				intOrPtr* _t90;
        				signed int _t101;
        				signed int _t102;
        				short* _t112;
        				struct HINSTANCE__* _t113;
        				short* _t115;
        				short* _t116;
        				void* _t117;
        
        				_v12 = __edx;
        				_v8 = __eax;
        				_v16 = _v8;
        				_t113 = GetModuleHandleW(L"kernel32.dll");
        				if(_t113 == 0) {
        					L4:
        					if( *_v8 != 0x5c) {
        						_t115 = _v8 + 4;
        						goto L10;
        					} else {
        						if( *((short*)(_v8 + 2)) == 0x5c) {
        							_t116 = E0040A904(_v8 + 4);
        							if( *_t116 != 0) {
        								_t14 = _t116 + 2; // 0x2
        								_t115 = E0040A904(_t14);
        								if( *_t115 != 0) {
        									L10:
        									_t88 = _t115 - _v8;
        									_t89 = _t88 >> 1;
        									if(_t88 < 0) {
        										asm("adc ebx, 0x0");
        									}
        									_t43 = _t89 + 1;
        									if(_t89 + 1 <= 0x105) {
        										E0040A34C( &_v1134, _v8, _t43);
        										while( *_t115 != 0) {
        											_t112 = E0040A904(_t115 + 2);
        											_t50 = _t112 - _t115;
        											_t51 = _t50 >> 1;
        											if(_t50 < 0) {
        												asm("adc eax, 0x0");
        											}
        											if(_t51 + _t89 + 1 <= 0x105) {
        												_t55 =  &_v1134 + _t89 + _t89;
        												_t101 = _t112 - _t115;
        												_t102 = _t101 >> 1;
        												if(_t101 < 0) {
        													asm("adc edx, 0x0");
        												}
        												E0040A34C(_t55, _t115, _t102 + 1);
        												_v20 = FindFirstFileW( &_v1134,  &_v612);
        												if(_v20 != 0xffffffff) {
        													FindClose(_v20);
        													if(lstrlenW( &(_v612.cFileName)) + _t89 + 1 + 1 <= 0x105) {
        														 *((short*)(_t117 + _t89 * 2 - 0x46a)) = 0x5c;
        														E0040A34C( &_v1134 + _t89 + _t89 + 2,  &(_v612.cFileName), 0x105 - _t89 - 1);
        														_t89 = _t89 + lstrlenW( &(_v612.cFileName)) + 1;
        														_t115 = _t112;
        														continue;
        													}
        												}
        											}
        											goto L24;
        										}
        										E0040A34C(_v8,  &_v1134, _v12);
        									}
        								}
        							}
        						}
        					}
        				} else {
        					_t90 = GetProcAddress(_t113, "GetLongPathNameW");
        					if(_t90 == 0) {
        						goto L4;
        					} else {
        						_push(0x105);
        						_push( &_v1134);
        						_push(_v8);
        						if( *_t90() == 0) {
        							goto L4;
        						} else {
        							E0040A34C(_v8,  &_v1134, _v12);
        						}
        					}
        				}
        				L24:
        				return _v16;
        			}

        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,004162BC,?,?), ref: 0040A945
        • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A956
        • FindFirstFileW.KERNEL32(?,?,kernel32.dll,004162BC,?,?), ref: 0040AA56
        • FindClose.KERNEL32(?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA68
        • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA74
        • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AAB9
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
        • String ID: GetLongPathNameW$\$kernel32.dll
        • API String ID: 1930782624-3908791685
        • Opcode ID: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
        • Instruction ID: 0568a8f2c4c85ac628058e700237ad117df8c3680498263a44950cac296231c5
        • Opcode Fuzzy Hash: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
        • Instruction Fuzzy Hash: 7841A071B003189BCB20DE98CD85A9EB3B5AB44310F1485B69945F72C1EB7CAE51CF4A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 91%
        			E004AF110() {
        				int _v4;
        				struct _TOKEN_PRIVILEGES _v16;
        				void* _v20;
        				int _t7;
        
        				if(E0041FF2C() != 2) {
        					L5:
        					_t7 = ExitWindowsEx(2, 0);
        					asm("sbb eax, eax");
        					return _t7 + 1;
        				}
        				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) != 0) {
        					LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &(_v16.Privileges));
        					_v16.PrivilegeCount = 1;
        					_v4 = 2;
        					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
        					if(GetLastError() == 0) {
        						goto L5;
        					}
        					return 0;
        				}
        				return 0;
        			}

        APIs
        • GetCurrentProcess.KERNEL32(00000028), ref: 004AF120
        • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004AF126
        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004AF13F
        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF166
        • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF16B
        • ExitWindowsEx.USER32 ref: 004AF17C
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
        • String ID: SeShutdownPrivilege
        • API String ID: 107509674-3733053543
        • Opcode ID: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
        • Instruction ID: 15d82be9bc359c8987119149698676c325083c88dcd196a4f2f9cd1a299335ef
        • Opcode Fuzzy Hash: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
        • Instruction Fuzzy Hash: 75F06D70684301B5E610A6F2CD07F6B21C89B56B58FA00D3EBA84E91C2D7BDD81D42BF
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00427874() {
        				struct HINSTANCE__* _v8;
        				intOrPtr _t46;
        				void* _t91;
        
        				_v8 = GetModuleHandleW(L"oleaut32.dll");
        				 *0x4c1134 = E00427848("VariantChangeTypeEx", E00427264, _t91);
        				 *0x4c1138 = E00427848("VarNeg", E004272AC, _t91);
        				 *0x4c113c = E00427848("VarNot", E004272AC, _t91);
        				 *0x4c1140 = E00427848("VarAdd", E004272B8, _t91);
        				 *0x4c1144 = E00427848("VarSub", E004272B8, _t91);
        				 *0x4c1148 = E00427848("VarMul", E004272B8, _t91);
        				 *0x4c114c = E00427848("VarDiv", E004272B8, _t91);
        				 *0x4c1150 = E00427848("VarIdiv", E004272B8, _t91);
        				 *0x4c1154 = E00427848("VarMod", E004272B8, _t91);
        				 *0x4c1158 = E00427848("VarAnd", E004272B8, _t91);
        				 *0x4c115c = E00427848("VarOr", E004272B8, _t91);
        				 *0x4c1160 = E00427848("VarXor", E004272B8, _t91);
        				 *0x4c1164 = E00427848("VarCmp", E004272C4, _t91);
        				 *0x4c1168 = E00427848("VarI4FromStr", E004272D0, _t91);
        				 *0x4c116c = E00427848("VarR4FromStr", E0042733C, _t91);
        				 *0x4c1170 = E00427848("VarR8FromStr", E004273AC, _t91);
        				 *0x4c1174 = E00427848("VarDateFromStr", E0042741C, _t91);
        				 *0x4c1178 = E00427848("VarCyFromStr", E0042748C, _t91);
        				 *0x4c117c = E00427848("VarBoolFromStr", E004274FC, _t91);
        				 *0x4c1180 = E00427848("VarBstrFromCy", E0042757C, _t91);
        				 *0x4c1184 = E00427848("VarBstrFromDate", E00427624, _t91);
        				_t46 = E00427848("VarBstrFromBool", E004277B4, _t91);
        				 *0x4c1188 = _t46;
        				return _t46;
        			}

        APIs
        • GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 0042787D
          • Part of subcall function 00427848: GetProcAddress.KERNEL32(00000000), ref: 00427861
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
        • API String ID: 1646373207-1918263038
        • Opcode ID: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
        • Instruction ID: afb448a43cf45882875cbd5333393c9475fd06a837c60371df2c799b3a2ca9d5
        • Opcode Fuzzy Hash: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
        • Instruction Fuzzy Hash: 4741442078D2689A53007BAA3C0692A7B9CD64A7243E0E07FF5048B766DF7CAC40867D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 82%
        			E0041E7CC(void* __eax, void* __ebx, signed int __edx, void* __edi, void* __esi, long long __fp0) {
        				signed int _v8;
        				char _v12;
        				signed int _v16;
        				intOrPtr _v20;
        				intOrPtr* _t32;
        				signed int _t53;
        				signed int _t56;
        				signed int _t71;
        				signed int _t78;
        				signed int* _t82;
        				signed int _t85;
        				void* _t93;
        				signed int _t94;
        				signed int _t95;
        				signed int _t98;
        				signed int _t99;
        				void* _t105;
        				intOrPtr _t106;
        				signed int _t109;
        				intOrPtr _t116;
        				intOrPtr _t117;
        				void* _t131;
        				void* _t132;
        				signed int _t134;
        				void* _t136;
        				void* _t137;
        				void* _t139;
        				void* _t140;
        				intOrPtr _t141;
        				void* _t142;
        				long long _t161;
        
        				_t161 = __fp0;
        				_t126 = __edi;
        				_t109 = __edx;
        				_t139 = _t140;
        				_t141 = _t140 + 0xfffffff0;
        				_push(__edi);
        				_v12 = 0;
        				_v8 = __edx;
        				_t93 = __eax;
        				_push(_t139);
        				_push(0x41ea61);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t141;
        				_t32 =  *0x4ba590; // 0x4bb8f8
        				_t144 =  *_t32;
        				if( *_t32 == 0) {
        					E0040554C(0x1a);
        				}
        				E00406688(E0040690C( *0x4be7e4, 0, _t126), _t109 | 0xffffffff, _t144);
        				_push(_t139);
        				_push(0x41ea44);
        				_push( *[fs:edx]);
        				 *[fs:edx] = _t141;
        				 *0x4be7dc = 0;
        				_push(0);
        				E00409C00();
        				_t142 = _t141 + 4;
        				E0041E034(_t93, 0x41ea7c, 0x100b,  &_v12);
        				_t127 = E0041A1C4(0x41ea7c, 1, _t144);
        				if(_t127 + 0xfffffffd - 3 >= 0) {
        					__eflags = _t127 - 0xffffffffffffffff;
        					if(_t127 - 0xffffffffffffffff < 0) {
        						 *0x4be7dc = 1;
        						_push(1);
        						E00409C00();
        						_t142 = _t142 + 4;
        						E00407E00( *0x4be7e0, L"B.C.");
        						 *((intOrPtr*)( *0x4be7e0 + 4)) = 0;
        						_t71 =  *0x4be7e0;
        						 *((intOrPtr*)(_t71 + 8)) = 0xffc00000;
        						 *((intOrPtr*)(_t71 + 0xc)) = 0xc1dfffff;
        						E0041C1C4(1, 1, 1, __eflags, _t161);
        						_v20 = E00405790();
        						_v16 = 1;
        						asm("fild qword [ebp-0x10]");
        						 *((long long*)( *0x4be7e0 + 0x10)) = _t161;
        						asm("wait");
        						EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4);
        						_t78 =  *0x4be7e0;
        						__eflags = _t78;
        						if(_t78 != 0) {
        							_t82 = _t78 - 4;
        							__eflags = _t82;
        							_t78 =  *_t82;
        						}
        						_t134 = _t78 - 1;
        						__eflags = _t134;
        						if(_t134 > 0) {
        							_t98 = 1;
        							do {
        								 *((intOrPtr*)( *0x4be7e0 + 4 + (_t98 + _t98 * 2) * 8)) = 0xffffffff;
        								_t98 = _t98 + 1;
        								_t134 = _t134 - 1;
        								__eflags = _t134;
        							} while (_t134 != 0);
        						}
        						EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3);
        					}
        				} else {
        					EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4);
        					_t85 =  *0x4be7e0;
        					if(_t85 != 0) {
        						_t85 =  *(_t85 - 4);
        					}
        					_t136 = _t85 - 1;
        					if(_t136 >= 0) {
        						_t137 = _t136 + 1;
        						_t99 = 0;
        						do {
        							 *((intOrPtr*)( *0x4be7e0 + 4 + (_t99 + _t99 * 2) * 8)) = 0xffffffff;
        							_t99 = _t99 + 1;
        							_t137 = _t137 - 1;
        						} while (_t137 != 0);
        					}
        					EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3);
        				}
        				_t94 =  *0x4be7e0;
        				if(_t94 != 0) {
        					_t94 =  *(_t94 - 4);
        				}
        				_push(_t94);
        				E00409C00();
        				_t53 =  *0x4be7e0;
        				if(_t53 != 0) {
        					_t53 =  *(_t53 - 4);
        				}
        				_t131 = _t53 - 1;
        				if(_t131 >= 0) {
        					_t132 = _t131 + 1;
        					_t95 = 0;
        					do {
        						_t127 = _t95 + _t95 * 2;
        						_t106 =  *0x416e18; // 0x416e1c
        						E00408F5C( *((intOrPtr*)(_v8 + 0xbc)) + (_t95 + _t95 * 2) * 8, _t106,  *0x4be7e0 + (_t95 + _t95 * 2) * 8);
        						_t95 = _t95 + 1;
        						_t132 = _t132 - 1;
        					} while (_t132 != 0);
        				}
        				_t116 =  *0x41e600; // 0x41e604
        				E00409D24(0x4be7e0, _t116);
        				_t56 =  *0x4be7e0;
        				if(_t56 != 0) {
        					_t56 =  *(_t56 - 4);
        				}
        				 *0x4be7dc = _t56;
        				_pop(_t117);
        				_pop(_t105);
        				 *[fs:eax] = _t117;
        				_push(0x41ea4b);
        				return E00406868( *0x4be7e4, _t105, _t127);
        			}

        APIs
        • GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E870
        • EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E87B
        • GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8B0
        • EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8BB
        • GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E94C
        • EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E957
        • GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E98E
        • EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E999
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: CalendarEnumInfoLocaleThread
        • String ID: B.C.$ToA$K$K$K
        • API String ID: 683597275-1724967715
        • Opcode ID: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
        • Instruction ID: 5f9a2d1895d99171d8daf0119b8bb3b5d98f795b9e196a74a36fcd0882631485
        • Opcode Fuzzy Hash: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
        • Instruction Fuzzy Hash: 3061D7786002009FD710EF2BCC85AD677A9FB84354B518A7AFC019B3A6CB78DC41CB99
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040A250() {
        				signed int _t2;
        				_Unknown_base(*)()* _t8;
        
        				InitializeCriticalSection(0x4bdc10);
        				 *0x4bdc28 = 0x7f;
        				_t2 = GetVersion() & 0x000000ff;
        				 *0x4bdc0c = _t2 - 6 >= 0;
        				if( *0x4bdc0c != 0) {
        					 *0x4bdc00 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadPreferredUILanguages");
        					 *0x4bdc04 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "SetThreadPreferredUILanguages");
        					_t8 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadUILanguage");
        					 *0x4bdc08 = _t8;
        					return _t8;
        				}
        				return _t2;
        			}

        APIs
        • InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
        • GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
        • GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
        • GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
        • GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: AddressHandleModuleProc$CriticalInitializeSectionVersion
        • String ID: GetThreadPreferredUILanguages$GetThreadUILanguage$SetThreadPreferredUILanguages$kernel32.dll
        • API String ID: 74573329-1403180336
        • Opcode ID: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
        • Instruction ID: d84369935ce7e940d286def53580bf621e493dc20acbcc0033f4522394103be5
        • Opcode Fuzzy Hash: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
        • Instruction Fuzzy Hash: F9F098A49853413DD6207F769D07B292D685A0170AF644AFFB410763D3EEFE4190E71E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 71%
        			E0041E0AC(int __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
        				char _v8;
        				char _v12;
        				char _v16;
        				char _v20;
        				char _v24;
        				char _v28;
        				char _v32;
        				char _v36;
        				char _v40;
        				char _v44;
        				char _v48;
        				char _v52;
        				char _v56;
        				char _v60;
        				int _t55;
        				void* _t121;
        				void* _t128;
        				void* _t151;
        				void* _t152;
        				intOrPtr _t172;
        				intOrPtr _t204;
        				signed short _t212;
        				int _t214;
        				intOrPtr _t216;
        				intOrPtr _t217;
        				void* _t224;
        
        				_t224 = __fp0;
        				_t211 = __edi;
        				_t216 = _t217;
        				_t152 = 7;
        				do {
        					_push(0);
        					_push(0);
        					_t152 = _t152 - 1;
        				} while (_t152 != 0);
        				_push(__edi);
        				_t151 = __edx;
        				_t214 = __eax;
        				_push(_t216);
        				_push(0x41e391);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t217;
        				_t55 = IsValidLocale(__eax, 1);
        				_t219 = _t55;
        				if(_t55 == 0) {
        					_t214 = GetThreadLocale();
        				}
        				_t172 =  *0x416f50; // 0x416f54
        				E00409D24(_t151 + 0xbc, _t172);
        				E0041E7CC(_t214, _t151, _t151, _t211, _t214, _t224);
        				E0041E4A0(_t214, _t151, _t151, _t211, _t214);
        				E0041E55C(_t214, _t151, _t151, _t211, _t214);
        				E0041E034(_t214, 0, 0x14,  &_v20);
        				E00407E00(_t151, _v20);
        				E0041E034(_t214, 0x41e3ac, 0x1b,  &_v24);
        				 *((char*)(_t151 + 4)) = E0041A1C4(0x41e3ac, 0, _t219);
        				E0041E034(_t214, 0x41e3ac, 0x1c,  &_v28);
        				 *((char*)(_t151 + 0xc6)) = E0041A1C4(0x41e3ac, 0, _t219);
        				 *((short*)(_t151 + 0xc0)) = E0041E080(_t214, 0x2c, 0xf);
        				 *((short*)(_t151 + 0xc2)) = E0041E080(_t214, 0x2e, 0xe);
        				E0041E034(_t214, 0x41e3ac, 0x19,  &_v32);
        				 *((char*)(_t151 + 5)) = E0041A1C4(0x41e3ac, 0, _t219);
        				_t212 = E0041E080(_t214, 0x2f, 0x1d);
        				 *(_t151 + 6) = _t212;
        				_push(_t212);
        				E0041EB18(_t214, _t151, L"m/d/yy", 0x1f, _t212, _t214, _t219,  &_v36);
        				E00407E00(_t151 + 0xc, _v36);
        				_push( *(_t151 + 6) & 0x0000ffff);
        				E0041EB18(_t214, _t151, L"mmmm d, yyyy", 0x20, _t212, _t214, _t219,  &_v40);
        				E00407E00(_t151 + 0x10, _v40);
        				 *((short*)(_t151 + 8)) = E0041E080(_t214, 0x3a, 0x1e);
        				E0041E034(_t214, 0x41e400, 0x28,  &_v44);
        				E00407E00(_t151 + 0x14, _v44);
        				E0041E034(_t214, 0x41e414, 0x29,  &_v48);
        				E00407E00(_t151 + 0x18, _v48);
        				E00407A20( &_v12);
        				E00407A20( &_v16);
        				E0041E034(_t214, 0x41e3ac, 0x25,  &_v52);
        				_t121 = E0041A1C4(0x41e3ac, 0, _t219);
        				_t220 = _t121;
        				if(_t121 != 0) {
        					E00407E48( &_v8, 0x41e438);
        				} else {
        					E00407E48( &_v8, 0x41e428);
        				}
        				E0041E034(_t214, 0x41e3ac, 0x23,  &_v56);
        				_t128 = E0041A1C4(0x41e3ac, 0, _t220);
        				_t221 = _t128;
        				if(_t128 == 0) {
        					E0041E034(_t214, 0x41e3ac, 0x1005,  &_v60);
        					if(E0041A1C4(0x41e3ac, 0, _t221) != 0) {
        						E00407E48( &_v12, L"AMPM ");
        					} else {
        						E00407E48( &_v16, L" AMPM");
        					}
        				}
        				_push(_v12);
        				_push(_v8);
        				_push(":mm");
        				_push(_v16);
        				E004087C4(_t151 + 0x1c, _t151, 4, _t212, _t214);
        				_push(_v12);
        				_push(_v8);
        				_push(L":mm:ss");
        				_push(_v16);
        				E004087C4(_t151 + 0x20, _t151, 4, _t212, _t214);
        				 *((short*)(_t151 + 0xa)) = E0041E080(_t214, 0x2c, 0xc);
        				 *((short*)(_t151 + 0xc4)) = 0x32;
        				_pop(_t204);
        				 *[fs:eax] = _t204;
        				_push(0x41e398);
        				return E00407A80( &_v60, 0xe);
        			}

        APIs
        • IsValidLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0D3
        • GetThreadLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0DC
          • Part of subcall function 0041E080: GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E182,?,00000001,00000000,0041E391), ref: 0041E093
          • Part of subcall function 0041E034: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E052
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: Locale$Info$ThreadValid
        • String ID: AMPM$2$:mm$:mm:ss$AMPM $ToA$m/d/yy$mmmm d, yyyy
        • API String ID: 233154393-2808312488
        • Opcode ID: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
        • Instruction ID: 756c878950b08f5201d8436663b045c7a1b9734561897f0b9d621fb0846820d7
        • Opcode Fuzzy Hash: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
        • Instruction Fuzzy Hash: 887134387011199BDB05EB67C841BDE76AADF88304F50807BF904AB246DB3DDD82879E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 71%
        			E0040A7E4(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
        				char _v8;
        				void* _t18;
        				signed short _t28;
        				intOrPtr _t35;
        				intOrPtr* _t44;
        				intOrPtr _t47;
        
        				_t42 = __edi;
        				_push(0);
        				_push(__ebx);
        				_push(__esi);
        				_t44 = __edx;
        				_t28 = __eax;
        				_push(_t47);
        				_push(0x40a8e8);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t47;
        				EnterCriticalSection(0x4bdc10);
        				if(_t28 !=  *0x4bdc28) {
        					LeaveCriticalSection(0x4bdc10);
        					E00407A20(_t44);
        					if(IsValidLocale(_t28 & 0x0000ffff, 2) != 0) {
        						if( *0x4bdc0c == 0) {
        							_t18 = E0040A4CC(_t28, _t28, _t44, __edi, _t44);
        							L00403738();
        							if(_t28 != _t18) {
        								if( *_t44 != 0) {
        									_t18 = E004086E4(_t44, E0040A900);
        								}
        								L00403738();
        								E0040A4CC(_t18, _t28,  &_v8, _t42, _t44);
        								E004086E4(_t44, _v8);
        							}
        						} else {
        							E0040A6C8(_t28, _t44);
        						}
        					}
        					EnterCriticalSection(0x4bdc10);
        					 *0x4bdc28 = _t28;
        					E0040A34C(0x4bdc2a, E004084EC( *_t44), 0xaa);
        					LeaveCriticalSection(0x4bdc10);
        				} else {
        					E0040858C(_t44, 0x55, 0x4bdc2a);
        					LeaveCriticalSection(0x4bdc10);
        				}
        				_pop(_t35);
        				 *[fs:eax] = _t35;
        				_push(E0040A8EF);
        				return E00407A20( &_v8);
        			}

        APIs
        • EnterCriticalSection.KERNEL32(004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000,00000000), ref: 0040A802
        • LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A826
        • LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A835
        • IsValidLocale.KERNEL32(00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A847
        • EnterCriticalSection.KERNEL32(004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8A4
        • LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8CD
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: CriticalSection$Leave$Enter$LocaleValid
        • String ID: en-US,en,
        • API String ID: 975949045-3579323720
        • Opcode ID: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
        • Instruction ID: af4c48ae6f9d4b9345a2e7437780db60bfff4a38cfd5d6d0e3948ff18df55379
        • Opcode Fuzzy Hash: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
        • Instruction Fuzzy Hash: 31218461B1031077DA11BB668C03B5E29A89B44705BA0887BB140B32D2EEBD8D52D66F
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 61%
        			E0042301C(void* __ebx, void* __esi, void* __eflags) {
        				char _v8;
        				void* _v12;
        				char _v16;
        				char _v20;
        				intOrPtr* _t21;
        				intOrPtr _t61;
        				void* _t68;
        
        				_push(__ebx);
        				_v20 = 0;
        				_v8 = 0;
        				_push(_t68);
        				_push(0x423116);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t68 + 0xfffffff0;
        				_t21 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"GetUserDefaultUILanguage");
        				if(_t21 == 0) {
        					if(E0041FF2C() != 2) {
        						if(E00422FF4(0, L"Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v12, 1, 0) == 0) {
        							E00422FE8();
        							RegCloseKey(_v12);
        						}
        					} else {
        						if(E00422FF4(0, L".DEFAULT\\Control Panel\\International", 0x80000003,  &_v12, 1, 0) == 0) {
        							E00422FE8();
        							RegCloseKey(_v12);
        						}
        					}
        					E0040873C( &_v20, _v8, 0x42322c);
        					E00405920(_v20,  &_v16);
        					if(_v16 != 0) {
        					}
        				} else {
        					 *_t21();
        				}
        				_pop(_t61);
        				 *[fs:eax] = _t61;
        				_push(E0042311D);
        				E00407A20( &_v20);
        				return E00407A20( &_v8);
        			}

        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423043
          • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
        • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423096
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: AddressCloseHandleModuleProc
        • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
        • API String ID: 4190037839-2401316094
        • Opcode ID: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
        • Instruction ID: 05790bdd6973bc135d390eb6e5b6569f0703c8ea8b4006eead18837270f0a894
        • Opcode Fuzzy Hash: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
        • Instruction Fuzzy Hash: 39217930B00228ABDB10EEB5DD42A9F73F4EB44345FA04477A500E3281DB7CAB41962D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 67%
        			E0040D218(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
        				long _v8;
        				signed int _v12;
        				long _v16;
        				void* _v20;
        				long _v24;
        				intOrPtr _v28;
        				intOrPtr _v32;
        				intOrPtr _v36;
        				intOrPtr _v40;
        				intOrPtr _v44;
        				struct HINSTANCE__** _v48;
        				CHAR* _v52;
        				void _v56;
        				long _v60;
        				_Unknown_base(*)()* _v64;
        				struct HINSTANCE__* _v68;
        				CHAR* _v72;
        				signed int _v76;
        				CHAR* _v80;
        				intOrPtr* _v84;
        				void* _v88;
        				void _v92;
        				signed int _t104;
        				signed int _t106;
        				signed int _t108;
        				long _t113;
        				intOrPtr* _t119;
        				void* _t124;
        				void _t126;
        				long _t128;
        				struct HINSTANCE__* _t142;
        				long _t166;
        				signed int* _t190;
        				_Unknown_base(*)()* _t191;
        				void* _t194;
        				intOrPtr _t196;
        
        				_push(_a4);
        				memcpy( &_v56, 0x4b7c40, 8 << 2);
        				_pop(_t194);
        				_v56 =  *0x4b7c40;
        				_v52 = E0040D6C8( *0x004B7C44);
        				_v48 = E0040D6D8( *0x004B7C48);
        				_v44 = E0040D6E8( *0x004B7C4C);
        				_v40 = E0040D6F8( *0x004B7C50);
        				_v36 = E0040D6F8( *0x004B7C54);
        				_v32 = E0040D6F8( *0x004B7C58);
        				_v28 =  *0x004B7C5C;
        				memcpy( &_v92, 0x4b7c60, 9 << 2);
        				_t196 = _t194;
        				_v88 = 0x4b7c60;
        				_v84 = _a8;
        				_v80 = _v52;
        				if((_v56 & 0x00000001) == 0) {
        					_t166 =  *0x4b7c84; // 0x0
        					_v8 = _t166;
        					_v8 =  &_v92;
        					RaiseException(0xc06d0057, 0, 1,  &_v8);
        					return 0;
        				}
        				_t104 = _a8 - _v44;
        				_t142 =  *_v48;
        				if(_t104 < 0) {
        					_t104 = _t104 + 3;
        				}
        				_v12 = _t104 >> 2;
        				_t106 = _v12;
        				_t190 = (_t106 << 2) + _v40;
        				_t108 = (_t106 & 0xffffff00 | (_t190[0] & 0x00000080) == 0x00000000) & 0x00000001;
        				_v76 = _t108;
        				if(_t108 == 0) {
        					_v72 =  *_t190 & 0x0000ffff;
        				} else {
        					_v72 = E0040D708( *_t190) + 2;
        				}
        				_t191 = 0;
        				if( *0x4be640 == 0) {
        					L10:
        					if(_t142 != 0) {
        						L25:
        						_v68 = _t142;
        						if( *0x4be640 != 0) {
        							_t191 =  *0x4be640(2,  &_v92);
        						}
        						if(_t191 != 0) {
        							L36:
        							if(_t191 == 0) {
        								_v60 = GetLastError();
        								if( *0x4be644 != 0) {
        									_t191 =  *0x4be644(4,  &_v92);
        								}
        								if(_t191 == 0) {
        									_t113 =  *0x4b7c8c; // 0x0
        									_v24 = _t113;
        									_v24 =  &_v92;
        									RaiseException(0xc06d007f, 0, 1,  &_v24);
        									_t191 = _v64;
        								}
        							}
        							goto L41;
        						} else {
        							if( *((intOrPtr*)(_t196 + 0x14)) == 0 ||  *((intOrPtr*)(_t196 + 0x1c)) == 0) {
        								L35:
        								_t191 = GetProcAddress(_t142, _v72);
        								goto L36;
        							} else {
        								_t119 =  *((intOrPtr*)(_t142 + 0x3c)) + _t142;
        								if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 8)) != _v28 || (( *(_t119 + 0x34) & 0xffffff00 |  *(_t119 + 0x34) == _t142) & 0x00000001) == 0) {
        									goto L35;
        								} else {
        									_t191 =  *((intOrPtr*)(_v36 + _v12 * 4));
        									if(_t191 == 0) {
        										goto L35;
        									}
        									L41:
        									 *_a8 = _t191;
        									goto L42;
        								}
        							}
        						}
        					}
        					if( *0x4be640 != 0) {
        						_t142 =  *0x4be640(1,  &_v92);
        					}
        					if(_t142 == 0) {
        						_t142 = LoadLibraryA(_v80);
        					}
        					if(_t142 != 0) {
        						L20:
        						if(_t142 == E0040CBA0(_v48, _t142)) {
        							FreeLibrary(_t142);
        						} else {
        							if( *((intOrPtr*)(_t196 + 0x18)) != 0) {
        								_t124 = LocalAlloc(0x40, 8);
        								_v20 = _t124;
        								if(_t124 != 0) {
        									 *((intOrPtr*)(_v20 + 4)) = _t196;
        									_t126 =  *0x4b7c3c; // 0x0
        									 *_v20 = _t126;
        									 *0x4b7c3c = _v20;
        								}
        							}
        						}
        						goto L25;
        					} else {
        						_v60 = GetLastError();
        						if( *0x4be644 != 0) {
        							_t142 =  *0x4be644(3,  &_v92);
        						}
        						if(_t142 != 0) {
        							goto L20;
        						} else {
        							_t128 =  *0x4b7c88; // 0x0
        							_v16 = _t128;
        							_v16 =  &_v92;
        							RaiseException(0xc06d007e, 0, 1,  &_v16);
        							return _v64;
        						}
        					}
        				} else {
        					_t191 =  *0x4be640(0,  &_v92);
        					if(_t191 == 0) {
        						goto L10;
        					} else {
        						L42:
        						if( *0x4be640 != 0) {
        							_v60 = 0;
        							_v68 = _t142;
        							_v64 = _t191;
        							 *0x4be640(5,  &_v92);
        						}
        						return _t191;
        					}
        				}
        			}

        APIs
        • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040D2D0
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: ExceptionRaise
        • String ID:
        • API String ID: 3997070919-0
        • Opcode ID: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
        • Instruction ID: 6bdc8742f8c12d3c05e6aa795b4e0fa0c425ed74332de7fca684440f38d882f1
        • Opcode Fuzzy Hash: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
        • Instruction Fuzzy Hash: 7CA16F75D002089FDB14DFE9D881BAEB7B5BB88300F14423AE505B73C1DB78A949CB59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 72%
        			E004047B0(int __eax, void* __ecx, void* __edx) {
        				long _v12;
        				int _t4;
        				long _t7;
        				void* _t11;
        				long _t12;
        				void* _t13;
        				long _t18;
        
        				_t4 = __eax;
        				_t24 = __edx;
        				_t20 = __eax;
        				if( *0x4bb058 == 0) {
        					_push(0x2010);
        					_push(__edx);
        					_push(__eax);
        					_push(0);
        					L00403780();
        				} else {
        					_t7 = E00407EF0(__edx);
        					WriteFile(GetStdHandle(0xfffffff4), _t24, _t7,  &_v12, 0);
        					_t11 =  *0x4b7078; // 0x403920
        					_t12 = E00407EF0(_t11);
        					_t13 =  *0x4b7078; // 0x403920
        					WriteFile(GetStdHandle(0xfffffff4), _t13, _t12,  &_v12, 0);
        					_t18 = E00407EF0(_t20);
        					_t4 = WriteFile(GetStdHandle(0xfffffff4), _t20, _t18,  &_v12, 0);
        				}
        				return _t4;
        			}

        APIs
        • GetStdHandle.KERNEL32(000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D2
        • WriteFile.KERNEL32(00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D8
        • GetStdHandle.KERNEL32(000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047F7
        • WriteFile.KERNEL32(00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047FD
        • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?), ref: 00404814
        • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000), ref: 0040481A
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: FileHandleWrite
        • String ID: 9@
        • API String ID: 3320372497-3209974744
        • Opcode ID: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
        • Instruction ID: 9b3b4e35e49a927b8991458b20a1a8ec0ccf5b925403b1971dfbe1b0899ab5f0
        • Opcode Fuzzy Hash: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
        • Instruction Fuzzy Hash: 2001AEE25492103DE110F7A69C85F57168C8B4472AF10467F7218F35D2C9395D44927E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 91%
        			E0040426C(void* __eax, signed int __edi, void* __ebp) {
        				struct _MEMORY_BASIC_INFORMATION _v44;
        				void* _v48;
        				signed int __ebx;
        				void* _t58;
        				signed int _t61;
        				signed int _t67;
        				void _t70;
        				int _t71;
        				signed int _t78;
        				void* _t79;
        				signed int _t81;
        				intOrPtr _t82;
        				signed int _t87;
        				signed int _t88;
        				signed int _t89;
        				signed int _t92;
        				void* _t96;
        				signed int _t99;
        				void* _t103;
        				intOrPtr _t104;
        				void* _t106;
        				void* _t108;
        				signed int _t113;
        				void* _t115;
        				void* _t116;
        
        				_t56 = __eax;
        				_t89 =  *(__eax - 4);
        				_t78 =  *0x4bb059; // 0x0
        				if((_t89 & 0x00000007) != 0) {
        					__eflags = _t89 & 0x00000005;
        					if((_t89 & 0x00000005) != 0) {
        						_pop(_t78);
        						__eflags = _t89 & 0x00000003;
        						if((_t89 & 0x00000003) == 0) {
        							_push(_t78);
        							_push(__edi);
        							_t116 = _t115 + 0xffffffdc;
        							_t103 = __eax - 0x10;
        							E00403C48();
        							_t58 = _t103;
        							 *_t116 =  *_t58;
        							_v48 =  *((intOrPtr*)(_t58 + 4));
        							_t92 =  *(_t58 + 0xc);
        							if((_t92 & 0x00000008) != 0) {
        								_t79 = _t103;
        								_t113 = _t92 & 0xfffffff0;
        								_t99 = 0;
        								__eflags = 0;
        								while(1) {
        									VirtualQuery(_t79,  &_v44, 0x1c);
        									_t61 = VirtualFree(_t79, 0, 0x8000);
        									__eflags = _t61;
        									if(_t61 == 0) {
        										_t99 = _t99 | 0xffffffff;
        										goto L10;
        									}
        									_t104 = _v44.RegionSize;
        									__eflags = _t113 - _t104;
        									if(_t113 > _t104) {
        										_t113 = _t113 - _t104;
        										_t79 = _t79 + _t104;
        										continue;
        									}
        									goto L10;
        								}
        							} else {
        								if(VirtualFree(_t103, 0, 0x8000) == 0) {
        									_t99 = __edi | 0xffffffff;
        								} else {
        									_t99 = 0;
        								}
        							}
        							L10:
        							if(_t99 == 0) {
        								 *_v48 =  *_t116;
        								 *( *_t116 + 4) = _v48;
        							}
        							 *0x4bdb78 = 0;
        							return _t99;
        						} else {
        							return 0xffffffff;
        						}
        					} else {
        						goto L31;
        					}
        				} else {
        					__eflags = __bl;
        					__ebx =  *__edx;
        					if(__eflags != 0) {
        						while(1) {
        							__eax = 0x100;
        							asm("lock cmpxchg [ebx], ah");
        							if(__eflags == 0) {
        								goto L14;
        							}
        							asm("pause");
        							__eflags =  *0x4bb989;
        							if(__eflags != 0) {
        								continue;
        							} else {
        								Sleep(0);
        								__edx = __edx;
        								__ecx = __ecx;
        								__eax = 0x100;
        								asm("lock cmpxchg [ebx], ah");
        								if(__eflags != 0) {
        									Sleep(0xa);
        									__edx = __edx;
        									__ecx = __ecx;
        									continue;
        								}
        							}
        							goto L14;
        						}
        					}
        					L14:
        					_t14 = __edx + 0x14;
        					 *_t14 =  *(__edx + 0x14) - 1;
        					__eflags =  *_t14;
        					__eax =  *(__edx + 0x10);
        					if( *_t14 == 0) {
        						__eflags = __eax;
        						if(__eax == 0) {
        							L20:
        							 *(__ebx + 0x14) = __eax;
        						} else {
        							__eax =  *(__edx + 0xc);
        							__ecx =  *(__edx + 8);
        							 *(__eax + 8) = __ecx;
        							 *(__ecx + 0xc) = __eax;
        							__eax = 0;
        							__eflags =  *((intOrPtr*)(__ebx + 0x18)) - __edx;
        							if( *((intOrPtr*)(__ebx + 0x18)) == __edx) {
        								goto L20;
        							}
        						}
        						 *__ebx = __al;
        						__eax = __edx;
        						__edx =  *(__edx - 4);
        						__bl =  *0x4bb059; // 0x0
        						L31:
        						__eflags = _t78;
        						_t81 = _t89 & 0xfffffff0;
        						_push(_t101);
        						_t106 = _t56;
        						if(__eflags != 0) {
        							while(1) {
        								_t67 = 0x100;
        								asm("lock cmpxchg [0x4bbae8], ah");
        								if(__eflags == 0) {
        									goto L32;
        								}
        								asm("pause");
        								__eflags =  *0x4bb989;
        								if(__eflags != 0) {
        									continue;
        								} else {
        									Sleep(0);
        									_t67 = 0x100;
        									asm("lock cmpxchg [0x4bbae8], ah");
        									if(__eflags != 0) {
        										Sleep(0xa);
        										continue;
        									}
        								}
        								goto L32;
        							}
        						}
        						L32:
        						__eflags = (_t106 - 4)[_t81] & 0x00000001;
        						_t87 = (_t106 - 4)[_t81];
        						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
        							_t67 = _t81 + _t106;
        							_t88 = _t87 & 0xfffffff0;
        							_t81 = _t81 + _t88;
        							__eflags = _t88 - 0xb30;
        							if(_t88 >= 0xb30) {
        								_t67 = E00403AC0(_t67);
        							}
        						} else {
        							_t88 = _t87 | 0x00000008;
        							__eflags = _t88;
        							(_t106 - 4)[_t81] = _t88;
        						}
        						__eflags =  *(_t106 - 4) & 0x00000008;
        						if(( *(_t106 - 4) & 0x00000008) != 0) {
        							_t88 =  *(_t106 - 8);
        							_t106 = _t106 - _t88;
        							_t81 = _t81 + _t88;
        							__eflags = _t88 - 0xb30;
        							if(_t88 >= 0xb30) {
        								_t67 = E00403AC0(_t106);
        							}
        						}
        						__eflags = _t81 - 0x13ffe0;
        						if(_t81 == 0x13ffe0) {
        							__eflags =  *0x4bbaf0 - 0x13ffe0;
        							if( *0x4bbaf0 != 0x13ffe0) {
        								_t82 = _t106 + 0x13ffe0;
        								E00403B60(_t67);
        								 *((intOrPtr*)(_t82 - 4)) = 2;
        								 *0x4bbaf0 = 0x13ffe0;
        								 *0x4bbaec = _t82;
        								 *0x4bbae8 = 0;
        								__eflags = 0;
        								return 0;
        							} else {
        								_t108 = _t106 - 0x10;
        								_t70 =  *_t108;
        								_t96 =  *(_t108 + 4);
        								 *(_t70 + 4) = _t96;
        								 *_t96 = _t70;
        								 *0x4bbae8 = 0;
        								_t71 = VirtualFree(_t108, 0, 0x8000);
        								__eflags = _t71 - 1;
        								asm("sbb eax, eax");
        								return _t71;
        							}
        						} else {
        							 *(_t106 - 4) = _t81 + 3;
        							 *(_t106 - 8 + _t81) = _t81;
        							E00403B00(_t106, _t88, _t81);
        							 *0x4bbae8 = 0;
        							__eflags = 0;
        							return 0;
        						}
        					} else {
        						__eflags = __eax;
        						 *(__edx + 0x10) = __ecx;
        						 *(__ecx - 4) = __eax;
        						if(__eflags == 0) {
        							__ecx =  *(__ebx + 8);
        							 *(__edx + 0xc) = __ebx;
        							 *(__edx + 8) = __ecx;
        							 *(__ecx + 0xc) = __edx;
        							 *(__ebx + 8) = __edx;
        							 *__ebx = 0;
        							__eax = 0;
        							__eflags = 0;
        							_pop(__ebx);
        							return 0;
        						} else {
        							__eax = 0;
        							__eflags = 0;
        							 *__ebx = __al;
        							_pop(__ebx);
        							return 0;
        						}
        					}
        				}
        			}





























        APIs
        • Sleep.KERNEL32(00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA,00000000), ref: 00404302
        • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA), ref: 0040431C
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: Sleep
        • String ID:
        • API String ID: 3472027048-0
        • Opcode ID: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
        • Instruction ID: daf3465a9571387f72e828d046180f4ce70f3b260d456b91f151aa63c4646fa2
        • Opcode Fuzzy Hash: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
        • Instruction Fuzzy Hash: AA71E2B17042008BD715DF29CC84B16BBD8AF85715F2482BFE984AB3D2D7B899418789
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 62%
        			E0041F0F4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
        				char* _v8;
        				long _v12;
        				short _v140;
        				short _v2188;
        				void* _t15;
        				char* _t17;
        				intOrPtr _t19;
        				intOrPtr _t30;
        				long _t48;
        				intOrPtr _t56;
        				intOrPtr _t57;
        				int _t61;
        				void* _t64;
        
        				_push(__ebx);
        				_push(__esi);
        				_v8 = 0;
        				_push(_t64);
        				_push(0x41f219);
        				_push( *[fs:ecx]);
        				 *[fs:ecx] = _t64 + 0xfffff778;
        				_t61 = E0041EEFC(_t15, __ebx,  &_v2188, __edx, __edi, __esi, 0x400);
        				_t17 =  *0x4ba6c0; // 0x4bb058
        				if( *_t17 == 0) {
        					_t19 =  *0x4ba4f8; // 0x40e710
        					_t11 = _t19 + 4; // 0xffed
        					LoadStringW(E00409FF0( *0x4be634),  *_t11,  &_v140, 0x40);
        					MessageBoxW(0,  &_v2188,  &_v140, 0x2010);
        				} else {
        					_t30 =  *0x4ba524; // 0x4bb340
        					E00405564(E00405820(_t30));
        					_t48 = WideCharToMultiByte(1, 0,  &_v2188, _t61, 0, 0, 0, 0);
        					_push(_t48);
        					E00409C00();
        					WideCharToMultiByte(1, 0,  &_v2188, _t61, _v8, _t48, 0, 0);
        					WriteFile(GetStdHandle(0xfffffff4), _v8, _t48,  &_v12, 0);
        					WriteFile(GetStdHandle(0xfffffff4), 0x41f234, 2,  &_v12, 0);
        				}
        				_pop(_t56);
        				 *[fs:eax] = _t56;
        				_push(0x41f220);
        				_t57 =  *0x41f0c4; // 0x41f0c8
        				return E00409D24( &_v8, _t57);
        			}

















        APIs
          • Part of subcall function 0041EEFC: VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
          • Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
          • Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
          • Part of subcall function 0041EEFC: LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009
        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,0041F219), ref: 0041F155
        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F188
        • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F19A
        • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F1A0
        • GetStdHandle.KERNEL32(000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0041F1B4
        • WriteFile.KERNEL32(00000000,000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 0041F1BA
        • LoadStringW.USER32(00000000,0000FFED,?,00000040), ref: 0041F1DE
        • MessageBoxW.USER32(00000000,?,?,00002010), ref: 0041F1F8
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
        • String ID:
        • API String ID: 135118572-0
        • Opcode ID: deb6da76ab9c4b496f2ff2870dbb370d0f709f8902d14da44dea0f11333fc18e
        • Instruction ID: 441773961034998e17761d3334fa1b60ae8bad0ad03d42d5622a75f3c8f76c28
        • Opcode Fuzzy Hash: deb6da76ab9c4b496f2ff2870dbb370d0f709f8902d14da44dea0f11333fc18e
        • Instruction Fuzzy Hash: 7D31CF75640204BFE714E796CC42FDA77ACEB08704F9044BABA04F71D2DA786E548B6D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 88%
        			E00404464(signed int __eax, intOrPtr __edx, void* __edi) {
        				signed int __ebx;
        				void* __esi;
        				signed int _t69;
        				signed int _t78;
        				signed int _t93;
        				long _t94;
        				void* _t100;
        				signed int _t102;
        				signed int _t109;
        				signed int _t115;
        				signed int _t123;
        				signed int _t129;
        				void* _t131;
        				signed int _t140;
        				unsigned int _t148;
        				signed int _t150;
        				long _t152;
        				signed int _t156;
        				intOrPtr _t161;
        				signed int _t166;
        				signed int _t170;
        				unsigned int _t171;
        				intOrPtr _t174;
        				intOrPtr _t192;
        				signed int _t195;
        				signed int _t196;
        				signed int _t197;
        				void* _t205;
        				unsigned int _t207;
        				intOrPtr _t213;
        				void* _t225;
        				intOrPtr _t227;
        				void* _t228;
        				signed int _t230;
        				void* _t232;
        				signed int _t233;
        				signed int _t234;
        				signed int _t238;
        				signed int _t241;
        				void* _t243;
        				intOrPtr* _t244;
        
        				_t176 = __edx;
        				_t66 = __eax;
        				_t166 =  *(__eax - 4);
        				_t217 = __eax;
        				if((_t166 & 0x00000007) != 0) {
        					__eflags = _t166 & 0x00000005;
        					if((_t166 & 0x00000005) != 0) {
        						_pop(_t217);
        						_pop(_t145);
        						__eflags = _t166 & 0x00000003;
        						if((_t166 & 0x00000003) == 0) {
        							_push(_t145);
        							_push(__eax);
        							_push(__edi);
        							_push(_t225);
        							_t244 = _t243 + 0xffffffe0;
        							_t218 = __edx;
        							_t202 = __eax;
        							_t69 =  *(__eax - 4);
        							_t148 = (0xfffffff0 & _t69) - 0x14;
        							if(0xfffffff0 >= __edx) {
        								__eflags = __edx - _t148 >> 1;
        								if(__edx < _t148 >> 1) {
        									_t150 = E00403EE8(__edx);
        									__eflags = _t150;
        									if(_t150 != 0) {
        										__eflags = _t218 - 0x40a2c;
        										if(_t218 > 0x40a2c) {
        											_t78 = _t202 - 0x10;
        											__eflags = _t78;
        											 *((intOrPtr*)(_t78 + 8)) = _t218;
        										}
        										E00403AA4(_t202, _t218, _t150);
        										E0040426C(_t202, _t202, _t225);
        									}
        								} else {
        									_t150 = __eax;
        									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
        								}
        							} else {
        								if(0xfffffff0 <= __edx) {
        									_t227 = __edx;
        								} else {
        									_t227 = 0xbadb9d;
        								}
        								 *_t244 = _t202 - 0x10 + (_t69 & 0xfffffff0);
        								VirtualQuery( *(_t244 + 8), _t244 + 8, 0x1c);
        								if( *((intOrPtr*)(_t244 + 0x14)) != 0x10000) {
        									L12:
        									_t150 = E00403EE8(_t227);
        									__eflags = _t150;
        									if(_t150 != 0) {
        										__eflags = _t227 - 0x40a2c;
        										if(_t227 > 0x40a2c) {
        											_t93 = _t150 - 0x10;
        											__eflags = _t93;
        											 *((intOrPtr*)(_t93 + 8)) = _t218;
        										}
        										E00403A74(_t202,  *((intOrPtr*)(_t202 - 0x10 + 8)), _t150);
        										E0040426C(_t202, _t202, _t227);
        									}
        								} else {
        									 *(_t244 + 0x10) =  *(_t244 + 0x10) & 0xffff0000;
        									_t94 =  *(_t244 + 0x10);
        									if(_t218 - _t148 >= _t94) {
        										goto L12;
        									} else {
        										_t152 = _t227 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
        										if(_t94 < _t152) {
        											_t152 = _t94;
        										}
        										if(VirtualAlloc( *(_t244 + 0xc), _t152, 0x2000, 4) == 0 || VirtualAlloc( *(_t244 + 0xc), _t152, 0x1000, 4) == 0) {
        											goto L12;
        										} else {
        											_t100 = _t202 - 0x10;
        											 *((intOrPtr*)(_t100 + 8)) = _t218;
        											 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
        											_t150 = _t202;
        										}
        									}
        								}
        							}
        							return _t150;
        						} else {
        							__eflags = 0;
        							return 0;
        						}
        					} else {
        						_t170 = _t166 & 0xfffffff0;
        						_push(__edi);
        						_t205 = _t170 + __eax;
        						_t171 = _t170 - 4;
        						_t156 = _t166 & 0x0000000f;
        						__eflags = __edx - _t171;
        						_push(_t225);
        						if(__edx > _t171) {
        							_t102 =  *(_t205 - 4);
        							__eflags = _t102 & 0x00000001;
        							if((_t102 & 0x00000001) == 0) {
        								L75:
        								asm("adc edi, 0xffffffff");
        								_t228 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
        								_t207 = _t171;
        								_t109 = E00403EE8(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
        								_t192 = _t176;
        								__eflags = _t109;
        								if(_t109 == 0) {
        									goto L73;
        								} else {
        									__eflags = _t228 - 0x40a2c;
        									if(_t228 > 0x40a2c) {
        										 *((intOrPtr*)(_t109 - 8)) = _t192;
        									}
        									_t230 = _t109;
        									E00403A74(_t217, _t207, _t109);
        									E0040426C(_t217, _t207, _t230);
        									return _t230;
        								}
        							} else {
        								_t115 = _t102 & 0xfffffff0;
        								_t232 = _t171 + _t115;
        								__eflags = __edx - _t232;
        								if(__edx > _t232) {
        									goto L75;
        								} else {
        									__eflags =  *0x4bb059;
        									if(__eflags == 0) {
        										L66:
        										__eflags = _t115 - 0xb30;
        										if(_t115 >= 0xb30) {
        											E00403AC0(_t205);
        											_t176 = _t176;
        											_t171 = _t171;
        										}
        										asm("adc edi, 0xffffffff");
        										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
        										_t195 = _t232 + 4 - _t123;
        										__eflags = _t195;
        										if(_t195 > 0) {
        											 *(_t217 + _t232 - 4) = _t195;
        											 *((intOrPtr*)(_t217 - 4 + _t123)) = _t195 + 3;
        											_t233 = _t123;
        											__eflags = _t195 - 0xb30;
        											if(_t195 >= 0xb30) {
        												__eflags = _t123 + _t217;
        												E00403B00(_t123 + _t217, _t171, _t195);
        											}
        										} else {
        											 *(_t217 + _t232) =  *(_t217 + _t232) & 0xfffffff7;
        											_t233 = _t232 + 4;
        										}
        										_t234 = _t233 | _t156;
        										__eflags = _t234;
        										 *(_t217 - 4) = _t234;
        										 *0x4bbae8 = 0;
        										_t109 = _t217;
        										L73:
        										return _t109;
        									} else {
        										while(1) {
        											asm("lock cmpxchg [0x4bbae8], ah");
        											if(__eflags == 0) {
        												break;
        											}
        											asm("pause");
        											__eflags =  *0x4bb989;
        											if(__eflags != 0) {
        												continue;
        											} else {
        												Sleep(0);
        												_t176 = _t176;
        												_t171 = _t171;
        												asm("lock cmpxchg [0x4bbae8], ah");
        												if(__eflags != 0) {
        													Sleep(0xa);
        													_t176 = _t176;
        													_t171 = _t171;
        													continue;
        												}
        											}
        											break;
        										}
        										_t156 = 0x0000000f &  *(_t217 - 4);
        										_t129 =  *(_t205 - 4);
        										__eflags = _t129 & 0x00000001;
        										if((_t129 & 0x00000001) == 0) {
        											L74:
        											 *0x4bbae8 = 0;
        											goto L75;
        										} else {
        											_t115 = _t129 & 0xfffffff0;
        											_t232 = _t171 + _t115;
        											__eflags = _t176 - _t232;
        											if(_t176 > _t232) {
        												goto L74;
        											} else {
        												goto L66;
        											}
        										}
        									}
        								}
        							}
        						} else {
        							__eflags = __edx + __edx - _t171;
        							if(__edx + __edx < _t171) {
        								__eflags = __edx - 0xb2c;
        								if(__edx >= 0xb2c) {
        									L41:
        									_t32 = _t176 + 0xd3; // 0xbff
        									_t238 = (_t32 & 0xffffff00) + 0x30;
        									_t174 = _t171 + 4 - _t238;
        									__eflags =  *0x4bb059;
        									if(__eflags != 0) {
        										while(1) {
        											asm("lock cmpxchg [0x4bbae8], ah");
        											if(__eflags == 0) {
        												break;
        											}
        											asm("pause");
        											__eflags =  *0x4bb989;
        											if(__eflags != 0) {
        												continue;
        											} else {
        												Sleep(0);
        												_t174 = _t174;
        												asm("lock cmpxchg [0x4bbae8], ah");
        												if(__eflags != 0) {
        													Sleep(0xa);
        													_t174 = _t174;
        													continue;
        												}
        											}
        											break;
        										}
        										_t156 = 0x0000000f &  *(_t217 - 4);
        										__eflags = 0xf;
        									}
        									 *(_t217 - 4) = _t156 | _t238;
        									_t161 = _t174;
        									_t196 =  *(_t205 - 4);
        									__eflags = _t196 & 0x00000001;
        									if((_t196 & 0x00000001) != 0) {
        										_t131 = _t205;
        										_t197 = _t196 & 0xfffffff0;
        										_t161 = _t161 + _t197;
        										_t205 = _t205 + _t197;
        										__eflags = _t197 - 0xb30;
        										if(_t197 >= 0xb30) {
        											E00403AC0(_t131);
        										}
        									} else {
        										 *(_t205 - 4) = _t196 | 0x00000008;
        									}
        									 *((intOrPtr*)(_t205 - 8)) = _t161;
        									 *((intOrPtr*)(_t217 + _t238 - 4)) = _t161 + 3;
        									__eflags = _t161 - 0xb30;
        									if(_t161 >= 0xb30) {
        										E00403B00(_t217 + _t238, _t174, _t161);
        									}
        									 *0x4bbae8 = 0;
        									return _t217;
        								} else {
        									__eflags = __edx - 0x2cc;
        									if(__edx < 0x2cc) {
        										_t213 = __edx;
        										_t140 = E00403EE8(__edx);
        										__eflags = _t140;
        										if(_t140 != 0) {
        											_t241 = _t140;
        											E00403AA4(_t217, _t213, _t140);
        											E0040426C(_t217, _t213, _t241);
        											_t140 = _t241;
        										}
        										return _t140;
        									} else {
        										_t176 = 0xb2c;
        										__eflags = _t171 - 0xb2c;
        										if(_t171 <= 0xb2c) {
        											goto L37;
        										} else {
        											goto L41;
        										}
        									}
        								}
        							} else {
        								L37:
        								return _t66;
        							}
        						}
        					}
        				} else {
        					__ebx =  *__ecx;
        					__ecx =  *(__ebx + 2) & 0x0000ffff;
        					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
        					__eflags = __ecx - __edx;
        					if(__ecx < __edx) {
        						__ecx = __ecx + __ecx + 0x20;
        						_push(__edi);
        						__edi = __edx;
        						__eax = 0;
        						__ecx = __ecx - __edx;
        						asm("adc eax, 0xffffffff");
        						__eax = 0 & __ecx;
        						__eax = (0 & __ecx) + __edx;
        						__eax = E00403EE8((0 & __ecx) + __edx);
        						__eflags = __eax;
        						if(__eax != 0) {
        							__eflags = __edi - 0x40a2c;
        							if(__edi > 0x40a2c) {
        								 *(__eax - 8) = __edi;
        							}
        							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
        							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
        							__edx = __eax;
        							__edi = __eax;
        							 *((intOrPtr*)(__ebx + 0x1c))() = E0040426C(__esi, __edi, __ebp);
        							__eax = __edi;
        						}
        						_pop(__edi);
        						_pop(__esi);
        						_pop(__ebx);
        						return __eax;
        					} else {
        						__ebx = 0x40 + __edx * 4;
        						__eflags = 0x40 + __edx * 4 - __ecx;
        						if(0x40 + __edx * 4 < __ecx) {
        							__ebx = __edx;
        							__eax = __edx;
        							__eax = E00403EE8(__edx);
        							__eflags = __eax;
        							if(__eax != 0) {
        								__ecx = __ebx;
        								__edx = __eax;
        								__ebx = __eax;
        								__esi = E0040426C(__esi, __edi, __ebp);
        								__eax = __ebx;
        							}
        							_pop(__esi);
        							_pop(__ebx);
        							return __eax;
        						} else {
        							_pop(__esi);
        							_pop(__ebx);
        							return __eax;
        						}
        					}
        				}
        			}












































        0x004044fa
        0x00404481
        0x00404481
        0x00404488
        0x0040448a
        0x00404490
        0x00404492
        0x00404494
        0x00404499
        0x0040449b
        0x0040449d
        0x0040449f
        0x004044a1
        0x004044ac
        0x004044b1
        0x004044b1
        0x004044b3
        0x004044b4
        0x004044b5
        0x0040448c
        0x0040448c
        0x0040448d
        0x0040448e
        0x0040448e
        0x0040448a
        0x0040447f

        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
        • Instruction ID: a6f3f7862a5743fd60f07ae337b35688b7a953487e66f12862dc3ba09d14b1d9
        • Opcode Fuzzy Hash: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
        • Instruction Fuzzy Hash: 8CC115A27106000BD714AE7DDD8476AB68A9BC5716F28827FF244EB3D6DB7CCD418388
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 68%
        			E0041F7A0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
        				char _v8;
        				struct _MEMORY_BASIC_INFORMATION _v36;
        				short _v558;
        				char _v564;
        				intOrPtr _v568;
        				char _v572;
        				char _v576;
        				char _v580;
        				intOrPtr _v584;
        				char _v588;
        				void* _v592;
        				char _v596;
        				char _v600;
        				char _v604;
        				char _v608;
        				intOrPtr _v612;
        				char _v616;
        				char _v620;
        				char _v624;
        				void* _v628;
        				char _v632;
        				void* _t64;
        				intOrPtr _t65;
        				long _t76;
        				intOrPtr _t82;
        				intOrPtr _t103;
        				intOrPtr _t107;
        				intOrPtr _t110;
        				intOrPtr _t112;
        				intOrPtr _t115;
        				intOrPtr _t127;
        				void* _t136;
        				intOrPtr _t138;
        				void* _t141;
        				void* _t143;
        
        				_t136 = __edi;
        				_t140 = _t141;
        				_v632 = 0;
        				_v596 = 0;
        				_v604 = 0;
        				_v600 = 0;
        				_v8 = 0;
        				_push(_t141);
        				_push(0x41f9a6);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t141 + 0xfffffd8c;
        				_t64 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x14)) - 1;
        				_t143 = _t64;
        				if(_t143 < 0) {
        					_t65 =  *0x4ba798; // 0x40e730
        					E0040C9F0(_t65,  &_v8, _t140);
        				} else {
        					if(_t143 == 0) {
        						_t107 =  *0x4ba670; // 0x40e738
        						E0040C9F0(_t107,  &_v8, _t140);
        					} else {
        						if(_t64 == 7) {
        							_t110 =  *0x4ba4d0; // 0x40e740
        							E0040C9F0(_t110,  &_v8, _t140);
        						} else {
        							_t112 =  *0x4ba5c8; // 0x40e748
        							E0040C9F0(_t112,  &_v8, _t140);
        						}
        					}
        				}
        				_t115 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x18));
        				VirtualQuery( *( *((intOrPtr*)(_a4 - 4)) + 0xc),  &_v36, 0x1c);
        				_t138 = _v36.State;
        				if(_t138 == 0x1000 || _t138 == 0x10000) {
        					_t76 = GetModuleFileNameW(_v36.AllocationBase,  &_v558, 0x105);
        					_t147 = _t76;
        					if(_t76 == 0) {
        						goto L12;
        					} else {
        						_v592 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
        						_v588 = 5;
        						E0040858C( &_v600, 0x105,  &_v558);
        						E0041A418(_v600, _t115,  &_v596, _t136, _t138, _t147);
        						_v584 = _v596;
        						_v580 = 0x11;
        						_v576 = _v8;
        						_v572 = 0x11;
        						_v568 = _t115;
        						_v564 = 5;
        						_push( &_v592);
        						_t103 =  *0x4ba6e0; // 0x40e810
        						E0040C9F0(_t103,  &_v604, _t140, 3);
        						E0041F2A0(_t115, _v604, 1, _t136, _t138);
        					}
        				} else {
        					L12:
        					_v628 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
        					_v624 = 5;
        					_v620 = _v8;
        					_v616 = 0x11;
        					_v612 = _t115;
        					_v608 = 5;
        					_push( &_v628);
        					_t82 =  *0x4ba67c; // 0x40e6d8
        					E0040C9F0(_t82,  &_v632, _t140, 2);
        					E0041F2A0(_t115, _v632, 1, _t136, _t138);
        				}
        				_pop(_t127);
        				 *[fs:eax] = _t127;
        				_push(0x41f9ad);
        				E00407A20( &_v632);
        				E00407A80( &_v604, 3);
        				return E00407A20( &_v8);
        			}







































        APIs
        • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F9A6), ref: 0041F840
        • GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0041F9A6), ref: 0041F86C
          • Part of subcall function 0040C9F0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 0040CA35
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: FileLoadModuleNameQueryStringVirtual
        • String ID: 0@$8@$@@$H@
        • API String ID: 902310565-4161625419
        • Opcode ID: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
        • Instruction ID: bbc3c026f35d1d6bea3ad9012fddeafd4c483e803022796d8e8ef386e34d3195
        • Opcode Fuzzy Hash: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
        • Instruction Fuzzy Hash: 69511874A04258DFCB10EF69CC89BCDB7F4AB48304F0042E6A808A7351D778AE85CF59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 88%
        			E00406688(signed char* __eax, void* __edx, void* __eflags) {
        				void* _t49;
        				signed char _t56;
        				intOrPtr _t57;
        				signed char _t59;
        				void* _t70;
        				signed char* _t71;
        				intOrPtr _t72;
        				signed char* _t73;
        
        				_t70 = __edx;
        				_t71 = __eax;
        				_t72 =  *((intOrPtr*)(__eax + 0x10));
        				while(1) {
        					L1:
        					 *_t73 = E00406B30(_t71);
        					if( *_t73 != 0 || _t70 == 0) {
        						break;
        					}
        					_t73[1] = 0;
        					if(_t72 <= 0) {
        						while(1) {
        							L17:
        							_t56 =  *_t71;
        							if(_t56 == 0) {
        								goto L1;
        							}
        							asm("lock cmpxchg [esi], edx");
        							if(_t56 != _t56) {
        								continue;
        							} else {
        								goto L19;
        							}
        							do {
        								L19:
        								_t73[4] = GetTickCount();
        								E0040688C(_t71);
        								_t57 =  *0x4bb8f8; // 0x4b9284
        								 *((intOrPtr*)(_t57 + 0x10))();
        								 *_t73 = 0 == 0;
        								if(_t70 != 0xffffffff) {
        									_t73[8] = GetTickCount();
        									if(_t70 <= _t73[8] - _t73[4]) {
        										_t70 = 0;
        									} else {
        										_t70 = _t70 - _t73[8] - _t73[4];
        									}
        								}
        								if( *_t73 == 0) {
        									do {
        										asm("lock cmpxchg [esi], edx");
        									} while ( *_t71 !=  *_t71);
        									_t73[1] = 1;
        								} else {
        									while(1) {
        										_t59 =  *_t71;
        										if((_t59 & 0x00000001) != 0) {
        											goto L29;
        										}
        										asm("lock cmpxchg [esi], edx");
        										if(_t59 != _t59) {
        											continue;
        										}
        										_t73[1] = 1;
        										goto L29;
        									}
        								}
        								L29:
        							} while (_t73[1] == 0);
        							if( *_t73 != 0) {
        								_t71[8] = GetCurrentThreadId();
        								_t71[4] = 1;
        							}
        							goto L32;
        						}
        						continue;
        					}
        					_t73[4] = GetTickCount();
        					_t73[0xc] = 0;
        					if(_t72 <= 0) {
        						L13:
        						if(_t70 == 0xffffffff) {
        							goto L17;
        						}
        						_t73[8] = GetTickCount();
        						_t49 = _t73[8] - _t73[4];
        						if(_t70 > _t49) {
        							_t70 = _t70 - _t49;
        							goto L17;
        						}
        						 *_t73 = 0;
        						break;
        					}
        					L5:
        					L5:
        					if(_t70 == 0xffffffff || _t70 > GetTickCount() - _t73[4]) {
        						goto L8;
        					} else {
        						 *_t73 = 0;
        					}
        					break;
        					L8:
        					if( *_t71 > 1) {
        						goto L13;
        					}
        					if( *_t71 != 0) {
        						L12:
        						E00406368( &(_t73[0xc]));
        						_t72 = _t72 - 1;
        						if(_t72 > 0) {
        							goto L5;
        						}
        						goto L13;
        					}
        					asm("lock cmpxchg [esi], edx");
        					if(0 != 0) {
        						goto L12;
        					}
        					_t71[8] = GetCurrentThreadId();
        					_t71[4] = 1;
        					 *_t73 = 1;
        					break;
        				}
        				L32:
        				return  *_t73 & 0x000000ff;
        			}












        APIs
          • Part of subcall function 00406B30: GetCurrentThreadId.KERNEL32 ref: 00406B33
        • GetTickCount.KERNEL32 ref: 004066BF
        • GetTickCount.KERNEL32 ref: 004066D7
        • GetCurrentThreadId.KERNEL32 ref: 00406706
        • GetTickCount.KERNEL32 ref: 00406731
        • GetTickCount.KERNEL32 ref: 00406768
        • GetTickCount.KERNEL32 ref: 00406792
        • GetCurrentThreadId.KERNEL32 ref: 00406802
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: CountTick$CurrentThread
        • String ID:
        • API String ID: 3968769311-0
        • Opcode ID: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
        • Instruction ID: 4198438d609b3d92ee1caba3903e9c970ac06421e97b93dd9799f90313ce3de1
        • Opcode Fuzzy Hash: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
        • Instruction Fuzzy Hash: 664182712083419ED721AE3CC58431BBAD5AF80358F16C93ED4DA973C1EB7988958756
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 85%
        			E004B63A1(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
        				intOrPtr _t17;
        				struct HWND__* _t22;
        				struct HWND__* _t25;
        				intOrPtr _t26;
        				intOrPtr _t28;
        				intOrPtr _t36;
        				intOrPtr _t39;
        				int _t40;
        				intOrPtr _t41;
        				intOrPtr _t43;
        				struct HWND__* _t46;
        				intOrPtr _t47;
        				intOrPtr _t50;
        				intOrPtr _t60;
        				intOrPtr _t62;
        				intOrPtr _t68;
        				intOrPtr _t69;
        				intOrPtr _t70;
        				void* _t73;
        				void* _t74;
        
        				_t74 = __eflags;
        				_t72 = __esi;
        				_t71 = __edi;
        				_t52 = __ebx;
        				_pop(_t62);
        				 *[fs:eax] = _t62;
        				_t17 =  *0x4c1d88; // 0x22438d0
        				 *0x4c1d88 = 0;
        				E00405CE8(_t17);
        				 *0x4ba450 = E0040E450(0, L"STATIC", 0,  *0x4be634, 0, 0, 0, 0, 0, 0, 0);
        				_t22 =  *0x4ba450; // 0x0
        				 *0x4c1d80 = SetWindowLongW(_t22, 0xfffffffc, E004AF69C);
        				_t25 =  *0x4ba450; // 0x0
        				 *(_t73 - 0x58) = _t25;
        				 *((char*)(_t73 - 0x54)) = 0;
        				_t26 =  *0x4c1d90; // 0x4ca924
        				_t4 = _t26 + 0x20; // 0x50750f
        				 *((intOrPtr*)(_t73 - 0x50)) =  *_t4;
        				 *((char*)(_t73 - 0x4c)) = 0;
        				_t28 =  *0x4c1d90; // 0x4ca924
        				_t7 = _t28 + 0x24; // 0xbea00
        				 *((intOrPtr*)(_t73 - 0x48)) =  *_t7;
        				 *((char*)(_t73 - 0x44)) = 0;
        				E0041A87C(L"/SL5=\"$%x,%d,%d,", 2, _t73 - 0x58, _t73 - 0x40);
        				_push( *((intOrPtr*)(_t73 - 0x40)));
        				_push( *0x4c1d84);
        				_push(0x4b6680);
        				E00422BC4(_t73 - 0x5c, __ebx, __esi, _t74);
        				_push( *((intOrPtr*)(_t73 - 0x5c)));
        				E004087C4(_t73 - 0x3c, __ebx, 4, __edi, __esi);
        				_t36 =  *0x4c1d9c; // 0x0
        				E004AF728(_t36, _t52, 0x4ba44c,  *((intOrPtr*)(_t73 - 0x3c)), _t71, _t72, __fp0);
        				if( *0x4ba448 != 0xffffffff) {
        					_t50 =  *0x4ba448; // 0xffffffff
        					E004AF60C(_t50);
        				}
        				_pop(_t68);
        				 *[fs:eax] = _t68;
        				_push(E004B6554);
        				_t39 =  *0x4c1d88; // 0x22438d0
        				_t40 = E00405CE8(_t39);
        				if( *0x4c1d9c != 0) {
        					_t70 =  *0x4c1d9c; // 0x0
        					_t40 = E004AF1B4(0, _t70, 0xfa, 0x32);
        				}
        				if( *0x4c1d94 != 0) {
        					_t47 =  *0x4c1d94; // 0x0
        					_t40 = RemoveDirectoryW(E004084EC(_t47));
        				}
        				if( *0x4ba450 != 0) {
        					_t46 =  *0x4ba450; // 0x0
        					_t40 = DestroyWindow(_t46);
        				}
        				if( *0x4c1d78 != 0) {
        					_t41 =  *0x4c1d78; // 0x0
        					_t60 =  *0x4c1d7c; // 0x0
        					_t69 =  *0x426bb0; // 0x426bb4
        					E00408D08(_t41, _t60, _t69);
        					_t43 =  *0x4c1d78; // 0x0
        					E0040540C(_t43);
        					 *0x4c1d78 = 0;
        					return 0;
        				}
        				return _t40;
        			}
























        APIs
          • Part of subcall function 0040E450: CreateWindowExW.USER32 ref: 0040E48F
        • SetWindowLongW.USER32(00000000,000000FC,004AF69C), ref: 004B641E
          • Part of subcall function 00422BC4: GetCommandLineW.KERNEL32(00000000,00422C06,?,?,00000000,?,004B647E,004B6680,?), ref: 00422BDA
          • Part of subcall function 004AF728: CreateProcessW.KERNEL32 ref: 004AF798
          • Part of subcall function 004AF728: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
          • Part of subcall function 004AF728: MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
          • Part of subcall function 004AF728: GetExitCodeProcess.KERNEL32 ref: 004AF7DB
          • Part of subcall function 004AF728: CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4
        • RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
        • DestroyWindow.USER32(00000000,004B6554), ref: 004B6514
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
        • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
        • API String ID: 3586484885-3001827809
        • Opcode ID: 3c021837c984efc67f9ad3a794955b0d04b23bc85077f6812c73bb0a86195aee
        • Instruction ID: 04c90e22d0408fd8de4b79ff2beaee59f7a3a861a1d73b16261182ae62401715
        • Opcode Fuzzy Hash: 3c021837c984efc67f9ad3a794955b0d04b23bc85077f6812c73bb0a86195aee
        • Instruction Fuzzy Hash: EC416B74A002009FE754EBA9EC85B9A37B4EB85308F11453BE0059B2B6CB7CA851CB5D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 80%
        			E004971AC(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, intOrPtr _a4) {
        				char _v5;
        				char _v12;
        				char _v16;
        				char _v20;
        				void* _t23;
        				char _t29;
        				void* _t50;
        				intOrPtr _t55;
        				char _t57;
        				intOrPtr _t59;
        				void* _t64;
        				void* _t66;
        				void* _t68;
        				void* _t69;
        				intOrPtr _t70;
        
        				_t64 = __edi;
        				_t57 = __edx;
        				_t50 = __ecx;
        				_t68 = _t69;
        				_t70 = _t69 + 0xfffffff0;
        				_v20 = 0;
        				if(__edx != 0) {
        					_t70 = _t70 + 0xfffffff0;
        					_t23 = E004062B0(_t23, _t68);
        				}
        				_t49 = _t50;
        				_v5 = _t57;
        				_t66 = _t23;
        				_push(_t68);
        				_push(0x4972a5);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t70;
        				E00405CB8(0);
        				_t3 = _t66 + 0x2c; // 0x266461
        				 *(_t66 + 0xf) =  *_t3 & 0x000000ff ^ 0x00000001;
        				if(_t50 == 0 ||  *(_t66 + 0x2c) != 0) {
        					_t29 = 0;
        				} else {
        					_t29 = 1;
        				}
        				 *((char*)(_t66 + 0xd)) = _t29;
        				if( *(_t66 + 0x2c) != 0) {
        					 *((intOrPtr*)(_t66 + 8)) = GetCurrentThread();
        					 *((intOrPtr*)(_t66 + 4)) = GetCurrentThreadId();
        				} else {
        					if(_a4 == 0) {
        						_t12 = _t66 + 4; // 0x495548
        						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, 0, _t12, 4, _t66);
        					} else {
        						_t9 = _t66 + 4; // 0x495548
        						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, _a4, _t9, 0x10004, _t66);
        					}
        					if( *((intOrPtr*)(_t66 + 8)) == 0) {
        						E0041DFB0(GetLastError(), _t49, 0, _t66);
        						_v16 = _v20;
        						_v12 = 0x11;
        						_t55 =  *0x4ba740; // 0x40ea6c
        						E0041F35C(_t49, _t55, 1, _t64, _t66, 0,  &_v16);
        						E0040711C();
        					}
        				}
        				_pop(_t59);
        				 *[fs:eax] = _t59;
        				_push(0x4972ac);
        				return E00407A20( &_v20);
        			}



















        APIs
        • GetLastError.KERNEL32(00000000,004972A5,?,00495544,00000000), ref: 00497247
          • Part of subcall function 004078E0: CreateThread.KERNEL32 ref: 0040793A
        • GetCurrentThread.KERNEL32 ref: 0049727F
        • GetCurrentThreadId.KERNEL32 ref: 00497287
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: Thread$Current$CreateErrorLast
        • String ID: 0@G$XtI$l@
        • API String ID: 3539746228-385768319
        • Opcode ID: 0f3d49910cd0fe0a2777fff9c7d37287e03b93d316d56716644e12c604fcc986
        • Instruction ID: 1159262e71bebd7e921a745d602ab6fc0c684f98ff6f66721209a3575415716a
        • Opcode Fuzzy Hash: 0f3d49910cd0fe0a2777fff9c7d37287e03b93d316d56716644e12c604fcc986
        • Instruction Fuzzy Hash: 2B31E2309287449EDB10EBB68C427AB7FE49F09304F40C87EE455973C1DA3CA545C799
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 61%
        			E004AF728(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
        				char _v8;
        				struct _STARTUPINFOW _v76;
        				void* _v88;
        				void* _v92;
        				int _t23;
        				intOrPtr _t49;
        				DWORD* _t51;
        				void* _t56;
        
        				_v8 = 0;
        				_t51 = __ecx;
        				_t53 = __edx;
        				_t41 = __eax;
        				_push(_t56);
        				_push(0x4af7ff);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t56 + 0xffffffa8;
        				_push(0x4af81c);
        				_push(__eax);
        				_push(0x4af82c);
        				_push(__edx);
        				E004087C4( &_v8, __eax, 4, __ecx, __edx);
        				E00405884( &_v76, 0x44);
        				_v76.cb = 0x44;
        				_t23 = CreateProcessW(0, E004084EC(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92);
        				_t58 = _t23;
        				if(_t23 == 0) {
        					E004AF34C(0x83, _t41, 0, _t53, _t58);
        				}
        				CloseHandle(_v88);
        				do {
        					E004AF6FC();
        				} while (MsgWaitForMultipleObjects(1,  &_v92, 0, 0xffffffff, 0x4ff) == 1);
        				E004AF6FC();
        				GetExitCodeProcess(_v92, _t51);
        				CloseHandle(_v92);
        				_pop(_t49);
        				 *[fs:eax] = _t49;
        				_push(0x4af806);
        				return E00407A20( &_v8);
        			}












        APIs
        • CreateProcessW.KERNEL32 ref: 004AF798
        • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
        • MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
        • GetExitCodeProcess.KERNEL32 ref: 004AF7DB
        • CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4
          • Part of subcall function 004AF34C: GetLastError.KERNEL32(00000000,004AF3F5,?,?,00000000), ref: 004AF36F
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
        • String ID: D
        • API String ID: 3356880605-2746444292
        • Opcode ID: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
        • Instruction ID: 88989adc3f1fa39a5a5eb6990527994e2deb527bcdcae90bffb7d35c0d41af56
        • Opcode Fuzzy Hash: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
        • Instruction Fuzzy Hash: C01163716041096EEB00FBE68C42F9F77ACDF56714F50053AB604E72C5DA789905866D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 36%
        			E00406424(void* __edx) {
        				signed int _v8;
        				intOrPtr _v12;
        				char _v16;
        				char* _t23;
        				intOrPtr _t29;
        				intOrPtr _t39;
        				void* _t41;
        				void* _t43;
        				intOrPtr _t44;
        
        				_t41 = _t43;
        				_t44 = _t43 + 0xfffffff4;
        				_v16 = 0;
        				if(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetLogicalProcessorInformation") == 0) {
        					L10:
        					_v8 = 0x40;
        					goto L11;
        				} else {
        					_t23 =  &_v16;
        					_push(_t23);
        					_push(0);
        					L00403808();
        					if(_t23 != 0 || GetLastError() != 0x7a) {
        						goto L10;
        					} else {
        						_v12 = E004053F0(_v16);
        						_push(_t41);
        						_push(E004064D2);
        						_push( *[fs:edx]);
        						 *[fs:edx] = _t44;
        						_push( &_v16);
        						_push(_v12);
        						L00403808();
        						_t29 = _v12;
        						if(_v16 <= 0) {
        							L8:
        							_pop(_t39);
        							 *[fs:eax] = _t39;
        							_push(E004064D9);
        							return E0040540C(_v12);
        						} else {
        							while( *((short*)(_t29 + 4)) != 2 ||  *((char*)(_t29 + 8)) != 1) {
        								_t29 = _t29 + 0x18;
        								_v16 = _v16 - 0x18;
        								if(_v16 > 0) {
        									continue;
        								} else {
        									goto L8;
        								}
        								goto L12;
        							}
        							_v8 =  *(_t29 + 0xa) & 0x0000ffff;
        							E00407210();
        							L11:
        							return _v8;
        						}
        					}
        				}
        				L12:
        			}













        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00406439
        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040643F
        • GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 0040645B
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: AddressErrorHandleLastModuleProc
        • String ID: @$GetLogicalProcessorInformation$kernel32.dll
        • API String ID: 4275029093-79381301
        • Opcode ID: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
        • Instruction ID: 8f5f9a4eb212fab3c4852abc810e80ead921d34dcce11bc4c58bc7a6251dba94
        • Opcode Fuzzy Hash: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
        • Instruction Fuzzy Hash: 52116371D00208BEDB20EFA5D84576EBBA8EB40705F1184BBF815F32C1D67D9A908B1D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 43%
        			E004076B8(void* __ecx) {
        				long _v4;
        				void* _t3;
        				void* _t9;
        
        				if( *0x4bb058 == 0) {
        					if( *0x4b7032 == 0) {
        						_push(0);
        						_push("Error");
        						_push("Runtime error     at 00000000");
        						_push(0);
        						L00403780();
        					}
        					return _t3;
        				} else {
        					if( *0x4bb344 == 0xd7b2 &&  *0x4bb34c > 0) {
        						 *0x4bb35c();
        					}
        					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1d,  &_v4, 0);
        					_t9 = E00408240(0x40774c);
        					return WriteFile(GetStdHandle(0xfffffff5), _t9, 2,  &_v4, 0);
        				}
        			}







        APIs
        • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
        • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
        • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
        • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: FileHandleWrite
        • String ID: Error$Runtime error at 00000000
        • API String ID: 3320372497-2970929446
        • Opcode ID: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
        • Instruction ID: db14fa18f2a627875cbdcf208ba1e0af1765c14dc112cf76e17f9611cef7a876
        • Opcode Fuzzy Hash: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
        • Instruction Fuzzy Hash: DFF0C2A1A8C24079FA2077A94C47F5A269C8740B16F108A3FF610B61D1C7FD6584937E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00420524(void* __ebx, void* __esi) {
        				intOrPtr _t4;
        				intOrPtr _t6;
        
        				if(E0041FF68(6, 0) == 0) {
        					_t4 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"NTDLL.DLL"), L"RtlCompareUnicodeString");
        					 *0x4be914 = _t4;
        					 *0x4be910 = E00420428;
        					return _t4;
        				} else {
        					_t6 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"CompareStringOrdinal");
        					 *0x4be910 = _t6;
        					return _t6;
        				}
        			}






        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,CompareStringOrdinal,004B5A2E,00000000,004B5A41), ref: 0042053E
          • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
        • GetModuleHandleW.KERNEL32(NTDLL.DLL,RtlCompareUnicodeString,004B5A2E,00000000,004B5A41), ref: 00420559
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: HandleModule$AddressProc
        • String ID: CompareStringOrdinal$NTDLL.DLL$RtlCompareUnicodeString$kernel32.dll
        • API String ID: 1883125708-3870080525
        • Opcode ID: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
        • Instruction ID: 4ba185d4141586243d2650af69d43cb091b5da9faf927984522c9bbe9ad7037f
        • Opcode Fuzzy Hash: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
        • Instruction Fuzzy Hash: 04E08CF0B4232036E644FB672C0769929C51B85709BD04A3F7004BA1D7DBBE42659E2E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 77%
        			E0042931C(short* __eax, intOrPtr __ecx, signed short* __edx) {
        				char _v260;
        				char _v768;
        				char _v772;
        				short* _v776;
        				intOrPtr _v780;
        				char _v784;
        				signed int _v788;
        				signed short* _v792;
        				char _v796;
        				char _v800;
        				intOrPtr* _v804;
        				signed short* _v808;
        				void* __ebp;
        				signed char _t55;
        				signed int _t64;
        				void* _t72;
        				intOrPtr* _t83;
        				void* _t103;
        				void* _t105;
        				void* _t108;
        				void* _t109;
        				intOrPtr* _t118;
        				void* _t122;
        				intOrPtr _t123;
        				char* _t124;
        				void* _t125;
        
        				_t110 = __ecx;
        				_v780 = __ecx;
        				_v808 = __edx;
        				_v776 = __eax;
        				if((_v808[0] & 0x00000020) == 0) {
        					E00428FDC(0x80070057);
        				}
        				_t55 =  *_v808 & 0x0000ffff;
        				if((_t55 & 0x00000fff) != 0xc) {
        					_push(_v808);
        					_push(_v776);
        					L00427254();
        					return E00428FDC(_v776);
        				} else {
        					if((_t55 & 0x00000040) == 0) {
        						_v792 = _v808[4];
        					} else {
        						_v792 =  *(_v808[4]);
        					}
        					_v788 =  *_v792 & 0x0000ffff;
        					_t103 = _v788 - 1;
        					if(_t103 < 0) {
        						L9:
        						_push( &_v772);
        						_t64 = _v788;
        						_push(_t64);
        						_push(0xc);
        						L00427828();
        						_t123 = _t64;
        						if(_t123 == 0) {
        							E00428D34(_t110);
        						}
        						E00429278(_v776);
        						 *_v776 = 0x200c;
        						 *((intOrPtr*)(_v776 + 8)) = _t123;
        						_t105 = _v788 - 1;
        						if(_t105 < 0) {
        							L14:
        							_t107 = _v788 - 1;
        							if(E00429294(_v788 - 1, _t125) != 0) {
        								L00427840();
        								E00428FDC(_v792);
        								L00427840();
        								E00428FDC( &_v260);
        								_v780(_t123,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
        							}
        							_t72 = E004292C4(_t107, _t125);
        						} else {
        							_t108 = _t105 + 1;
        							_t83 =  &_v768;
        							_t118 =  &_v260;
        							do {
        								 *_t118 =  *_t83;
        								_t118 = _t118 + 4;
        								_t83 = _t83 + 8;
        								_t108 = _t108 - 1;
        							} while (_t108 != 0);
        							do {
        								goto L14;
        							} while (_t72 != 0);
        							return _t72;
        						}
        					} else {
        						_t109 = _t103 + 1;
        						_t122 = 0;
        						_t124 =  &_v772;
        						do {
        							_v804 = _t124;
        							_push(_v804 + 4);
        							_t23 = _t122 + 1; // 0x1
        							_push(_v792);
        							L00427830();
        							E00428FDC(_v792);
        							_push( &_v784);
        							_t26 = _t122 + 1; // 0x1
        							_push(_v792);
        							L00427838();
        							E00428FDC(_v792);
        							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
        							_t122 = _t122 + 1;
        							_t124 = _t124 + 8;
        							_t109 = _t109 - 1;
        						} while (_t109 != 0);
        						goto L9;
        					}
        				}
        			}






























        APIs
        • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004293D1
        • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004293ED
        • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00429426
        • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004294A3
        • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004294BC
        • VariantCopy.OLEAUT32(?,?), ref: 004294F7
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: ArraySafe$BoundIndex$CopyCreateVariant
        • String ID:
        • API String ID: 351091851-0
        • Opcode ID: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
        • Instruction ID: 2fed5c09d90993a71d142947efe00684c7910c2ed580f9cb9a97fb5731140b2d
        • Opcode Fuzzy Hash: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
        • Instruction Fuzzy Hash: 4B51EE75A012299FCB21DB59D981BDAB3FCAF0C304F8041DAF548E7211D634AF858F65
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 68%
        			E00403EE8(signed int __eax) {
        				signed int __ebx;
        				signed int __edi;
        				signed int __esi;
        				intOrPtr* _t99;
        				signed int _t104;
        				signed int _t109;
        				signed int _t110;
        				intOrPtr* _t114;
        				void* _t116;
        				intOrPtr* _t121;
        				signed int _t125;
        				signed int _t129;
        				signed int _t131;
        				signed int _t132;
        				signed int _t133;
        				signed int _t134;
        				signed int _t135;
        				unsigned int _t141;
        				signed int _t142;
        				void* _t144;
        				intOrPtr* _t147;
        				intOrPtr _t148;
        				signed int _t150;
        				long _t156;
        				intOrPtr _t159;
        				signed int _t162;
        
        				_t95 = __eax;
        				_t129 =  *0x4bb059; // 0x0
        				if(__eax > 0xa2c) {
        					__eflags = __eax - 0x40a2c;
        					if(__eax > 0x40a2c) {
        						_pop(_t120);
        						__eflags = __eax;
        						if(__eax >= 0) {
        							_push(_t120);
        							_t162 = __eax;
        							_t2 = _t162 + 0x10010; // 0x10110
        							_t156 = _t2 - 0x00000001 + 0x00000004 & 0xffff0000;
        							_t121 = VirtualAlloc(0, _t156, 0x101000, 4);
        							if(_t121 != 0) {
        								_t147 = _t121;
        								 *((intOrPtr*)(_t147 + 8)) = _t162;
        								 *(_t147 + 0xc) = _t156 | 0x00000004;
        								E00403C48();
        								_t99 =  *0x4bdb80; // 0x4bdb7c
        								 *_t147 = 0x4bdb7c;
        								 *0x4bdb80 = _t121;
        								 *((intOrPtr*)(_t147 + 4)) = _t99;
        								 *_t99 = _t121;
        								 *0x4bdb78 = 0;
        								_t121 = _t121 + 0x10;
        							}
        							return _t121;
        						} else {
        							__eflags = 0;
        							return 0;
        						}
        					} else {
        						_t67 = _t95 + 0xd3; // 0x1d3
        						_t125 = (_t67 & 0xffffff00) + 0x30;
        						__eflags = _t129;
        						if(__eflags != 0) {
        							while(1) {
        								asm("lock cmpxchg [0x4bbae8], ah");
        								if(__eflags == 0) {
        									goto L42;
        								}
        								asm("pause");
        								__eflags =  *0x4bb989;
        								if(__eflags != 0) {
        									continue;
        								} else {
        									Sleep(0);
        									asm("lock cmpxchg [0x4bbae8], ah");
        									if(__eflags != 0) {
        										Sleep(0xa);
        										continue;
        									}
        								}
        								goto L42;
        							}
        						}
        						L42:
        						_t68 = _t125 - 0xb30; // -2445
        						_t141 = _t68;
        						_t142 = _t141 >> 0xd;
        						_t131 = _t141 >> 8;
        						_t104 = 0xffffffff << _t131 &  *(0x4bbaf8 + _t142 * 4);
        						__eflags = 0xffffffff;
        						if(0xffffffff == 0) {
        							_t132 = _t142;
        							__eflags = 0xfffffffe << _t132 &  *0x4bbaf4;
        							if((0xfffffffe << _t132 &  *0x4bbaf4) == 0) {
        								_t133 =  *0x4bbaf0; // 0x0
        								_t134 = _t133 - _t125;
        								__eflags = _t134;
        								if(_t134 < 0) {
        									_t109 = E00403BCC(_t125);
        								} else {
        									_t110 =  *0x4bbaec; // 0x2232e50
        									_t109 = _t110 - _t125;
        									 *0x4bbaec = _t109;
        									 *0x4bbaf0 = _t134;
        									 *(_t109 - 4) = _t125 | 0x00000002;
        								}
        								 *0x4bbae8 = 0;
        								return _t109;
        							} else {
        								asm("bsf edx, eax");
        								asm("bsf ecx, eax");
        								_t135 = _t132 | _t142 << 0x00000005;
        								goto L50;
        							}
        						} else {
        							asm("bsf eax, eax");
        							_t135 = _t131 & 0xffffffe0 | _t104;
        							L50:
        							_push(_t152);
        							_push(_t145);
        							_t148 = 0x4bbb78 + _t135 * 8;
        							_t159 =  *((intOrPtr*)(_t148 + 4));
        							_t114 =  *((intOrPtr*)(_t159 + 4));
        							 *((intOrPtr*)(_t148 + 4)) = _t114;
        							 *_t114 = _t148;
        							__eflags = _t148 - _t114;
        							if(_t148 == _t114) {
        								asm("rol eax, cl");
        								_t80 = 0x4bbaf8 + _t142 * 4;
        								 *_t80 =  *(0x4bbaf8 + _t142 * 4) & 0xfffffffe;
        								__eflags =  *_t80;
        								if( *_t80 == 0) {
        									asm("btr [0x4bbaf4], edx");
        								}
        							}
        							_t150 = 0xfffffff0 &  *(_t159 - 4);
        							_t144 = 0xfffffff0 - _t125;
        							__eflags = 0xfffffff0;
        							if(0xfffffff0 == 0) {
        								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
        								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
        								__eflags =  *_t89;
        							} else {
        								_t116 = _t125 + _t159;
        								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
        								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
        								__eflags = 0xfffffff0 - 0xb30;
        								if(0xfffffff0 >= 0xb30) {
        									E00403B00(_t116, 0xfffffffffffffff3, _t144);
        								}
        							}
        							_t93 = _t125 + 2; // 0x1a5
        							 *(_t159 - 4) = _t93;
        							 *0x4bbae8 = 0;
        							return _t159;
        						}
        					}
        				} else {
        					__eflags = __cl;
        					_t6 = __edx + 0x4bb990; // 0xc8c8c8c8
        					__eax =  *_t6 & 0x000000ff;
        					__ebx = 0x4b7080 + ( *_t6 & 0x000000ff) * 8;
        					if(__eflags != 0) {
        						while(1) {
        							__eax = 0x100;
        							asm("lock cmpxchg [ebx], ah");
        							if(__eflags == 0) {
        								goto L5;
        							}
        							__ebx = __ebx + 0x20;
        							__eflags = __ebx;
        							__eax = 0x100;
        							asm("lock cmpxchg [ebx], ah");
        							if(__ebx != 0) {
        								__ebx = __ebx + 0x20;
        								__eflags = __ebx;
        								__eax = 0x100;
        								asm("lock cmpxchg [ebx], ah");
        								if(__ebx != 0) {
        									__ebx = __ebx - 0x40;
        									asm("pause");
        									__eflags =  *0x4bb989;
        									if(__eflags != 0) {
        										continue;
        									} else {
        										Sleep(0);
        										__eax = 0x100;
        										asm("lock cmpxchg [ebx], ah");
        										if(__eflags != 0) {
        											Sleep(0xa);
        											continue;
        										}
        									}
        								}
        							}
        							goto L5;
        						}
        					}
        					L5:
        					__edx =  *(__ebx + 8);
        					__eax =  *(__edx + 0x10);
        					__ecx = 0xfffffff8;
        					__eflags = __edx - __ebx;
        					if(__edx == __ebx) {
        						__edx =  *(__ebx + 0x18);
        						__ecx =  *(__ebx + 2) & 0x0000ffff;
        						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
        						__eflags = __eax -  *(__ebx + 0x14);
        						if(__eax >  *(__ebx + 0x14)) {
        							_push(__esi);
        							_push(__edi);
        							__eflags =  *0x4bb059;
        							if(__eflags != 0) {
        								while(1) {
        									__eax = 0x100;
        									asm("lock cmpxchg [0x4bbae8], ah");
        									if(__eflags == 0) {
        										goto L22;
        									}
        									asm("pause");
        									__eflags =  *0x4bb989;
        									if(__eflags != 0) {
        										continue;
        									} else {
        										Sleep(0);
        										__eax = 0x100;
        										asm("lock cmpxchg [0x4bbae8], ah");
        										if(__eflags != 0) {
        											Sleep(0xa);
        											continue;
        										}
        									}
        									goto L22;
        								}
        							}
        							L22:
        							 *(__ebx + 1) =  *(__ebx + 1) &  *0x4bbaf4;
        							__eflags =  *(__ebx + 1) &  *0x4bbaf4;
        							if(( *(__ebx + 1) &  *0x4bbaf4) == 0) {
        								__ecx =  *(__ebx + 4) & 0x0000ffff;
        								__edi =  *0x4bbaf0; // 0x0
        								__eflags = __edi - ( *(__ebx + 4) & 0x0000ffff);
        								if(__edi < ( *(__ebx + 4) & 0x0000ffff)) {
        									__eax =  *(__ebx + 6) & 0x0000ffff;
        									__edi = __eax;
        									__eax = E00403BCC(__eax);
        									__esi = __eax;
        									__eflags = __eax;
        									if(__eax != 0) {
        										goto L35;
        									} else {
        										 *0x4bbae8 = __al;
        										 *__ebx = __al;
        										_pop(__edi);
        										_pop(__esi);
        										_pop(__ebx);
        										return __eax;
        									}
        								} else {
        									__esi =  *0x4bbaec; // 0x2232e50
        									__ecx =  *(__ebx + 6) & 0x0000ffff;
        									__edx = __ecx + 0xb30;
        									__eflags = __edi - __ecx + 0xb30;
        									if(__edi >= __ecx + 0xb30) {
        										__edi = __ecx;
        									}
        									__esi = __esi - __edi;
        									 *0x4bbaf0 =  *0x4bbaf0 - __edi;
        									 *0x4bbaec = __esi;
        									goto L35;
        								}
        							} else {
        								asm("bsf eax, esi");
        								__esi = __eax * 8;
        								__ecx =  *(0x4bbaf8 + __eax * 4);
        								asm("bsf ecx, ecx");
        								__ecx =  *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4;
        								__edi = 0x4bbb78 + ( *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4) * 8;
        								__esi =  *(__edi + 4);
        								__edx =  *(__esi + 4);
        								 *(__edi + 4) = __edx;
        								 *__edx = __edi;
        								__eflags = __edi - __edx;
        								if(__edi == __edx) {
        									__edx = 0xfffffffe;
        									asm("rol edx, cl");
        									_t38 = 0x4bbaf8 + __eax * 4;
        									 *_t38 =  *(0x4bbaf8 + __eax * 4) & 0xfffffffe;
        									__eflags =  *_t38;
        									if( *_t38 == 0) {
        										asm("btr [0x4bbaf4], eax");
        									}
        								}
        								__edi = 0xfffffff0;
        								__edi = 0xfffffff0 &  *(__esi - 4);
        								__eflags = 0xfffffff0 - 0x10a60;
        								if(0xfffffff0 < 0x10a60) {
        									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
        									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
        									__eflags =  *_t52;
        								} else {
        									__edx = __edi;
        									__edi =  *(__ebx + 6) & 0x0000ffff;
        									__edx = __edx - __edi;
        									__eax = __edi + __esi;
        									__ecx = __edx + 3;
        									 *(__eax - 4) = __ecx;
        									 *(__edx + __eax - 8) = __edx;
        									__eax = E00403B00(__eax, __ecx, __edx);
        								}
        								L35:
        								_t56 = __edi + 6; // 0x6
        								__ecx = _t56;
        								 *(__esi - 4) = _t56;
        								__eax = 0;
        								 *0x4bbae8 = __al;
        								 *__esi = __ebx;
        								 *((intOrPtr*)(__esi + 0x10)) = 0;
        								 *((intOrPtr*)(__esi + 0x14)) = 1;
        								 *(__ebx + 0x18) = __esi;
        								_t61 = __esi + 0x20; // 0x2232e70
        								__eax = _t61;
        								__ecx =  *(__ebx + 2) & 0x0000ffff;
        								__edx = __ecx + __eax;
        								 *(__ebx + 0x10) = __ecx + __eax;
        								__edi = __edi + __esi;
        								__edi = __edi - __ecx;
        								__eflags = __edi;
        								 *(__ebx + 0x14) = __edi;
        								 *__ebx = 0;
        								 *(__eax - 4) = __esi;
        								_pop(__edi);
        								_pop(__esi);
        								_pop(__ebx);
        								return __eax;
        							}
        						} else {
        							_t19 = __edx + 0x14;
        							 *_t19 =  *(__edx + 0x14) + 1;
        							__eflags =  *_t19;
        							 *(__ebx + 0x10) = __ecx;
        							 *__ebx = 0;
        							 *(__eax - 4) = __edx;
        							_pop(__ebx);
        							return __eax;
        						}
        					} else {
        						 *(__edx + 0x14) =  *(__edx + 0x14) + 1;
        						__ecx = 0xfffffff8 &  *(__eax - 4);
        						__eflags = 0xfffffff8;
        						 *(__edx + 0x10) = 0xfffffff8 &  *(__eax - 4);
        						 *(__eax - 4) = __edx;
        						if(0xfffffff8 == 0) {
        							__ecx =  *(__edx + 8);
        							 *(__ecx + 0xc) = __ebx;
        							 *(__ebx + 8) = __ecx;
        							 *__ebx = 0;
        							_pop(__ebx);
        							return __eax;
        						} else {
        							 *__ebx = 0;
        							_pop(__ebx);
        							return __eax;
        						}
        					}
        				}
        			}

        APIs
        • Sleep.KERNEL32(00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403F9F
        • Sleep.KERNEL32(0000000A,00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FB5
        • Sleep.KERNEL32(00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FE3
        • Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FF9
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: Sleep
        • String ID:
        • API String ID: 3472027048-0
        • Opcode ID: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
        • Instruction ID: d98b69cfe0522def9def3360e9182a2a8bb24ce33fa39324cc86f3a67812f259
        • Opcode Fuzzy Hash: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
        • Instruction Fuzzy Hash: 99C123B2A002018BCB15CF69EC84356BFE4EB89311F1882BFE514AB3D5D7B89941C7D8
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 75%
        			E004B60E8(void* __ebx, void* __edi, void* __esi, void* __fp0) {
        				intOrPtr _t26;
        				intOrPtr _t31;
        				intOrPtr _t37;
        				intOrPtr _t38;
        				intOrPtr _t44;
        				intOrPtr _t47;
        				intOrPtr _t51;
        				intOrPtr _t55;
        				intOrPtr _t56;
        				intOrPtr _t59;
        				intOrPtr _t61;
        				WCHAR* _t63;
        				intOrPtr _t69;
        				intOrPtr _t74;
        				int _t75;
        				intOrPtr _t76;
        				intOrPtr _t78;
        				struct HWND__* _t81;
        				intOrPtr _t82;
        				intOrPtr _t86;
        				void* _t90;
        				intOrPtr _t93;
        				intOrPtr _t99;
        				intOrPtr _t101;
        				intOrPtr _t107;
        				intOrPtr _t114;
        				intOrPtr _t115;
        				intOrPtr _t116;
        				intOrPtr _t117;
        				void* _t120;
        				intOrPtr _t121;
        
        				_t119 = __esi;
        				_t118 = __edi;
        				_t85 = __ebx;
        				_pop(_t101);
        				_pop(_t88);
        				 *[fs:eax] = _t101;
        				E004AF678(_t88);
        				if( *0x4ba440 == 0) {
        					if(( *0x4c1d71 & 0x00000001) == 0 &&  *0x4ba441 == 0) {
        						_t61 =  *0x4ba674; // 0x4c0d0c
        						_t4 = _t61 + 0x2f8; // 0x0
        						_t63 = E004084EC( *_t4);
        						_t88 = _t120 - 0x28;
        						_t101 =  *0x4c1c48; // 0x0
        						E00426F08(0xc2, _t120 - 0x28, _t101);
        						if(MessageBoxW(0, E004084EC( *((intOrPtr*)(_t120 - 0x28))), _t63, 0x24) != 6) {
        							 *0x4ba44c = 2;
        							E0041F238();
        						}
        					}
        					E004056D0();
        					E004AEFE8(_t120 - 0x2c, _t85, _t101, _t118, _t119);
        					E00407E00(0x4c1d94,  *((intOrPtr*)(_t120 - 0x2c)));
        					_t26 =  *0x4c1d84; // 0x0
        					E00422954(_t26, _t88, _t120 - 0x34);
        					E004226C8( *((intOrPtr*)(_t120 - 0x34)), _t85, _t120 - 0x30, L".tmp", _t118, _t119);
        					_push( *((intOrPtr*)(_t120 - 0x30)));
        					_t31 =  *0x4c1d94; // 0x0
        					E00422660(_t31, _t120 - 0x38);
        					_pop(_t90);
        					E0040873C(0x4c1d98, _t90,  *((intOrPtr*)(_t120 - 0x38)));
        					_t107 =  *0x4c1d98; // 0x0
        					E00407E00(0x4c1d9c, _t107);
        					_t37 =  *0x4c1d90; // 0x4ca924
        					_t15 = _t37 + 0x14; // 0x5100a5
        					_t38 =  *0x4c1d88; // 0x22438d0
        					E00423CE8(_t38,  *_t15);
        					_push(_t120);
        					_push(0x4b63ab);
        					_push( *[fs:edx]);
        					 *[fs:edx] = _t121;
        					 *0x4c1de0 = 0;
        					 *0x4c1d8c = E00423D00(1, 0, 1, 0);
        					_push(_t120);
        					_push(0x4b639a);
        					_push( *[fs:eax]);
        					 *[fs:eax] = _t121;
        					_t44 =  *0x4c1d90; // 0x4ca924
        					_t16 = _t44 + 0x18; // 0x2dfe00
        					 *0x4c1de0 = E004053F0( *_t16);
        					_t47 =  *0x4c1d90; // 0x4ca924
        					_t17 = _t47 + 0x18; // 0x2dfe00
        					_t86 =  *0x4c1de0; // 0x0
        					E00405884(_t86,  *_t17);
        					_push(_t120);
        					_push(0x4b62e9);
        					_push( *[fs:eax]);
        					 *[fs:eax] = _t121;
        					_t51 =  *0x424cd8; // 0x424d30
        					_t93 =  *0x4c1d88; // 0x22438d0
        					 *0x4c1de4 = E00424748(_t93, 1, _t51);
        					_push(_t120);
        					_push(0x4b62d8);
        					_push( *[fs:eax]);
        					 *[fs:eax] = _t121;
        					_t55 =  *0x4c1d90; // 0x4ca924
        					_t18 = _t55 + 0x18; // 0x2dfe00
        					_t56 =  *0x4c1de4; // 0x0
        					E00424A24(_t56,  *_t18, _t86);
        					_pop(_t114);
        					 *[fs:eax] = _t114;
        					_push(E004B62DF);
        					_t59 =  *0x4c1de4; // 0x0
        					return E00405CE8(_t59);
        				} else {
        					_t69 =  *0x4ba674; // 0x4c0d0c
        					_t1 = _t69 + 0x1d0; // 0x0
        					E004AFA44( *_t1, __ebx, __edi, __esi);
        					 *0x4ba44c = 0;
        					_pop(_t115);
        					 *[fs:eax] = _t115;
        					_push(E004B6554);
        					_t74 =  *0x4c1d88; // 0x22438d0
        					_t75 = E00405CE8(_t74);
        					if( *0x4c1d9c != 0) {
        						_t117 =  *0x4c1d9c; // 0x0
        						_t75 = E004AF1B4(0, _t117, 0xfa, 0x32);
        					}
        					if( *0x4c1d94 != 0) {
        						_t82 =  *0x4c1d94; // 0x0
        						_t75 = RemoveDirectoryW(E004084EC(_t82));
        					}
        					if( *0x4ba450 != 0) {
        						_t81 =  *0x4ba450; // 0x0
        						_t75 = DestroyWindow(_t81);
        					}
        					if( *0x4c1d78 != 0) {
        						_t76 =  *0x4c1d78; // 0x0
        						_t99 =  *0x4c1d7c; // 0x0
        						_t116 =  *0x426bb0; // 0x426bb4
        						E00408D08(_t76, _t99, _t116);
        						_t78 =  *0x4c1d78; // 0x0
        						E0040540C(_t78);
        						 *0x4c1d78 = 0;
        						return 0;
        					}
        					return _t75;
        				}
        			}

        APIs
        • MessageBoxW.USER32(00000000,00000000,00000000,00000024), ref: 004B6179
          • Part of subcall function 004AFA44: MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE
        • RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
        • DestroyWindow.USER32(00000000,004B6554), ref: 004B6514
          • Part of subcall function 004AF1B4: Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
          • Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
          • Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: ErrorLastMessage$DestroyDirectoryRemoveSleepWindow
        • String ID: .tmp$0MB
        • API String ID: 3858953238-176122739
        • Opcode ID: 301e16f47666b727b4d85adc4dd2dde41dfd151105f37d762b4374fa6a6ed9b3
        • Instruction ID: b159488041d1577a8b45ed1a1d18f26c00613076fc9a683522f38ff229f2206a
        • Opcode Fuzzy Hash: 301e16f47666b727b4d85adc4dd2dde41dfd151105f37d762b4374fa6a6ed9b3
        • Instruction Fuzzy Hash: AC615A342002009FD755EF69ED86EAA37A5EB4A308F51453AF801976B2DA3CBC51CB6D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 34%
        			E004AFA44(void* __eax, void* __ebx, void* __edi, void* __esi) {
        				char _v8;
        				char _v12;
        				void* _t24;
        				intOrPtr _t28;
        				void* _t31;
        				void* _t32;
        				intOrPtr _t35;
        
        				_t32 = __esi;
        				_t31 = __edi;
        				_push(0);
        				_push(0);
        				_t24 = __eax;
        				_push(_t35);
        				_push(0x4aface);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t35;
        				if(( *0x4c1d61 & 0x00000001) == 0) {
        					E00407A20( &_v8);
        				} else {
        					E00407E48( &_v8, L"/ALLUSERS\r\nInstructs Setup to install in administrative install mode.\r\n/CURRENTUSER\r\nInstructs Setup to install in non administrative install mode.\r\n");
        				}
        				_push(L"The Setup program accepts optional command line parameters.\r\n\r\n/HELP, /?\r\nShows this information.\r\n/SP-\r\nDisables the This will install... Do you wish to continue? prompt at the beginning of Setup.\r\n/SILENT, /VERYSILENT\r\nInstructs Setup to be silent or very silent.\r\n/SUPPRESSMSGBOXES\r\nInstructs Setup to suppress message boxes.\r\n/LOG\r\nCauses Setup to create a log file in the user\'s TEMP directory.\r\n/LOG=\"filename\"\r\nSame as /LOG, except it allows you to specify a fixed path/filename to use for the log file.\r\n/NOCANCEL\r\nPrevents the user from cancelling during the installation process.\r\n/NORESTART\r\nPrevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requests a restart.\r\n/RESTARTEXITCODE=exit code\r\nSpecifies a custom exit code that Setup is to return when the system needs to be restarted.\r\n/CLOSEAPPLICATIONS\r\nInstructs Setup to close applications using files that need to be updated.\r\n/NOCLOSEAPPLICATIONS\r\nPrevents Setup from closing applications using files that need to be updated.\r\n/FORCECLOSEAPPLICATIONS\r\nInstructs Setup to force close when closing applications.\r\n/FORCENOCLOSEAPPLICATIONS\r\nPrevents Setup from force closing when closing applications.\r\n/LOGCLOSEAPPLICATIONS\r\nInstructs Setup to create extra logging when closing applications for debugging purposes.\r\n/RESTARTAPPLICATIONS\r\nInstructs Setup to restart applications.\r\n/NORESTARTAPPLICATIONS\r\nPrevents Setup from restarting applications.\r\n/LOADINF=\"filename\"\r\nInstructs Setup to load the settings from the specified file after having checked the command line.\r\n/SAVEINF=\"filename\"\r\nInstructs Setup to save installation settings to the specified file.\r\n/LANG=language\r\nSpecifies the internal name of the language to use.\r\n/DIR=\"x:\\dirname\"\r\nOverrides the default directory name.\r\n/GROUP=\"folder name\"\r\nOverrides the default folder name.\r\n/NOICONS\r\nInstructs Setup to initially check the Don\'t create a Start Menu folder check box.\r\n/TYPE=type name\r\nOverrides the default setup type.\r\n/COMPONENTS=\"comma separated list of component names\"\r\nOverrides the default component settings.\r\n/TASKS=\"comma separated list of task names\"\r\nSpecifies a list of tasks that should be initially selected.\r\n/MERGETASKS=\"comma separated list of task names\"\r\nLike the /TASKS parameter, except the specified tasks will be merged with the set of tasks that would have otherwise been selected by default.\r\n/PASSWORD=password\r\nSpecifies the password to use.\r\n");
        				_push(_v8);
        				_push(_t24);
        				_push(0x4b0f94);
        				_push(L"For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline");
        				E004087C4( &_v12, _t24, 5, _t31, _t32);
        				MessageBoxW(0, E004084EC(_v12), L"Setup", 0x10);
        				_pop(_t28);
        				 *[fs:eax] = _t28;
        				_push(E004AFAD5);
        				return E00407A80( &_v12, 2);
        			}

        APIs
        • MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE
        Strings
        • /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat, xrefs: 004AFA68
        • Setup, xrefs: 004AFA9E
        • For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline, xrefs: 004AFA8A
        • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in, xrefs: 004AFA7C
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: Message
        • String ID: /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat$For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline$Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in
        • API String ID: 2030045667-3391638011
        • Opcode ID: 19aabbd57dabec6cee2d168a692b8da5fbf684a47e321c3871ba092039eb267d
        • Instruction ID: 307a18092975e57fce7d36cb0845ad1ef4e0a75d88e156d2955b45763d379f25
        • Opcode Fuzzy Hash: 19aabbd57dabec6cee2d168a692b8da5fbf684a47e321c3871ba092039eb267d
        • Instruction Fuzzy Hash: D701A230748308BBE711E7D1CD52FDEB6A8D74AB04FA0047BB904B25D1D6BC6A09852D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 69%
        			E0042F9B8(signed short* __eax, signed int __ecx, signed short* __edx, void* __edi, void* __fp0) {
        				signed int _v8;
        				signed char _v9;
        				signed int _v12;
        				signed int _v14;
        				void* _v20;
        				void* _v24;
        				signed short* _v28;
        				signed short* _v32;
        				signed int _v48;
        				void* __ebx;
        				void* __ebp;
        				signed int _t150;
        				signed int _t272;
        				intOrPtr _t328;
        				intOrPtr _t331;
        				intOrPtr _t339;
        				intOrPtr _t347;
        				intOrPtr _t355;
        				void* _t360;
        				void* _t362;
        				intOrPtr _t363;
        
        				_t367 = __fp0;
        				_t358 = __edi;
        				_t360 = _t362;
        				_t363 = _t362 + 0xffffffd4;
        				_v8 = __ecx;
        				_v32 = __edx;
        				_v28 = __eax;
        				_v9 = 1;
        				_t272 =  *_v28 & 0x0000ffff;
        				if((_t272 & 0x00000fff) >= 0x10f) {
        					_t150 =  *_v32 & 0x0000ffff;
        					if(_t150 != 0) {
        						if(_t150 != 1) {
        							if(E00430860(_t272,  &_v20) != 0) {
        								_push( &_v14);
        								_t273 =  *_v20;
        								if( *((intOrPtr*)( *_v20 + 8))() == 0) {
        									_t275 =  *_v32 & 0x0000ffff;
        									if(( *_v32 & 0xfff) >= 0x10f) {
        										if(E00430860(_t275,  &_v24) != 0) {
        											_push( &_v12);
        											_t276 =  *_v24;
        											if( *((intOrPtr*)( *_v24 + 4))() == 0) {
        												E00428BF0(0xb);
        												goto L41;
        											} else {
        												if(( *_v28 & 0x0000ffff) == _v12) {
        													_t143 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
        													_v9 =  *(0x4b93d2 + _v8 * 2 + _t143) & 0x000000ff;
        													goto L41;
        												} else {
        													_push( &_v48);
        													L00427244();
        													_push(_t360);
        													_push(0x42fdb0);
        													_push( *[fs:eax]);
        													 *[fs:eax] = _t363;
        													_t289 = _v12 & 0x0000ffff;
        													E004299A4( &_v48, _t276, _v12 & 0x0000ffff, _v28, __edi, __fp0);
        													if((_v48 & 0x0000ffff) != _v12) {
        														E00428AF8(_t289);
        													}
        													_t131 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
        													_v9 =  *(0x4b93d2 + _v8 * 2 + _t131) & 0x000000ff;
        													_pop(_t328);
        													 *[fs:eax] = _t328;
        													_push(0x42fde5);
        													return E00429278( &_v48);
        												}
        											}
        										} else {
        											E00428BF0(0xb);
        											goto L41;
        										}
        									} else {
        										_push( &_v48);
        										L00427244();
        										_push(_t360);
        										_push(0x42fcf7);
        										_push( *[fs:eax]);
        										 *[fs:eax] = _t363;
        										_t294 =  *_v32 & 0x0000ffff;
        										E004299A4( &_v48, _t275,  *_v32 & 0x0000ffff, _v28, __edi, __fp0);
        										if(( *_v32 & 0x0000ffff) != _v48) {
        											E00428AF8(_t294);
        										}
        										_v9 = E0042F7D0( &_v48, _v8, _v32, _t358, _t360, _t367);
        										_pop(_t331);
        										 *[fs:eax] = _t331;
        										_push(0x42fde5);
        										return E00429278( &_v48);
        									}
        								} else {
        									if(( *_v32 & 0x0000ffff) == _v14) {
        										_t95 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
        										_v9 =  *(0x4b93d2 + _v8 * 2 + _t95) & 0x000000ff;
        										goto L41;
        									} else {
        										_push( &_v48);
        										L00427244();
        										_push(_t360);
        										_push(0x42fc52);
        										_push( *[fs:eax]);
        										 *[fs:eax] = _t363;
        										_t299 = _v14 & 0x0000ffff;
        										E004299A4( &_v48, _t273, _v14 & 0x0000ffff, _v32, __edi, __fp0);
        										if((_v48 & 0x0000ffff) != _v14) {
        											E00428AF8(_t299);
        										}
        										_t83 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
        										_v9 =  *(0x4b93d2 + _v8 * 2 + _t83) & 0x000000ff;
        										_pop(_t339);
        										 *[fs:eax] = _t339;
        										_push(0x42fde5);
        										return E00429278( &_v48);
        									}
        								}
        							} else {
        								E00428BF0(__ecx);
        								goto L41;
        							}
        						} else {
        							_v9 = E0042F550(_v8, 2);
        							goto L41;
        						}
        					} else {
        						_v9 = E0042F53C(0, 1);
        						goto L41;
        					}
        				} else {
        					if(_t272 != 0) {
        						if(_t272 != 1) {
        							if(E00430860( *_v32 & 0x0000ffff,  &_v24) != 0) {
        								_push( &_v12);
        								_t282 =  *_v24;
        								if( *((intOrPtr*)( *_v24 + 4))() == 0) {
        									_push( &_v48);
        									L00427244();
        									_push(_t360);
        									_push(0x42fb63);
        									_push( *[fs:eax]);
        									 *[fs:eax] = _t363;
        									_t306 =  *_v28 & 0x0000ffff;
        									E004299A4( &_v48, _t282,  *_v28 & 0x0000ffff, _v32, __edi, __fp0);
        									if((_v48 & 0xfff) !=  *_v28) {
        										E00428AF8(_t306);
        									}
        									_v9 = E0042F7D0(_v28, _v8,  &_v48, _t358, _t360, _t367);
        									_pop(_t347);
        									 *[fs:eax] = _t347;
        									_push(0x42fde5);
        									return E00429278( &_v48);
        								} else {
        									if(( *_v28 & 0x0000ffff) == _v12) {
        										_t44 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
        										_v9 =  *(0x4b93d2 + _v8 * 2 + _t44) & 0x000000ff;
        										goto L41;
        									} else {
        										_push( &_v48);
        										L00427244();
        										_push(_t360);
        										_push(0x42facc);
        										_push( *[fs:eax]);
        										 *[fs:eax] = _t363;
        										_t311 = _v12 & 0x0000ffff;
        										E004299A4( &_v48, _t282, _v12 & 0x0000ffff, _v28, __edi, __fp0);
        										if((_v48 & 0xfff) != _v12) {
        											E00428AF8(_t311);
        										}
        										_t32 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
        										_v9 =  *(0x4b93d2 + _v8 * 2 + _t32) & 0x000000ff;
        										_pop(_t355);
        										 *[fs:eax] = _t355;
        										_push(0x42fde5);
        										return E00429278( &_v48);
        									}
        								}
        							} else {
        								E00428BF0(__ecx);
        								goto L41;
        							}
        						} else {
        							_v9 = E0042F550(_v8, 0);
        							goto L41;
        						}
        					} else {
        						_v9 = E0042F53C(1, 0);
        						L41:
        						return _v9 & 0x000000ff;
        					}
        				}
        			}

        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
        • Instruction ID: 1b6310f250808118d38827de8a535e3b6e70e535f73b2508e71121fbf0c58563
        • Opcode Fuzzy Hash: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
        • Instruction Fuzzy Hash: 41D19D75E0011A9FCB00EFA9D4919FEB7B5EF48300BD080B6E801A7245D638AD4ADB69
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 75%
        			E0041C790(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
        				char _v8;
        				short _v18;
        				short _v22;
        				struct _SYSTEMTIME _v24;
        				short _v536;
        				short* _t32;
        				intOrPtr* _t47;
        				intOrPtr _t56;
        				void* _t61;
        				intOrPtr _t63;
        				void* _t67;
        
        				_v8 = 0;
        				_t47 = __edx;
        				_t61 = __eax;
        				_push(_t67);
        				_push(0x41c873);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t67 + 0xfffffdec;
        				E00407A20(__edx);
        				_v24 =  *(_a4 - 2) & 0x0000ffff;
        				_v22 =  *(_a4 - 4) & 0x0000ffff;
        				_v18 =  *(_a4 - 6) & 0x0000ffff;
        				if(_t61 > 2) {
        					E00407E48( &_v8, L"yyyy");
        				} else {
        					E00407E48( &_v8, 0x41c88c);
        				}
        				_t32 = E004084EC(_v8);
        				if(GetDateFormatW(GetThreadLocale(), 4,  &_v24, _t32,  &_v536, 0x200) != 0) {
        					E0040858C(_t47, 0x100,  &_v536);
        					if(_t61 == 1 &&  *((short*)( *_t47)) == 0x30) {
        						_t63 =  *_t47;
        						if(_t63 != 0) {
        							_t63 =  *((intOrPtr*)(_t63 - 4));
        						}
        						E004088AC( *_t47, _t63 - 1, 2, _t47);
        					}
        				}
        				_pop(_t56);
        				 *[fs:eax] = _t56;
        				_push(0x41c87a);
        				return E00407A20( &_v8);
        			}

        APIs
        • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C816
        • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C81C
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: DateFormatLocaleThread
        • String ID: $yyyy
        • API String ID: 3303714858-404527807
        • Opcode ID: 9b84cafd13c5b3a76178dd7a5deb0e6d63fe676c73d736d950a9ec0585647aa0
        • Instruction ID: d4c72dfe3e93bc103dd676e1b73ac12d517b544291048ec360f079cc1ca068dc
        • Opcode Fuzzy Hash: 9b84cafd13c5b3a76178dd7a5deb0e6d63fe676c73d736d950a9ec0585647aa0
        • Instruction Fuzzy Hash: 9A215335A442189BDB11EF95CDC1AAEB3B8EF08701F5144BBFC45E7281D7789E4087AA
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 85%
        			E0041EEFC(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* _a4) {
        				intOrPtr _v8;
        				intOrPtr _v12;
        				char _v534;
        				short _v1056;
        				short _v1568;
        				struct _MEMORY_BASIC_INFORMATION _v1596;
        				char _v1600;
        				intOrPtr _v1604;
        				char _v1608;
        				intOrPtr _v1612;
        				char _v1616;
        				intOrPtr _v1620;
        				char _v1624;
        				char* _v1628;
        				char _v1632;
        				char _v1636;
        				char _v1640;
        				intOrPtr _t55;
        				signed int _t76;
        				void* _t82;
        				intOrPtr _t83;
        				intOrPtr _t95;
        				intOrPtr _t98;
        				intOrPtr _t100;
        				intOrPtr* _t102;
        				void* _t105;
        
        				_v1640 = 0;
        				_v8 = __ecx;
        				_t82 = __edx;
        				_t102 = __eax;
        				_push(_t105);
        				_push(0x41f0a8);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t105 + 0xfffff99c;
        				VirtualQuery(__edx,  &_v1596, 0x1c);
        				if(_v1596.State != 0x1000 || GetModuleFileNameW(_v1596.AllocationBase,  &_v1056, 0x105) == 0) {
        					GetModuleFileNameW( *0x4be634,  &_v1056, 0x105);
        					_v12 = E0041EEF0(_t82);
        				} else {
        					_v12 = _t82 - _v1596.AllocationBase;
        				}
        				E0041A57C( &_v534, 0x104, E00420608() + 2);
        				_t83 = 0x41f0bc;
        				_t100 = 0x41f0bc;
        				_t95 =  *0x414db8; // 0x414e10
        				if(E00405F30(_t102, _t95) != 0) {
        					_t83 = E004084EC( *((intOrPtr*)(_t102 + 4)));
        					_t76 = E00407F04(_t83);
        					if(_t76 != 0 &&  *((short*)(_t83 + _t76 * 2 - 2)) != 0x2e) {
        						_t100 = 0x41f0c0;
        					}
        				}
        				_t55 =  *0x4ba774; // 0x40e708
        				_t18 = _t55 + 4; // 0xffec
        				LoadStringW(E00409FF0( *0x4be634),  *_t18,  &_v1568, 0x100);
        				E00405BE8( *_t102,  &_v1640);
        				_v1636 = _v1640;
        				_v1632 = 0x11;
        				_v1628 =  &_v534;
        				_v1624 = 0xa;
        				_v1620 = _v12;
        				_v1616 = 5;
        				_v1612 = _t83;
        				_v1608 = 0xa;
        				_v1604 = _t100;
        				_v1600 = 0xa;
        				E0041A814(4,  &_v1636);
        				E00407F04(_v8);
        				_pop(_t98);
        				 *[fs:eax] = _t98;
        				_push(0x41f0af);
        				return E00407A20( &_v1640);
        			}

        APIs
        • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
        • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
        • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
        • LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: FileModuleName$LoadQueryStringVirtual
        • String ID:
        • API String ID: 3990497365-0
        • Opcode ID: b8be0fea34dc80bb7553a8da0885c656d5cafed23f6e23429f91232411ad397e
        • Instruction ID: 1578eb45e464442e6080653f6025888c356fcaddc808aab3f6789ba0ce71ce89
        • Opcode Fuzzy Hash: b8be0fea34dc80bb7553a8da0885c656d5cafed23f6e23429f91232411ad397e
        • Instruction Fuzzy Hash: 3E412374A002589FDB20DF59CC81BCAB7F9AB58304F4044FAE508E7242D7799E95CF59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 58%
        			E0040A6C8(signed short __eax, void* __edx) {
        				char _v8;
        				char _v12;
        				intOrPtr _v16;
        				signed int _v20;
        				short _v22;
        				short _v24;
        				char _v26;
        				char _v32;
        				void* __ebp;
        				void* _t39;
        				void* _t55;
        				void* _t59;
        				short* _t62;
        				signed short _t66;
        				void* _t67;
        				void* _t68;
        				signed short _t79;
        				void* _t81;
        
        				_t81 = __edx;
        				_t66 = __eax;
        				_v16 = 0;
        				if(__eax !=  *0x4bdc08()) {
        					_v16 = E0040A684( &_v8);
        					_t79 = _t66;
        					_v20 = 3;
        					_t62 =  &_v26;
        					do {
        						 *_t62 =  *(0xf + "0123456789ABCDEF") & 0x000000ff;
        						_t79 = (_t79 & 0x0000ffff) >> 4;
        						_v20 = _v20 - 1;
        						_t62 = _t62 - 2;
        					} while (_v20 != 0xffffffff);
        					_v24 = 0;
        					_v22 = 0;
        					 *0x4bdc04(4,  &_v32,  &_v20);
        				}
        				_t39 = E0040A684( &_v12);
        				_t67 = _t39;
        				if(_t67 != 0) {
        					_t55 = _v12 - 2;
        					if(_t55 >= 0) {
        						_t59 = _t55 + 1;
        						_v20 = 0;
        						do {
        							if( *((short*)(_t67 + _v20 * 2)) == 0) {
        								 *((short*)(_t67 + _v20 * 2)) = 0x2c;
        							}
        							_v20 = _v20 + 1;
        							_t59 = _t59 - 1;
        						} while (_t59 != 0);
        					}
        					E00408550(_t81, _t67);
        					_t39 = E0040540C(_t67);
        				}
        				if(_v16 != 0) {
        					 *0x4bdc04(0, 0,  &_v20);
        					_t68 = E0040A684( &_v12);
        					if(_v8 != _v12 || E0040A660(_v16, _v12, _t68) != 0) {
        						 *0x4bdc04(8, _v16,  &_v20);
        					}
        					E0040540C(_t68);
        					return E0040540C(_v16);
        				}
        				return _t39;
        			}

        APIs
        • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040A6D9
        • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040A737
        • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040A794
        • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040A7C7
          • Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040A745), ref: 0040A69B
          • Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040A745), ref: 0040A6B8
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: Thread$LanguagesPreferred$Language
        • String ID:
        • API String ID: 2255706666-0
        • Opcode ID: 4c514f641868e752fd40307e4922e2f5a84495159d338bc2b006041d37f1dfb0
        • Instruction ID: 64ac70e7ec2a8712ea9b0e83aabe60772fb1db60419ab041f5eb1837937ee239
        • Opcode Fuzzy Hash: 4c514f641868e752fd40307e4922e2f5a84495159d338bc2b006041d37f1dfb0
        • Instruction Fuzzy Hash: 97317070E0021A9BDB10DFA9C884AAFB7B8EF04304F00867AE555E7291EB789E05CB55
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004AF9F0() {
        				struct HRSRC__* _t10;
        				void* _t11;
        				void* _t12;
        
        				_t10 = FindResourceW(0, 0x2b67, 0xa);
        				if(_t10 == 0) {
        					E004AF834();
        				}
        				if(SizeofResource(0, _t10) != 0x2c) {
        					E004AF834();
        				}
        				_t11 = LoadResource(0, _t10);
        				if(_t11 == 0) {
        					E004AF834();
        				}
        				_t12 = LockResource(_t11);
        				if(_t12 == 0) {
        					E004AF834();
        				}
        				return _t12;
        			}

        APIs
        • FindResourceW.KERNEL32(00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E,?,00000000,004B65E2), ref: 004AF9FA
        • SizeofResource.KERNEL32(00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E), ref: 004AFA0D
        • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000), ref: 004AFA1F
        • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002), ref: 004AFA30
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: Resource$FindLoadLockSizeof
        • String ID:
        • API String ID: 3473537107-0
        • Opcode ID: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
        • Instruction ID: 8c15b2061d88d30e204a2d131290402b8da5209396f43898e5d703764eea749b
        • Opcode Fuzzy Hash: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
        • Instruction Fuzzy Hash: FCE07E8074634625FA6436F718D7BAE00084B36B4DF40593FFA08A92D2EEAC8C19522E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 73%
        			E004AEFE8(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
        				char _v8;
        				char _v12;
        				char* _v16;
        				char _v20;
        				intOrPtr _v24;
        				char _v28;
        				char _v32;
        				char _v36;
        				char _v40;
        				intOrPtr _t63;
        				void* _t71;
        				void* _t73;
        				intOrPtr _t75;
        				intOrPtr _t76;
        
        				_t71 = __edi;
        				_t54 = __ebx;
        				_t75 = _t76;
        				_t55 = 4;
        				do {
        					_push(0);
        					_push(0);
        					_t55 = _t55 - 1;
        				} while (_t55 != 0);
        				_push(_t55);
        				_push(__ebx);
        				_t73 = __eax;
        				_t78 = 0;
        				_push(_t75);
        				_push(0x4af0e1);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t76;
        				while(1) {
        					E00422D70( &_v12, _t54, _t55, _t78);
        					_t55 = L".tmp";
        					E004AEEC8(0, _t54, L".tmp", _v12, _t71, _t73,  &_v8);
        					if(CreateDirectoryW(E004084EC(_v8), 0) != 0) {
        						break;
        					}
        					_t54 = GetLastError();
        					_t78 = _t54 - 0xb7;
        					if(_t54 != 0xb7) {
        						E00426F08(0x3d,  &_v32, _v8);
        						_v28 = _v32;
        						E00419E18( &_v36, _t54, 0);
        						_v24 = _v36;
        						E004232EC(_t54,  &_v40);
        						_v20 = _v40;
        						E00426ED8(0x81, 2,  &_v28,  &_v16);
        						_t55 = _v16;
        						E0041F264(_v16, 1);
        						E0040711C();
        					}
        				}
        				E00407E00(_t73, _v8);
        				__eflags = 0;
        				_pop(_t63);
        				 *[fs:eax] = _t63;
        				_push(E004AF0E8);
        				E00407A80( &_v40, 3);
        				return E00407A80( &_v16, 3);
        			}

        APIs
        • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF030
        • GetLastError.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF039
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: CreateDirectoryErrorLast
        • String ID: .tmp
        • API String ID: 1375471231-2986845003
        • Opcode ID: 6f0e3b43b341346264ac3305718c7c69d836a314285037dfad24d3529da5ded2
        • Instruction ID: 89b964d67460c442e7c67535b057b8112791baa86db9a38931a927ffd746d2a8
        • Opcode Fuzzy Hash: 6f0e3b43b341346264ac3305718c7c69d836a314285037dfad24d3529da5ded2
        • Instruction Fuzzy Hash: 3A218735A041089BDB00EBE1C842ADFB3B9EB49304F50447BF800F7381DA386E058BA9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040E450(long __eax, WCHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
        				WCHAR* _v8;
        				void* _t13;
        				struct HWND__* _t24;
        				WCHAR* _t29;
        				long _t32;
        
        				_v8 = _t29;
        				_t32 = __eax;
        				_t13 = E00405740();
        				_t24 = CreateWindowExW(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4);
        				E00405730(_t13);
        				return _t24;
        			}

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: CreateWindow
        • String ID: InnoSetupLdrWindow$STATIC
        • API String ID: 716092398-2209255943
        • Opcode ID: 4ba199ab3c1e041c72a50ebd66c3ee798d5f8225e8fee486b5eb3d70e3749009
        • Instruction ID: 770f17d29583ffea265d4876c6cd55b491c436ce5e2cc0b006eebdc9bc405b2a
        • Opcode Fuzzy Hash: 4ba199ab3c1e041c72a50ebd66c3ee798d5f8225e8fee486b5eb3d70e3749009
        • Instruction Fuzzy Hash: 73F07FB6600118AF9B84DE9EDC85E9B77ECEB4D264B05412ABA08E7201D634ED118BA4
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00420BD8() {
        				void* __ebx;
        				struct HINSTANCE__* _t1;
        				void* _t4;
        
        				_t1 = GetModuleHandleW(L"kernel32.dll");
        				_t3 = _t1;
        				if(_t1 != 0) {
        					_t1 = E0040E1A8(_t3, _t4, _t3, L"GetDiskFreeSpaceExW");
        					 *0x4b7e30 = _t1;
        				}
        				if( *0x4b7e30 == 0) {
        					 *0x4b7e30 = E0041A4DC;
        					return E0041A4DC;
        				}
        				return _t1;
        			}

        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,?,00420CB4,00000000,00420CCC,?,?,00420C69), ref: 00420BDE
          • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: GetDiskFreeSpaceExW$kernel32.dll
        • API String ID: 1646373207-1127948838
        • Opcode ID: f76785e0005e833dd4a9f921d8d2e36157eed1af70da7a881872f52b203e86d0
        • Instruction ID: d69f2d486575a746b5ffe9d6a82661523d0842203aaa5c8b8dd0cb43f1f92830
        • Opcode Fuzzy Hash: f76785e0005e833dd4a9f921d8d2e36157eed1af70da7a881872f52b203e86d0
        • Instruction Fuzzy Hash: 31D05EB03143165FE7056BB2ACC561636C6AB86304B900B7BA5046A243CBFDDC50434C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004AF1B4(long __eax, intOrPtr __edx, long _a4, long _a8) {
        				intOrPtr _v8;
        				long _t5;
        				long _t9;
        				void* _t10;
        				void* _t13;
        				void* _t15;
        				void* _t16;
        
        				_t5 = __eax;
        				_v8 = __edx;
        				_t9 = __eax;
        				_t15 = _t10 - 1;
        				if(_t15 < 0) {
        					L10:
        					return _t5;
        				}
        				_t16 = _t15 + 1;
        				_t13 = 0;
        				while(1) {
        					_t19 = _t13 - 1;
        					if(_t13 != 1) {
        						__eflags = _t13 - 1;
        						if(__eflags > 0) {
        							Sleep(_a4);
        						}
        					} else {
        						Sleep(_a8);
        					}
        					_t5 = E00427154(_t9, _v8, _t19);
        					if(_t5 != 0) {
        						goto L10;
        					}
        					_t5 = GetLastError();
        					if(_t5 == 2) {
        						goto L10;
        					}
        					_t5 = GetLastError();
        					if(_t5 == 3) {
        						goto L10;
        					}
        					_t13 = _t13 + 1;
        					_t16 = _t16 - 1;
        					if(_t16 != 0) {
        						continue;
        					}
        					goto L10;
        				}
        				goto L10;
        			}











        APIs
        • Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
        • Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1E3
        • GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
        • GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200
        Memory Dump Source
        • Source File: 00000001.00000002.246977280.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000001.00000002.246972478.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247048995.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247054824.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247058916.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000001.00000002.247062027.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_400000_download.jbxd
        Similarity
        • API ID: ErrorLastSleep
        • String ID:
        • API String ID: 1458359878-0
        • Opcode ID: 132a67e1d44d9774a6928004e5d8cee8820d44842addde93f31c36794548402b
        • Instruction ID: c6a2870ed3ca6a3ef6dac7de38143878fdab2d33d6efdb0808b7300bb595a527
        • Opcode Fuzzy Hash: 132a67e1d44d9774a6928004e5d8cee8820d44842addde93f31c36794548402b
        • Instruction Fuzzy Hash: 0CF02B37B04224A76724A5EBEC46D6FE298DEB33A8710457BFC04D7302C439CC4542A8
        Uniqueness

        Uniqueness Score: -1.00%

        Execution Graph

        Execution Coverage:2.2%
        Dynamic/Decrypted Code Coverage:0%
        Signature Coverage:0%
        Total number of Nodes:543
        Total number of Limit Nodes:23

        Control-flow Graph

        C-Code - Quality: 73%
        			E0040B044(char __eax, void* __ebx, intOrPtr* __edx, void* __eflags) {
        				char _v8;
        				short _v12;
        				void* _v16;
        				char _v20;
        				char _v24;
        				void* _t29;
        				void* _t40;
        				intOrPtr* _t44;
        				intOrPtr _t55;
        				void* _t61;
        
        				_push(__ebx);
        				_v24 = 0;
        				_v20 = 0;
        				_t44 = __edx;
        				_v8 = __eax;
        				E00407B04(_v8);
        				_push(_t61);
        				_push(0x40b104);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t61 + 0xffffffec;
        				_t21 =  &_v16;
        				L00403730();
        				GetLocaleInfoW( &_v16 & 0x0000ffff, 3, _t21, 4);
        				E0040858C( &_v20, 4,  &_v16);
        				E0040873C(_t44, _v20, _v8);
        				_t29 = E0040AEF4( *_t44, _t44); // executed
        				if(_t29 == 0) {
        					_v12 = 0;
        					E0040858C( &_v24, 4,  &_v16);
        					E0040873C(_t44, _v24, _v8);
        					_t40 = E0040AEF4( *_t44, _t44); // executed
        					if(_t40 == 0) {
        						E00407A20(_t44);
        					}
        				}
        				_pop(_t55);
        				 *[fs:eax] = _t55;
        				_push(E0040B10B);
        				E00407A80( &_v24, 2);
        				return E00407A20( &_v8);
        			}














        APIs
        • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B076
        • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B07F
          • Part of subcall function 0040AEF4: FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
          • Part of subcall function 0040AEF4: FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
        • String ID:
        • API String ID: 3216391948-0
        • Opcode ID: 044937d21d1936a91ef9b6e1a310017a9e27582e27e23f6d989339badd03c388
        • Instruction ID: a9cfc37755e84068b6e5d0711ea0537dd567252b91127d2e7da10f621904fc04
        • Opcode Fuzzy Hash: 044937d21d1936a91ef9b6e1a310017a9e27582e27e23f6d989339badd03c388
        • Instruction Fuzzy Hash: 35113674A041099BDB00EB95C9529AEB3B9EF44304F50447FA515B73C1DB785E058A6E
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 400 40aef4-40af34 call 407b04 call 4084ec FindFirstFileW 405 40af36-40af37 FindClose 400->405 406 40af3c-40af51 call 407a20 400->406 405->406
        C-Code - Quality: 46%
        			E0040AEF4(char __eax, signed int __ebx) {
        				char _v8;
        				struct _WIN32_FIND_DATAW _v600;
        				void* _t15;
        				intOrPtr _t24;
        				void* _t27;
        
        				_push(__ebx);
        				_v8 = __eax;
        				E00407B04(_v8);
        				_push(_t27);
        				_push(0x40af52);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t27 + 0xfffffdac;
        				_t15 = FindFirstFileW(E004084EC(_v8),  &_v600); // executed
        				if((__ebx & 0xffffff00 | _t15 != 0xffffffff) != 0) {
        					FindClose(_t15);
        				}
        				_pop(_t24);
        				 *[fs:eax] = _t24;
        				_push(E0040AF59);
        				return E00407A20( &_v8);
        			}









        APIs
        • FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
        • FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: Find$CloseFileFirst
        • String ID:
        • API String ID: 2295610775-0
        • Opcode ID: bba38ffe097e2c5d51b68bca4dd41d34791c3125f335f0c7ddbac3aaaf9dd96f
        • Instruction ID: b27eefbf95a445daf5872925c41aeb1c7ded3ce7930a436f9b8cfd192dc84724
        • Opcode Fuzzy Hash: bba38ffe097e2c5d51b68bca4dd41d34791c3125f335f0c7ddbac3aaaf9dd96f
        • Instruction Fuzzy Hash: 5FF0B471518209BFC710FB75CD4294EB7ACEB043147A005B6B504F32C1E638AF149519
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 73%
        			E004B5114(void* __ebx, void* __edx, void* __edi, void* __esi) {
        				char _v8;
        				char _v12;
        				char _v16;
        				char _v20;
        				char _v24;
        				char _v28;
        				char _v32;
        				char _v36;
        				char _v40;
        				char _v44;
        				char _v48;
        				char _v52;
        				char _v56;
        				char _v60;
        				long _t39;
        				_Unknown_base(*)()* _t42;
        				_Unknown_base(*)()* _t43;
        				_Unknown_base(*)()* _t46;
        				signed int _t51;
        				void* _t111;
        				void* _t112;
        				intOrPtr _t129;
        				struct HINSTANCE__* _t148;
        				intOrPtr* _t150;
        				intOrPtr _t152;
        				intOrPtr _t153;
        
        				_t152 = _t153;
        				_t112 = 7;
        				do {
        					_push(0);
        					_push(0);
        					_t112 = _t112 - 1;
        				} while (_t112 != 0);
        				_push(_t152);
        				_push(0x4b5388);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t153;
        				 *0x4be664 =  *0x4be664 - 1;
        				if( *0x4be664 >= 0) {
        					L19:
        					_pop(_t129);
        					 *[fs:eax] = _t129;
        					_push(0x4b538f);
        					return E00407A80( &_v60, 0xe);
        				} else {
        					_t148 = GetModuleHandleW(L"kernel32.dll");
        					_t39 = GetVersion();
        					_t111 = 0;
        					if(_t39 != 0x600) {
        						_t150 = GetProcAddress(_t148, "SetDefaultDllDirectories");
        						if(_t150 != 0) {
        							 *_t150(0x800);
        							asm("sbb ebx, ebx");
        							_t111 = 1;
        						}
        					}
        					if(_t111 == 0) {
        						_t46 = GetProcAddress(_t148, "SetDllDirectoryW");
        						if(_t46 != 0) {
        							 *_t46(0x4b53e4);
        						}
        						E0040E520( &_v8);
        						E00407E00(0x4be668, _v8);
        						if( *0x4be668 != 0) {
        							_t51 =  *0x4be668;
        							if(_t51 != 0) {
        								_t51 =  *(_t51 - 4);
        							}
        							if( *((short*)( *0x4be668 + _t51 * 2 - 2)) != 0x5c) {
        								E004086E4(0x4be668, 0x4b53f4);
        							}
        							E0040873C( &_v12, L"uxtheme.dll",  *0x4be668);
        							E0040E54C(_v12, _t111);
        							E0040873C( &_v16, L"userenv.dll",  *0x4be668);
        							E0040E54C(_v16, _t111);
        							E0040873C( &_v20, L"setupapi.dll",  *0x4be668);
        							E0040E54C(_v20, _t111);
        							E0040873C( &_v24, L"apphelp.dll",  *0x4be668);
        							E0040E54C(_v24, _t111);
        							E0040873C( &_v28, L"propsys.dll",  *0x4be668);
        							E0040E54C(_v28, _t111);
        							E0040873C( &_v32, L"dwmapi.dll",  *0x4be668);
        							E0040E54C(_v32, _t111);
        							E0040873C( &_v36, L"cryptbase.dll",  *0x4be668);
        							E0040E54C(_v36, _t111);
        							E0040873C( &_v40, L"oleacc.dll",  *0x4be668);
        							E0040E54C(_v40, _t111);
        							E0040873C( &_v44, L"version.dll",  *0x4be668);
        							E0040E54C(_v44, _t111);
        							E0040873C( &_v48, L"profapi.dll",  *0x4be668);
        							E0040E54C(_v48, _t111);
        							E0040873C( &_v52, L"comres.dll",  *0x4be668);
        							E0040E54C(_v52, _t111);
        							E0040873C( &_v56, L"clbcatq.dll",  *0x4be668);
        							E0040E54C(_v56, _t111);
        							E0040873C( &_v60, L"ntmarta.dll",  *0x4be668);
        							E0040E54C(_v60, _t111);
        						}
        					}
        					_t42 = GetProcAddress(_t148, "SetSearchPathMode");
        					if(_t42 != 0) {
        						 *_t42(0x8001);
        					}
        					_t43 = GetProcAddress(_t148, "SetProcessDEPPolicy");
        					if(_t43 != 0) {
        						 *_t43(1); // executed
        					}
        					goto L19;
        				}
        			}






























        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B5146
        • GetVersion.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B514D
        • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004B5162
        • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004B5188
          • Part of subcall function 0040E54C: SetErrorMode.KERNEL32(00008000), ref: 0040E55A
          • Part of subcall function 0040E54C: LoadLibraryW.KERNEL32(00000000,00000000,0040E5AE,?,00000000,0040E5CC,?,00008000), ref: 0040E58F
        • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004B534A
        • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004B5360
        • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B536B
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: AddressProc$ErrorHandleLibraryLoadModeModulePolicyProcessVersion
        • String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$hK$hK$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
        • API String ID: 2248137261-3182217745
        • Opcode ID: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
        • Instruction ID: 14362f36823de93a6bafc63c1bb5288ecf7b8ac372eee3bc1917329a49ba756d
        • Opcode Fuzzy Hash: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
        • Instruction Fuzzy Hash: 57513C34601504ABE701EBA6DC82FDEB3A5AB94348BA4493BE40077395DF7C9D428B6D
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 78%
        			E0040AB18(char __eax, void* __ebx, void* __ecx, void* __edx) {
        				char _v8;
        				char* _v12;
        				void* _v16;
        				int _v20;
        				short _v542;
        				long _t51;
        				long _t85;
        				long _t87;
        				long _t89;
        				long _t91;
        				long _t93;
        				void* _t97;
        				intOrPtr _t106;
        				intOrPtr _t108;
        				void* _t112;
        				void* _t113;
        				intOrPtr _t114;
        
        				_t112 = _t113;
        				_t114 = _t113 + 0xfffffde4;
        				_t97 = __edx;
        				_v8 = __eax;
        				E00407B04(_v8);
        				_push(_t112);
        				_push(0x40ad3d);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t114;
        				if(_v8 != 0) {
        					E0040A34C( &_v542, E004084EC(_v8), 0x105);
        				} else {
        					GetModuleFileNameW(0,  &_v542, 0x105);
        				}
        				if(_v542 == 0) {
        					L18:
        					_pop(_t106);
        					 *[fs:eax] = _t106;
        					_push(E0040AD44);
        					return E00407A20( &_v8);
        				} else {
        					_v12 = 0;
        					_t51 = RegOpenKeyExW(0x80000001, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
        					if(_t51 == 0) {
        						L10:
        						_push(_t112);
        						_push(0x40ad20);
        						_push( *[fs:eax]);
        						 *[fs:eax] = _t114;
        						E0040A928( &_v542, 0x105);
        						if(RegQueryValueExW(_v16,  &_v542, 0, 0, 0,  &_v20) != 0) {
        							if(RegQueryValueExW(_v16, E0040AE30, 0, 0, 0,  &_v20) == 0) {
        								_v12 = E004053F0(_v20);
        								RegQueryValueExW(_v16, E0040AE30, 0, 0, _v12,  &_v20);
        								E00408550(_t97, _v12);
        							}
        						} else {
        							_v12 = E004053F0(_v20);
        							RegQueryValueExW(_v16,  &_v542, 0, 0, _v12,  &_v20);
        							E00408550(_t97, _v12);
        						}
        						_pop(_t108);
        						 *[fs:eax] = _t108;
        						_push(E0040AD27);
        						if(_v12 != 0) {
        							E0040540C(_v12);
        						}
        						return RegCloseKey(_v16);
        					} else {
        						_t85 = RegOpenKeyExW(0x80000002, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
        						if(_t85 == 0) {
        							goto L10;
        						} else {
        							_t87 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
        							if(_t87 == 0) {
        								goto L10;
        							} else {
        								_t89 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
        								if(_t89 == 0) {
        									goto L10;
        								} else {
        									_t91 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v16); // executed
        									if(_t91 == 0) {
        										goto L10;
        									} else {
        										_t93 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v16); // executed
        										if(_t93 != 0) {
        											goto L18;
        										} else {
        											goto L10;
        										}
        									}
        								}
        							}
        						}
        					}
        				}
        			}





















        APIs
        • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040AD3D,?,?), ref: 0040AB51
        • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040AB9A
        • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040ABBC
        • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040ABDA
        • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040ABF8
        • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040AC16
        • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040AC34
        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D), ref: 0040AC74
        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001), ref: 0040AC9F
        • RegCloseKey.ADVAPI32(?,0040AD27,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales), ref: 0040AD1A
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: Open$QueryValue$CloseFileModuleName
        • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
        • API String ID: 2701450724-3496071916
        • Opcode ID: 8af598c5208afc10239ec938650b713086258bd8f52ea94da89803fd33d180c8
        • Instruction ID: cdbeddac4db4dda9279672c2614f8dce2a18b15a4a55f9a64fe791b6da82c449
        • Opcode Fuzzy Hash: 8af598c5208afc10239ec938650b713086258bd8f52ea94da89803fd33d180c8
        • Instruction Fuzzy Hash: FB514371A80308BEEB10DA95CC46FAE77BCEB08709F504477BA04F75C1D6B8AA50975E
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 60%
        			E004B5A90(void* __ebx, void* __ecx, void* __edx, void* __esi) {
        				char _v8;
        				char _v12;
        				char _v16;
        				char _t16;
        				intOrPtr _t32;
        				intOrPtr _t41;
        
        				_t27 = __ebx;
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(_t41);
        				_push(0x4b5b5a);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t41;
        				 *0x4c1124 =  *0x4c1124 - 1;
        				if( *0x4c1124 < 0) {
        					 *0x4c1128 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64DisableWow64FsRedirection");
        					 *0x4c112c = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64RevertWow64FsRedirection");
        					if( *0x4c1128 == 0 ||  *0x4c112c == 0) {
        						_t16 = 0;
        					} else {
        						_t16 = 1;
        					}
        					 *0x4c1130 = _t16;
        					E00422D44( &_v12);
        					E00422660(_v12,  &_v8);
        					E004086E4( &_v8, L"shell32.dll");
        					E00421230(_v8, _t27, 0x8000); // executed
        					E004232EC(0x4c783afb,  &_v16);
        				}
        				_pop(_t32);
        				 *[fs:eax] = _t32;
        				_push(0x4b5b61);
        				return E00407A80( &_v16, 3);
        			}










        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5ABE
          • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
        • GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5AD8
          • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00000000), ref: 0040E20B
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
        • API String ID: 1646373207-2130885113
        • Opcode ID: 149d4641e6716bccfc7038b8b83dc43c2c59674e16c2d4af6eff100d23c955b7
        • Instruction ID: b56c6da1e02aeac4ac36a9fb763b3b3a2bfa4c382daca5c5ea2a5d16c2919690
        • Opcode Fuzzy Hash: 149d4641e6716bccfc7038b8b83dc43c2c59674e16c2d4af6eff100d23c955b7
        • Instruction Fuzzy Hash: DA11A730604704AFD744EB76DC02F9DB7B4E749704F64447BF500A6591CABC6A04CA3D
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 138 4af91c-4af942 GetSystemInfo VirtualQuery 139 4af948 138->139 140 4af9e7-4af9ee 138->140 141 4af9db-4af9e1 139->141 141->140 142 4af94d-4af954 141->142 143 4af956-4af95a 142->143 144 4af9c7-4af9d9 VirtualQuery 142->144 143->144 145 4af95c-4af967 143->145 144->140 144->141 146 4af978-4af98d VirtualProtect 145->146 147 4af969-4af96c 145->147 149 4af98f 146->149 150 4af994-4af996 146->150 147->146 148 4af96e-4af971 147->148 148->146 151 4af973-4af976 148->151 149->150 152 4af9a5-4af9a8 150->152 151->146 151->150 153 4af9aa-4af9af 152->153 154 4af998-4af9a1 call 4af914 152->154 153->144 156 4af9b1-4af9c2 VirtualProtect 153->156 154->152 156->144
        C-Code - Quality: 100%
        			E004AF91C(void* __eax) {
        				char _v44;
        				struct _SYSTEM_INFO _v80;
        				long _v84;
        				char _v88;
        				long _t22;
        				int _t28;
        				void* _t37;
        				struct _MEMORY_BASIC_INFORMATION* _t40;
        				long _t41;
        				void** _t42;
        
        				_t42 =  &(_v80.dwPageSize);
        				 *_t42 = __eax;
        				_t40 =  &_v44;
        				GetSystemInfo( &_v80); // executed
        				_t22 = VirtualQuery( *_t42, _t40, 0x1c);
        				if(_t22 == 0) {
        					L17:
        					return _t22;
        				} else {
        					while(1) {
        						_t22 = _t40->AllocationBase;
        						if(_t22 !=  *_t42) {
        							goto L17;
        						}
        						if(_t40->State != 0x1000 || (_t40->Protect & 0x00000001) != 0) {
        							L15:
        							_t22 = VirtualQuery(_t40->BaseAddress + _t40->RegionSize, _t40, 0x1c);
        							if(_t22 == 0) {
        								goto L17;
        							}
        							continue;
        						} else {
        							_v88 = 0;
        							_t41 = _t40->Protect;
        							if(_t41 == 1 || _t41 == 2 || _t41 == 0x10 || _t41 == 0x20) {
        								_t28 = VirtualProtect(_t40->BaseAddress, _t40->RegionSize, 0x40,  &_v84); // executed
        								if(_t28 != 0) {
        									_v88 = 1;
        								}
        							}
        							_t37 = 0;
        							while(_t37 < _t40->RegionSize) {
        								E004AF914(_t40->BaseAddress + _t37);
        								_t37 = _t37 + _v80.dwPageSize;
        							}
        							if(_v88 != 0) {
        								VirtualProtect( *_t40, _t40->RegionSize, _v84,  &_v84); // executed
        							}
        							goto L15;
        						}
        					}
        					goto L17;
        				}
        			}














        APIs
        • GetSystemInfo.KERNEL32(?), ref: 004AF92F
        • VirtualQuery.KERNEL32(?,?,0000001C,?), ref: 004AF93B
        • VirtualProtect.KERNEL32(?,?,00000040,0000001C,?,?,0000001C), ref: 004AF986
        • VirtualProtect.KERNEL32(?,?,?,0000001C,?,?,00000040,0000001C,?,?,0000001C), ref: 004AF9C2
        • VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C,?), ref: 004AF9D2
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: Virtual$ProtectQuery$InfoSystem
        • String ID:
        • API String ID: 2441996862-0
        • Opcode ID: 57281b4e736338f8d77ca256b537dd22dd4c981be38144bf210ac0f1d0b120f5
        • Instruction ID: 3a96586125c0dafbea7f6284d897bb751f900199eded140d0d018ead0d29608e
        • Opcode Fuzzy Hash: 57281b4e736338f8d77ca256b537dd22dd4c981be38144bf210ac0f1d0b120f5
        • Instruction Fuzzy Hash: C5212CB1104344BAD730DA99C885F6BBBEC9B56354F04492EF59583681D339E848C766
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 158 407750-407764 159 407766-407772 call 407630 call 4076b8 158->159 160 407777-40777e 158->160 159->160 162 407780-40778b GetCurrentThreadId 160->162 163 4077a1-4077a5 160->163 162->163 164 40778d-40779c call 407388 call 40768c 162->164 165 4077a7-4077ae 163->165 166 4077c9-4077cd 163->166 164->163 165->166 169 4077b0-4077c7 165->169 170 4077d9-4077dd 166->170 171 4077cf-4077d2 166->171 169->166 175 4077fc-407805 call 4073b0 170->175 176 4077df-4077e8 call 4054b4 170->176 171->170 174 4077d4-4077d6 171->174 174->170 185 407807-40780a 175->185 186 40780c-407811 175->186 176->175 184 4077ea-4077fa call 405ce8 call 4054b4 176->184 184->175 185->186 188 40782d-407838 call 407388 185->188 186->188 189 407813-407821 call 40b40c 186->189 196 40783a 188->196 197 40783d-407841 188->197 189->188 199 407823-407825 189->199 196->197 200 407843-407845 call 40768c 197->200 201 40784a-40784d 197->201 199->188 202 407827-407828 FreeLibrary 199->202 200->201 204 407866 201->204 205 40784f-407856 201->205 202->188 206 407858 205->206 207 40785e-407861 ExitProcess 205->207 206->207
        C-Code - Quality: 86%
        			E00407750() {
        				void* _t20;
        				void* _t23;
        				intOrPtr _t31;
        				intOrPtr* _t33;
        				void* _t46;
        				struct HINSTANCE__* _t49;
        				void* _t56;
        
        				if( *0x4b7004 != 0) {
        					E00407630();
        					E004076B8(_t46);
        					 *0x4b7004 = 0;
        				}
        				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
        					E00407388(0x4bdbc8);
        					E0040768C(0x4bdbc8);
        				}
        				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
        					L8:
        					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
        						 *0x004BDBA4 = 0;
        					}
        					if( *((char*)(0x4bdbc0)) != 0) {
        						L14:
        						E004073B0(); // executed
        						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
        							_t15 =  *0x004BDBA8;
        							if( *0x004BDBA8 != 0) {
        								E0040B40C(_t15);
        								_t31 =  *((intOrPtr*)(0x4bdba8));
        								_t8 = _t31 + 0x10; // 0x400000
        								_t49 =  *_t8;
        								_t9 = _t31 + 4; // 0x400000
        								if(_t49 !=  *_t9 && _t49 != 0) {
        									FreeLibrary(_t49);
        								}
        							}
        						}
        						E00407388(0x4bdb98);
        						if( *((char*)(0x4bdbc0)) == 1) {
        							 *0x004BDBBC();
        						}
        						if( *((char*)(0x4bdbc0)) != 0) {
        							E0040768C(0x4bdb98);
        						}
        						if( *0x4bdb98 == 0) {
        							if( *0x4bb038 != 0) {
        								 *0x4bb038();
        							}
        							ExitProcess( *0x4b7000); // executed
        						}
        						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
        						_t56 = _t56 + 0xc;
        						0x4b7000 = 0x4b7000;
        						0x4bdb98 = 0x4bdb98;
        						goto L8;
        					} else {
        						_t20 = E004054B4();
        						_t44 = _t20;
        						if(_t20 == 0) {
        							goto L14;
        						} else {
        							goto L13;
        						}
        						do {
        							L13:
        							E00405CE8(_t44);
        							_t23 = E004054B4();
        							_t44 = _t23;
        						} while (_t23 != 0);
        						goto L14;
        					}
        				} else {
        					do {
        						_t33 =  *0x4bb054; // 0x0
        						 *0x4bb054 = 0;
        						 *_t33();
        					} while ( *0x4bb054 != 0);
        					L8:
        					while(1) {
        					}
        				}
        			}











        APIs
        • GetCurrentThreadId.KERNEL32 ref: 00407780
        • FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
        • ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861
          • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
          • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
          • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
          • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
        • String ID: MZP
        • API String ID: 3490077880-2889622443
        • Opcode ID: 1ba9ccdc5e5ec41ea7066db700fb32a50d39e50ecd0d58aa72eac7c5645d258d
        • Instruction ID: 4bb8ca2865ae45d0ec72c9e6ca862cba493d08d50c1d65b63798a8296780cd14
        • Opcode Fuzzy Hash: 1ba9ccdc5e5ec41ea7066db700fb32a50d39e50ecd0d58aa72eac7c5645d258d
        • Instruction Fuzzy Hash: 76317220E087415BE721BB7A888875B76E09B45315F14897FE541A33D2D77CB884CB6F
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 208 407748-407764 209 407766-407772 call 407630 call 4076b8 208->209 210 407777-40777e 208->210 209->210 212 407780-40778b GetCurrentThreadId 210->212 213 4077a1-4077a5 210->213 212->213 214 40778d-40779c call 407388 call 40768c 212->214 215 4077a7-4077ae 213->215 216 4077c9-4077cd 213->216 214->213 215->216 219 4077b0-4077c7 215->219 220 4077d9-4077dd 216->220 221 4077cf-4077d2 216->221 219->216 225 4077fc-407805 call 4073b0 220->225 226 4077df-4077e8 call 4054b4 220->226 221->220 224 4077d4-4077d6 221->224 224->220 235 407807-40780a 225->235 236 40780c-407811 225->236 226->225 234 4077ea-4077fa call 405ce8 call 4054b4 226->234 234->225 235->236 238 40782d-407838 call 407388 235->238 236->238 239 407813-407821 call 40b40c 236->239 246 40783a 238->246 247 40783d-407841 238->247 239->238 249 407823-407825 239->249 246->247 250 407843-407845 call 40768c 247->250 251 40784a-40784d 247->251 249->238 252 407827-407828 FreeLibrary 249->252 250->251 254 407866 251->254 255 40784f-407856 251->255 252->238 256 407858 255->256 257 40785e-407861 ExitProcess 255->257 256->257
        C-Code - Quality: 86%
        			E00407748() {
        				intOrPtr* _t14;
        				void* _t23;
        				void* _t26;
        				intOrPtr _t34;
        				intOrPtr* _t36;
        				void* _t50;
        				struct HINSTANCE__* _t53;
        				void* _t62;
        
        				 *((intOrPtr*)(_t14 +  *_t14)) =  *((intOrPtr*)(_t14 +  *_t14)) + _t14 +  *_t14;
        				if( *0x4b7004 != 0) {
        					E00407630();
        					E004076B8(_t50);
        					 *0x4b7004 = 0;
        				}
        				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
        					E00407388(0x4bdbc8);
        					E0040768C(0x4bdbc8);
        				}
        				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
        					L9:
        					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
        						 *0x004BDBA4 = 0;
        					}
        					if( *((char*)(0x4bdbc0)) != 0) {
        						L15:
        						E004073B0(); // executed
        						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
        							_t18 =  *0x004BDBA8;
        							if( *0x004BDBA8 != 0) {
        								E0040B40C(_t18);
        								_t34 =  *((intOrPtr*)(0x4bdba8));
        								_t8 = _t34 + 0x10; // 0x400000
        								_t53 =  *_t8;
        								_t9 = _t34 + 4; // 0x400000
        								if(_t53 !=  *_t9 && _t53 != 0) {
        									FreeLibrary(_t53);
        								}
        							}
        						}
        						E00407388(0x4bdb98);
        						if( *((char*)(0x4bdbc0)) == 1) {
        							 *0x004BDBBC();
        						}
        						if( *((char*)(0x4bdbc0)) != 0) {
        							E0040768C(0x4bdb98);
        						}
        						if( *0x4bdb98 == 0) {
        							if( *0x4bb038 != 0) {
        								 *0x4bb038();
        							}
        							ExitProcess( *0x4b7000); // executed
        						}
        						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
        						_t62 = _t62 + 0xc;
        						0x4b7000 = 0x4b7000;
        						0x4bdb98 = 0x4bdb98;
        						goto L9;
        					} else {
        						_t23 = E004054B4();
        						_t48 = _t23;
        						if(_t23 == 0) {
        							goto L15;
        						} else {
        							goto L14;
        						}
        						do {
        							L14:
        							E00405CE8(_t48);
        							_t26 = E004054B4();
        							_t48 = _t26;
        						} while (_t26 != 0);
        						goto L15;
        					}
        				} else {
        					do {
        						_t36 =  *0x4bb054; // 0x0
        						 *0x4bb054 = 0;
        						 *_t36();
        					} while ( *0x4bb054 != 0);
        					L9:
        					while(1) {
        					}
        				}
        			}












        APIs
        • GetCurrentThreadId.KERNEL32 ref: 00407780
        • FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
        • ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861
          • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
          • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
          • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
          • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
        • String ID: MZP
        • API String ID: 3490077880-2889622443
        • Opcode ID: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
        • Instruction ID: bfc25cbdcfe625b544084418af651039c1e49876b6b13a82c314e6a817d38f33
        • Opcode Fuzzy Hash: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
        • Instruction Fuzzy Hash: E3314D20E087419BE721BB7A888935B7BA09B05315F14897FE541A73D2D77CB884CB6F
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 79%
        			E004B5000(void* __ecx, void* __edx) {
        				intOrPtr _t19;
        				intOrPtr _t22;
        
        				_push(_t22);
        				_push(0x4b50d7);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t22;
        				 *0x4bb98c =  *0x4bb98c - 1;
        				if( *0x4bb98c < 0) {
        					E00405B74();
        					E004051A8();
        					SetThreadLocale(0x400); // executed
        					E0040A250();
        					 *0x4b700c = 2;
        					 *0x4bb01c = 0x4036b0;
        					 *0x4bb020 = 0x4036b8;
        					 *0x4bb05a = 2;
        					 *0x4bb060 = E0040CAA4();
        					 *0x4bb008 = 0x4095a0;
        					E00405BCC(E00405BB0());
        					 *0x4bb068 = 0xd7b0;
        					 *0x4bb344 = 0xd7b0;
        					 *0x4bb620 = 0xd7b0;
        					 *0x4bb050 = GetCommandLineW();
        					 *0x4bb04c = E00403810();
        					 *0x4bb97c = GetACP();
        					 *0x4bb980 = 0x4b0;
        					 *0x4bb044 = GetCurrentThreadId();
        					E0040CAB8();
        				}
        				_pop(_t19);
        				 *[fs:eax] = _t19;
        				_push(0x4b50de);
        				return 0;
        			}






        APIs
        • SetThreadLocale.KERNEL32(00000400,00000000,004B50D7), ref: 004B502D
          • Part of subcall function 0040A250: InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
          • Part of subcall function 0040A250: GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
          • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
          • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
          • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
          • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
          • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
          • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4
          • Part of subcall function 0040CAA4: GetSystemInfo.KERNEL32 ref: 0040CAA8
        • GetCommandLineW.KERNEL32(00000400,00000000,004B50D7), ref: 004B5092
          • Part of subcall function 00403810: GetStartupInfoW.KERNEL32 ref: 00403821
        • GetACP.KERNEL32(00000400,00000000,004B50D7), ref: 004B50A6
        • GetCurrentThreadId.KERNEL32 ref: 004B50BA
          • Part of subcall function 0040CAB8: GetVersion.KERNEL32(004B50C9,00000400,00000000,004B50D7), ref: 0040CAB8
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: AddressHandleModuleProc$InfoThreadVersion$CommandCriticalCurrentInitializeLineLocaleSectionStartupSystem
        • String ID:
        • API String ID: 2740004594-0
        • Opcode ID: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
        • Instruction ID: 4c04e7183c3d5c6504f231a905193e891933426fc174ea8e71756e1f90614aff
        • Opcode Fuzzy Hash: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
        • Instruction Fuzzy Hash: 46111CB04047449FE311BF76A8062267BA8EB05309B508A7FE110662E2EBFD15048FEE
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 63%
        			E0041FF94(void* __eax, void* __ebx, signed int* __ecx, signed int* __edx, void* __edi, void* __esi, signed int* _a4) {
        				char _v8;
        				char _v9;
        				int _v16;
        				void* _v20;
        				void* _v24;
        				int _v28;
        				int _t33;
        				int _t43;
        				int _t64;
        				intOrPtr _t72;
        				intOrPtr _t74;
        				signed int* _t77;
        				signed int* _t79;
        				void* _t81;
        				void* _t82;
        				intOrPtr _t83;
        
        				_t81 = _t82;
        				_t83 = _t82 + 0xffffffe8;
        				_v8 = 0;
        				_t77 = __ecx;
        				_t79 = __edx;
        				_push(_t81);
        				_push(0x420094);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t83;
        				_v9 = 0;
        				E00407E48( &_v8, __eax);
        				E00407FB0( &_v8);
        				_t33 = GetFileVersionInfoSizeW(E004084EC(_v8),  &_v16); // executed
        				_t64 = _t33;
        				if(_t64 == 0) {
        					_pop(_t72);
        					 *[fs:eax] = _t72;
        					_push(0x42009b);
        					return E00407A20( &_v8);
        				} else {
        					_v20 = E004053F0(_t64);
        					_push(_t81);
        					_push(0x420077);
        					_push( *[fs:edx]);
        					 *[fs:edx] = _t83;
        					_t43 = GetFileVersionInfoW(E004084EC(_v8), _v16, _t64, _v20); // executed
        					if(_t43 != 0 && VerQueryValueW(_v20, 0x4200a8,  &_v24,  &_v28) != 0) {
        						 *_t79 =  *(_v24 + 0x10) >> 0x00000010 & 0x0000ffff;
        						 *_t77 =  *(_v24 + 0x10) & 0x0000ffff;
        						 *_a4 =  *(_v24 + 0x14) >> 0x00000010 & 0x0000ffff;
        						_v9 = 1;
        					}
        					_pop(_t74);
        					 *[fs:eax] = _t74;
        					_push(0x42007e);
        					return E0040540C(_v20);
        				}
        			}




















        APIs
        • GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00420094), ref: 0041FFD9
        • GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 00420012
        • VerQueryValueW.VERSION(?,004200A8,?,?,00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 0042002C
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: FileInfoVersion$QuerySizeValue
        • String ID:
        • API String ID: 2179348866-0
        • Opcode ID: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
        • Instruction ID: 087fa93cc02b824bee97242c1a4c1e6fbe52d07f241be95d6751b2a9bfa32856
        • Opcode Fuzzy Hash: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
        • Instruction Fuzzy Hash: 19314771A042199FD710DFA9D941DAFB7F8EB48700B91447AF944E3252D778DD00C765
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 63%
        			E00406D86(void* __ebx, void* __edi, void* __esi, void* __ebp, struct _EXCEPTION_POINTERS _a4, intOrPtr _a8, intOrPtr _a12) {
        				intOrPtr _v8;
        				struct _EXCEPTION_RECORD* _t22;
        				intOrPtr* _t25;
        				long _t28;
        				long _t30;
        				long _t31;
        				long _t32;
        				void* _t33;
        				void* _t38;
        				long _t41;
        				intOrPtr* _t43;
        				intOrPtr _t44;
        				void* _t45;
        				void* _t47;
        				void* _t48;
        				intOrPtr _t50;
        
        				_t48 = __ebp;
        				_t47 = __esi;
        				_t45 = __edi;
        				_t33 = __ebx;
        				_t22 = _a4.ExceptionRecord;
        				if((_t22->ExceptionFlags & 0x00000006) == 0) {
        					_t41 = _t22->ExceptionInformation[1];
        					_t38 = _t22->ExceptionInformation;
        					if(_t22->ExceptionCode == 0xeedfade) {
        						L11:
        						if( *0x4b7031 <= 1 ||  *0x4b7030 > 0) {
        							goto L14;
        						}
        						_t28 = UnhandledExceptionFilter( &_a4);
        						_t38 = _t38;
        						_t41 = _t41;
        						_t22 = _t22;
        						if(_t28 != 0) {
        							goto L14;
        						}
        					} else {
        						asm("cld");
        						E00405BCC(_t22);
        						_t43 =  *0x4bb018; // 0x0
        						if(_t43 != 0) {
        							_t30 =  *_t43();
        							if(_t30 != 0) {
        								_t44 = _a12;
        								if(_a4.ExceptionRecord->ExceptionCode == 0xeefface) {
        									L10:
        									_t41 = _t30;
        									_t22 = _a4.ExceptionRecord;
        									_t38 = _t22->ExceptionAddress;
        									goto L11;
        								} else {
        									_t30 = E00406CA0(_t30, _t44, __edi);
        									if( *0x4b7031 <= 0 ||  *0x4b7030 > 0) {
        										goto L10;
        									} else {
        										_t31 = UnhandledExceptionFilter( &_a4);
        										_t32 = _t30;
        										if(_t31 != 0) {
        											_t41 = _t32;
        											_t22 = _a4.ExceptionRecord;
        											_t38 = _t22->ExceptionAddress;
        											L14:
        											_t22->ExceptionFlags = _t22->ExceptionFlags | 0x00000002;
        											 *0x4bb020(_a8, "true", _t22, 0, _t38, _t41, _t22,  *[fs:ebx], _t48, _t45, _t47, _t33); // executed
        											_t46 = _v8;
        											_t25 = E0040CC60();
        											_push( *_t25);
        											 *_t25 = _t50;
        											 *((intOrPtr*)(_v8 + 4)) = E00406E8C;
        											E00406CF0(_t25,  *((intOrPtr*)(_t46 + 4)) + 5, _t47);
        											goto __ebx;
        										}
        									}
        								}
        							}
        						}
        					}
        				}
        				return 1;
        			}




















        APIs
        • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00406DF2
        • UnhandledExceptionFilter.KERNEL32(?,?,?,Function_00006D88), ref: 00406E2F
        • RtlUnwind.KERNEL32(?,?,Function_00006D88,00000000,?,?,Function_00006D88,?), ref: 00406E5A
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: ExceptionFilterUnhandled$Unwind
        • String ID:
        • API String ID: 1141220122-0
        • Opcode ID: 9e921812675e94d09cf659e9b3dc74c1040adbde875b4dc9461ad8792aed939a
        • Instruction ID: 82ba9095b820b8f74b53f70e2f32f8d84a8c98116d21455e8c3fce4a4b86a7d7
        • Opcode Fuzzy Hash: 9e921812675e94d09cf659e9b3dc74c1040adbde875b4dc9461ad8792aed939a
        • Instruction Fuzzy Hash: F9316478208300AFE720DB14C884F2777A9EB88B54F26857AF449A7391C739EC50C6A9
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 72%
        			E0040B110(intOrPtr __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi) {
        				intOrPtr _v8;
        				signed int _v12;
        				char _v16;
        				char _v20;
        				char _v24;
        				char _v28;
        				signed int _t41;
        				signed short _t43;
        				signed short _t46;
        				signed int _t60;
        				intOrPtr _t68;
        				void* _t79;
        				signed int* _t81;
        				intOrPtr _t84;
        
        				_t79 = __edi;
        				_t61 = __ecx;
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(__ebx);
        				_push(__esi);
        				_t81 = __ecx;
        				_v12 = __edx;
        				_v8 = __eax;
        				E00407B04(_v8);
        				E00407B04(_v12);
        				_push(_t84);
        				_push(0x40b227);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t84;
        				E00407A20(__ecx);
        				if(_v12 == 0) {
        					L14:
        					_pop(_t68);
        					 *[fs:eax] = _t68;
        					_push(E0040B22E);
        					return E00407A80( &_v28, 6);
        				}
        				E00407E48( &_v20, _v12);
        				_t41 = _v12;
        				if(_t41 != 0) {
        					_t41 =  *(_t41 - 4);
        				}
        				_t60 = _t41;
        				if(_t60 < 1) {
        					L7:
        					_t43 = E0040AE34(_v8, _t60, _t61,  &_v16, _t81); // executed
        					if(_v16 == 0) {
        						L00403730();
        						E0040A7E4(_t43, _t60,  &_v24, _t79, _t81);
        						_t46 = E0040AF60(_v20, _t60, _t81, _v24, _t79, _t81); // executed
        						__eflags =  *_t81;
        						if( *_t81 == 0) {
        							__eflags =  *0x4bdc0c;
        							if( *0x4bdc0c == 0) {
        								L00403738();
        								E0040A7E4(_t46, _t60,  &_v28, _t79, _t81);
        								E0040AF60(_v20, _t60, _t81, _v28, _t79, _t81);
        							}
        						}
        						__eflags =  *_t81;
        						if(__eflags == 0) {
        							E0040B044(_v20, _t60, _t81, __eflags); // executed
        						}
        					} else {
        						E0040AF60(_v20, _t60, _t81, _v16, _t79, _t81);
        					}
        					goto L14;
        				}
        				while( *((short*)(_v12 + _t60 * 2 - 2)) != 0x2e) {
        					_t60 = _t60 - 1;
        					__eflags = _t60;
        					if(_t60 != 0) {
        						continue;
        					}
        					goto L7;
        				}
        				_t61 = _t60;
        				E004088AC(_v12, _t60, 1,  &_v20);
        				goto L7;
        			}


















        APIs
        • GetUserDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1BB
        • GetSystemDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1E3
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: DefaultLanguage$SystemUser
        • String ID:
        • API String ID: 384301227-0
        • Opcode ID: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
        • Instruction ID: e5bcb09f7540d0846d638ab8db7cc306f2a88a3609992180fc1e837192b0f5a6
        • Opcode Fuzzy Hash: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
        • Instruction Fuzzy Hash: B0313070A142499BDB10EBA5C891AAEB7B5EF48304F50857BE400B73D1DB7CAD41CB9E
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 58%
        			E0040B234(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
        				char _v8;
        				short _v530;
        				char _v536;
        				char _v540;
        				void* _t44;
        				intOrPtr _t45;
        				void* _t49;
        				void* _t52;
        
        				_v536 = 0;
        				_v540 = 0;
        				_v8 = 0;
        				_t49 = __eax;
        				_push(_t52);
        				_push(0x40b2ee);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t52 + 0xfffffde8;
        				GetModuleFileNameW(0,  &_v530, 0x105);
        				E00408550( &_v536, _t49);
        				_push(_v536);
        				E0040858C( &_v540, 0x105,  &_v530);
        				_pop(_t44); // executed
        				E0040B110(_v540, 0,  &_v8, _t44, __edi, _t49); // executed
        				if(_v8 != 0) {
        					LoadLibraryExW(E004084EC(_v8), 0, 2);
        				}
        				_pop(_t45);
        				 *[fs:eax] = _t45;
        				_push(E0040B2F5);
        				E00407A80( &_v540, 2);
        				return E00407A20( &_v8);
        			}












        APIs
        • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
        • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: FileLibraryLoadModuleName
        • String ID:
        • API String ID: 1159719554-0
        • Opcode ID: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
        • Instruction ID: c66d7809fa1512833e1e01641763b0ecb7dd00f0751393a0e64d94d028879d96
        • Opcode Fuzzy Hash: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
        • Instruction Fuzzy Hash: 35116070A4421CABDB10EB55CD86BDE77B8DB04304F5144BEE508B32C1DA785F848AA9
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 410 421230-421283 SetErrorMode call 4084ec LoadLibraryW
        C-Code - Quality: 37%
        			E00421230(void* __eax, void* __ebx, int __edx) {
        				struct HINSTANCE__* _v12;
        				int _v16;
        				int _t4;
        				struct HINSTANCE__* _t9;
        				void* _t12;
        				intOrPtr _t16;
        				void* _t18;
        				void* _t19;
        				intOrPtr _t20;
        
        				_t18 = _t19;
        				_t20 = _t19 + 0xfffffff4;
        				_t12 = __eax;
        				_t4 = SetErrorMode(__edx); // executed
        				_v16 = _t4;
        				_push(_t18);
        				_push(0x4212a2);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t20;
        				asm("fnstcw word [ebp-0x2]");
        				_push(_t18);
        				_push(0x421284);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t20;
        				_t9 = LoadLibraryW(E004084EC(_t12)); // executed
        				_v12 = _t9;
        				_pop(_t16);
        				 *[fs:eax] = _t16;
        				_push(0x42128b);
        				asm("fclex");
        				asm("fldcw word [ebp-0x2]");
        				return 0;
        			}













        APIs
        • SetErrorMode.KERNEL32 ref: 0042123A
        • LoadLibraryW.KERNEL32(00000000,00000000,00421284,?,00000000,004212A2), ref: 00421269
        Similarity
        • API ID: ErrorLibraryLoadMode
        • String ID:
        • API String ID: 2987862817-0
        • Opcode ID: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
        • Instruction ID: 4174928c950a8c4d8a753a2a73b5e5f46ee32f9a8ef6f103d2b3a03bcfaff51e
        • Opcode Fuzzy Hash: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
        • Instruction Fuzzy Hash: 15F08270A14744BFDB115F779C5282BBAACE709B047A348BAF800F2691E53C48208574
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 413 4052d4-4052e5 414 4052f9-4052fb 413->414 415 4052e7-4052f7 VirtualFree 414->415 416 4052fd-405302 414->416 415->414 417 405307-405321 416->417 417->417 418 405323-40532d 417->418 419 405332-40533d 418->419 419->419 420 40533f-405361 call 405884 419->420 423 405375-405377 420->423 424 405363-405373 VirtualFree 423->424 425 405379-405382 423->425 424->423
        C-Code - Quality: 100%
        			E004052D4() {
        				intOrPtr _t13;
        				intOrPtr* _t14;
        				int _t18;
        				intOrPtr* _t23;
        				void* _t25;
        				void* _t26;
        				void* _t28;
        				void* _t31;
        
        				_t28 =  *0x004BBADC;
        				while(_t28 != 0x4bbad8) {
        					_t2 = _t28 + 4; // 0x4bbad8
        					VirtualFree(_t28, 0, 0x8000); // executed
        					_t28 =  *_t2;
        				}
        				_t25 = 0x37;
        				_t13 = 0x4b7080;
        				do {
        					 *((intOrPtr*)(_t13 + 0xc)) = _t13;
        					 *((intOrPtr*)(_t13 + 8)) = _t13;
        					 *((intOrPtr*)(_t13 + 0x10)) = 1;
        					 *((intOrPtr*)(_t13 + 0x14)) = 0;
        					_t13 = _t13 + 0x20;
        					_t25 = _t25 - 1;
        				} while (_t25 != 0);
        				 *0x4bbad8 = 0x4bbad8;
        				 *0x004BBADC = 0x4bbad8;
        				_t26 = 0x400;
        				_t23 = 0x4bbb78;
        				do {
        					_t14 = _t23;
        					 *_t14 = _t14;
        					_t8 = _t14 + 4; // 0x4bbb78
        					 *_t8 = _t14;
        					_t23 = _t23 + 8;
        					_t26 = _t26 - 1;
        				} while (_t26 != 0);
        				 *0x4bbaf4 = 0;
        				E00405884(0x4bbaf8, 0x80);
        				_t18 = 0;
        				 *0x4bbaf0 = 0;
        				_t31 =  *0x004BDB80;
        				while(_t31 != 0x4bdb7c) {
        					_t10 = _t31 + 4; // 0x4bdb7c
        					_t18 = VirtualFree(_t31, 0, 0x8000);
        					_t31 =  *_t10;
        				}
        				 *0x4bdb7c = 0x4bdb7c;
        				 *0x004BDB80 = 0x4bdb7c;
        				return _t18;
        			}












        APIs
        • VirtualFree.KERNEL32(004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 004052F2
        • VirtualFree.KERNEL32(004BDB7C,00000000,00008000,004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 0040536E
        Similarity
        • API ID: FreeVirtual
        • String ID:
        • API String ID: 1263568516-0
        • Opcode ID: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
        • Instruction ID: 8dfda0fc8014d777c4f42bdf36328f4fb77b4e1ecbcf9529c7d2d9386e1eba40
        • Opcode Fuzzy Hash: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
        • Instruction Fuzzy Hash: A5116D71A046008FC7689F199840B67BBE4EB88754F15C0BFE549EB791D7B8AC018F9C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 53%
        			E004AF404() {
        				char _v8;
        				void* _t6;
        				intOrPtr _t11;
        				intOrPtr _t20;
        				intOrPtr _t21;
        				intOrPtr _t24;
        
        				_push(0);
        				_push(_t24);
        				_push(0x4af467);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t24;
        				_t6 = E00405474();
        				_t20 =  *0x415748; // 0x4157a0
        				if(E00405F30(_t6, _t20) == 0) {
        					_t11 =  *0x4ba674; // 0x4c0d0c
        					_t1 = _t11 + 0x164; // 0x0
        					E00423270( &_v8);
        					MessageBoxW(0, E004084EC(_v8),  *_t1, 0x10); // executed
        				}
        				_pop(_t21);
        				 *[fs:eax] = _t21;
        				_push(0x4af46e);
        				return E00407A20( &_v8);
        			}










        APIs
        • MessageBoxW.USER32(00000000,00000000,00000000,00000010), ref: 004AF44C
        Similarity
        • API ID: Message
        • String ID:
        • API String ID: 2030045667-0
        • Opcode ID: 85040d05a667a057702a81a59cc8903d7cf9b38789560b08f9d619bd8c07588f
        • Instruction ID: df185ba2c4542d38c973d174cb8fca7e9c56812a44b35e206d2562239992b1e5
        • Opcode Fuzzy Hash: 85040d05a667a057702a81a59cc8903d7cf9b38789560b08f9d619bd8c07588f
        • Instruction Fuzzy Hash: C9F0B430204608EFEB00EB91DD43FAB73A8D759704F9144B7F900A7192DA3C6E048918
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004232EC(long __eax, void* __edx) {
        				short _v2052;
        				signed int _t7;
        				void* _t10;
        				signed int _t16;
        				void* _t17;
        
        				_t10 = __edx;
        				_t7 = FormatMessageW(0x3200, 0, __eax, 0,  &_v2052, 0x400, 0); // executed
        				while(_t7 > 0) {
        					_t16 =  *(_t17 + _t7 * 2 - 2) & 0x0000ffff;
        					if(_t16 <= 0x20) {
        						L1:
        						_t7 = _t7 - 1;
        						__eflags = _t7;
        						continue;
        					} else {
        						_t20 = _t16 - 0x2e;
        						if(_t16 == 0x2e) {
        							goto L1;
        						}
        					}
        					break;
        				}
        				return E00407BA8(_t10, _t7, _t17, _t20);
        			}









        APIs
        • FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,00423C1E,00000000,00423C6F,?,00423E28), ref: 0042330B
        Similarity
        • API ID: FormatMessage
        • String ID:
        • API String ID: 1306739567-0
        • Opcode ID: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
        • Instruction ID: 75fedbff241bec6efc8727d26b236f8c34027f11b3bdd8370f626a5f6d270aaf
        • Opcode Fuzzy Hash: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
        • Instruction Fuzzy Hash: 89E0D86075432121F624A9052C03B7B2129A7C0B12FE084367A80DE3D5DEADAF55525E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00423DA8(signed int __ecx, void* __edx, signed char _a4, signed char _a8) {
        				void* _t17;
        
        				_t17 = CreateFileW(E004084EC(__edx),  *(0x4b92e0 + (_a8 & 0x000000ff) * 4),  *(0x4b92ec + (_a4 & 0x000000ff) * 4), 0,  *(0x4b92fc + (__ecx & 0x000000ff) * 4), 0x80, 0); // executed
        				return _t17;
        			}




        0x00423de5
        0x00423ded

        APIs
        • CreateFileW.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00423DE5
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
        • Instruction ID: 37fe8146f2431012b4276926014d9d5fd10bf57e8855788e2bc853c5fce69268
        • Opcode Fuzzy Hash: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
        • Instruction Fuzzy Hash: 81E048716441283FD6149ADE7C91F76779C9709754F404563F684D7281C4A59D1086FC
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00409FA8(void* __eax) {
        				short _v532;
        				void* __ebx;
        				void* __esi;
        				intOrPtr _t14;
        				void* _t16;
        				void* _t18;
        				void* _t19;
        				intOrPtr _t20;
        				void* _t21;
        
        				_t16 = __eax;
        				_t22 =  *((intOrPtr*)(__eax + 0x10));
        				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
        					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
        					_t14 = E0040B234(_t21, _t16, _t18, _t19, _t22); // executed
        					_t20 = _t14;
        					 *((intOrPtr*)(_t16 + 0x10)) = _t20;
        					if(_t20 == 0) {
        						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
        					}
        				}
        				return  *((intOrPtr*)(_t16 + 0x10));
        			}













        APIs
        • GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 00409FC6
          • Part of subcall function 0040B234: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
          • Part of subcall function 0040B234: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1
        Similarity
        • API ID: FileModuleName$LibraryLoad
        • String ID:
        • API String ID: 4113206344-0
        • Opcode ID: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
        • Instruction ID: 1beb63cefa55d3dba2b36e2095187d50c135a0cf4330adb642bee8d6847d8901
        • Opcode Fuzzy Hash: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
        • Instruction Fuzzy Hash: 7BE0C971A013119BCB10DE58C8C5A4A3798AB08754F044AA6AD24DF387D3B5DD1487D5
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040CAA4() {
        				intOrPtr _v16;
        				struct _SYSTEM_INFO* _t3;
        
        				GetSystemInfo(_t3); // executed
        				return _v16;
        			}





        0x0040caa8
        0x0040cab4

        APIs
        Similarity
        • API ID: InfoSystem
        • String ID:
        • API String ID: 31276548-0
        • Opcode ID: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
        • Instruction ID: 4f21eec972071caf62eebbeb90550a79e4d7a8082c8b53f17589c9beddeb5e45
        • Opcode Fuzzy Hash: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
        • Instruction Fuzzy Hash: CDA012984088002AC404AB194C4340F39C819C1114FC40224745CB62C2E61D866403DB
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00403BCC(signed int __eax) {
        				void* _t4;
        				intOrPtr _t7;
        				signed int _t8;
        				void** _t10;
        				void* _t12;
        				void* _t14;
        
        				_t8 = __eax;
        				E00403B60(__eax);
        				_t4 = VirtualAlloc(0, 0x13fff0, 0x1000, 4); // executed
        				if(_t4 == 0) {
        					 *0x4bbaf0 = 0;
        					return 0;
        				} else {
        					_t10 =  *0x4bbadc; // 0x4bbad8
        					_t14 = _t4;
        					 *_t14 = 0x4bbad8;
        					 *0x4bbadc = _t4;
        					 *(_t14 + 4) = _t10;
        					 *_t10 = _t4;
        					_t12 = _t14 + 0x13fff0;
        					 *((intOrPtr*)(_t12 - 4)) = 2;
        					 *0x4bbaf0 = 0x13ffe0 - _t8;
        					_t7 = _t12 - _t8;
        					 *0x4bbaec = _t7;
        					 *(_t7 - 4) = _t8 | 0x00000002;
        					return _t7;
        				}
        			}










        APIs
        • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,004041E3,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000), ref: 00403BE3
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
        • Instruction ID: ee114c9f451a66722181258b66a673b4223530c98f306d9f720d31c7abdd50f3
        • Opcode Fuzzy Hash: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
        • Instruction Fuzzy Hash: 71F087F2F002404FE7249F799D40742BAE8E709315B10827EE908EB799E7F488018B88
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 78%
        			E0040A928(short* __eax, intOrPtr __edx) {
        				short* _v8;
        				intOrPtr _v12;
        				intOrPtr _v16;
        				void* _v20;
        				struct _WIN32_FIND_DATAW _v612;
        				short _v1134;
        				signed int _t50;
        				signed int _t51;
        				void* _t55;
        				signed int _t88;
        				signed int _t89;
        				intOrPtr* _t90;
        				signed int _t101;
        				signed int _t102;
        				short* _t112;
        				struct HINSTANCE__* _t113;
        				short* _t115;
        				short* _t116;
        				void* _t117;
        
        				_v12 = __edx;
        				_v8 = __eax;
        				_v16 = _v8;
        				_t113 = GetModuleHandleW(L"kernel32.dll");
        				if(_t113 == 0) {
        					L4:
        					if( *_v8 != 0x5c) {
        						_t115 = _v8 + 4;
        						goto L10;
        					} else {
        						if( *((short*)(_v8 + 2)) == 0x5c) {
        							_t116 = E0040A904(_v8 + 4);
        							if( *_t116 != 0) {
        								_t14 = _t116 + 2; // 0x2
        								_t115 = E0040A904(_t14);
        								if( *_t115 != 0) {
        									L10:
        									_t88 = _t115 - _v8;
        									_t89 = _t88 >> 1;
        									if(_t88 < 0) {
        										asm("adc ebx, 0x0");
        									}
        									_t43 = _t89 + 1;
        									if(_t89 + 1 <= 0x105) {
        										E0040A34C( &_v1134, _v8, _t43);
        										while( *_t115 != 0) {
        											_t112 = E0040A904(_t115 + 2);
        											_t50 = _t112 - _t115;
        											_t51 = _t50 >> 1;
        											if(_t50 < 0) {
        												asm("adc eax, 0x0");
        											}
        											if(_t51 + _t89 + 1 <= 0x105) {
        												_t55 =  &_v1134 + _t89 + _t89;
        												_t101 = _t112 - _t115;
        												_t102 = _t101 >> 1;
        												if(_t101 < 0) {
        													asm("adc edx, 0x0");
        												}
        												E0040A34C(_t55, _t115, _t102 + 1);
        												_v20 = FindFirstFileW( &_v1134,  &_v612);
        												if(_v20 != 0xffffffff) {
        													FindClose(_v20);
        													if(lstrlenW( &(_v612.cFileName)) + _t89 + 1 + 1 <= 0x105) {
        														 *((short*)(_t117 + _t89 * 2 - 0x46a)) = 0x5c;
        														E0040A34C( &_v1134 + _t89 + _t89 + 2,  &(_v612.cFileName), 0x105 - _t89 - 1);
        														_t89 = _t89 + lstrlenW( &(_v612.cFileName)) + 1;
        														_t115 = _t112;
        														continue;
        													}
        												}
        											}
        											goto L24;
        										}
        										E0040A34C(_v8,  &_v1134, _v12);
        									}
        								}
        							}
        						}
        					}
        				} else {
        					_t90 = GetProcAddress(_t113, "GetLongPathNameW");
        					if(_t90 == 0) {
        						goto L4;
        					} else {
        						_push(0x105);
        						_push( &_v1134);
        						_push(_v8);
        						if( *_t90() == 0) {
        							goto L4;
        						} else {
        							E0040A34C(_v8,  &_v1134, _v12);
        						}
        					}
        				}
        				L24:
        				return _v16;
        			}























        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,004162BC,?,?), ref: 0040A945
        • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A956
        • FindFirstFileW.KERNEL32(?,?,kernel32.dll,004162BC,?,?), ref: 0040AA56
        • FindClose.KERNEL32(?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA68
        • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA74
        • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AAB9
        Strings
        Similarity
        • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
        • String ID: GetLongPathNameW$\$kernel32.dll
        • API String ID: 1930782624-3908791685
        • Opcode ID: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
        • Instruction ID: 0568a8f2c4c85ac628058e700237ad117df8c3680498263a44950cac296231c5
        • Opcode Fuzzy Hash: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
        • Instruction Fuzzy Hash: 7841A071B003189BCB20DE98CD85A9EB3B5AB44310F1485B69945F72C1EB7CAE51CF4A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 91%
        			E004AF110() {
        				int _v4;
        				struct _TOKEN_PRIVILEGES _v16;
        				void* _v20;
        				int _t7;
        
        				if(E0041FF2C() != 2) {
        					L5:
        					_t7 = ExitWindowsEx(2, 0);
        					asm("sbb eax, eax");
        					return _t7 + 1;
        				}
        				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) != 0) {
        					LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &(_v16.Privileges));
        					_v16.PrivilegeCount = 1;
        					_v4 = 2;
        					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
        					if(GetLastError() == 0) {
        						goto L5;
        					}
        					return 0;
        				}
        				return 0;
        			}








        APIs
        • GetCurrentProcess.KERNEL32(00000028), ref: 004AF120
        • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004AF126
        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004AF13F
        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF166
        • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF16B
        • ExitWindowsEx.USER32 ref: 004AF17C
        Strings
        Similarity
        • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
        • String ID: SeShutdownPrivilege
        • API String ID: 107509674-3733053543
        • Opcode ID: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
        • Instruction ID: 15d82be9bc359c8987119149698676c325083c88dcd196a4f2f9cd1a299335ef
        • Opcode Fuzzy Hash: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
        • Instruction Fuzzy Hash: 75F06D70684301B5E610A6F2CD07F6B21C89B56B58FA00D3EBA84E91C2D7BDD81D42BF
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00427874() {
        				struct HINSTANCE__* _v8;
        				intOrPtr _t46;
        				void* _t91;
        
        				_v8 = GetModuleHandleW(L"oleaut32.dll");
        				 *0x4c1134 = E00427848("VariantChangeTypeEx", E00427264, _t91);
        				 *0x4c1138 = E00427848("VarNeg", E004272AC, _t91);
        				 *0x4c113c = E00427848("VarNot", E004272AC, _t91);
        				 *0x4c1140 = E00427848("VarAdd", E004272B8, _t91);
        				 *0x4c1144 = E00427848("VarSub", E004272B8, _t91);
        				 *0x4c1148 = E00427848("VarMul", E004272B8, _t91);
        				 *0x4c114c = E00427848("VarDiv", E004272B8, _t91);
        				 *0x4c1150 = E00427848("VarIdiv", E004272B8, _t91);
        				 *0x4c1154 = E00427848("VarMod", E004272B8, _t91);
        				 *0x4c1158 = E00427848("VarAnd", E004272B8, _t91);
        				 *0x4c115c = E00427848("VarOr", E004272B8, _t91);
        				 *0x4c1160 = E00427848("VarXor", E004272B8, _t91);
        				 *0x4c1164 = E00427848("VarCmp", E004272C4, _t91);
        				 *0x4c1168 = E00427848("VarI4FromStr", E004272D0, _t91);
        				 *0x4c116c = E00427848("VarR4FromStr", E0042733C, _t91);
        				 *0x4c1170 = E00427848("VarR8FromStr", E004273AC, _t91);
        				 *0x4c1174 = E00427848("VarDateFromStr", E0042741C, _t91);
        				 *0x4c1178 = E00427848("VarCyFromStr", E0042748C, _t91);
        				 *0x4c117c = E00427848("VarBoolFromStr", E004274FC, _t91);
        				 *0x4c1180 = E00427848("VarBstrFromCy", E0042757C, _t91);
        				 *0x4c1184 = E00427848("VarBstrFromDate", E00427624, _t91);
        				_t46 = E00427848("VarBstrFromBool", E004277B4, _t91);
        				 *0x4c1188 = _t46;
        				return _t46;
        			}






        APIs
        • GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 0042787D
          • Part of subcall function 00427848: GetProcAddress.KERNEL32(00000000), ref: 00427861
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
        • API String ID: 1646373207-1918263038
        • Opcode ID: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
        • Instruction ID: afb448a43cf45882875cbd5333393c9475fd06a837c60371df2c799b3a2ca9d5
        • Opcode Fuzzy Hash: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
        • Instruction Fuzzy Hash: 4741442078D2689A53007BAA3C0692A7B9CD64A7243E0E07FF5048B766DF7CAC40867D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 82%
        			E0041E7CC(void* __eax, void* __ebx, signed int __edx, void* __edi, void* __esi, long long __fp0) {
        				signed int _v8;
        				char _v12;
        				signed int _v16;
        				intOrPtr _v20;
        				intOrPtr* _t32;
        				signed int _t53;
        				signed int _t56;
        				signed int _t71;
        				signed int _t78;
        				signed int* _t82;
        				signed int _t85;
        				void* _t93;
        				signed int _t94;
        				signed int _t95;
        				signed int _t98;
        				signed int _t99;
        				void* _t105;
        				intOrPtr _t106;
        				signed int _t109;
        				intOrPtr _t116;
        				intOrPtr _t117;
        				void* _t131;
        				void* _t132;
        				signed int _t134;
        				void* _t136;
        				void* _t137;
        				void* _t139;
        				void* _t140;
        				intOrPtr _t141;
        				void* _t142;
        				long long _t161;
        
        				_t161 = __fp0;
        				_t126 = __edi;
        				_t109 = __edx;
        				_t139 = _t140;
        				_t141 = _t140 + 0xfffffff0;
        				_push(__edi);
        				_v12 = 0;
        				_v8 = __edx;
        				_t93 = __eax;
        				_push(_t139);
        				_push(0x41ea61);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t141;
        				_t32 =  *0x4ba590; // 0x4bb8f8
        				_t144 =  *_t32;
        				if( *_t32 == 0) {
        					E0040554C(0x1a);
        				}
        				E00406688(E0040690C( *0x4be7e4, 0, _t126), _t109 | 0xffffffff, _t144);
        				_push(_t139);
        				_push(0x41ea44);
        				_push( *[fs:edx]);
        				 *[fs:edx] = _t141;
        				 *0x4be7dc = 0;
        				_push(0);
        				E00409C00();
        				_t142 = _t141 + 4;
        				E0041E034(_t93, 0x41ea7c, 0x100b,  &_v12);
        				_t127 = E0041A1C4(0x41ea7c, 1, _t144);
        				if(_t127 + 0xfffffffd - 3 >= 0) {
        					__eflags = _t127 - 0xffffffffffffffff;
        					if(_t127 - 0xffffffffffffffff < 0) {
        						 *0x4be7dc = 1;
        						_push(1);
        						E00409C00();
        						_t142 = _t142 + 4;
        						E00407E00( *0x4be7e0, L"B.C.");
        						 *((intOrPtr*)( *0x4be7e0 + 4)) = 0;
        						_t71 =  *0x4be7e0;
        						 *((intOrPtr*)(_t71 + 8)) = 0xffc00000;
        						 *((intOrPtr*)(_t71 + 0xc)) = 0xc1dfffff;
        						E0041C1C4(1, 1, 1, __eflags, _t161);
        						_v20 = E00405790();
        						_v16 = 1;
        						asm("fild qword [ebp-0x10]");
        						 *((long long*)( *0x4be7e0 + 0x10)) = _t161;
        						asm("wait");
        						EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4);
        						_t78 =  *0x4be7e0;
        						__eflags = _t78;
        						if(_t78 != 0) {
        							_t82 = _t78 - 4;
        							__eflags = _t82;
        							_t78 =  *_t82;
        						}
        						_t134 = _t78 - 1;
        						__eflags = _t134;
        						if(_t134 > 0) {
        							_t98 = 1;
        							do {
        								 *((intOrPtr*)( *0x4be7e0 + 4 + (_t98 + _t98 * 2) * 8)) = 0xffffffff;
        								_t98 = _t98 + 1;
        								_t134 = _t134 - 1;
        								__eflags = _t134;
        							} while (_t134 != 0);
        						}
        						EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3);
        					}
        				} else {
        					EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4);
        					_t85 =  *0x4be7e0;
        					if(_t85 != 0) {
        						_t85 =  *(_t85 - 4);
        					}
        					_t136 = _t85 - 1;
        					if(_t136 >= 0) {
        						_t137 = _t136 + 1;
        						_t99 = 0;
        						do {
        							 *((intOrPtr*)( *0x4be7e0 + 4 + (_t99 + _t99 * 2) * 8)) = 0xffffffff;
        							_t99 = _t99 + 1;
        							_t137 = _t137 - 1;
        						} while (_t137 != 0);
        					}
        					EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3);
        				}
        				_t94 =  *0x4be7e0;
        				if(_t94 != 0) {
        					_t94 =  *(_t94 - 4);
        				}
        				_push(_t94);
        				E00409C00();
        				_t53 =  *0x4be7e0;
        				if(_t53 != 0) {
        					_t53 =  *(_t53 - 4);
        				}
        				_t131 = _t53 - 1;
        				if(_t131 >= 0) {
        					_t132 = _t131 + 1;
        					_t95 = 0;
        					do {
        						_t127 = _t95 + _t95 * 2;
        						_t106 =  *0x416e18; // 0x416e1c
        						E00408F5C( *((intOrPtr*)(_v8 + 0xbc)) + (_t95 + _t95 * 2) * 8, _t106,  *0x4be7e0 + (_t95 + _t95 * 2) * 8);
        						_t95 = _t95 + 1;
        						_t132 = _t132 - 1;
        					} while (_t132 != 0);
        				}
        				_t116 =  *0x41e600; // 0x41e604
        				E00409D24(0x4be7e0, _t116);
        				_t56 =  *0x4be7e0;
        				if(_t56 != 0) {
        					_t56 =  *(_t56 - 4);
        				}
        				 *0x4be7dc = _t56;
        				_pop(_t117);
        				_pop(_t105);
        				 *[fs:eax] = _t117;
        				_push(0x41ea4b);
        				return E00406868( *0x4be7e4, _t105, _t127);
        			}


































        APIs
        • GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E870
        • EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E87B
        • GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8B0
        • EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8BB
        • GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E94C
        • EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E957
        • GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E98E
        • EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E999
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: CalendarEnumInfoLocaleThread
        • String ID: B.C.$ToA$K$K$K
        • API String ID: 683597275-1724967715
        • Opcode ID: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
        • Instruction ID: 5f9a2d1895d99171d8daf0119b8bb3b5d98f795b9e196a74a36fcd0882631485
        • Opcode Fuzzy Hash: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
        • Instruction Fuzzy Hash: 3061D7786002009FD710EF2BCC85AD677A9FB84354B518A7AFC019B3A6CB78DC41CB99
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040A250() {
        				signed int _t2;
        				_Unknown_base(*)()* _t8;
        
        				InitializeCriticalSection(0x4bdc10);
        				 *0x4bdc28 = 0x7f;
        				_t2 = GetVersion() & 0x000000ff;
        				 *0x4bdc0c = _t2 - 6 >= 0;
        				if( *0x4bdc0c != 0) {
        					 *0x4bdc00 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadPreferredUILanguages");
        					 *0x4bdc04 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "SetThreadPreferredUILanguages");
        					_t8 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadUILanguage");
        					 *0x4bdc08 = _t8;
        					return _t8;
        				}
        				return _t2;
        			}





        APIs
        • InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
        • GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
        • GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
        • GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
        • GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: AddressHandleModuleProc$CriticalInitializeSectionVersion
        • String ID: GetThreadPreferredUILanguages$GetThreadUILanguage$SetThreadPreferredUILanguages$kernel32.dll
        • API String ID: 74573329-1403180336
        • Opcode ID: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
        • Instruction ID: d84369935ce7e940d286def53580bf621e493dc20acbcc0033f4522394103be5
        • Opcode Fuzzy Hash: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
        • Instruction Fuzzy Hash: F9F098A49853413DD6207F769D07B292D685A0170AF644AFFB410763D3EEFE4190E71E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 71%
        			E0041E0AC(int __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
        				char _v8;
        				char _v12;
        				char _v16;
        				char _v20;
        				char _v24;
        				char _v28;
        				char _v32;
        				char _v36;
        				char _v40;
        				char _v44;
        				char _v48;
        				char _v52;
        				char _v56;
        				char _v60;
        				int _t55;
        				void* _t121;
        				void* _t128;
        				void* _t151;
        				void* _t152;
        				intOrPtr _t172;
        				intOrPtr _t204;
        				signed short _t212;
        				int _t214;
        				intOrPtr _t216;
        				intOrPtr _t217;
        				void* _t224;
        
        				_t224 = __fp0;
        				_t211 = __edi;
        				_t216 = _t217;
        				_t152 = 7;
        				do {
        					_push(0);
        					_push(0);
        					_t152 = _t152 - 1;
        				} while (_t152 != 0);
        				_push(__edi);
        				_t151 = __edx;
        				_t214 = __eax;
        				_push(_t216);
        				_push(0x41e391);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t217;
        				_t55 = IsValidLocale(__eax, 1);
        				_t219 = _t55;
        				if(_t55 == 0) {
        					_t214 = GetThreadLocale();
        				}
        				_t172 =  *0x416f50; // 0x416f54
        				E00409D24(_t151 + 0xbc, _t172);
        				E0041E7CC(_t214, _t151, _t151, _t211, _t214, _t224);
        				E0041E4A0(_t214, _t151, _t151, _t211, _t214);
        				E0041E55C(_t214, _t151, _t151, _t211, _t214);
        				E0041E034(_t214, 0, 0x14,  &_v20);
        				E00407E00(_t151, _v20);
        				E0041E034(_t214, 0x41e3ac, 0x1b,  &_v24);
        				 *((char*)(_t151 + 4)) = E0041A1C4(0x41e3ac, 0, _t219);
        				E0041E034(_t214, 0x41e3ac, 0x1c,  &_v28);
        				 *((char*)(_t151 + 0xc6)) = E0041A1C4(0x41e3ac, 0, _t219);
        				 *((short*)(_t151 + 0xc0)) = E0041E080(_t214, 0x2c, 0xf);
        				 *((short*)(_t151 + 0xc2)) = E0041E080(_t214, 0x2e, 0xe);
        				E0041E034(_t214, 0x41e3ac, 0x19,  &_v32);
        				 *((char*)(_t151 + 5)) = E0041A1C4(0x41e3ac, 0, _t219);
        				_t212 = E0041E080(_t214, 0x2f, 0x1d);
        				 *(_t151 + 6) = _t212;
        				_push(_t212);
        				E0041EB18(_t214, _t151, L"m/d/yy", 0x1f, _t212, _t214, _t219,  &_v36);
        				E00407E00(_t151 + 0xc, _v36);
        				_push( *(_t151 + 6) & 0x0000ffff);
        				E0041EB18(_t214, _t151, L"mmmm d, yyyy", 0x20, _t212, _t214, _t219,  &_v40);
        				E00407E00(_t151 + 0x10, _v40);
        				 *((short*)(_t151 + 8)) = E0041E080(_t214, 0x3a, 0x1e);
        				E0041E034(_t214, 0x41e400, 0x28,  &_v44);
        				E00407E00(_t151 + 0x14, _v44);
        				E0041E034(_t214, 0x41e414, 0x29,  &_v48);
        				E00407E00(_t151 + 0x18, _v48);
        				E00407A20( &_v12);
        				E00407A20( &_v16);
        				E0041E034(_t214, 0x41e3ac, 0x25,  &_v52);
        				_t121 = E0041A1C4(0x41e3ac, 0, _t219);
        				_t220 = _t121;
        				if(_t121 != 0) {
        					E00407E48( &_v8, 0x41e438);
        				} else {
        					E00407E48( &_v8, 0x41e428);
        				}
        				E0041E034(_t214, 0x41e3ac, 0x23,  &_v56);
        				_t128 = E0041A1C4(0x41e3ac, 0, _t220);
        				_t221 = _t128;
        				if(_t128 == 0) {
        					E0041E034(_t214, 0x41e3ac, 0x1005,  &_v60);
        					if(E0041A1C4(0x41e3ac, 0, _t221) != 0) {
        						E00407E48( &_v12, L"AMPM ");
        					} else {
        						E00407E48( &_v16, L" AMPM");
        					}
        				}
        				_push(_v12);
        				_push(_v8);
        				_push(":mm");
        				_push(_v16);
        				E004087C4(_t151 + 0x1c, _t151, 4, _t212, _t214);
        				_push(_v12);
        				_push(_v8);
        				_push(L":mm:ss");
        				_push(_v16);
        				E004087C4(_t151 + 0x20, _t151, 4, _t212, _t214);
        				 *((short*)(_t151 + 0xa)) = E0041E080(_t214, 0x2c, 0xc);
        				 *((short*)(_t151 + 0xc4)) = 0x32;
        				_pop(_t204);
        				 *[fs:eax] = _t204;
        				_push(0x41e398);
        				return E00407A80( &_v60, 0xe);
        			}





























        APIs
        • IsValidLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0D3
        • GetThreadLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0DC
          • Part of subcall function 0041E080: GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E182,?,00000001,00000000,0041E391), ref: 0041E093
          • Part of subcall function 0041E034: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E052
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: Locale$Info$ThreadValid
        • String ID: AMPM$2$:mm$:mm:ss$AMPM $ToA$m/d/yy$mmmm d, yyyy
        • API String ID: 233154393-2808312488
        • Opcode ID: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
        • Instruction ID: 756c878950b08f5201d8436663b045c7a1b9734561897f0b9d621fb0846820d7
        • Opcode Fuzzy Hash: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
        • Instruction Fuzzy Hash: 887134387011199BDB05EB67C841BDE76AADF88304F50807BF904AB246DB3DDD82879E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 71%
        			E0040A7E4(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
        				char _v8;
        				void* _t18;
        				signed short _t28;
        				intOrPtr _t35;
        				intOrPtr* _t44;
        				intOrPtr _t47;
        
        				_t42 = __edi;
        				_push(0);
        				_push(__ebx);
        				_push(__esi);
        				_t44 = __edx;
        				_t28 = __eax;
        				_push(_t47);
        				_push(0x40a8e8);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t47;
        				EnterCriticalSection(0x4bdc10);
        				if(_t28 !=  *0x4bdc28) {
        					LeaveCriticalSection(0x4bdc10);
        					E00407A20(_t44);
        					if(IsValidLocale(_t28 & 0x0000ffff, 2) != 0) {
        						if( *0x4bdc0c == 0) {
        							_t18 = E0040A4CC(_t28, _t28, _t44, __edi, _t44);
        							L00403738();
        							if(_t28 != _t18) {
        								if( *_t44 != 0) {
        									_t18 = E004086E4(_t44, E0040A900);
        								}
        								L00403738();
        								E0040A4CC(_t18, _t28,  &_v8, _t42, _t44);
        								E004086E4(_t44, _v8);
        							}
        						} else {
        							E0040A6C8(_t28, _t44);
        						}
        					}
        					EnterCriticalSection(0x4bdc10);
        					 *0x4bdc28 = _t28;
        					E0040A34C(0x4bdc2a, E004084EC( *_t44), 0xaa);
        					LeaveCriticalSection(0x4bdc10);
        				} else {
        					E0040858C(_t44, 0x55, 0x4bdc2a);
        					LeaveCriticalSection(0x4bdc10);
        				}
        				_pop(_t35);
        				 *[fs:eax] = _t35;
        				_push(E0040A8EF);
        				return E00407A20( &_v8);
        			}









        APIs
        • EnterCriticalSection.KERNEL32(004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000,00000000), ref: 0040A802
        • LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A826
        • LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A835
        • IsValidLocale.KERNEL32(00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A847
        • EnterCriticalSection.KERNEL32(004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8A4
        • LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8CD
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: CriticalSection$Leave$Enter$LocaleValid
        • String ID: en-US,en,
        • API String ID: 975949045-3579323720
        • Opcode ID: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
        • Instruction ID: af4c48ae6f9d4b9345a2e7437780db60bfff4a38cfd5d6d0e3948ff18df55379
        • Opcode Fuzzy Hash: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
        • Instruction Fuzzy Hash: 31218461B1031077DA11BB668C03B5E29A89B44705BA0887BB140B32D2EEBD8D52D66F
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 61%
        			E0042301C(void* __ebx, void* __esi, void* __eflags) {
        				char _v8;
        				void* _v12;
        				char _v16;
        				char _v20;
        				intOrPtr* _t21;
        				intOrPtr _t61;
        				void* _t68;
        
        				_push(__ebx);
        				_v20 = 0;
        				_v8 = 0;
        				_push(_t68);
        				_push(0x423116);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t68 + 0xfffffff0;
        				_t21 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"GetUserDefaultUILanguage");
        				if(_t21 == 0) {
        					if(E0041FF2C() != 2) {
        						if(E00422FF4(0, L"Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v12, 1, 0) == 0) {
        							E00422FE8();
        							RegCloseKey(_v12);
        						}
        					} else {
        						if(E00422FF4(0, L".DEFAULT\\Control Panel\\International", 0x80000003,  &_v12, 1, 0) == 0) {
        							E00422FE8();
        							RegCloseKey(_v12);
        						}
        					}
        					E0040873C( &_v20, _v8, 0x42322c);
        					E00405920(_v20,  &_v16);
        					if(_v16 != 0) {
        					}
        				} else {
        					 *_t21();
        				}
        				_pop(_t61);
        				 *[fs:eax] = _t61;
        				_push(E0042311D);
        				E00407A20( &_v20);
        				return E00407A20( &_v8);
        			}

        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423043
          • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
        • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423096
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: AddressCloseHandleModuleProc
        • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
        • API String ID: 4190037839-2401316094
        • Opcode ID: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
        • Instruction ID: 05790bdd6973bc135d390eb6e5b6569f0703c8ea8b4006eead18837270f0a894
        • Opcode Fuzzy Hash: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
        • Instruction Fuzzy Hash: 39217930B00228ABDB10EEB5DD42A9F73F4EB44345FA04477A500E3281DB7CAB41962D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 67%
        			E0040D218(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
        				long _v8;
        				signed int _v12;
        				long _v16;
        				void* _v20;
        				long _v24;
        				intOrPtr _v28;
        				intOrPtr _v32;
        				intOrPtr _v36;
        				intOrPtr _v40;
        				intOrPtr _v44;
        				struct HINSTANCE__** _v48;
        				CHAR* _v52;
        				void _v56;
        				long _v60;
        				_Unknown_base(*)()* _v64;
        				struct HINSTANCE__* _v68;
        				CHAR* _v72;
        				signed int _v76;
        				CHAR* _v80;
        				intOrPtr* _v84;
        				void* _v88;
        				void _v92;
        				signed int _t104;
        				signed int _t106;
        				signed int _t108;
        				long _t113;
        				intOrPtr* _t119;
        				void* _t124;
        				void _t126;
        				long _t128;
        				struct HINSTANCE__* _t142;
        				long _t166;
        				signed int* _t190;
        				_Unknown_base(*)()* _t191;
        				void* _t194;
        				intOrPtr _t196;
        
        				_push(_a4);
        				memcpy( &_v56, 0x4b7c40, 8 << 2);
        				_pop(_t194);
        				_v56 =  *0x4b7c40;
        				_v52 = E0040D6C8( *0x004B7C44);
        				_v48 = E0040D6D8( *0x004B7C48);
        				_v44 = E0040D6E8( *0x004B7C4C);
        				_v40 = E0040D6F8( *0x004B7C50);
        				_v36 = E0040D6F8( *0x004B7C54);
        				_v32 = E0040D6F8( *0x004B7C58);
        				_v28 =  *0x004B7C5C;
        				memcpy( &_v92, 0x4b7c60, 9 << 2);
        				_t196 = _t194;
        				_v88 = 0x4b7c60;
        				_v84 = _a8;
        				_v80 = _v52;
        				if((_v56 & 0x00000001) == 0) {
        					_t166 =  *0x4b7c84; // 0x0
        					_v8 = _t166;
        					_v8 =  &_v92;
        					RaiseException(0xc06d0057, 0, 1,  &_v8);
        					return 0;
        				}
        				_t104 = _a8 - _v44;
        				_t142 =  *_v48;
        				if(_t104 < 0) {
        					_t104 = _t104 + 3;
        				}
        				_v12 = _t104 >> 2;
        				_t106 = _v12;
        				_t190 = (_t106 << 2) + _v40;
        				_t108 = (_t106 & 0xffffff00 | (_t190[0] & 0x00000080) == 0x00000000) & 0x00000001;
        				_v76 = _t108;
        				if(_t108 == 0) {
        					_v72 =  *_t190 & 0x0000ffff;
        				} else {
        					_v72 = E0040D708( *_t190) + 2;
        				}
        				_t191 = 0;
        				if( *0x4be640 == 0) {
        					L10:
        					if(_t142 != 0) {
        						L25:
        						_v68 = _t142;
        						if( *0x4be640 != 0) {
        							_t191 =  *0x4be640(2,  &_v92);
        						}
        						if(_t191 != 0) {
        							L36:
        							if(_t191 == 0) {
        								_v60 = GetLastError();
        								if( *0x4be644 != 0) {
        									_t191 =  *0x4be644(4,  &_v92);
        								}
        								if(_t191 == 0) {
        									_t113 =  *0x4b7c8c; // 0x0
        									_v24 = _t113;
        									_v24 =  &_v92;
        									RaiseException(0xc06d007f, 0, 1,  &_v24);
        									_t191 = _v64;
        								}
        							}
        							goto L41;
        						} else {
        							if( *((intOrPtr*)(_t196 + 0x14)) == 0 ||  *((intOrPtr*)(_t196 + 0x1c)) == 0) {
        								L35:
        								_t191 = GetProcAddress(_t142, _v72);
        								goto L36;
        							} else {
        								_t119 =  *((intOrPtr*)(_t142 + 0x3c)) + _t142;
        								if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 8)) != _v28 || (( *(_t119 + 0x34) & 0xffffff00 |  *(_t119 + 0x34) == _t142) & 0x00000001) == 0) {
        									goto L35;
        								} else {
        									_t191 =  *((intOrPtr*)(_v36 + _v12 * 4));
        									if(_t191 == 0) {
        										goto L35;
        									}
        									L41:
        									 *_a8 = _t191;
        									goto L42;
        								}
        							}
        						}
        					}
        					if( *0x4be640 != 0) {
        						_t142 =  *0x4be640(1,  &_v92);
        					}
        					if(_t142 == 0) {
        						_t142 = LoadLibraryA(_v80);
        					}
        					if(_t142 != 0) {
        						L20:
        						if(_t142 == E0040CBA0(_v48, _t142)) {
        							FreeLibrary(_t142);
        						} else {
        							if( *((intOrPtr*)(_t196 + 0x18)) != 0) {
        								_t124 = LocalAlloc(0x40, 8);
        								_v20 = _t124;
        								if(_t124 != 0) {
        									 *((intOrPtr*)(_v20 + 4)) = _t196;
        									_t126 =  *0x4b7c3c; // 0x0
        									 *_v20 = _t126;
        									 *0x4b7c3c = _v20;
        								}
        							}
        						}
        						goto L25;
        					} else {
        						_v60 = GetLastError();
        						if( *0x4be644 != 0) {
        							_t142 =  *0x4be644(3,  &_v92);
        						}
        						if(_t142 != 0) {
        							goto L20;
        						} else {
        							_t128 =  *0x4b7c88; // 0x0
        							_v16 = _t128;
        							_v16 =  &_v92;
        							RaiseException(0xc06d007e, 0, 1,  &_v16);
        							return _v64;
        						}
        					}
        				} else {
        					_t191 =  *0x4be640(0,  &_v92);
        					if(_t191 == 0) {
        						goto L10;
        					} else {
        						L42:
        						if( *0x4be640 != 0) {
        							_v60 = 0;
        							_v68 = _t142;
        							_v64 = _t191;
        							 *0x4be640(5,  &_v92);
        						}
        						return _t191;
        					}
        				}
        			}

        APIs
        • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040D2D0
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: ExceptionRaise
        • String ID:
        • API String ID: 3997070919-0
        • Opcode ID: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
        • Instruction ID: 6bdc8742f8c12d3c05e6aa795b4e0fa0c425ed74332de7fca684440f38d882f1
        • Opcode Fuzzy Hash: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
        • Instruction Fuzzy Hash: 7CA16F75D002089FDB14DFE9D881BAEB7B5BB88300F14423AE505B73C1DB78A949CB59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 72%
        			E004047B0(int __eax, void* __ecx, void* __edx) {
        				long _v12;
        				int _t4;
        				long _t7;
        				void* _t11;
        				long _t12;
        				void* _t13;
        				long _t18;
        
        				_t4 = __eax;
        				_t24 = __edx;
        				_t20 = __eax;
        				if( *0x4bb058 == 0) {
        					_push(0x2010);
        					_push(__edx);
        					_push(__eax);
        					_push(0);
        					L00403780();
        				} else {
        					_t7 = E00407EF0(__edx);
        					WriteFile(GetStdHandle(0xfffffff4), _t24, _t7,  &_v12, 0);
        					_t11 =  *0x4b7078; // 0x403920
        					_t12 = E00407EF0(_t11);
        					_t13 =  *0x4b7078; // 0x403920
        					WriteFile(GetStdHandle(0xfffffff4), _t13, _t12,  &_v12, 0);
        					_t18 = E00407EF0(_t20);
        					_t4 = WriteFile(GetStdHandle(0xfffffff4), _t20, _t18,  &_v12, 0);
        				}
        				return _t4;
        			}

        APIs
        • GetStdHandle.KERNEL32(000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D2
        • WriteFile.KERNEL32(00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D8
        • GetStdHandle.KERNEL32(000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047F7
        • WriteFile.KERNEL32(00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047FD
        • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?), ref: 00404814
        • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000), ref: 0040481A
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: FileHandleWrite
        • String ID: 9@
        • API String ID: 3320372497-3209974744
        • Opcode ID: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
        • Instruction ID: 9b3b4e35e49a927b8991458b20a1a8ec0ccf5b925403b1971dfbe1b0899ab5f0
        • Opcode Fuzzy Hash: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
        • Instruction Fuzzy Hash: 2001AEE25492103DE110F7A69C85F57168C8B4472AF10467F7218F35D2C9395D44927E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 91%
        			E0040426C(void* __eax, signed int __edi, void* __ebp) {
        				struct _MEMORY_BASIC_INFORMATION _v44;
        				void* _v48;
        				signed int __ebx;
        				void* _t58;
        				signed int _t61;
        				signed int _t67;
        				void _t70;
        				int _t71;
        				signed int _t78;
        				void* _t79;
        				signed int _t81;
        				intOrPtr _t82;
        				signed int _t87;
        				signed int _t88;
        				signed int _t89;
        				signed int _t92;
        				void* _t96;
        				signed int _t99;
        				void* _t103;
        				intOrPtr _t104;
        				void* _t106;
        				void* _t108;
        				signed int _t113;
        				void* _t115;
        				void* _t116;
        
        				_t56 = __eax;
        				_t89 =  *(__eax - 4);
        				_t78 =  *0x4bb059; // 0x0
        				if((_t89 & 0x00000007) != 0) {
        					__eflags = _t89 & 0x00000005;
        					if((_t89 & 0x00000005) != 0) {
        						_pop(_t78);
        						__eflags = _t89 & 0x00000003;
        						if((_t89 & 0x00000003) == 0) {
        							_push(_t78);
        							_push(__edi);
        							_t116 = _t115 + 0xffffffdc;
        							_t103 = __eax - 0x10;
        							E00403C48();
        							_t58 = _t103;
        							 *_t116 =  *_t58;
        							_v48 =  *((intOrPtr*)(_t58 + 4));
        							_t92 =  *(_t58 + 0xc);
        							if((_t92 & 0x00000008) != 0) {
        								_t79 = _t103;
        								_t113 = _t92 & 0xfffffff0;
        								_t99 = 0;
        								__eflags = 0;
        								while(1) {
        									VirtualQuery(_t79,  &_v44, 0x1c);
        									_t61 = VirtualFree(_t79, 0, 0x8000);
        									__eflags = _t61;
        									if(_t61 == 0) {
        										_t99 = _t99 | 0xffffffff;
        										goto L10;
        									}
        									_t104 = _v44.RegionSize;
        									__eflags = _t113 - _t104;
        									if(_t113 > _t104) {
        										_t113 = _t113 - _t104;
        										_t79 = _t79 + _t104;
        										continue;
        									}
        									goto L10;
        								}
        							} else {
        								if(VirtualFree(_t103, 0, 0x8000) == 0) {
        									_t99 = __edi | 0xffffffff;
        								} else {
        									_t99 = 0;
        								}
        							}
        							L10:
        							if(_t99 == 0) {
        								 *_v48 =  *_t116;
        								 *( *_t116 + 4) = _v48;
        							}
        							 *0x4bdb78 = 0;
        							return _t99;
        						} else {
        							return 0xffffffff;
        						}
        					} else {
        						goto L31;
        					}
        				} else {
        					__eflags = __bl;
        					__ebx =  *__edx;
        					if(__eflags != 0) {
        						while(1) {
        							__eax = 0x100;
        							asm("lock cmpxchg [ebx], ah");
        							if(__eflags == 0) {
        								goto L14;
        							}
        							asm("pause");
        							__eflags =  *0x4bb989;
        							if(__eflags != 0) {
        								continue;
        							} else {
        								Sleep(0);
        								__edx = __edx;
        								__ecx = __ecx;
        								__eax = 0x100;
        								asm("lock cmpxchg [ebx], ah");
        								if(__eflags != 0) {
        									Sleep(0xa);
        									__edx = __edx;
        									__ecx = __ecx;
        									continue;
        								}
        							}
        							goto L14;
        						}
        					}
        					L14:
        					_t14 = __edx + 0x14;
        					 *_t14 =  *(__edx + 0x14) - 1;
        					__eflags =  *_t14;
        					__eax =  *(__edx + 0x10);
        					if( *_t14 == 0) {
        						__eflags = __eax;
        						if(__eax == 0) {
        							L20:
        							 *(__ebx + 0x14) = __eax;
        						} else {
        							__eax =  *(__edx + 0xc);
        							__ecx =  *(__edx + 8);
        							 *(__eax + 8) = __ecx;
        							 *(__ecx + 0xc) = __eax;
        							__eax = 0;
        							__eflags =  *((intOrPtr*)(__ebx + 0x18)) - __edx;
        							if( *((intOrPtr*)(__ebx + 0x18)) == __edx) {
        								goto L20;
        							}
        						}
        						 *__ebx = __al;
        						__eax = __edx;
        						__edx =  *(__edx - 4);
        						__bl =  *0x4bb059; // 0x0
        						L31:
        						__eflags = _t78;
        						_t81 = _t89 & 0xfffffff0;
        						_push(_t101);
        						_t106 = _t56;
        						if(__eflags != 0) {
        							while(1) {
        								_t67 = 0x100;
        								asm("lock cmpxchg [0x4bbae8], ah");
        								if(__eflags == 0) {
        									goto L32;
        								}
        								asm("pause");
        								__eflags =  *0x4bb989;
        								if(__eflags != 0) {
        									continue;
        								} else {
        									Sleep(0);
        									_t67 = 0x100;
        									asm("lock cmpxchg [0x4bbae8], ah");
        									if(__eflags != 0) {
        										Sleep(0xa);
        										continue;
        									}
        								}
        								goto L32;
        							}
        						}
        						L32:
        						__eflags = (_t106 - 4)[_t81] & 0x00000001;
        						_t87 = (_t106 - 4)[_t81];
        						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
        							_t67 = _t81 + _t106;
        							_t88 = _t87 & 0xfffffff0;
        							_t81 = _t81 + _t88;
        							__eflags = _t88 - 0xb30;
        							if(_t88 >= 0xb30) {
        								_t67 = E00403AC0(_t67);
        							}
        						} else {
        							_t88 = _t87 | 0x00000008;
        							__eflags = _t88;
        							(_t106 - 4)[_t81] = _t88;
        						}
        						__eflags =  *(_t106 - 4) & 0x00000008;
        						if(( *(_t106 - 4) & 0x00000008) != 0) {
        							_t88 =  *(_t106 - 8);
        							_t106 = _t106 - _t88;
        							_t81 = _t81 + _t88;
        							__eflags = _t88 - 0xb30;
        							if(_t88 >= 0xb30) {
        								_t67 = E00403AC0(_t106);
        							}
        						}
        						__eflags = _t81 - 0x13ffe0;
        						if(_t81 == 0x13ffe0) {
        							__eflags =  *0x4bbaf0 - 0x13ffe0;
        							if( *0x4bbaf0 != 0x13ffe0) {
        								_t82 = _t106 + 0x13ffe0;
        								E00403B60(_t67);
        								 *((intOrPtr*)(_t82 - 4)) = 2;
        								 *0x4bbaf0 = 0x13ffe0;
        								 *0x4bbaec = _t82;
        								 *0x4bbae8 = 0;
        								__eflags = 0;
        								return 0;
        							} else {
        								_t108 = _t106 - 0x10;
        								_t70 =  *_t108;
        								_t96 =  *(_t108 + 4);
        								 *(_t70 + 4) = _t96;
        								 *_t96 = _t70;
        								 *0x4bbae8 = 0;
        								_t71 = VirtualFree(_t108, 0, 0x8000);
        								__eflags = _t71 - 1;
        								asm("sbb eax, eax");
        								return _t71;
        							}
        						} else {
        							 *(_t106 - 4) = _t81 + 3;
        							 *(_t106 - 8 + _t81) = _t81;
        							E00403B00(_t106, _t88, _t81);
        							 *0x4bbae8 = 0;
        							__eflags = 0;
        							return 0;
        						}
        					} else {
        						__eflags = __eax;
        						 *(__edx + 0x10) = __ecx;
        						 *(__ecx - 4) = __eax;
        						if(__eflags == 0) {
        							__ecx =  *(__ebx + 8);
        							 *(__edx + 0xc) = __ebx;
        							 *(__edx + 8) = __ecx;
        							 *(__ecx + 0xc) = __edx;
        							 *(__ebx + 8) = __edx;
        							 *__ebx = 0;
        							__eax = 0;
        							__eflags = 0;
        							_pop(__ebx);
        							return 0;
        						} else {
        							__eax = 0;
        							__eflags = 0;
        							 *__ebx = __al;
        							_pop(__ebx);
        							return 0;
        						}
        					}
        				}
        			}

        APIs
        • Sleep.KERNEL32(00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA,00000000), ref: 00404302
        • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA), ref: 0040431C
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: Sleep
        • String ID:
        • API String ID: 3472027048-0
        • Opcode ID: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
        • Instruction ID: daf3465a9571387f72e828d046180f4ce70f3b260d456b91f151aa63c4646fa2
        • Opcode Fuzzy Hash: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
        • Instruction Fuzzy Hash: AA71E2B17042008BD715DF29CC84B16BBD8AF85715F2482BFE984AB3D2D7B899418789
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 62%
        			E0041F0F4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
        				char* _v8;
        				long _v12;
        				short _v140;
        				short _v2188;
        				void* _t15;
        				char* _t17;
        				intOrPtr _t19;
        				intOrPtr _t30;
        				long _t48;
        				intOrPtr _t56;
        				intOrPtr _t57;
        				int _t61;
        				void* _t64;
        
        				_push(__ebx);
        				_push(__esi);
        				_v8 = 0;
        				_push(_t64);
        				_push(0x41f219);
        				_push( *[fs:ecx]);
        				 *[fs:ecx] = _t64 + 0xfffff778;
        				_t61 = E0041EEFC(_t15, __ebx,  &_v2188, __edx, __edi, __esi, 0x400);
        				_t17 =  *0x4ba6c0; // 0x4bb058
        				if( *_t17 == 0) {
        					_t19 =  *0x4ba4f8; // 0x40e710
        					_t11 = _t19 + 4; // 0xffed
        					LoadStringW(E00409FF0( *0x4be634),  *_t11,  &_v140, 0x40);
        					MessageBoxW(0,  &_v2188,  &_v140, 0x2010);
        				} else {
        					_t30 =  *0x4ba524; // 0x4bb340
        					E00405564(E00405820(_t30));
        					_t48 = WideCharToMultiByte(1, 0,  &_v2188, _t61, 0, 0, 0, 0);
        					_push(_t48);
        					E00409C00();
        					WideCharToMultiByte(1, 0,  &_v2188, _t61, _v8, _t48, 0, 0);
        					WriteFile(GetStdHandle(0xfffffff4), _v8, _t48,  &_v12, 0);
        					WriteFile(GetStdHandle(0xfffffff4), 0x41f234, 2,  &_v12, 0);
        				}
        				_pop(_t56);
        				 *[fs:eax] = _t56;
        				_push(0x41f220);
        				_t57 =  *0x41f0c4; // 0x41f0c8
        				return E00409D24( &_v8, _t57);
        			}


        APIs
          • Part of subcall function 0041EEFC: VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
          • Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
          • Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
          • Part of subcall function 0041EEFC: LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009
        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,0041F219), ref: 0041F155
        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F188
        • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F19A
        • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F1A0
        • GetStdHandle.KERNEL32(000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0041F1B4
        • WriteFile.KERNEL32(00000000,000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 0041F1BA
        • LoadStringW.USER32(00000000,0000FFED,?,00000040), ref: 0041F1DE
        • MessageBoxW.USER32(00000000,?,?,00002010), ref: 0041F1F8
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
        • String ID:
        • API String ID: 135118572-0
        • Opcode ID: deb6da76ab9c4b496f2ff2870dbb370d0f709f8902d14da44dea0f11333fc18e
        • Instruction ID: 441773961034998e17761d3334fa1b60ae8bad0ad03d42d5622a75f3c8f76c28
        • Opcode Fuzzy Hash: deb6da76ab9c4b496f2ff2870dbb370d0f709f8902d14da44dea0f11333fc18e
        • Instruction Fuzzy Hash: 7D31CF75640204BFE714E796CC42FDA77ACEB08704F9044BABA04F71D2DA786E548B6D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 88%
        			E00404464(signed int __eax, intOrPtr __edx, void* __edi) {
        				signed int __ebx;
        				void* __esi;
        				signed int _t69;
        				signed int _t78;
        				signed int _t93;
        				long _t94;
        				void* _t100;
        				signed int _t102;
        				signed int _t109;
        				signed int _t115;
        				signed int _t123;
        				signed int _t129;
        				void* _t131;
        				signed int _t140;
        				unsigned int _t148;
        				signed int _t150;
        				long _t152;
        				signed int _t156;
        				intOrPtr _t161;
        				signed int _t166;
        				signed int _t170;
        				unsigned int _t171;
        				intOrPtr _t174;
        				intOrPtr _t192;
        				signed int _t195;
        				signed int _t196;
        				signed int _t197;
        				void* _t205;
        				unsigned int _t207;
        				intOrPtr _t213;
        				void* _t225;
        				intOrPtr _t227;
        				void* _t228;
        				signed int _t230;
        				void* _t232;
        				signed int _t233;
        				signed int _t234;
        				signed int _t238;
        				signed int _t241;
        				void* _t243;
        				intOrPtr* _t244;
        
        				_t176 = __edx;
        				_t66 = __eax;
        				_t166 =  *(__eax - 4);
        				_t217 = __eax;
        				if((_t166 & 0x00000007) != 0) {
        					__eflags = _t166 & 0x00000005;
        					if((_t166 & 0x00000005) != 0) {
        						_pop(_t217);
        						_pop(_t145);
        						__eflags = _t166 & 0x00000003;
        						if((_t166 & 0x00000003) == 0) {
        							_push(_t145);
        							_push(__eax);
        							_push(__edi);
        							_push(_t225);
        							_t244 = _t243 + 0xffffffe0;
        							_t218 = __edx;
        							_t202 = __eax;
        							_t69 =  *(__eax - 4);
        							_t148 = (0xfffffff0 & _t69) - 0x14;
        							if(0xfffffff0 >= __edx) {
        								__eflags = __edx - _t148 >> 1;
        								if(__edx < _t148 >> 1) {
        									_t150 = E00403EE8(__edx);
        									__eflags = _t150;
        									if(_t150 != 0) {
        										__eflags = _t218 - 0x40a2c;
        										if(_t218 > 0x40a2c) {
        											_t78 = _t202 - 0x10;
        											__eflags = _t78;
        											 *((intOrPtr*)(_t78 + 8)) = _t218;
        										}
        										E00403AA4(_t202, _t218, _t150);
        										E0040426C(_t202, _t202, _t225);
        									}
        								} else {
        									_t150 = __eax;
        									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
        								}
        							} else {
        								if(0xfffffff0 <= __edx) {
        									_t227 = __edx;
        								} else {
        									_t227 = 0xbadb9d;
        								}
        								 *_t244 = _t202 - 0x10 + (_t69 & 0xfffffff0);
        								VirtualQuery( *(_t244 + 8), _t244 + 8, 0x1c);
        								if( *((intOrPtr*)(_t244 + 0x14)) != 0x10000) {
        									L12:
        									_t150 = E00403EE8(_t227);
        									__eflags = _t150;
        									if(_t150 != 0) {
        										__eflags = _t227 - 0x40a2c;
        										if(_t227 > 0x40a2c) {
        											_t93 = _t150 - 0x10;
        											__eflags = _t93;
        											 *((intOrPtr*)(_t93 + 8)) = _t218;
        										}
        										E00403A74(_t202,  *((intOrPtr*)(_t202 - 0x10 + 8)), _t150);
        										E0040426C(_t202, _t202, _t227);
        									}
        								} else {
        									 *(_t244 + 0x10) =  *(_t244 + 0x10) & 0xffff0000;
        									_t94 =  *(_t244 + 0x10);
        									if(_t218 - _t148 >= _t94) {
        										goto L12;
        									} else {
        										_t152 = _t227 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
        										if(_t94 < _t152) {
        											_t152 = _t94;
        										}
        										if(VirtualAlloc( *(_t244 + 0xc), _t152, 0x2000, 4) == 0 || VirtualAlloc( *(_t244 + 0xc), _t152, 0x1000, 4) == 0) {
        											goto L12;
        										} else {
        											_t100 = _t202 - 0x10;
        											 *((intOrPtr*)(_t100 + 8)) = _t218;
        											 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
        											_t150 = _t202;
        										}
        									}
        								}
        							}
        							return _t150;
        						} else {
        							__eflags = 0;
        							return 0;
        						}
        					} else {
        						_t170 = _t166 & 0xfffffff0;
        						_push(__edi);
        						_t205 = _t170 + __eax;
        						_t171 = _t170 - 4;
        						_t156 = _t166 & 0x0000000f;
        						__eflags = __edx - _t171;
        						_push(_t225);
        						if(__edx > _t171) {
        							_t102 =  *(_t205 - 4);
        							__eflags = _t102 & 0x00000001;
        							if((_t102 & 0x00000001) == 0) {
        								L75:
        								asm("adc edi, 0xffffffff");
        								_t228 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
        								_t207 = _t171;
        								_t109 = E00403EE8(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
        								_t192 = _t176;
        								__eflags = _t109;
        								if(_t109 == 0) {
        									goto L73;
        								} else {
        									__eflags = _t228 - 0x40a2c;
        									if(_t228 > 0x40a2c) {
        										 *((intOrPtr*)(_t109 - 8)) = _t192;
        									}
        									_t230 = _t109;
        									E00403A74(_t217, _t207, _t109);
        									E0040426C(_t217, _t207, _t230);
        									return _t230;
        								}
        							} else {
        								_t115 = _t102 & 0xfffffff0;
        								_t232 = _t171 + _t115;
        								__eflags = __edx - _t232;
        								if(__edx > _t232) {
        									goto L75;
        								} else {
        									__eflags =  *0x4bb059;
        									if(__eflags == 0) {
        										L66:
        										__eflags = _t115 - 0xb30;
        										if(_t115 >= 0xb30) {
        											E00403AC0(_t205);
        											_t176 = _t176;
        											_t171 = _t171;
        										}
        										asm("adc edi, 0xffffffff");
        										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
        										_t195 = _t232 + 4 - _t123;
        										__eflags = _t195;
        										if(_t195 > 0) {
        											 *(_t217 + _t232 - 4) = _t195;
        											 *((intOrPtr*)(_t217 - 4 + _t123)) = _t195 + 3;
        											_t233 = _t123;
        											__eflags = _t195 - 0xb30;
        											if(_t195 >= 0xb30) {
        												__eflags = _t123 + _t217;
        												E00403B00(_t123 + _t217, _t171, _t195);
        											}
        										} else {
        											 *(_t217 + _t232) =  *(_t217 + _t232) & 0xfffffff7;
        											_t233 = _t232 + 4;
        										}
        										_t234 = _t233 | _t156;
        										__eflags = _t234;
        										 *(_t217 - 4) = _t234;
        										 *0x4bbae8 = 0;
        										_t109 = _t217;
        										L73:
        										return _t109;
        									} else {
        										while(1) {
        											asm("lock cmpxchg [0x4bbae8], ah");
        											if(__eflags == 0) {
        												break;
        											}
        											asm("pause");
        											__eflags =  *0x4bb989;
        											if(__eflags != 0) {
        												continue;
        											} else {
        												Sleep(0);
        												_t176 = _t176;
        												_t171 = _t171;
        												asm("lock cmpxchg [0x4bbae8], ah");
        												if(__eflags != 0) {
        													Sleep(0xa);
        													_t176 = _t176;
        													_t171 = _t171;
        													continue;
        												}
        											}
        											break;
        										}
        										_t156 = 0x0000000f &  *(_t217 - 4);
        										_t129 =  *(_t205 - 4);
        										__eflags = _t129 & 0x00000001;
        										if((_t129 & 0x00000001) == 0) {
        											L74:
        											 *0x4bbae8 = 0;
        											goto L75;
        										} else {
        											_t115 = _t129 & 0xfffffff0;
        											_t232 = _t171 + _t115;
        											__eflags = _t176 - _t232;
        											if(_t176 > _t232) {
        												goto L74;
        											} else {
        												goto L66;
        											}
        										}
        									}
        								}
        							}
        						} else {
        							__eflags = __edx + __edx - _t171;
        							if(__edx + __edx < _t171) {
        								__eflags = __edx - 0xb2c;
        								if(__edx >= 0xb2c) {
        									L41:
        									_t32 = _t176 + 0xd3; // 0xbff
        									_t238 = (_t32 & 0xffffff00) + 0x30;
        									_t174 = _t171 + 4 - _t238;
        									__eflags =  *0x4bb059;
        									if(__eflags != 0) {
        										while(1) {
        											asm("lock cmpxchg [0x4bbae8], ah");
        											if(__eflags == 0) {
        												break;
        											}
        											asm("pause");
        											__eflags =  *0x4bb989;
        											if(__eflags != 0) {
        												continue;
        											} else {
        												Sleep(0);
        												_t174 = _t174;
        												asm("lock cmpxchg [0x4bbae8], ah");
        												if(__eflags != 0) {
        													Sleep(0xa);
        													_t174 = _t174;
        													continue;
        												}
        											}
        											break;
        										}
        										_t156 = 0x0000000f &  *(_t217 - 4);
        										__eflags = 0xf;
        									}
        									 *(_t217 - 4) = _t156 | _t238;
        									_t161 = _t174;
        									_t196 =  *(_t205 - 4);
        									__eflags = _t196 & 0x00000001;
        									if((_t196 & 0x00000001) != 0) {
        										_t131 = _t205;
        										_t197 = _t196 & 0xfffffff0;
        										_t161 = _t161 + _t197;
        										_t205 = _t205 + _t197;
        										__eflags = _t197 - 0xb30;
        										if(_t197 >= 0xb30) {
        											E00403AC0(_t131);
        										}
        									} else {
        										 *(_t205 - 4) = _t196 | 0x00000008;
        									}
        									 *((intOrPtr*)(_t205 - 8)) = _t161;
        									 *((intOrPtr*)(_t217 + _t238 - 4)) = _t161 + 3;
        									__eflags = _t161 - 0xb30;
        									if(_t161 >= 0xb30) {
        										E00403B00(_t217 + _t238, _t174, _t161);
        									}
        									 *0x4bbae8 = 0;
        									return _t217;
        								} else {
        									__eflags = __edx - 0x2cc;
        									if(__edx < 0x2cc) {
        										_t213 = __edx;
        										_t140 = E00403EE8(__edx);
        										__eflags = _t140;
        										if(_t140 != 0) {
        											_t241 = _t140;
        											E00403AA4(_t217, _t213, _t140);
        											E0040426C(_t217, _t213, _t241);
        											_t140 = _t241;
        										}
        										return _t140;
        									} else {
        										_t176 = 0xb2c;
        										__eflags = _t171 - 0xb2c;
        										if(_t171 <= 0xb2c) {
        											goto L37;
        										} else {
        											goto L41;
        										}
        									}
        								}
        							} else {
        								L37:
        								return _t66;
        							}
        						}
        					}
        				} else {
        					__ebx =  *__ecx;
        					__ecx =  *(__ebx + 2) & 0x0000ffff;
        					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
        					__eflags = __ecx - __edx;
        					if(__ecx < __edx) {
        						__ecx = __ecx + __ecx + 0x20;
        						_push(__edi);
        						__edi = __edx;
        						__eax = 0;
        						__ecx = __ecx - __edx;
        						asm("adc eax, 0xffffffff");
        						__eax = 0 & __ecx;
        						__eax = (0 & __ecx) + __edx;
        						__eax = E00403EE8((0 & __ecx) + __edx);
        						__eflags = __eax;
        						if(__eax != 0) {
        							__eflags = __edi - 0x40a2c;
        							if(__edi > 0x40a2c) {
        								 *(__eax - 8) = __edi;
        							}
        							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
        							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
        							__edx = __eax;
        							__edi = __eax;
        							 *((intOrPtr*)(__ebx + 0x1c))() = E0040426C(__esi, __edi, __ebp);
        							__eax = __edi;
        						}
        						_pop(__edi);
        						_pop(__esi);
        						_pop(__ebx);
        						return __eax;
        					} else {
        						__ebx = 0x40 + __edx * 4;
        						__eflags = 0x40 + __edx * 4 - __ecx;
        						if(0x40 + __edx * 4 < __ecx) {
        							__ebx = __edx;
        							__eax = __edx;
        							__eax = E00403EE8(__edx);
        							__eflags = __eax;
        							if(__eax != 0) {
        								__ecx = __ebx;
        								__edx = __eax;
        								__ebx = __eax;
        								__esi = E0040426C(__esi, __edi, __ebp);
        								__eax = __ebx;
        							}
        							_pop(__esi);
        							_pop(__ebx);
        							return __eax;
        						} else {
        							_pop(__esi);
        							_pop(__ebx);
        							return __eax;
        						}
        					}
        				}
        			}


        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
        • Instruction ID: a6f3f7862a5743fd60f07ae337b35688b7a953487e66f12862dc3ba09d14b1d9
        • Opcode Fuzzy Hash: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
        • Instruction Fuzzy Hash: 8CC115A27106000BD714AE7DDD8476AB68A9BC5716F28827FF244EB3D6DB7CCD418388
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 68%
        			E0041F7A0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
        				char _v8;
        				struct _MEMORY_BASIC_INFORMATION _v36;
        				short _v558;
        				char _v564;
        				intOrPtr _v568;
        				char _v572;
        				char _v576;
        				char _v580;
        				intOrPtr _v584;
        				char _v588;
        				void* _v592;
        				char _v596;
        				char _v600;
        				char _v604;
        				char _v608;
        				intOrPtr _v612;
        				char _v616;
        				char _v620;
        				char _v624;
        				void* _v628;
        				char _v632;
        				void* _t64;
        				intOrPtr _t65;
        				long _t76;
        				intOrPtr _t82;
        				intOrPtr _t103;
        				intOrPtr _t107;
        				intOrPtr _t110;
        				intOrPtr _t112;
        				intOrPtr _t115;
        				intOrPtr _t127;
        				void* _t136;
        				intOrPtr _t138;
        				void* _t141;
        				void* _t143;
        
        				_t136 = __edi;
        				_t140 = _t141;
        				_v632 = 0;
        				_v596 = 0;
        				_v604 = 0;
        				_v600 = 0;
        				_v8 = 0;
        				_push(_t141);
        				_push(0x41f9a6);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t141 + 0xfffffd8c;
        				_t64 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x14)) - 1;
        				_t143 = _t64;
        				if(_t143 < 0) {
        					_t65 =  *0x4ba798; // 0x40e730
        					E0040C9F0(_t65,  &_v8, _t140);
        				} else {
        					if(_t143 == 0) {
        						_t107 =  *0x4ba670; // 0x40e738
        						E0040C9F0(_t107,  &_v8, _t140);
        					} else {
        						if(_t64 == 7) {
        							_t110 =  *0x4ba4d0; // 0x40e740
        							E0040C9F0(_t110,  &_v8, _t140);
        						} else {
        							_t112 =  *0x4ba5c8; // 0x40e748
        							E0040C9F0(_t112,  &_v8, _t140);
        						}
        					}
        				}
        				_t115 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x18));
        				VirtualQuery( *( *((intOrPtr*)(_a4 - 4)) + 0xc),  &_v36, 0x1c);
        				_t138 = _v36.State;
        				if(_t138 == 0x1000 || _t138 == 0x10000) {
        					_t76 = GetModuleFileNameW(_v36.AllocationBase,  &_v558, 0x105);
        					_t147 = _t76;
        					if(_t76 == 0) {
        						goto L12;
        					} else {
        						_v592 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
        						_v588 = 5;
        						E0040858C( &_v600, 0x105,  &_v558);
        						E0041A418(_v600, _t115,  &_v596, _t136, _t138, _t147);
        						_v584 = _v596;
        						_v580 = 0x11;
        						_v576 = _v8;
        						_v572 = 0x11;
        						_v568 = _t115;
        						_v564 = 5;
        						_push( &_v592);
        						_t103 =  *0x4ba6e0; // 0x40e810
        						E0040C9F0(_t103,  &_v604, _t140, 3);
        						E0041F2A0(_t115, _v604, 1, _t136, _t138);
        					}
        				} else {
        					L12:
        					_v628 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
        					_v624 = 5;
        					_v620 = _v8;
        					_v616 = 0x11;
        					_v612 = _t115;
        					_v608 = 5;
        					_push( &_v628);
        					_t82 =  *0x4ba67c; // 0x40e6d8
        					E0040C9F0(_t82,  &_v632, _t140, 2);
        					E0041F2A0(_t115, _v632, 1, _t136, _t138);
        				}
        				_pop(_t127);
        				 *[fs:eax] = _t127;
        				_push(0x41f9ad);
        				E00407A20( &_v632);
        				E00407A80( &_v604, 3);
        				return E00407A20( &_v8);
        			}


        APIs
        • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F9A6), ref: 0041F840
        • GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0041F9A6), ref: 0041F86C
          • Part of subcall function 0040C9F0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 0040CA35
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: FileLoadModuleNameQueryStringVirtual
        • String ID: 0@$8@$@@$H@
        • API String ID: 902310565-4161625419
        • Opcode ID: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
        • Instruction ID: bbc3c026f35d1d6bea3ad9012fddeafd4c483e803022796d8e8ef386e34d3195
        • Opcode Fuzzy Hash: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
        • Instruction Fuzzy Hash: 69511874A04258DFCB10EF69CC89BCDB7F4AB48304F0042E6A808A7351D778AE85CF59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 88%
        			E00406688(signed char* __eax, void* __edx, void* __eflags) {
        				void* _t49;
        				signed char _t56;
        				intOrPtr _t57;
        				signed char _t59;
        				void* _t70;
        				signed char* _t71;
        				intOrPtr _t72;
        				signed char* _t73;
        
        				_t70 = __edx;
        				_t71 = __eax;
        				_t72 =  *((intOrPtr*)(__eax + 0x10));
        				while(1) {
        					L1:
        					 *_t73 = E00406B30(_t71);
        					if( *_t73 != 0 || _t70 == 0) {
        						break;
        					}
        					_t73[1] = 0;
        					if(_t72 <= 0) {
        						while(1) {
        							L17:
        							_t56 =  *_t71;
        							if(_t56 == 0) {
        								goto L1;
        							}
        							asm("lock cmpxchg [esi], edx");
        							if(_t56 != _t56) {
        								continue;
        							} else {
        								goto L19;
        							}
        							do {
        								L19:
        								_t73[4] = GetTickCount();
        								E0040688C(_t71);
        								_t57 =  *0x4bb8f8; // 0x4b9284
        								 *((intOrPtr*)(_t57 + 0x10))();
        								 *_t73 = 0 == 0;
        								if(_t70 != 0xffffffff) {
        									_t73[8] = GetTickCount();
        									if(_t70 <= _t73[8] - _t73[4]) {
        										_t70 = 0;
        									} else {
        										_t70 = _t70 - _t73[8] - _t73[4];
        									}
        								}
        								if( *_t73 == 0) {
        									do {
        										asm("lock cmpxchg [esi], edx");
        									} while ( *_t71 !=  *_t71);
        									_t73[1] = 1;
        								} else {
        									while(1) {
        										_t59 =  *_t71;
        										if((_t59 & 0x00000001) != 0) {
        											goto L29;
        										}
        										asm("lock cmpxchg [esi], edx");
        										if(_t59 != _t59) {
        											continue;
        										}
        										_t73[1] = 1;
        										goto L29;
        									}
        								}
        								L29:
        							} while (_t73[1] == 0);
        							if( *_t73 != 0) {
        								_t71[8] = GetCurrentThreadId();
        								_t71[4] = 1;
        							}
        							goto L32;
        						}
        						continue;
        					}
        					_t73[4] = GetTickCount();
        					_t73[0xc] = 0;
        					if(_t72 <= 0) {
        						L13:
        						if(_t70 == 0xffffffff) {
        							goto L17;
        						}
        						_t73[8] = GetTickCount();
        						_t49 = _t73[8] - _t73[4];
        						if(_t70 > _t49) {
        							_t70 = _t70 - _t49;
        							goto L17;
        						}
        						 *_t73 = 0;
        						break;
        					}
        					L5:
        					L5:
        					if(_t70 == 0xffffffff || _t70 > GetTickCount() - _t73[4]) {
        						goto L8;
        					} else {
        						 *_t73 = 0;
        					}
        					break;
        					L8:
        					if( *_t71 > 1) {
        						goto L13;
        					}
        					if( *_t71 != 0) {
        						L12:
        						E00406368( &(_t73[0xc]));
        						_t72 = _t72 - 1;
        						if(_t72 > 0) {
        							goto L5;
        						}
        						goto L13;
        					}
        					asm("lock cmpxchg [esi], edx");
        					if(0 != 0) {
        						goto L12;
        					}
        					_t71[8] = GetCurrentThreadId();
        					_t71[4] = 1;
        					 *_t73 = 1;
        					break;
        				}
        				L32:
        				return  *_t73 & 0x000000ff;
        			}


        APIs
          • Part of subcall function 00406B30: GetCurrentThreadId.KERNEL32 ref: 00406B33
        • GetTickCount.KERNEL32 ref: 004066BF
        • GetTickCount.KERNEL32 ref: 004066D7
        • GetCurrentThreadId.KERNEL32 ref: 00406706
        • GetTickCount.KERNEL32 ref: 00406731
        • GetTickCount.KERNEL32 ref: 00406768
        • GetTickCount.KERNEL32 ref: 00406792
        • GetCurrentThreadId.KERNEL32 ref: 00406802
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: CountTick$CurrentThread
        • String ID:
        • API String ID: 3968769311-0
        • Opcode ID: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
        • Instruction ID: 4198438d609b3d92ee1caba3903e9c970ac06421e97b93dd9799f90313ce3de1
        • Opcode Fuzzy Hash: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
        • Instruction Fuzzy Hash: 664182712083419ED721AE3CC58431BBAD5AF80358F16C93ED4DA973C1EB7988958756
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 85%
        			E004B63A1(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
        				intOrPtr _t17;
        				struct HWND__* _t22;
        				struct HWND__* _t25;
        				intOrPtr _t26;
        				intOrPtr _t28;
        				intOrPtr _t36;
        				intOrPtr _t39;
        				int _t40;
        				intOrPtr _t41;
        				intOrPtr _t43;
        				struct HWND__* _t46;
        				intOrPtr _t47;
        				intOrPtr _t50;
        				intOrPtr _t60;
        				intOrPtr _t62;
        				intOrPtr _t68;
        				intOrPtr _t69;
        				intOrPtr _t70;
        				void* _t73;
        				void* _t74;
        
        				_t74 = __eflags;
        				_t72 = __esi;
        				_t71 = __edi;
        				_t52 = __ebx;
        				_pop(_t62);
        				 *[fs:eax] = _t62;
        				_t17 =  *0x4c1d88; // 0x22238d0
        				 *0x4c1d88 = 0;
        				E00405CE8(_t17);
        				 *0x4ba450 = E0040E450(0, L"STATIC", 0,  *0x4be634, 0, 0, 0, 0, 0, 0, 0);
        				_t22 =  *0x4ba450; // 0x0
        				 *0x4c1d80 = SetWindowLongW(_t22, 0xfffffffc, E004AF69C);
        				_t25 =  *0x4ba450; // 0x0
        				 *(_t73 - 0x58) = _t25;
        				 *((char*)(_t73 - 0x54)) = 0;
        				_t26 =  *0x4c1d90; // 0x4ca924
        				_t4 = _t26 + 0x20; // 0x50750f
        				 *((intOrPtr*)(_t73 - 0x50)) =  *_t4;
        				 *((char*)(_t73 - 0x4c)) = 0;
        				_t28 =  *0x4c1d90; // 0x4ca924
        				_t7 = _t28 + 0x24; // 0xbea00
        				 *((intOrPtr*)(_t73 - 0x48)) =  *_t7;
        				 *((char*)(_t73 - 0x44)) = 0;
        				E0041A87C(L"/SL5=\"$%x,%d,%d,", 2, _t73 - 0x58, _t73 - 0x40);
        				_push( *((intOrPtr*)(_t73 - 0x40)));
        				_push( *0x4c1d84);
        				_push(0x4b6680);
        				E00422BC4(_t73 - 0x5c, __ebx, __esi, _t74);
        				_push( *((intOrPtr*)(_t73 - 0x5c)));
        				E004087C4(_t73 - 0x3c, __ebx, 4, __edi, __esi);
        				_t36 =  *0x4c1d9c; // 0x0
        				E004AF728(_t36, _t52, 0x4ba44c,  *((intOrPtr*)(_t73 - 0x3c)), _t71, _t72, __fp0);
        				if( *0x4ba448 != 0xffffffff) {
        					_t50 =  *0x4ba448; // 0xffffffff
        					E004AF60C(_t50);
        				}
        				_pop(_t68);
        				 *[fs:eax] = _t68;
        				_push(E004B6554);
        				_t39 =  *0x4c1d88; // 0x22238d0
        				_t40 = E00405CE8(_t39);
        				if( *0x4c1d9c != 0) {
        					_t70 =  *0x4c1d9c; // 0x0
        					_t40 = E004AF1B4(0, _t70, 0xfa, 0x32);
        				}
        				if( *0x4c1d94 != 0) {
        					_t47 =  *0x4c1d94; // 0x0
        					_t40 = RemoveDirectoryW(E004084EC(_t47));
        				}
        				if( *0x4ba450 != 0) {
        					_t46 =  *0x4ba450; // 0x0
        					_t40 = DestroyWindow(_t46);
        				}
        				if( *0x4c1d78 != 0) {
        					_t41 =  *0x4c1d78; // 0x0
        					_t60 =  *0x4c1d7c; // 0x0
        					_t69 =  *0x426bb0; // 0x426bb4
        					E00408D08(_t41, _t60, _t69);
        					_t43 =  *0x4c1d78; // 0x0
        					E0040540C(_t43);
        					 *0x4c1d78 = 0;
        					return 0;
        				}
        				return _t40;
        			}


        APIs
          • Part of subcall function 0040E450: CreateWindowExW.USER32 ref: 0040E48F
        • SetWindowLongW.USER32(00000000,000000FC,004AF69C), ref: 004B641E
          • Part of subcall function 00422BC4: GetCommandLineW.KERNEL32(00000000,00422C06,?,?,00000000,?,004B647E,004B6680,?), ref: 00422BDA
          • Part of subcall function 004AF728: CreateProcessW.KERNEL32 ref: 004AF798
          • Part of subcall function 004AF728: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
          • Part of subcall function 004AF728: MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
          • Part of subcall function 004AF728: GetExitCodeProcess.KERNEL32 ref: 004AF7DB
          • Part of subcall function 004AF728: CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4
        • RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
        • DestroyWindow.USER32(00000000,004B6554), ref: 004B6514
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
        • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
        • API String ID: 3586484885-3001827809
        • Opcode ID: 3c021837c984efc67f9ad3a794955b0d04b23bc85077f6812c73bb0a86195aee
        • Instruction ID: 04c90e22d0408fd8de4b79ff2beaee59f7a3a861a1d73b16261182ae62401715
        • Opcode Fuzzy Hash: 3c021837c984efc67f9ad3a794955b0d04b23bc85077f6812c73bb0a86195aee
        • Instruction Fuzzy Hash: EC416B74A002009FE754EBA9EC85B9A37B4EB85308F11453BE0059B2B6CB7CA851CB5D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 80%
        			E004971AC(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, intOrPtr _a4) {
        				char _v5;
        				char _v12;
        				char _v16;
        				char _v20;
        				void* _t23;
        				char _t29;
        				void* _t50;
        				intOrPtr _t55;
        				char _t57;
        				intOrPtr _t59;
        				void* _t64;
        				void* _t66;
        				void* _t68;
        				void* _t69;
        				intOrPtr _t70;
        
        				_t64 = __edi;
        				_t57 = __edx;
        				_t50 = __ecx;
        				_t68 = _t69;
        				_t70 = _t69 + 0xfffffff0;
        				_v20 = 0;
        				if(__edx != 0) {
        					_t70 = _t70 + 0xfffffff0;
        					_t23 = E004062B0(_t23, _t68);
        				}
        				_t49 = _t50;
        				_v5 = _t57;
        				_t66 = _t23;
        				_push(_t68);
        				_push(0x4972a5);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t70;
        				E00405CB8(0);
        				_t3 = _t66 + 0x2c; // 0x266461
        				 *(_t66 + 0xf) =  *_t3 & 0x000000ff ^ 0x00000001;
        				if(_t50 == 0 ||  *(_t66 + 0x2c) != 0) {
        					_t29 = 0;
        				} else {
        					_t29 = 1;
        				}
        				 *((char*)(_t66 + 0xd)) = _t29;
        				if( *(_t66 + 0x2c) != 0) {
        					 *((intOrPtr*)(_t66 + 8)) = GetCurrentThread();
        					 *((intOrPtr*)(_t66 + 4)) = GetCurrentThreadId();
        				} else {
        					if(_a4 == 0) {
        						_t12 = _t66 + 4; // 0x495548
        						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, 0, _t12, 4, _t66);
        					} else {
        						_t9 = _t66 + 4; // 0x495548
        						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, _a4, _t9, 0x10004, _t66);
        					}
        					if( *((intOrPtr*)(_t66 + 8)) == 0) {
        						E0041DFB0(GetLastError(), _t49, 0, _t66);
        						_v16 = _v20;
        						_v12 = 0x11;
        						_t55 =  *0x4ba740; // 0x40ea6c
        						E0041F35C(_t49, _t55, 1, _t64, _t66, 0,  &_v16);
        						E0040711C();
        					}
        				}
        				_pop(_t59);
        				 *[fs:eax] = _t59;
        				_push(0x4972ac);
        				return E00407A20( &_v20);
        			}


        APIs
        • GetLastError.KERNEL32(00000000,004972A5,?,00495544,00000000), ref: 00497247
          • Part of subcall function 004078E0: CreateThread.KERNEL32 ref: 0040793A
        • GetCurrentThread.KERNEL32 ref: 0049727F
        • GetCurrentThreadId.KERNEL32 ref: 00497287
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: Thread$Current$CreateErrorLast
        • String ID: 0@G$XtI$l@
        • API String ID: 3539746228-385768319
        • Opcode ID: 0f3d49910cd0fe0a2777fff9c7d37287e03b93d316d56716644e12c604fcc986
        • Instruction ID: 1159262e71bebd7e921a745d602ab6fc0c684f98ff6f66721209a3575415716a
        • Opcode Fuzzy Hash: 0f3d49910cd0fe0a2777fff9c7d37287e03b93d316d56716644e12c604fcc986
        • Instruction Fuzzy Hash: 2B31E2309287449EDB10EBB68C427AB7FE49F09304F40C87EE455973C1DA3CA545C799
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 61%
        			E004AF728(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
        				char _v8;
        				struct _STARTUPINFOW _v76;
        				void* _v88;
        				void* _v92;
        				int _t23;
        				intOrPtr _t49;
        				DWORD* _t51;
        				void* _t56;
        
        				_v8 = 0;
        				_t51 = __ecx;
        				_t53 = __edx;
        				_t41 = __eax;
        				_push(_t56);
        				_push(0x4af7ff);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t56 + 0xffffffa8;
        				_push(0x4af81c);
        				_push(__eax);
        				_push(0x4af82c);
        				_push(__edx);
        				E004087C4( &_v8, __eax, 4, __ecx, __edx);
        				E00405884( &_v76, 0x44);
        				_v76.cb = 0x44;
        				_t23 = CreateProcessW(0, E004084EC(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92);
        				_t58 = _t23;
        				if(_t23 == 0) {
        					E004AF34C(0x83, _t41, 0, _t53, _t58);
        				}
        				CloseHandle(_v88);
        				do {
        					E004AF6FC();
        				} while (MsgWaitForMultipleObjects(1,  &_v92, 0, 0xffffffff, 0x4ff) == 1);
        				E004AF6FC();
        				GetExitCodeProcess(_v92, _t51);
        				CloseHandle(_v92);
        				_pop(_t49);
        				 *[fs:eax] = _t49;
        				_push(0x4af806);
        				return E00407A20( &_v8);
        			}


        APIs
        • CreateProcessW.KERNEL32 ref: 004AF798
        • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
        • MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
        • GetExitCodeProcess.KERNEL32 ref: 004AF7DB
        • CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4
          • Part of subcall function 004AF34C: GetLastError.KERNEL32(00000000,004AF3F5,?,?,00000000), ref: 004AF36F
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
        • String ID: D
        • API String ID: 3356880605-2746444292
        • Opcode ID: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
        • Instruction ID: 88989adc3f1fa39a5a5eb6990527994e2deb527bcdcae90bffb7d35c0d41af56
        • Opcode Fuzzy Hash: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
        • Instruction Fuzzy Hash: C01163716041096EEB00FBE68C42F9F77ACDF56714F50053AB604E72C5DA789905866D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 36%
        			E00406424(void* __edx) {
        				signed int _v8;
        				intOrPtr _v12;
        				char _v16;
        				char* _t23;
        				intOrPtr _t29;
        				intOrPtr _t39;
        				void* _t41;
        				void* _t43;
        				intOrPtr _t44;
        
        				_t41 = _t43;
        				_t44 = _t43 + 0xfffffff4;
        				_v16 = 0;
        				if(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetLogicalProcessorInformation") == 0) {
        					L10:
        					_v8 = 0x40;
        					goto L11;
        				} else {
        					_t23 =  &_v16;
        					_push(_t23);
        					_push(0);
        					L00403808();
        					if(_t23 != 0 || GetLastError() != 0x7a) {
        						goto L10;
        					} else {
        						_v12 = E004053F0(_v16);
        						_push(_t41);
        						_push(E004064D2);
        						_push( *[fs:edx]);
        						 *[fs:edx] = _t44;
        						_push( &_v16);
        						_push(_v12);
        						L00403808();
        						_t29 = _v12;
        						if(_v16 <= 0) {
        							L8:
        							_pop(_t39);
        							 *[fs:eax] = _t39;
        							_push(E004064D9);
        							return E0040540C(_v12);
        						} else {
        							while( *((short*)(_t29 + 4)) != 2 ||  *((char*)(_t29 + 8)) != 1) {
        								_t29 = _t29 + 0x18;
        								_v16 = _v16 - 0x18;
        								if(_v16 > 0) {
        									continue;
        								} else {
        									goto L8;
        								}
        								goto L12;
        							}
        							_v8 =  *(_t29 + 0xa) & 0x0000ffff;
        							E00407210();
        							L11:
        							return _v8;
        						}
        					}
        				}
        				L12:
        			}


        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00406439
        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040643F
        • GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 0040645B
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: AddressErrorHandleLastModuleProc
        • String ID: @$GetLogicalProcessorInformation$kernel32.dll
        • API String ID: 4275029093-79381301
        • Opcode ID: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
        • Instruction ID: 8f5f9a4eb212fab3c4852abc810e80ead921d34dcce11bc4c58bc7a6251dba94
        • Opcode Fuzzy Hash: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
        • Instruction Fuzzy Hash: 52116371D00208BEDB20EFA5D84576EBBA8EB40705F1184BBF815F32C1D67D9A908B1D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 43%
        			E004076B8(void* __ecx) {
        				long _v4;
        				void* _t3;
        				void* _t9;
        
        				if( *0x4bb058 == 0) {
        					if( *0x4b7032 == 0) {
        						_push(0);
        						_push("Error");
        						_push("Runtime error     at 00000000");
        						_push(0);
        						L00403780();
        					}
        					return _t3;
        				} else {
        					if( *0x4bb344 == 0xd7b2 &&  *0x4bb34c > 0) {
        						 *0x4bb35c();
        					}
        					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1d,  &_v4, 0);
        					_t9 = E00408240(0x40774c);
        					return WriteFile(GetStdHandle(0xfffffff5), _t9, 2,  &_v4, 0);
        				}
        			}


        APIs
        • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
        • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
        • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
        • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: FileHandleWrite
        • String ID: Error$Runtime error at 00000000
        • API String ID: 3320372497-2970929446
        • Opcode ID: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
        • Instruction ID: db14fa18f2a627875cbdcf208ba1e0af1765c14dc112cf76e17f9611cef7a876
        • Opcode Fuzzy Hash: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
        • Instruction Fuzzy Hash: DFF0C2A1A8C24079FA2077A94C47F5A269C8740B16F108A3FF610B61D1C7FD6584937E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00420524(void* __ebx, void* __esi) {
        				intOrPtr _t4;
        				intOrPtr _t6;
        
        				if(E0041FF68(6, 0) == 0) {
        					_t4 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"NTDLL.DLL"), L"RtlCompareUnicodeString");
        					 *0x4be914 = _t4;
        					 *0x4be910 = E00420428;
        					return _t4;
        				} else {
        					_t6 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"CompareStringOrdinal");
        					 *0x4be910 = _t6;
        					return _t6;
        				}
        			}

        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,CompareStringOrdinal,004B5A2E,00000000,004B5A41), ref: 0042053E
          • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
        • GetModuleHandleW.KERNEL32(NTDLL.DLL,RtlCompareUnicodeString,004B5A2E,00000000,004B5A41), ref: 00420559
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: HandleModule$AddressProc
        • String ID: CompareStringOrdinal$NTDLL.DLL$RtlCompareUnicodeString$kernel32.dll
        • API String ID: 1883125708-3870080525
        • Opcode ID: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
        • Instruction ID: 4ba185d4141586243d2650af69d43cb091b5da9faf927984522c9bbe9ad7037f
        • Opcode Fuzzy Hash: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
        • Instruction Fuzzy Hash: 04E08CF0B4232036E644FB672C0769929C51B85709BD04A3F7004BA1D7DBBE42659E2E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 77%
        			E0042931C(short* __eax, intOrPtr __ecx, signed short* __edx) {
        				char _v260;
        				char _v768;
        				char _v772;
        				short* _v776;
        				intOrPtr _v780;
        				char _v784;
        				signed int _v788;
        				signed short* _v792;
        				char _v796;
        				char _v800;
        				intOrPtr* _v804;
        				signed short* _v808;
        				void* __ebp;
        				signed char _t55;
        				signed int _t64;
        				void* _t72;
        				intOrPtr* _t83;
        				void* _t103;
        				void* _t105;
        				void* _t108;
        				void* _t109;
        				intOrPtr* _t118;
        				void* _t122;
        				intOrPtr _t123;
        				char* _t124;
        				void* _t125;
        
        				_t110 = __ecx;
        				_v780 = __ecx;
        				_v808 = __edx;
        				_v776 = __eax;
        				if((_v808[0] & 0x00000020) == 0) {
        					E00428FDC(0x80070057);
        				}
        				_t55 =  *_v808 & 0x0000ffff;
        				if((_t55 & 0x00000fff) != 0xc) {
        					_push(_v808);
        					_push(_v776);
        					L00427254();
        					return E00428FDC(_v776);
        				} else {
        					if((_t55 & 0x00000040) == 0) {
        						_v792 = _v808[4];
        					} else {
        						_v792 =  *(_v808[4]);
        					}
        					_v788 =  *_v792 & 0x0000ffff;
        					_t103 = _v788 - 1;
        					if(_t103 < 0) {
        						L9:
        						_push( &_v772);
        						_t64 = _v788;
        						_push(_t64);
        						_push(0xc);
        						L00427828();
        						_t123 = _t64;
        						if(_t123 == 0) {
        							E00428D34(_t110);
        						}
        						E00429278(_v776);
        						 *_v776 = 0x200c;
        						 *((intOrPtr*)(_v776 + 8)) = _t123;
        						_t105 = _v788 - 1;
        						if(_t105 < 0) {
        							L14:
        							_t107 = _v788 - 1;
        							if(E00429294(_v788 - 1, _t125) != 0) {
        								L00427840();
        								E00428FDC(_v792);
        								L00427840();
        								E00428FDC( &_v260);
        								_v780(_t123,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
        							}
        							_t72 = E004292C4(_t107, _t125);
        						} else {
        							_t108 = _t105 + 1;
        							_t83 =  &_v768;
        							_t118 =  &_v260;
        							do {
        								 *_t118 =  *_t83;
        								_t118 = _t118 + 4;
        								_t83 = _t83 + 8;
        								_t108 = _t108 - 1;
        							} while (_t108 != 0);
        							do {
        								goto L14;
        							} while (_t72 != 0);
        							return _t72;
        						}
        					} else {
        						_t109 = _t103 + 1;
        						_t122 = 0;
        						_t124 =  &_v772;
        						do {
        							_v804 = _t124;
        							_push(_v804 + 4);
        							_t23 = _t122 + 1; // 0x1
        							_push(_v792);
        							L00427830();
        							E00428FDC(_v792);
        							_push( &_v784);
        							_t26 = _t122 + 1; // 0x1
        							_push(_v792);
        							L00427838();
        							E00428FDC(_v792);
        							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
        							_t122 = _t122 + 1;
        							_t124 = _t124 + 8;
        							_t109 = _t109 - 1;
        						} while (_t109 != 0);
        						goto L9;
        					}
        				}
        			}

        APIs
        • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004293D1
        • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004293ED
        • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00429426
        • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004294A3
        • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004294BC
        • VariantCopy.OLEAUT32(?,?), ref: 004294F7
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: ArraySafe$BoundIndex$CopyCreateVariant
        • String ID:
        • API String ID: 351091851-0
        • Opcode ID: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
        • Instruction ID: 2fed5c09d90993a71d142947efe00684c7910c2ed580f9cb9a97fb5731140b2d
        • Opcode Fuzzy Hash: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
        • Instruction Fuzzy Hash: 4B51EE75A012299FCB21DB59D981BDAB3FCAF0C304F8041DAF548E7211D634AF858F65
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 68%
        			E00403EE8(signed int __eax) {
        				signed int __ebx;
        				signed int __edi;
        				signed int __esi;
        				intOrPtr* _t99;
        				signed int _t104;
        				signed int _t109;
        				signed int _t110;
        				intOrPtr* _t114;
        				void* _t116;
        				intOrPtr* _t121;
        				signed int _t125;
        				signed int _t129;
        				signed int _t131;
        				signed int _t132;
        				signed int _t133;
        				signed int _t134;
        				signed int _t135;
        				unsigned int _t141;
        				signed int _t142;
        				void* _t144;
        				intOrPtr* _t147;
        				intOrPtr _t148;
        				signed int _t150;
        				long _t156;
        				intOrPtr _t159;
        				signed int _t162;
        
        				_t95 = __eax;
        				_t129 =  *0x4bb059; // 0x0
        				if(__eax > 0xa2c) {
        					__eflags = __eax - 0x40a2c;
        					if(__eax > 0x40a2c) {
        						_pop(_t120);
        						__eflags = __eax;
        						if(__eax >= 0) {
        							_push(_t120);
        							_t162 = __eax;
        							_t2 = _t162 + 0x10010; // 0x10110
        							_t156 = _t2 - 0x00000001 + 0x00000004 & 0xffff0000;
        							_t121 = VirtualAlloc(0, _t156, 0x101000, 4);
        							if(_t121 != 0) {
        								_t147 = _t121;
        								 *((intOrPtr*)(_t147 + 8)) = _t162;
        								 *(_t147 + 0xc) = _t156 | 0x00000004;
        								E00403C48();
        								_t99 =  *0x4bdb80; // 0x4bdb7c
        								 *_t147 = 0x4bdb7c;
        								 *0x4bdb80 = _t121;
        								 *((intOrPtr*)(_t147 + 4)) = _t99;
        								 *_t99 = _t121;
        								 *0x4bdb78 = 0;
        								_t121 = _t121 + 0x10;
        							}
        							return _t121;
        						} else {
        							__eflags = 0;
        							return 0;
        						}
        					} else {
        						_t67 = _t95 + 0xd3; // 0x1d3
        						_t125 = (_t67 & 0xffffff00) + 0x30;
        						__eflags = _t129;
        						if(__eflags != 0) {
        							while(1) {
        								asm("lock cmpxchg [0x4bbae8], ah");
        								if(__eflags == 0) {
        									goto L42;
        								}
        								asm("pause");
        								__eflags =  *0x4bb989;
        								if(__eflags != 0) {
        									continue;
        								} else {
        									Sleep(0);
        									asm("lock cmpxchg [0x4bbae8], ah");
        									if(__eflags != 0) {
        										Sleep(0xa);
        										continue;
        									}
        								}
        								goto L42;
        							}
        						}
        						L42:
        						_t68 = _t125 - 0xb30; // -2445
        						_t141 = _t68;
        						_t142 = _t141 >> 0xd;
        						_t131 = _t141 >> 8;
        						_t104 = 0xffffffff << _t131 &  *(0x4bbaf8 + _t142 * 4);
        						__eflags = 0xffffffff;
        						if(0xffffffff == 0) {
        							_t132 = _t142;
        							__eflags = 0xfffffffe << _t132 &  *0x4bbaf4;
        							if((0xfffffffe << _t132 &  *0x4bbaf4) == 0) {
        								_t133 =  *0x4bbaf0; // 0x0
        								_t134 = _t133 - _t125;
        								__eflags = _t134;
        								if(_t134 < 0) {
        									_t109 = E00403BCC(_t125);
        								} else {
        									_t110 =  *0x4bbaec; // 0x2212e50
        									_t109 = _t110 - _t125;
        									 *0x4bbaec = _t109;
        									 *0x4bbaf0 = _t134;
        									 *(_t109 - 4) = _t125 | 0x00000002;
        								}
        								 *0x4bbae8 = 0;
        								return _t109;
        							} else {
        								asm("bsf edx, eax");
        								asm("bsf ecx, eax");
        								_t135 = _t132 | _t142 << 0x00000005;
        								goto L50;
        							}
        						} else {
        							asm("bsf eax, eax");
        							_t135 = _t131 & 0xffffffe0 | _t104;
        							L50:
        							_push(_t152);
        							_push(_t145);
        							_t148 = 0x4bbb78 + _t135 * 8;
        							_t159 =  *((intOrPtr*)(_t148 + 4));
        							_t114 =  *((intOrPtr*)(_t159 + 4));
        							 *((intOrPtr*)(_t148 + 4)) = _t114;
        							 *_t114 = _t148;
        							__eflags = _t148 - _t114;
        							if(_t148 == _t114) {
        								asm("rol eax, cl");
        								_t80 = 0x4bbaf8 + _t142 * 4;
        								 *_t80 =  *(0x4bbaf8 + _t142 * 4) & 0xfffffffe;
        								__eflags =  *_t80;
        								if( *_t80 == 0) {
        									asm("btr [0x4bbaf4], edx");
        								}
        							}
        							_t150 = 0xfffffff0 &  *(_t159 - 4);
        							_t144 = 0xfffffff0 - _t125;
        							__eflags = 0xfffffff0;
        							if(0xfffffff0 == 0) {
        								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
        								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
        								__eflags =  *_t89;
        							} else {
        								_t116 = _t125 + _t159;
        								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
        								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
        								__eflags = 0xfffffff0 - 0xb30;
        								if(0xfffffff0 >= 0xb30) {
        									E00403B00(_t116, 0xfffffffffffffff3, _t144);
        								}
        							}
        							_t93 = _t125 + 2; // 0x1a5
        							 *(_t159 - 4) = _t93;
        							 *0x4bbae8 = 0;
        							return _t159;
        						}
        					}
        				} else {
        					__eflags = __cl;
        					_t6 = __edx + 0x4bb990; // 0xc8c8c8c8
        					__eax =  *_t6 & 0x000000ff;
        					__ebx = 0x4b7080 + ( *_t6 & 0x000000ff) * 8;
        					if(__eflags != 0) {
        						while(1) {
        							__eax = 0x100;
        							asm("lock cmpxchg [ebx], ah");
        							if(__eflags == 0) {
        								goto L5;
        							}
        							__ebx = __ebx + 0x20;
        							__eflags = __ebx;
        							__eax = 0x100;
        							asm("lock cmpxchg [ebx], ah");
        							if(__ebx != 0) {
        								__ebx = __ebx + 0x20;
        								__eflags = __ebx;
        								__eax = 0x100;
        								asm("lock cmpxchg [ebx], ah");
        								if(__ebx != 0) {
        									__ebx = __ebx - 0x40;
        									asm("pause");
        									__eflags =  *0x4bb989;
        									if(__eflags != 0) {
        										continue;
        									} else {
        										Sleep(0);
        										__eax = 0x100;
        										asm("lock cmpxchg [ebx], ah");
        										if(__eflags != 0) {
        											Sleep(0xa);
        											continue;
        										}
        									}
        								}
        							}
        							goto L5;
        						}
        					}
        					L5:
        					__edx =  *(__ebx + 8);
        					__eax =  *(__edx + 0x10);
        					__ecx = 0xfffffff8;
        					__eflags = __edx - __ebx;
        					if(__edx == __ebx) {
        						__edx =  *(__ebx + 0x18);
        						__ecx =  *(__ebx + 2) & 0x0000ffff;
        						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
        						__eflags = __eax -  *(__ebx + 0x14);
        						if(__eax >  *(__ebx + 0x14)) {
        							_push(__esi);
        							_push(__edi);
        							__eflags =  *0x4bb059;
        							if(__eflags != 0) {
        								while(1) {
        									__eax = 0x100;
        									asm("lock cmpxchg [0x4bbae8], ah");
        									if(__eflags == 0) {
        										goto L22;
        									}
        									asm("pause");
        									__eflags =  *0x4bb989;
        									if(__eflags != 0) {
        										continue;
        									} else {
        										Sleep(0);
        										__eax = 0x100;
        										asm("lock cmpxchg [0x4bbae8], ah");
        										if(__eflags != 0) {
        											Sleep(0xa);
        											continue;
        										}
        									}
        									goto L22;
        								}
        							}
        							L22:
        							 *(__ebx + 1) =  *(__ebx + 1) &  *0x4bbaf4;
        							__eflags =  *(__ebx + 1) &  *0x4bbaf4;
        							if(( *(__ebx + 1) &  *0x4bbaf4) == 0) {
        								__ecx =  *(__ebx + 4) & 0x0000ffff;
        								__edi =  *0x4bbaf0; // 0x0
        								__eflags = __edi - ( *(__ebx + 4) & 0x0000ffff);
        								if(__edi < ( *(__ebx + 4) & 0x0000ffff)) {
        									__eax =  *(__ebx + 6) & 0x0000ffff;
        									__edi = __eax;
        									__eax = E00403BCC(__eax);
        									__esi = __eax;
        									__eflags = __eax;
        									if(__eax != 0) {
        										goto L35;
        									} else {
        										 *0x4bbae8 = __al;
        										 *__ebx = __al;
        										_pop(__edi);
        										_pop(__esi);
        										_pop(__ebx);
        										return __eax;
        									}
        								} else {
        									__esi =  *0x4bbaec; // 0x2212e50
        									__ecx =  *(__ebx + 6) & 0x0000ffff;
        									__edx = __ecx + 0xb30;
        									__eflags = __edi - __ecx + 0xb30;
        									if(__edi >= __ecx + 0xb30) {
        										__edi = __ecx;
        									}
        									__esi = __esi - __edi;
        									 *0x4bbaf0 =  *0x4bbaf0 - __edi;
        									 *0x4bbaec = __esi;
        									goto L35;
        								}
        							} else {
        								asm("bsf eax, esi");
        								__esi = __eax * 8;
        								__ecx =  *(0x4bbaf8 + __eax * 4);
        								asm("bsf ecx, ecx");
        								__ecx =  *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4;
        								__edi = 0x4bbb78 + ( *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4) * 8;
        								__esi =  *(__edi + 4);
        								__edx =  *(__esi + 4);
        								 *(__edi + 4) = __edx;
        								 *__edx = __edi;
        								__eflags = __edi - __edx;
        								if(__edi == __edx) {
        									__edx = 0xfffffffe;
        									asm("rol edx, cl");
        									_t38 = 0x4bbaf8 + __eax * 4;
        									 *_t38 =  *(0x4bbaf8 + __eax * 4) & 0xfffffffe;
        									__eflags =  *_t38;
        									if( *_t38 == 0) {
        										asm("btr [0x4bbaf4], eax");
        									}
        								}
        								__edi = 0xfffffff0;
        								__edi = 0xfffffff0 &  *(__esi - 4);
        								__eflags = 0xfffffff0 - 0x10a60;
        								if(0xfffffff0 < 0x10a60) {
        									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
        									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
        									__eflags =  *_t52;
        								} else {
        									__edx = __edi;
        									__edi =  *(__ebx + 6) & 0x0000ffff;
        									__edx = __edx - __edi;
        									__eax = __edi + __esi;
        									__ecx = __edx + 3;
        									 *(__eax - 4) = __ecx;
        									 *(__edx + __eax - 8) = __edx;
        									__eax = E00403B00(__eax, __ecx, __edx);
        								}
        								L35:
        								_t56 = __edi + 6; // 0x6
        								__ecx = _t56;
        								 *(__esi - 4) = _t56;
        								__eax = 0;
        								 *0x4bbae8 = __al;
        								 *__esi = __ebx;
        								 *((intOrPtr*)(__esi + 0x10)) = 0;
        								 *((intOrPtr*)(__esi + 0x14)) = 1;
        								 *(__ebx + 0x18) = __esi;
        								_t61 = __esi + 0x20; // 0x2212e70
        								__eax = _t61;
        								__ecx =  *(__ebx + 2) & 0x0000ffff;
        								__edx = __ecx + __eax;
        								 *(__ebx + 0x10) = __ecx + __eax;
        								__edi = __edi + __esi;
        								__edi = __edi - __ecx;
        								__eflags = __edi;
        								 *(__ebx + 0x14) = __edi;
        								 *__ebx = 0;
        								 *(__eax - 4) = __esi;
        								_pop(__edi);
        								_pop(__esi);
        								_pop(__ebx);
        								return __eax;
        							}
        						} else {
        							_t19 = __edx + 0x14;
        							 *_t19 =  *(__edx + 0x14) + 1;
        							__eflags =  *_t19;
        							 *(__ebx + 0x10) = __ecx;
        							 *__ebx = 0;
        							 *(__eax - 4) = __edx;
        							_pop(__ebx);
        							return __eax;
        						}
        					} else {
        						 *(__edx + 0x14) =  *(__edx + 0x14) + 1;
        						__ecx = 0xfffffff8 &  *(__eax - 4);
        						__eflags = 0xfffffff8;
        						 *(__edx + 0x10) = 0xfffffff8 &  *(__eax - 4);
        						 *(__eax - 4) = __edx;
        						if(0xfffffff8 == 0) {
        							__ecx =  *(__edx + 8);
        							 *(__ecx + 0xc) = __ebx;
        							 *(__ebx + 8) = __ecx;
        							 *__ebx = 0;
        							_pop(__ebx);
        							return __eax;
        						} else {
        							 *__ebx = 0;
        							_pop(__ebx);
        							return __eax;
        						}
        					}
        				}
        			}

        APIs
        • Sleep.KERNEL32(00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403F9F
        • Sleep.KERNEL32(0000000A,00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FB5
        • Sleep.KERNEL32(00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FE3
        • Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FF9
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: Sleep
        • String ID:
        • API String ID: 3472027048-0
        • Opcode ID: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
        • Instruction ID: d98b69cfe0522def9def3360e9182a2a8bb24ce33fa39324cc86f3a67812f259
        • Opcode Fuzzy Hash: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
        • Instruction Fuzzy Hash: 99C123B2A002018BCB15CF69EC84356BFE4EB89311F1882BFE514AB3D5D7B89941C7D8
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 75%
        			E004B60E8(void* __ebx, void* __edi, void* __esi, void* __fp0) {
        				intOrPtr _t26;
        				intOrPtr _t31;
        				intOrPtr _t37;
        				intOrPtr _t38;
        				intOrPtr _t44;
        				intOrPtr _t47;
        				intOrPtr _t51;
        				intOrPtr _t55;
        				intOrPtr _t56;
        				intOrPtr _t59;
        				intOrPtr _t61;
        				WCHAR* _t63;
        				intOrPtr _t69;
        				intOrPtr _t74;
        				int _t75;
        				intOrPtr _t76;
        				intOrPtr _t78;
        				struct HWND__* _t81;
        				intOrPtr _t82;
        				intOrPtr _t86;
        				void* _t90;
        				intOrPtr _t93;
        				intOrPtr _t99;
        				intOrPtr _t101;
        				intOrPtr _t107;
        				intOrPtr _t114;
        				intOrPtr _t115;
        				intOrPtr _t116;
        				intOrPtr _t117;
        				void* _t120;
        				intOrPtr _t121;
        
        				_t119 = __esi;
        				_t118 = __edi;
        				_t85 = __ebx;
        				_pop(_t101);
        				_pop(_t88);
        				 *[fs:eax] = _t101;
        				E004AF678(_t88);
        				if( *0x4ba440 == 0) {
        					if(( *0x4c1d71 & 0x00000001) == 0 &&  *0x4ba441 == 0) {
        						_t61 =  *0x4ba674; // 0x4c0d0c
        						_t4 = _t61 + 0x2f8; // 0x0
        						_t63 = E004084EC( *_t4);
        						_t88 = _t120 - 0x28;
        						_t101 =  *0x4c1c48; // 0x0
        						E00426F08(0xc2, _t120 - 0x28, _t101);
        						if(MessageBoxW(0, E004084EC( *((intOrPtr*)(_t120 - 0x28))), _t63, 0x24) != 6) {
        							 *0x4ba44c = 2;
        							E0041F238();
        						}
        					}
        					E004056D0();
        					E004AEFE8(_t120 - 0x2c, _t85, _t101, _t118, _t119);
        					E00407E00(0x4c1d94,  *((intOrPtr*)(_t120 - 0x2c)));
        					_t26 =  *0x4c1d84; // 0x0
        					E00422954(_t26, _t88, _t120 - 0x34);
        					E004226C8( *((intOrPtr*)(_t120 - 0x34)), _t85, _t120 - 0x30, L".tmp", _t118, _t119);
        					_push( *((intOrPtr*)(_t120 - 0x30)));
        					_t31 =  *0x4c1d94; // 0x0
        					E00422660(_t31, _t120 - 0x38);
        					_pop(_t90);
        					E0040873C(0x4c1d98, _t90,  *((intOrPtr*)(_t120 - 0x38)));
        					_t107 =  *0x4c1d98; // 0x0
        					E00407E00(0x4c1d9c, _t107);
        					_t37 =  *0x4c1d90; // 0x4ca924
        					_t15 = _t37 + 0x14; // 0x5100a5
        					_t38 =  *0x4c1d88; // 0x22238d0
        					E00423CE8(_t38,  *_t15);
        					_push(_t120);
        					_push(0x4b63ab);
        					_push( *[fs:edx]);
        					 *[fs:edx] = _t121;
        					 *0x4c1de0 = 0;
        					 *0x4c1d8c = E00423D00(1, 0, 1, 0);
        					_push(_t120);
        					_push(0x4b639a);
        					_push( *[fs:eax]);
        					 *[fs:eax] = _t121;
        					_t44 =  *0x4c1d90; // 0x4ca924
        					_t16 = _t44 + 0x18; // 0x2dfe00
        					 *0x4c1de0 = E004053F0( *_t16);
        					_t47 =  *0x4c1d90; // 0x4ca924
        					_t17 = _t47 + 0x18; // 0x2dfe00
        					_t86 =  *0x4c1de0; // 0x0
        					E00405884(_t86,  *_t17);
        					_push(_t120);
        					_push(0x4b62e9);
        					_push( *[fs:eax]);
        					 *[fs:eax] = _t121;
        					_t51 =  *0x424cd8; // 0x424d30
        					_t93 =  *0x4c1d88; // 0x22238d0
        					 *0x4c1de4 = E00424748(_t93, 1, _t51);
        					_push(_t120);
        					_push(0x4b62d8);
        					_push( *[fs:eax]);
        					 *[fs:eax] = _t121;
        					_t55 =  *0x4c1d90; // 0x4ca924
        					_t18 = _t55 + 0x18; // 0x2dfe00
        					_t56 =  *0x4c1de4; // 0x0
        					E00424A24(_t56,  *_t18, _t86);
        					_pop(_t114);
        					 *[fs:eax] = _t114;
        					_push(E004B62DF);
        					_t59 =  *0x4c1de4; // 0x0
        					return E00405CE8(_t59);
        				} else {
        					_t69 =  *0x4ba674; // 0x4c0d0c
        					_t1 = _t69 + 0x1d0; // 0x0
        					E004AFA44( *_t1, __ebx, __edi, __esi);
        					 *0x4ba44c = 0;
        					_pop(_t115);
        					 *[fs:eax] = _t115;
        					_push(E004B6554);
        					_t74 =  *0x4c1d88; // 0x22238d0
        					_t75 = E00405CE8(_t74);
        					if( *0x4c1d9c != 0) {
        						_t117 =  *0x4c1d9c; // 0x0
        						_t75 = E004AF1B4(0, _t117, 0xfa, 0x32);
        					}
        					if( *0x4c1d94 != 0) {
        						_t82 =  *0x4c1d94; // 0x0
        						_t75 = RemoveDirectoryW(E004084EC(_t82));
        					}
        					if( *0x4ba450 != 0) {
        						_t81 =  *0x4ba450; // 0x0
        						_t75 = DestroyWindow(_t81);
        					}
        					if( *0x4c1d78 != 0) {
        						_t76 =  *0x4c1d78; // 0x0
        						_t99 =  *0x4c1d7c; // 0x0
        						_t116 =  *0x426bb0; // 0x426bb4
        						E00408D08(_t76, _t99, _t116);
        						_t78 =  *0x4c1d78; // 0x0
        						E0040540C(_t78);
        						 *0x4c1d78 = 0;
        						return 0;
        					}
        					return _t75;
        				}
        			}

        APIs
        • MessageBoxW.USER32(00000000,00000000,00000000,00000024), ref: 004B6179
          • Part of subcall function 004AFA44: MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE
        • RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
        • DestroyWindow.USER32(00000000,004B6554), ref: 004B6514
          • Part of subcall function 004AF1B4: Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
          • Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
          • Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: ErrorLastMessage$DestroyDirectoryRemoveSleepWindow
        • String ID: .tmp$0MB
        • API String ID: 3858953238-176122739
        • Opcode ID: 301e16f47666b727b4d85adc4dd2dde41dfd151105f37d762b4374fa6a6ed9b3
        • Instruction ID: b159488041d1577a8b45ed1a1d18f26c00613076fc9a683522f38ff229f2206a
        • Opcode Fuzzy Hash: 301e16f47666b727b4d85adc4dd2dde41dfd151105f37d762b4374fa6a6ed9b3
        • Instruction Fuzzy Hash: AC615A342002009FD755EF69ED86EAA37A5EB4A308F51453AF801976B2DA3CBC51CB6D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 34%
        			E004AFA44(void* __eax, void* __ebx, void* __edi, void* __esi) {
        				char _v8;
        				char _v12;
        				void* _t24;
        				intOrPtr _t28;
        				void* _t31;
        				void* _t32;
        				intOrPtr _t35;
        
        				_t32 = __esi;
        				_t31 = __edi;
        				_push(0);
        				_push(0);
        				_t24 = __eax;
        				_push(_t35);
        				_push(0x4aface);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t35;
        				if(( *0x4c1d61 & 0x00000001) == 0) {
        					E00407A20( &_v8);
        				} else {
        					E00407E48( &_v8, L"/ALLUSERS\r\nInstructs Setup to install in administrative install mode.\r\n/CURRENTUSER\r\nInstructs Setup to install in non administrative install mode.\r\n");
        				}
        				_push(L"The Setup program accepts optional command line parameters.\r\n\r\n/HELP, /?\r\nShows this information.\r\n/SP-\r\nDisables the This will install... Do you wish to continue? prompt at the beginning of Setup.\r\n/SILENT, /VERYSILENT\r\nInstructs Setup to be silent or very silent.\r\n/SUPPRESSMSGBOXES\r\nInstructs Setup to suppress message boxes.\r\n/LOG\r\nCauses Setup to create a log file in the user\'s TEMP directory.\r\n/LOG=\"filename\"\r\nSame as /LOG, except it allows you to specify a fixed path/filename to use for the log file.\r\n/NOCANCEL\r\nPrevents the user from cancelling during the installation process.\r\n/NORESTART\r\nPrevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requests a restart.\r\n/RESTARTEXITCODE=exit code\r\nSpecifies a custom exit code that Setup is to return when the system needs to be restarted.\r\n/CLOSEAPPLICATIONS\r\nInstructs Setup to close applications using files that need to be updated.\r\n/NOCLOSEAPPLICATIONS\r\nPrevents Setup from closing applications using files that need to be updated.\r\n/FORCECLOSEAPPLICATIONS\r\nInstructs Setup to force close when closing applications.\r\n/FORCENOCLOSEAPPLICATIONS\r\nPrevents Setup from force closing when closing applications.\r\n/LOGCLOSEAPPLICATIONS\r\nInstructs Setup to create extra logging when closing applications for debugging purposes.\r\n/RESTARTAPPLICATIONS\r\nInstructs Setup to restart applications.\r\n/NORESTARTAPPLICATIONS\r\nPrevents Setup from restarting applications.\r\n/LOADINF=\"filename\"\r\nInstructs Setup to load the settings from the specified file after having checked the command line.\r\n/SAVEINF=\"filename\"\r\nInstructs Setup to save installation settings to the specified file.\r\n/LANG=language\r\nSpecifies the internal name of the language to use.\r\n/DIR=\"x:\\dirname\"\r\nOverrides the default directory name.\r\n/GROUP=\"folder name\"\r\nOverrides the default folder 
name.\r\n/NOICONS\r\nInstructs Setup to initially check the Don\'t create a Start Menu folder check box.\r\n/TYPE=type name\r\nOverrides the default setup type.\r\n/COMPONENTS=\"comma separated list of component names\"\r\nOverrides the default component settings.\r\n/TASKS=\"comma separated list of task names\"\r\nSpecifies a list of tasks that should be initially selected.\r\n/MERGETASKS=\"comma separated list of task names\"\r\nLike the /TASKS parameter, except the specified tasks will be merged with the set of tasks that would have otherwise been selected by default.\r\n/PASSWORD=password\r\nSpecifies the password to use.\r\n");
        				_push(_v8);
        				_push(_t24);
        				_push(0x4b0f94);
        				_push(L"For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline");
        				E004087C4( &_v12, _t24, 5, _t31, _t32);
        				MessageBoxW(0, E004084EC(_v12), L"Setup", 0x10);
        				_pop(_t28);
        				 *[fs:eax] = _t28;
        				_push(E004AFAD5);
        				return E00407A80( &_v12, 2);
        			}

        APIs
        • MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE
        Strings
        • For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline, xrefs: 004AFA8A
        • Setup, xrefs: 004AFA9E
        • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in, xrefs: 004AFA7C
        • /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat, xrefs: 004AFA68
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: Message
        • String ID: /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat$For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline$Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in
        • API String ID: 2030045667-3391638011
        • Opcode ID: 19aabbd57dabec6cee2d168a692b8da5fbf684a47e321c3871ba092039eb267d
        • Instruction ID: 307a18092975e57fce7d36cb0845ad1ef4e0a75d88e156d2955b45763d379f25
        • Opcode Fuzzy Hash: 19aabbd57dabec6cee2d168a692b8da5fbf684a47e321c3871ba092039eb267d
        • Instruction Fuzzy Hash: D701A230748308BBE711E7D1CD52FDEB6A8D74AB04FA0047BB904B25D1D6BC6A09852D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 69%
        			E0042F9B8(signed short* __eax, signed int __ecx, signed short* __edx, void* __edi, void* __fp0) {
        				signed int _v8;
        				signed char _v9;
        				signed int _v12;
        				signed int _v14;
        				void* _v20;
        				void* _v24;
        				signed short* _v28;
        				signed short* _v32;
        				signed int _v48;
        				void* __ebx;
        				void* __ebp;
        				signed int _t150;
        				signed int _t272;
        				intOrPtr _t328;
        				intOrPtr _t331;
        				intOrPtr _t339;
        				intOrPtr _t347;
        				intOrPtr _t355;
        				void* _t360;
        				void* _t362;
        				intOrPtr _t363;
        
        				_t367 = __fp0;
        				_t358 = __edi;
        				_t360 = _t362;
        				_t363 = _t362 + 0xffffffd4;
        				_v8 = __ecx;
        				_v32 = __edx;
        				_v28 = __eax;
        				_v9 = 1;
        				_t272 =  *_v28 & 0x0000ffff;
        				if((_t272 & 0x00000fff) >= 0x10f) {
        					_t150 =  *_v32 & 0x0000ffff;
        					if(_t150 != 0) {
        						if(_t150 != 1) {
        							if(E00430860(_t272,  &_v20) != 0) {
        								_push( &_v14);
        								_t273 =  *_v20;
        								if( *((intOrPtr*)( *_v20 + 8))() == 0) {
        									_t275 =  *_v32 & 0x0000ffff;
        									if(( *_v32 & 0xfff) >= 0x10f) {
        										if(E00430860(_t275,  &_v24) != 0) {
        											_push( &_v12);
        											_t276 =  *_v24;
        											if( *((intOrPtr*)( *_v24 + 4))() == 0) {
        												E00428BF0(0xb);
        												goto L41;
        											} else {
        												if(( *_v28 & 0x0000ffff) == _v12) {
        													_t143 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
        													_v9 =  *(0x4b93d2 + _v8 * 2 + _t143) & 0x000000ff;
        													goto L41;
        												} else {
        													_push( &_v48);
        													L00427244();
        													_push(_t360);
        													_push(0x42fdb0);
        													_push( *[fs:eax]);
        													 *[fs:eax] = _t363;
        													_t289 = _v12 & 0x0000ffff;
        													E004299A4( &_v48, _t276, _v12 & 0x0000ffff, _v28, __edi, __fp0);
        													if((_v48 & 0x0000ffff) != _v12) {
        														E00428AF8(_t289);
        													}
        													_t131 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
        													_v9 =  *(0x4b93d2 + _v8 * 2 + _t131) & 0x000000ff;
        													_pop(_t328);
        													 *[fs:eax] = _t328;
        													_push(0x42fde5);
        													return E00429278( &_v48);
        												}
        											}
        										} else {
        											E00428BF0(0xb);
        											goto L41;
        										}
        									} else {
        										_push( &_v48);
        										L00427244();
        										_push(_t360);
        										_push(0x42fcf7);
        										_push( *[fs:eax]);
        										 *[fs:eax] = _t363;
        										_t294 =  *_v32 & 0x0000ffff;
        										E004299A4( &_v48, _t275,  *_v32 & 0x0000ffff, _v28, __edi, __fp0);
        										if(( *_v32 & 0x0000ffff) != _v48) {
        											E00428AF8(_t294);
        										}
        										_v9 = E0042F7D0( &_v48, _v8, _v32, _t358, _t360, _t367);
        										_pop(_t331);
        										 *[fs:eax] = _t331;
        										_push(0x42fde5);
        										return E00429278( &_v48);
        									}
        								} else {
        									if(( *_v32 & 0x0000ffff) == _v14) {
        										_t95 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
        										_v9 =  *(0x4b93d2 + _v8 * 2 + _t95) & 0x000000ff;
        										goto L41;
        									} else {
        										_push( &_v48);
        										L00427244();
        										_push(_t360);
        										_push(0x42fc52);
        										_push( *[fs:eax]);
        										 *[fs:eax] = _t363;
        										_t299 = _v14 & 0x0000ffff;
        										E004299A4( &_v48, _t273, _v14 & 0x0000ffff, _v32, __edi, __fp0);
        										if((_v48 & 0x0000ffff) != _v14) {
        											E00428AF8(_t299);
        										}
        										_t83 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
        										_v9 =  *(0x4b93d2 + _v8 * 2 + _t83) & 0x000000ff;
        										_pop(_t339);
        										 *[fs:eax] = _t339;
        										_push(0x42fde5);
        										return E00429278( &_v48);
        									}
        								}
        							} else {
        								E00428BF0(__ecx);
        								goto L41;
        							}
        						} else {
        							_v9 = E0042F550(_v8, 2);
        							goto L41;
        						}
        					} else {
        						_v9 = E0042F53C(0, 1);
        						goto L41;
        					}
        				} else {
        					if(_t272 != 0) {
        						if(_t272 != 1) {
        							if(E00430860( *_v32 & 0x0000ffff,  &_v24) != 0) {
        								_push( &_v12);
        								_t282 =  *_v24;
        								if( *((intOrPtr*)( *_v24 + 4))() == 0) {
        									_push( &_v48);
        									L00427244();
        									_push(_t360);
        									_push(0x42fb63);
        									_push( *[fs:eax]);
        									 *[fs:eax] = _t363;
        									_t306 =  *_v28 & 0x0000ffff;
        									E004299A4( &_v48, _t282,  *_v28 & 0x0000ffff, _v32, __edi, __fp0);
        									if((_v48 & 0xfff) !=  *_v28) {
        										E00428AF8(_t306);
        									}
        									_v9 = E0042F7D0(_v28, _v8,  &_v48, _t358, _t360, _t367);
        									_pop(_t347);
        									 *[fs:eax] = _t347;
        									_push(0x42fde5);
        									return E00429278( &_v48);
        								} else {
        									if(( *_v28 & 0x0000ffff) == _v12) {
        										_t44 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
        										_v9 =  *(0x4b93d2 + _v8 * 2 + _t44) & 0x000000ff;
        										goto L41;
        									} else {
        										_push( &_v48);
        										L00427244();
        										_push(_t360);
        										_push(0x42facc);
        										_push( *[fs:eax]);
        										 *[fs:eax] = _t363;
        										_t311 = _v12 & 0x0000ffff;
        										E004299A4( &_v48, _t282, _v12 & 0x0000ffff, _v28, __edi, __fp0);
        										if((_v48 & 0xfff) != _v12) {
        											E00428AF8(_t311);
        										}
        										_t32 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
        										_v9 =  *(0x4b93d2 + _v8 * 2 + _t32) & 0x000000ff;
        										_pop(_t355);
        										 *[fs:eax] = _t355;
        										_push(0x42fde5);
        										return E00429278( &_v48);
        									}
        								}
        							} else {
        								E00428BF0(__ecx);
        								goto L41;
        							}
        						} else {
        							_v9 = E0042F550(_v8, 0);
        							goto L41;
        						}
        					} else {
        						_v9 = E0042F53C(1, 0);
        						L41:
        						return _v9 & 0x000000ff;
        					}
        				}
        			}

        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
        • Instruction ID: 1b6310f250808118d38827de8a535e3b6e70e535f73b2508e71121fbf0c58563
        • Opcode Fuzzy Hash: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
        • Instruction Fuzzy Hash: 41D19D75E0011A9FCB00EFA9D4919FEB7B5EF48300BD080B6E801A7245D638AD4ADB69
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 75%
        			E0041C790(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
        				char _v8;
        				short _v18;
        				short _v22;
        				struct _SYSTEMTIME _v24;
        				short _v536;
        				short* _t32;
        				intOrPtr* _t47;
        				intOrPtr _t56;
        				void* _t61;
        				intOrPtr _t63;
        				void* _t67;
        
        				_v8 = 0;
        				_t47 = __edx;
        				_t61 = __eax;
        				_push(_t67);
        				_push(0x41c873);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t67 + 0xfffffdec;
        				E00407A20(__edx);
        				_v24 =  *(_a4 - 2) & 0x0000ffff;
        				_v22 =  *(_a4 - 4) & 0x0000ffff;
        				_v18 =  *(_a4 - 6) & 0x0000ffff;
        				if(_t61 > 2) {
        					E00407E48( &_v8, L"yyyy");
        				} else {
        					E00407E48( &_v8, 0x41c88c);
        				}
        				_t32 = E004084EC(_v8);
        				if(GetDateFormatW(GetThreadLocale(), 4,  &_v24, _t32,  &_v536, 0x200) != 0) {
        					E0040858C(_t47, 0x100,  &_v536);
        					if(_t61 == 1 &&  *((short*)( *_t47)) == 0x30) {
        						_t63 =  *_t47;
        						if(_t63 != 0) {
        							_t63 =  *((intOrPtr*)(_t63 - 4));
        						}
        						E004088AC( *_t47, _t63 - 1, 2, _t47);
        					}
        				}
        				_pop(_t56);
        				 *[fs:eax] = _t56;
        				_push(0x41c87a);
        				return E00407A20( &_v8);
        			}

        APIs
        • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C816
        • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C81C
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: DateFormatLocaleThread
        • String ID: $yyyy
        • API String ID: 3303714858-404527807
        • Opcode ID: 9b84cafd13c5b3a76178dd7a5deb0e6d63fe676c73d736d950a9ec0585647aa0
        • Instruction ID: d4c72dfe3e93bc103dd676e1b73ac12d517b544291048ec360f079cc1ca068dc
        • Opcode Fuzzy Hash: 9b84cafd13c5b3a76178dd7a5deb0e6d63fe676c73d736d950a9ec0585647aa0
        • Instruction Fuzzy Hash: 9A215335A442189BDB11EF95CDC1AAEB3B8EF08701F5144BBFC45E7281D7789E4087AA
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 85%
        			E0041EEFC(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* _a4) {
        				intOrPtr _v8;
        				intOrPtr _v12;
        				char _v534;
        				short _v1056;
        				short _v1568;
        				struct _MEMORY_BASIC_INFORMATION _v1596;
        				char _v1600;
        				intOrPtr _v1604;
        				char _v1608;
        				intOrPtr _v1612;
        				char _v1616;
        				intOrPtr _v1620;
        				char _v1624;
        				char* _v1628;
        				char _v1632;
        				char _v1636;
        				char _v1640;
        				intOrPtr _t55;
        				signed int _t76;
        				void* _t82;
        				intOrPtr _t83;
        				intOrPtr _t95;
        				intOrPtr _t98;
        				intOrPtr _t100;
        				intOrPtr* _t102;
        				void* _t105;
        
        				_v1640 = 0;
        				_v8 = __ecx;
        				_t82 = __edx;
        				_t102 = __eax;
        				_push(_t105);
        				_push(0x41f0a8);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t105 + 0xfffff99c;
        				VirtualQuery(__edx,  &_v1596, 0x1c);
        				if(_v1596.State != 0x1000 || GetModuleFileNameW(_v1596.AllocationBase,  &_v1056, 0x105) == 0) {
        					GetModuleFileNameW( *0x4be634,  &_v1056, 0x105);
        					_v12 = E0041EEF0(_t82);
        				} else {
        					_v12 = _t82 - _v1596.AllocationBase;
        				}
        				E0041A57C( &_v534, 0x104, E00420608() + 2);
        				_t83 = 0x41f0bc;
        				_t100 = 0x41f0bc;
        				_t95 =  *0x414db8; // 0x414e10
        				if(E00405F30(_t102, _t95) != 0) {
        					_t83 = E004084EC( *((intOrPtr*)(_t102 + 4)));
        					_t76 = E00407F04(_t83);
        					if(_t76 != 0 &&  *((short*)(_t83 + _t76 * 2 - 2)) != 0x2e) {
        						_t100 = 0x41f0c0;
        					}
        				}
        				_t55 =  *0x4ba774; // 0x40e708
        				_t18 = _t55 + 4; // 0xffec
        				LoadStringW(E00409FF0( *0x4be634),  *_t18,  &_v1568, 0x100);
        				E00405BE8( *_t102,  &_v1640);
        				_v1636 = _v1640;
        				_v1632 = 0x11;
        				_v1628 =  &_v534;
        				_v1624 = 0xa;
        				_v1620 = _v12;
        				_v1616 = 5;
        				_v1612 = _t83;
        				_v1608 = 0xa;
        				_v1604 = _t100;
        				_v1600 = 0xa;
        				E0041A814(4,  &_v1636);
        				E00407F04(_v8);
        				_pop(_t98);
        				 *[fs:eax] = _t98;
        				_push(0x41f0af);
        				return E00407A20( &_v1640);
        			}

        APIs
        • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
        • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
        • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
        • LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: FileModuleName$LoadQueryStringVirtual
        • String ID:
        • API String ID: 3990497365-0
        • Opcode ID: b8be0fea34dc80bb7553a8da0885c656d5cafed23f6e23429f91232411ad397e
        • Instruction ID: 1578eb45e464442e6080653f6025888c356fcaddc808aab3f6789ba0ce71ce89
        • Opcode Fuzzy Hash: b8be0fea34dc80bb7553a8da0885c656d5cafed23f6e23429f91232411ad397e
        • Instruction Fuzzy Hash: 3E412374A002589FDB20DF59CC81BCAB7F9AB58304F4044FAE508E7242D7799E95CF59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 58%
        			E0040A6C8(signed short __eax, void* __edx) {
        				char _v8;
        				char _v12;
        				intOrPtr _v16;
        				signed int _v20;
        				short _v22;
        				short _v24;
        				char _v26;
        				char _v32;
        				void* __ebp;
        				void* _t39;
        				void* _t55;
        				void* _t59;
        				short* _t62;
        				signed short _t66;
        				void* _t67;
        				void* _t68;
        				signed short _t79;
        				void* _t81;
        
        				_t81 = __edx;
        				_t66 = __eax;
        				_v16 = 0;
        				if(__eax !=  *0x4bdc08()) {
        					_v16 = E0040A684( &_v8);
        					_t79 = _t66;
        					_v20 = 3;
        					_t62 =  &_v26;
        					do {
        						 *_t62 =  *(0xf + "0123456789ABCDEF") & 0x000000ff;
        						_t79 = (_t79 & 0x0000ffff) >> 4;
        						_v20 = _v20 - 1;
        						_t62 = _t62 - 2;
        					} while (_v20 != 0xffffffff);
        					_v24 = 0;
        					_v22 = 0;
        					 *0x4bdc04(4,  &_v32,  &_v20);
        				}
        				_t39 = E0040A684( &_v12);
        				_t67 = _t39;
        				if(_t67 != 0) {
        					_t55 = _v12 - 2;
        					if(_t55 >= 0) {
        						_t59 = _t55 + 1;
        						_v20 = 0;
        						do {
        							if( *((short*)(_t67 + _v20 * 2)) == 0) {
        								 *((short*)(_t67 + _v20 * 2)) = 0x2c;
        							}
        							_v20 = _v20 + 1;
        							_t59 = _t59 - 1;
        						} while (_t59 != 0);
        					}
        					E00408550(_t81, _t67);
        					_t39 = E0040540C(_t67);
        				}
        				if(_v16 != 0) {
        					 *0x4bdc04(0, 0,  &_v20);
        					_t68 = E0040A684( &_v12);
        					if(_v8 != _v12 || E0040A660(_v16, _v12, _t68) != 0) {
        						 *0x4bdc04(8, _v16,  &_v20);
        					}
        					E0040540C(_t68);
        					return E0040540C(_v16);
        				}
        				return _t39;
        			}

        APIs
        • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040A6D9
        • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040A737
        • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040A794
        • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040A7C7
          • Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040A745), ref: 0040A69B
          • Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040A745), ref: 0040A6B8
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: Thread$LanguagesPreferred$Language
        • String ID:
        • API String ID: 2255706666-0
        • Opcode ID: 4c514f641868e752fd40307e4922e2f5a84495159d338bc2b006041d37f1dfb0
        • Instruction ID: 64ac70e7ec2a8712ea9b0e83aabe60772fb1db60419ab041f5eb1837937ee239
        • Opcode Fuzzy Hash: 4c514f641868e752fd40307e4922e2f5a84495159d338bc2b006041d37f1dfb0
        • Instruction Fuzzy Hash: 97317070E0021A9BDB10DFA9C884AAFB7B8EF04304F00867AE555E7291EB789E05CB55
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004AF9F0() {
        				struct HRSRC__* _t10;
        				void* _t11;
        				void* _t12;
        
        				_t10 = FindResourceW(0, 0x2b67, 0xa);
        				if(_t10 == 0) {
        					E004AF834();
        				}
        				if(SizeofResource(0, _t10) != 0x2c) {
        					E004AF834();
        				}
        				_t11 = LoadResource(0, _t10);
        				if(_t11 == 0) {
        					E004AF834();
        				}
        				_t12 = LockResource(_t11);
        				if(_t12 == 0) {
        					E004AF834();
        				}
        				return _t12;
        			}

        APIs
        • FindResourceW.KERNEL32(00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E,?,00000000,004B65E2), ref: 004AF9FA
        • SizeofResource.KERNEL32(00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E), ref: 004AFA0D
        • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000), ref: 004AFA1F
        • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002), ref: 004AFA30
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: Resource$FindLoadLockSizeof
        • String ID:
        • API String ID: 3473537107-0
        • Opcode ID: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
        • Instruction ID: 8c15b2061d88d30e204a2d131290402b8da5209396f43898e5d703764eea749b
        • Opcode Fuzzy Hash: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
        • Instruction Fuzzy Hash: FCE07E8074634625FA6436F718D7BAE00084B36B4DF40593FFA08A92D2EEAC8C19522E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 73%
        			E004AEFE8(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
        				char _v8;
        				char _v12;
        				char* _v16;
        				char _v20;
        				intOrPtr _v24;
        				char _v28;
        				char _v32;
        				char _v36;
        				char _v40;
        				intOrPtr _t63;
        				void* _t71;
        				void* _t73;
        				intOrPtr _t75;
        				intOrPtr _t76;
        
        				_t71 = __edi;
        				_t54 = __ebx;
        				_t75 = _t76;
        				_t55 = 4;
        				do {
        					_push(0);
        					_push(0);
        					_t55 = _t55 - 1;
        				} while (_t55 != 0);
        				_push(_t55);
        				_push(__ebx);
        				_t73 = __eax;
        				_t78 = 0;
        				_push(_t75);
        				_push(0x4af0e1);
        				_push( *[fs:eax]);
        				 *[fs:eax] = _t76;
        				while(1) {
        					E00422D70( &_v12, _t54, _t55, _t78);
        					_t55 = L".tmp";
        					E004AEEC8(0, _t54, L".tmp", _v12, _t71, _t73,  &_v8);
        					if(CreateDirectoryW(E004084EC(_v8), 0) != 0) {
        						break;
        					}
        					_t54 = GetLastError();
        					_t78 = _t54 - 0xb7;
        					if(_t54 != 0xb7) {
        						E00426F08(0x3d,  &_v32, _v8);
        						_v28 = _v32;
        						E00419E18( &_v36, _t54, 0);
        						_v24 = _v36;
        						E004232EC(_t54,  &_v40);
        						_v20 = _v40;
        						E00426ED8(0x81, 2,  &_v28,  &_v16);
        						_t55 = _v16;
        						E0041F264(_v16, 1);
        						E0040711C();
        					}
        				}
        				E00407E00(_t73, _v8);
        				__eflags = 0;
        				_pop(_t63);
        				 *[fs:eax] = _t63;
        				_push(E004AF0E8);
        				E00407A80( &_v40, 3);
        				return E00407A80( &_v16, 3);
        			}

        APIs
        • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF030
        • GetLastError.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF039
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: CreateDirectoryErrorLast
        • String ID: .tmp
        • API String ID: 1375471231-2986845003
        • Opcode ID: 6f0e3b43b341346264ac3305718c7c69d836a314285037dfad24d3529da5ded2
        • Instruction ID: 89b964d67460c442e7c67535b057b8112791baa86db9a38931a927ffd746d2a8
        • Opcode Fuzzy Hash: 6f0e3b43b341346264ac3305718c7c69d836a314285037dfad24d3529da5ded2
        • Instruction Fuzzy Hash: 3A218735A041089BDB00EBE1C842ADFB3B9EB49304F50447BF800F7381DA386E058BA9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040E450(long __eax, WCHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
        				WCHAR* _v8;
        				void* _t13;
        				struct HWND__* _t24;
        				WCHAR* _t29;
        				long _t32;
        
        				_v8 = _t29;
        				_t32 = __eax;
        				_t13 = E00405740();
        				_t24 = CreateWindowExW(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4);
        				E00405730(_t13);
        				return _t24;
        			}

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: CreateWindow
        • String ID: InnoSetupLdrWindow$STATIC
        • API String ID: 716092398-2209255943
        • Opcode ID: 4ba199ab3c1e041c72a50ebd66c3ee798d5f8225e8fee486b5eb3d70e3749009
        • Instruction ID: 770f17d29583ffea265d4876c6cd55b491c436ce5e2cc0b006eebdc9bc405b2a
        • Opcode Fuzzy Hash: 4ba199ab3c1e041c72a50ebd66c3ee798d5f8225e8fee486b5eb3d70e3749009
        • Instruction Fuzzy Hash: 73F07FB6600118AF9B84DE9EDC85E9B77ECEB4D264B05412ABA08E7201D634ED118BA4
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00420BD8() {
        				void* __ebx;
        				struct HINSTANCE__* _t1;
        				void* _t4;
        
        				_t1 = GetModuleHandleW(L"kernel32.dll");
        				_t3 = _t1;
        				if(_t1 != 0) {
        					_t1 = E0040E1A8(_t3, _t4, _t3, L"GetDiskFreeSpaceExW");
        					 *0x4b7e30 = _t1;
        				}
        				if( *0x4b7e30 == 0) {
        					 *0x4b7e30 = E0041A4DC;
        					return E0041A4DC;
        				}
        				return _t1;
        			}

        APIs
        • GetModuleHandleW.KERNEL32(kernel32.dll,?,00420CB4,00000000,00420CCC,?,?,00420C69), ref: 00420BDE
          • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
        Strings
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: AddressHandleModuleProc
        • String ID: GetDiskFreeSpaceExW$kernel32.dll
        • API String ID: 1646373207-1127948838
        • Opcode ID: f76785e0005e833dd4a9f921d8d2e36157eed1af70da7a881872f52b203e86d0
        • Instruction ID: d69f2d486575a746b5ffe9d6a82661523d0842203aaa5c8b8dd0cb43f1f92830
        • Opcode Fuzzy Hash: f76785e0005e833dd4a9f921d8d2e36157eed1af70da7a881872f52b203e86d0
        • Instruction Fuzzy Hash: 31D05EB03143165FE7056BB2ACC561636C6AB86304B900B7BA5046A243CBFDDC50434C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004AF1B4(long __eax, intOrPtr __edx, long _a4, long _a8) {
        				intOrPtr _v8;
        				long _t5;
        				long _t9;
        				void* _t10;
        				void* _t13;
        				void* _t15;
        				void* _t16;
        
        				_t5 = __eax;
        				_v8 = __edx;
        				_t9 = __eax;
        				_t15 = _t10 - 1;
        				if(_t15 < 0) {
        					L10:
        					return _t5;
        				}
        				_t16 = _t15 + 1;
        				_t13 = 0;
        				while(1) {
        					_t19 = _t13 - 1;
        					if(_t13 != 1) {
        						__eflags = _t13 - 1;
        						if(__eflags > 0) {
        							Sleep(_a4);
        						}
        					} else {
        						Sleep(_a8);
        					}
        					_t5 = E00427154(_t9, _v8, _t19);
        					if(_t5 != 0) {
        						goto L10;
        					}
        					_t5 = GetLastError();
        					if(_t5 == 2) {
        						goto L10;
        					}
        					_t5 = GetLastError();
        					if(_t5 == 3) {
        						goto L10;
        					}
        					_t13 = _t13 + 1;
        					_t16 = _t16 - 1;
        					if(_t16 != 0) {
        						continue;
        					}
        					goto L10;
        				}
        				goto L10;
        			}

        APIs
        • Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
        • Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1E3
        • GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
        • GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200
        Memory Dump Source
        • Source File: 00000002.00000002.242954494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000002.00000002.242941753.0000000000400000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243036002.00000000004B7000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243041797.00000000004C0000.00000004.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243055514.00000000004C4000.00000002.00000001.01000000.00000003.sdmp
        • Associated: 00000002.00000002.243058852.00000000004C6000.00000002.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_2_2_400000_download.jbxd
        Similarity
        • API ID: ErrorLastSleep
        • String ID:
        • API String ID: 1458359878-0
        • Opcode ID: 132a67e1d44d9774a6928004e5d8cee8820d44842addde93f31c36794548402b
        • Instruction ID: c6a2870ed3ca6a3ef6dac7de38143878fdab2d33d6efdb0808b7300bb595a527
        • Opcode Fuzzy Hash: 132a67e1d44d9774a6928004e5d8cee8820d44842addde93f31c36794548402b
        • Instruction Fuzzy Hash: 0CF02B37B04224A76724A5EBEC46D6FE298DEB33A8710457BFC04D7302C439CC4542A8
        Uniqueness

        Uniqueness Score: -1.00%